UFW: Difference between revisions

From Chorke Wiki
Jump to navigation Jump to search
(Created page with "<syntaxhighlight lang="bash"> cat <<-'EXE'|sudo bash apt-get update;echo apt list -a --upgradable apt-get install -y ufw nmap telnet EXE </syntaxhighlight> <syntaxhighlight lang="bash"> sudo ufw allow http sudo ufw allow OpenSSH sudo ufw allow in on lxdbr0 sudo ufw route allow in on lxdbr0 sudo ufw route allow out on lxdbr0 sudo ufw status verbose sudo systemctl status ufw sudo ufw enable </syntaxhighlight> <syntaxhighlight lang="bash"> sudo ufw allow 5900/tcp sudo u...")
 
 
(17 intermediate revisions by the same user not shown)
Line 7: Line 7:
</syntaxhighlight>
</syntaxhighlight>


==Allow==
{|class="wikitable"|-
!scope="col" colspan="5"| Allow » Basic 
|-
!scope="col"| Name !!scope="col"| Allow
|rowspan="6"|
!scope="col"| Name !!scope="col"| Allow
|-
| HTTP                              || <code>sudo ufw allow http</code>                  ||  RDP                              || <code>sudo ufw allow 5900/tcp</code>
|-
| OpenSSH                          || <code>sudo ufw allow OpenSSH</code>              ||  MySQL                            || <code>sudo ufw allow 3306/tcp</code>
|-
| LXD Bridge                        || <code>sudo ufw allow in on lxdbr0</code>          ||  PostgreSQL                        || <code>sudo ufw allow 5432/tcp</code>
|-
| LXD Bridge                        || <code>sudo ufw route allow in on lxdbr0</code>    ||  Micro Services                    || <code>sudo ufw allow 9000:9010/tcp</code>
|-
| LXD Bridge                        || <code>sudo ufw route allow out on lxdbr0</code>  ||  MinIO Object Storage              || <code>sudo ufw allow 9800:9801/tcp</code>
|-
!scope="col" colspan="5"| Allow » Special
|-
!scope="col"| Name !!scope="col"| Allow
|rowspan="2"|
!scope="col"| Name !!scope="col"| Allow
|-
| OpenVPN                          || <code>sudo ufw allow 1194/udp</code>              || GitLab                            || <code>sudo ufw allow 1080/tcp</code>
|-
| MongoDB                          || <code>sudo ufw allow 27017/tcp</code>            ||                                    ||
|}
===Allow » Minikube » Bridge===
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo ufw allow http
MINIKUBE_BRIDGE="br-$(docker network ls -fname=minikube --format=json|jq -r '.ID')"
sudo ufw allow OpenSSH
sudo ufw allow in on ${MINIKUBE_BRIDGE}
sudo ufw allow in on lxdbr0
sudo ufw status numbered
sudo ufw route allow in on lxdbr0
</syntaxhighlight>
sudo ufw route allow out on lxdbr0


==Status==
{|
| valign="top" |
<syntaxhighlight lang="bash">
sudo systemctl status ufw
sudo ufw status verbose
sudo ufw status verbose
sudo systemctl status ufw
sudo ufw enable
sudo ufw enable
</syntaxhighlight>
</syntaxhighlight>


| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo ufw allow 5900/tcp
sudo ufw delete allow 3306
sudo ufw status verbose
sudo ufw status numbered
sudo ufw delete N
</syntaxhighlight>


sudo ufw allow http
| valign="top" |
sudo ufw allow OpenSSH
<syntaxhighlight lang="bash">
sudo ufw allow 5900/tcp
sudo ufw delete allow 9800:9801/tcp
sudo ufw delete allow 9000:9010/tcp
sudo ufw delete allow 3306/tcp
</syntaxhighlight>


ufw status
|}
ufw status verbose
systemctl status ufw
</syntaxhighlight>


==Playground==
==Playground==
Line 36: Line 72:
| valign="top" |
| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
ufw status
netstat -uap|grep nginx
apt list --installed
sudo ufw status
netstat -lpn
netstat -a
netstat -a
netstat -lpn
apt list --installed
netstat -uap|grep nginx
</syntaxhighlight>
</syntaxhighlight>


| valign="top" |
| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo ss -tulpn | grep LISTEN | grep resolve
sudo ss -tulpn | grep LISTEN | grep minio
sudo ss -tulpn | grep LISTEN | grep sshd
sudo ss -tulwn | grep LISTEN
sudo ss -tulwn | grep LISTEN
sudo ss -tulpn | grep LISTEN
sudo ss -tulpn | grep LISTEN
sudo ss -tulpn | grep LISTEN | grep sshd
sudo ss -tulpn | grep LISTEN | grep minio
sudo ss -tulpn | grep LISTEN | grep resolve
</syntaxhighlight>
</syntaxhighlight>


