UFW: Difference between revisions
(Created page with "<syntaxhighlight lang="bash"> cat <<-'EXE'|sudo bash apt-get update;echo apt list -a --upgradable apt-get install -y ufw nmap telnet EXE </syntaxhighlight> <syntaxhighlight lang="bash"> sudo ufw allow http sudo ufw allow OpenSSH sudo ufw allow in on lxdbr0 sudo ufw route allow in on lxdbr0 sudo ufw route allow out on lxdbr0 sudo ufw status verbose sudo systemctl status ufw sudo ufw enable </syntaxhighlight> <syntaxhighlight lang="bash"> sudo ufw allow 5900/tcp sudo u...") |
|||
(18 intermediate revisions by the same user not shown) | |||
Line 7: | Line 7: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
==Allow== | |||
{|class="wikitable"|- | |||
!scope="col" colspan="5"| Allow » Basic | |||
|- | |||
!scope="col"| Name !!scope="col"| Allow | |||
|rowspan="6"| | |||
!scope="col"| Name !!scope="col"| Allow | |||
|- | |||
| HTTP || <code>sudo ufw allow http</code> || RDP || <code>sudo ufw allow 5900/tcp</code> | |||
|- | |||
| OpenSSH || <code>sudo ufw allow OpenSSH</code> || MySQL || <code>sudo ufw allow 3306/tcp</code> | |||
|- | |||
| LXD Bridge || <code>sudo ufw allow in on lxdbr0</code> || PostgreSQL || <code>sudo ufw allow 5432/tcp</code> | |||
|- | |||
| LXD Bridge || <code>sudo ufw route allow in on lxdbr0</code> || Micro Services || <code>sudo ufw allow 9000:9010/tcp</code> | |||
|- | |||
| LXD Bridge || <code>sudo ufw route allow out on lxdbr0</code> || MinIO Object Storage || <code>sudo ufw allow 9800:9801/tcp</code> | |||
|- | |||
!scope="col" colspan="5"| Allow » Special | |||
|- | |||
!scope="col"| Name !!scope="col"| Allow | |||
|rowspan="2"| | |||
!scope="col"| Name !!scope="col"| Allow | |||
|- | |||
| OpenVPN || <code>sudo ufw allow 1194/udp</code> || GitLab || <code>sudo ufw allow 1080/tcp</code> | |||
|- | |||
| MongoDB || <code>sudo ufw allow 27017/tcp</code> || || | |||
|} | |||
===Allow » Minikube » Bridge=== | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
MINIKUBE_BRIDGE="br-$(docker network ls -fname=minikube --format=json|jq -r '.ID')" | |||
sudo ufw allow in on ${MINIKUBE_BRIDGE} | |||
sudo ufw allow in on | sudo ufw status numbered | ||
sudo ufw | </syntaxhighlight> | ||
==Status== | |||
{| | |||
| valign="top" | | |||
<syntaxhighlight lang="bash"> | |||
sudo systemctl status ufw | |||
sudo ufw status verbose | sudo ufw status verbose | ||
sudo ufw enable | sudo ufw enable | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| valign="top" | | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
sudo ufw allow | sudo ufw delete allow 3306 | ||
sudo ufw status | sudo ufw status numbered | ||
sudo ufw delete N | |||
</syntaxhighlight> | |||
sudo ufw allow | | valign="top" | | ||
sudo ufw allow | <syntaxhighlight lang="bash"> | ||
sudo ufw allow | sudo ufw delete allow 9800:9801/tcp | ||
sudo ufw delete allow 9000:9010/tcp | |||
sudo ufw delete allow 3306/tcp | |||
</syntaxhighlight> | |||
|} | |||
==Playground== | ==Playground== | ||
Line 36: | Line 72: | ||
| valign="top" | | | valign="top" | | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
ufw status | netstat -uap|grep nginx | ||
apt list --installed | |||
sudo ufw status | |||
netstat -lpn | |||
netstat -a | netstat -a | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| valign="top" | | | valign="top" | | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
sudo ss -tulpn | grep LISTEN | grep resolve | |||
sudo ss -tulpn | grep LISTEN | grep minio | |||
sudo ss -tulpn | grep LISTEN | grep sshd | |||
sudo ss -tulwn | grep LISTEN | sudo ss -tulwn | grep LISTEN | ||
sudo ss -tulpn | grep LISTEN | sudo ss -tulpn | grep LISTEN | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| valign="top" | | | valign="top" | | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
sudo lsof -i -P -n | grep LISTEN | |||
sudo ss -tulpn | grep LISTEN | |||
sudo ufw allow 'Nginx HTTP' | |||
sudo ufw app list | |||
sudo ufw status | |||
</syntaxhighlight> | |||
|- | |||
|colspan='3'| | |||
---- | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo systemctl status ufw | |||
sudo apt-get install gufw | |||
sudo ufw status numbered | |||
sudo ufw status verbose | |||
sudo ufw disable | |||
sudo ufw enable | |||
sudo ufw status | sudo ufw status | ||
sudo | </syntaxhighlight> | ||
sudo | |||
sudo | |valign='top'| | ||
sudo | <syntaxhighlight lang="bash"> | ||
nc -uv vpn.shahed.biz 1194 # udp | |||
nc -tv vpn.shahed.biz 80 # tcp | |||
nc -tv vpn.shahed.biz 53 # tcp | |||
sudo nmap -sT localhost # tcp | |||
sudo nmap -sU localhost # udp | |||
nc -uv localhost 1194 # udp | |||
nc -tv localhost 80 # tcp | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo -i -u minikube | |||
echo $(ip r g $(minikube ip)|awk '{print $3}'|head -n1) | |||
sudo nmap -sU -sT -p U:1194,T:22,53,443 vpn.shahed.biz | |||
</syntaxhighlight> | </syntaxhighlight> | ||
Line 67: | Line 137: | ||
|valign='top'| | |valign='top'| | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
systemctl | journalctl -xeu mongod.service | ||
systemctl daemon-reload | |||
journalctl -xe|less | |||
journalctl -xe|tail | |||
journalctl -xe | |||
</syntaxhighlight> | </syntaxhighlight> | ||
Line 84: | Line 154: | ||
| valign="top" | | | valign="top" | | ||
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-22-04 UFW » Set Up on Ubuntu 22.04] | * [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-22-04 UFW » Set Up on Ubuntu 22.04] | ||
* [https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29 UFW] | |||
| valign="top" | | | valign="top" | | ||
Line 118: | Line 189: | ||
| valign="top" | | | valign="top" | | ||
* [[K8s/CSI Hostpath Driver|K8s » CSI Hostpath Driver]] | |||
* [[CIDR]] | |||
* [[Port]] | |||
|} | |} |
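Review bot: The new Status cell runs `sudo ufw delete allow 3306` while the Allow table adds `sudo ufw allow 3306/tcp`; ufw only deletes a rule that is restated exactly, so this line will not match that rule and should read `sudo ufw delete allow 3306/tcp`, as the neighbouring cell already does for the other ports. In the Minikube bridge snippet `${MINIKUBE_BRIDGE}` is passed to ufw unquoted and unchecked, so an empty docker/jq result yields a rule on the interface `br-`; a `[[ -n "$id" ]]` guard plus quoting would avoid that. The Allow » Basic table labels 5900/tcp as RDP, which is VNC's port; RDP is 3389/tcp. The `# tcp` comments beside `nc -tv` are misleading, since `-t` in both Ubuntu netcat variants means telnet negotiation and TCP is already nc's default.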
Latest revision as of 06:38, 10 November 2024
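# Bootstrap the firewall and the probing tools used further down. The
# quoted delimiter ('EXE') keeps the body literal, and the body is handed
# straight to a root shell (no 'cat' needed in front of the here-doc).
sudo bash <<'EXE'
# abort on the first failing step so a failed 'apt-get update' does not
# silently fall through to the install
set -e
apt-get update;echo
# informational only: packages that could be upgraded (all versions)
apt list -a --upgradable
apt-get install -y ufw nmap telnet
EXE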
Allow
Allow » Basic | ||||
---|---|---|---|---|
Name | Allow | Name | Allow | |
HTTP | sudo ufw allow http |
RDP | sudo ufw allow 5900/tcp
| |
OpenSSH | sudo ufw allow OpenSSH |
MySQL | sudo ufw allow 3306/tcp
| |
LXD Bridge | sudo ufw allow in on lxdbr0 |
PostgreSQL | sudo ufw allow 5432/tcp
| |
LXD Bridge | sudo ufw route allow in on lxdbr0 |
Micro Services | sudo ufw allow 9000:9010/tcp
| |
LXD Bridge | sudo ufw route allow out on lxdbr0 |
MinIO Object Storage | sudo ufw allow 9800:9801/tcp
| |
Allow » Special | ||||
Name | Allow | Name | Allow | |
OpenVPN | sudo ufw allow 1194/udp |
GitLab | sudo ufw allow 1080/tcp
| |
MongoDB | sudo ufw allow 27017/tcp |
Allow » Minikube » Bridge
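# Resolve the host bridge Docker created for the minikube network: it is
# named "br-" followed by the short network ID that 'docker network ls'
# prints. NOTE(review): '-f name=' is a substring match, so 'head -n1'
# pins a single ID when several networks contain "minikube" — confirm the
# first one is the intended network.
minikube_net_id="$(docker network ls -f name=minikube --format=json | jq -r '.ID' | head -n1)"
if [[ -z "${minikube_net_id}" ]]; then
  # without this guard an empty result would add a rule on interface "br-"
  printf 'no docker network matching "minikube" found; no ufw rule added\n' >&2
else
  MINIKUBE_BRIDGE="br-${minikube_net_id}"
  # quoted so an unexpected value can never split into extra ufw arguments
  sudo ufw allow in on "${MINIKUBE_BRIDGE}"
fi
sudo ufw status numbered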
Status
# systemd's view of the unit, then ufw's own rule summary
sudo systemctl status ufw
sudo ufw status verbose
# Turn the firewall on (and at boot). Run this only after the allow rules
# above — OpenSSH in particular — are in place, or a remote session can be
# cut off; ufw itself warns that enabling may disrupt existing SSH sessions.
sudo ufw enable
|
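# Remove a rule by restating it exactly as it was added: the Allow table
# opens '3306/tcp', and 'delete allow 3306' (no protocol) would not match
# that rule.
sudo ufw delete allow 3306/tcp
# Alternative: list rules with their index and delete by index. N is a
# placeholder for the number shown in the numbered listing.
sudo ufw status numbered
sudo ufw delete N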
|
# Tear down the port ranges/ports opened in the Allow table, restating each
# rule exactly as it was added so ufw can match it.
for rule in 9800:9801/tcp 9000:9010/tcp 3306/tcp; do
  sudo ufw delete allow "${rule}"
done
|
Playground
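# Socket inventory. 'netstat -p' only reports the owning PID/program for
# sockets of the invoking user, so without sudo a root-owned nginx master
# shows up as "-" and the grep finds nothing.
# NOTE(review): -u restricts this to UDP sockets — use -t for the usual
# TCP listeners unless HTTP/3 (QUIC) is what is being checked.
sudo netstat -uap | grep nginx
apt list --installed
sudo ufw status
# all listening sockets, numeric addresses, with owning process
sudo netstat -lpn
netstat -a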
|
# Listening sockets (-l) with owning process (-p); the LISTEN filter keeps
# the TCP rows, then each service name narrows the view further.
for svc in resolve minio sshd; do
  sudo ss -tulpn | grep LISTEN | grep "${svc}"
done
# -w adds raw sockets; -p shows the owning process
sudo ss -tulwn | grep LISTEN
sudo ss -tulpn | grep LISTEN
|
# Two views of what is listening: lsof (-i network files; -P/-n keep ports
# and addresses numeric) and ss.
sudo lsof -i -P -n | grep LISTEN
sudo ss -tulpn | grep LISTEN
# Open the ports of an application profile by name; 'ufw app list' shows the
# installed profiles the name must match.
sudo ufw allow 'Nginx HTTP'
sudo ufw app list
sudo ufw status
|
| ||
sudo systemctl status ufw
# optional graphical front-end; no -y, so apt prompts before installing
sudo apt-get install gufw
sudo ufw status numbered
sudo ufw status verbose
# A disable/enable cycle re-applies the rule set but leaves the host
# unfiltered in between; when the firewall is already enabled,
# 'sudo ufw reload' re-applies the rules without that gap.
sudo ufw disable
sudo ufw enable
sudo ufw status
|
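# Reachability checks for the rules above, run against one's own hosts.
# -z makes nc report the result and exit without sending data; -v prints
# it. The former '-t' is dropped: in both Ubuntu netcat flavours it means
# "answer telnet negotiation", not TCP — TCP is nc's default.
# UDP results are only indicative: there is no handshake, so a closed port
# is noticed only when an ICMP unreachable comes back, and a firewall that
# silently drops (ufw's default deny) sends none.
nc -zuv vpn.shahed.biz 1194 # udp
nc -zv vpn.shahed.biz 80    # tcp
nc -zv vpn.shahed.biz 53    # tcp
# -sT is a plain connect scan; the UDP scan (-sU) is what needs root
sudo nmap -sT localhost # tcp
sudo nmap -sU localhost # udp
nc -zuv localhost 1194 # udp
nc -zv localhost 80    # tcp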
|
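# Become the minikube user first: 'sudo -i' opens an interactive login
# shell, so the commands below are meant to be typed inside it (in a
# script they would only run after that shell exits).
sudo -i -u minikube
# Next hop towards the minikube node. 'ip route get' prints
# "<ip> via <gw> dev <if> ..." for routed targets, so field 3 is the
# gateway; NOTE(review): for a directly connected target the line is
# "<ip> dev <if> ..." and field 3 is the interface instead — confirm which
# one is wanted. The former 'echo $(...)' wrapper only re-split the output.
ip r g "$(minikube ip)" | awk '{print $3}' | head -n1
# Probe the VPN host's expected ports (UDP 1194; TCP 22, 53, 443); -sU
# needs root.
sudo nmap -sU -sT -p U:1194,T:22,53,443 vpn.shahed.biz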
|
| ||
# Unit-specific log (-u mongod.service) with explanatory texts (-x),
# positioned at the end (-e).
journalctl -xeu mongod.service
# pick up edited/added unit files before looking at the journal again
systemctl daemon-reload
# -e implies a 1000-line tail; when the output is piped journalctl does not
# start its own pager, hence the explicit less/tail.
journalctl -xe|less
journalctl -xe|tail
journalctl -xe
|
References
| ||