| valign="top" |
| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo lsof -i -P -n | grep LISTEN
sudo ss -tulpn    | grep LISTEN
sudo ufw allow 'Nginx HTTP'
sudo ufw app list
sudo ufw status
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|valign='top'|
<syntaxhighlight lang="bash">
sudo systemctl status ufw
sudo apt-get install gufw
sudo ufw status numbered
sudo ufw status verbose
sudo ufw disable
sudo ufw enable
sudo ufw status
sudo ufw status
sudo ufw app list
</syntaxhighlight>
sudo ufw allow 'Nginx HTTP'
 
sudo ss -tulpn    | grep LISTEN
|valign='top'|
sudo lsof -i -P -n | grep LISTEN
<syntaxhighlight lang="bash">
nc -uv vpn.shahed.biz 1194  # udp
nc -tv vpn.shahed.biz 80    # tcp
nc -tv vpn.shahed.biz 53    # tcp
sudo nmap -sT localhost      # tcp
sudo nmap -sU localhost      # udp
nc -uv localhost 1194        # udp
nc -tv localhost 80          # tcp
</syntaxhighlight>
 
|valign='top'|
<syntaxhighlight lang="bash">
sudo -i -u minikube
echo $(ip r g $(minikube ip)|awk '{print $3}'|head -n1)
 
sudo nmap -sU -sT -p U:1194,T:22,53,443 vpn.shahed.biz
</syntaxhighlight>
</syntaxhighlight>


Line 67: Line 137:
|valign='top'|
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
systemctl status ufw
journalctl -xeu mongod.service
ufw status verbose
systemctl daemon-reload
ufw disable
journalctl -xe|less
ufw enable
journalctl -xe|tail
ufw status
journalctl -xe
</syntaxhighlight>
</syntaxhighlight>


Line 84: Line 154:
| valign="top" |
| valign="top" |
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-22-04 UFW » Set Up on Ubuntu 22.04]
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-22-04 UFW » Set Up on Ubuntu 22.04]
* [https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29 UFW]


| valign="top" |
| valign="top" |
Line 118: Line 189:


| valign="top" |
| valign="top" |
* [[K8s/CSI Hostpath Driver|K8s » CSI Hostpath Driver]]


|}
|}

Latest revision as of 23:50, 30 September 2024

cat <<-'EXE'|sudo bash
apt-get update;echo
apt list -a --upgradable
apt-get install -y ufw nmap telnet
EXE

Allow

Allow » Basic
Name Allow Name Allow
HTTP sudo ufw allow http RDP sudo ufw allow 5900/tcp
OpenSSH sudo ufw allow OpenSSH MySQL sudo ufw allow 3306/tcp
LXD Bridge sudo ufw allow in on lxdbr0 PostgreSQL sudo ufw allow 5432/tcp
LXD Bridge sudo ufw route allow in on lxdbr0 Micro Services sudo ufw allow 9000:9010/tcp
LXD Bridge sudo ufw route allow out on lxdbr0 MinIO Object Storage sudo ufw allow 9800:9801/tcp
Allow » Special
Name Allow Name Allow
OpenVPN sudo ufw allow 1194/udp GitLab sudo ufw allow 1080/tcp
MongoDB sudo ufw allow 27017/tcp

Allow » Minikube » Bridge

MINIKUBE_BRIDGE="br-$(docker network ls -fname=minikube --format=json|jq -r '.ID')"
sudo ufw allow in on ${MINIKUBE_BRIDGE}
sudo ufw status numbered

Status

sudo systemctl status ufw
sudo ufw status verbose
sudo ufw enable

sudo ufw delete allow 3306
sudo ufw status numbered
sudo ufw delete N

sudo ufw delete allow 9800:9801/tcp
sudo ufw delete allow 9000:9010/tcp
sudo ufw delete allow 3306/tcp

Playground

netstat -uap|grep nginx
apt list --installed
sudo ufw status
netstat -lpn
netstat -a

sudo ss -tulpn | grep LISTEN | grep resolve
sudo ss -tulpn | grep LISTEN | grep minio
sudo ss -tulpn | grep LISTEN | grep sshd
sudo ss -tulwn | grep LISTEN
sudo ss -tulpn | grep LISTEN

sudo lsof -i -P -n | grep LISTEN
sudo ss -tulpn     | grep LISTEN
sudo ufw allow 'Nginx HTTP'
sudo ufw app list
sudo ufw status

sudo systemctl status ufw
sudo apt-get install gufw
sudo ufw status numbered
sudo ufw status verbose
sudo ufw disable
sudo ufw enable
sudo ufw status

nc -uv vpn.shahed.biz 1194   # udp
nc -tv vpn.shahed.biz 80     # tcp
nc -tv vpn.shahed.biz 53     # tcp
sudo nmap -sT localhost      # tcp
sudo nmap -sU localhost      # udp
nc -uv localhost 1194        # udp
nc -tv localhost 80          # tcp

sudo -i -u minikube
echo $(ip r g $(minikube ip)|awk '{print $3}'|head -n1)

sudo nmap -sU -sT -p U:1194,T:22,53,443 vpn.shahed.biz

journalctl -xeu mongod.service
systemctl daemon-reload
journalctl -xe|less
journalctl -xe|tail
journalctl -xe

References

Retrieved from "https://cdn.chorke.org/weke/index.php?title=UFW&oldid=13085"