UFW: Difference between revisions

From Chorke Wiki
Jump to navigation Jump to search
 
(28 intermediate revisions by the same user not shown)
Line 6: Line 6:
EXE
EXE
</syntaxhighlight>
</syntaxhighlight>
==App==
{|
|valign='top'|
<syntaxhighlight lang="ini">
cat << INI | sudo tee /etc/ufw/applications.d/chorke >/dev/null
[Chorke]
title=Chorke Academia, Inc.
description=Chorke Academia, Inc. App
ports=1983/tcp
INI
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
cat /etc/ufw/applications.d/chorke
ls -lah /etc/ufw/applications.d/
sudo ufw app update Chorke
sudo ufw app info Chorke
sudo ufw app list
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|valign='top'|
<syntaxhighlight lang="bash">
sudo ufw allow from 10.19.83.10 to any app Chorke
sudo ufw allow  Chorke
sudo ufw status verbose
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
sudo ufw delete allow from 10.19.83.10 to any app Chorke
sudo ufw delete allow Chorke
sudo ufw status numbered
</syntaxhighlight>
|}


==Allow==
==Allow==
{|class="wikitable"
{|class="wikitable"|-
!scope="col" colspan="5"| Allow » Basic 
|-
|-
!scope="col"| Name !!scope="col"| Allow
!scope="col"| Name !!scope="col"| Allow
Line 22: Line 65:
| LXD Bridge                        || <code>sudo ufw route allow in on lxdbr0</code>    ||  Micro Services                    || <code>sudo ufw allow 9000:9010/tcp</code>
| LXD Bridge                        || <code>sudo ufw route allow in on lxdbr0</code>    ||  Micro Services                    || <code>sudo ufw allow 9000:9010/tcp</code>
|-
|-
| LXD Bridge                        || <code>sudo ufw route allow out on lxdbr0</code>  ||  MinIO Object Storage              || <code>sudo ufw allow 9800:9801/tcp</code>  
| LXD Bridge                        || <code>sudo ufw route allow out on lxdbr0</code>  ||  MinIO Object Storage              || <code>sudo ufw allow 9800:9801/tcp</code>
|-
!scope="col" colspan="5"| Allow » Special
|-
!scope="col"| Name !!scope="col"| Allow
|rowspan="6"|
!scope="col"| Name !!scope="col"| Allow
|-
| OpenVPN                          || <code>sudo ufw allow 1194/udp</code>              || GitLab                            || <code>sudo ufw allow 1080/tcp</code>
|-
| MongoDB                          || <code>sudo ufw allow 27017/tcp</code>            || Git                                || <code>sudo ufw allow 9418/tcp</code>
|-
| HTTPS                            || <code>sudo ufw allow 443/tcp</code>              || SMTP                              || <code>sudo ufw allow 25/tcp</code>
|-
| Email Submission                  || <code>sudo ufw allow 587/tcp</code>              || SMTPS                              || <code>sudo ufw allow 465/tcp</code>
|-
| HTTP ALT                          || <code>sudo ufw allow 8000/tcp</code>              || SMTP RAP                          || <code>sudo ufw allow 162/tcp</code>
|}
|}


Line 53: Line 112:
sudo ufw delete allow 9000:9010/tcp
sudo ufw delete allow 9000:9010/tcp
sudo ufw delete allow 3306/tcp
sudo ufw delete allow 3306/tcp
</syntaxhighlight>
|}
==Verify==
{|
| valign="top" |
'''UFW » Allowed » Ports'''
<syntaxhighlight lang="bash">
REMOTE_HOST="cid.chorke.org";\
REMOTE_PORTS="22 25 80 162 443 465 587";\
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \
printf "\033[1;32mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done
</syntaxhighlight>
| valign="top" |
'''UFW » Denied » Ports'''
<syntaxhighlight lang="bash">
REMOTE_HOST="cid.chorke.org";\
REMOTE_PORTS="3306 4321 5432 5900 8080";\
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \
printf "\033[1;31mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done
</syntaxhighlight>
</syntaxhighlight>


Line 118: Line 201:


sudo nmap -sU -sT -p U:1194,T:22,53,443 vpn.shahed.biz
sudo nmap -sU -sT -p U:1194,T:22,53,443 vpn.shahed.biz
sudo ufw --dry-run allow https
sudo ufw --dry-run allow http
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|valign='top'|
<syntaxhighlight lang="bash">
journalctl -xeu mongod.service
systemctl daemon-reload
journalctl -xe|less
journalctl -xe|tail
journalctl -xe
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
sudo ufw app info 'Apache Secure'
sudo ufw app info 'Apache Full'
sudo ufw app info 'Apache'
sudo ufw app info OpenSSH
sudo ufw app info CUPS
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
cat /etc/ufw/applications.d/apache2-utils.ufw.profile
cat /etc/ufw/applications.d/openssh-server
cat /etc/ufw/applications.d/cups
ls -alh /etc/ufw/applications.d/
sudo ufw app list
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|valign='top' colspan='2'|
<syntaxhighlight lang="bash">
sudo ufw allow from 10.19.83.110 to any app OpenSSH
sudo ufw allow from 10.19.83.110 to any port 22/tcp
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
sudo ufw delete allow from 10.19.83.110 to any app OpenSSH
sudo ufw delete allow from 10.19.83.110 to any port 22/tcp
</syntaxhighlight>
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|colspan='2'|
<syntaxhighlight lang="bash">
sudo su
cat << EXE | sudo bash
systemctl status ufw
ufw enable
ufw allow 22/tcp
ufw allow 25/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 8000/tcp
ufw allow 67/udp
ufw allow 68/udp
ufw allow 162/udp
ufw allow from 10.19.83.1 to any port 22 proto tcp
ufw status numbered
systemctl status ufw
EXE
</syntaxhighlight>
|valign='top'|
|-
|colspan='3'|
----
|-
|valign='top'|
|valign='top'|
|valign='top'|


|}
|}
Line 125: Line 300:
{|
{|
| valign="top" |
| valign="top" |
* [https://askubuntu.com/questions/996340/ UFW » Restrict SSH & FTP to certain IP]
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-22-04 UFW » Set Up on Ubuntu 22.04]
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-22-04 UFW » Set Up on Ubuntu 22.04]
* [https://askubuntu.com/questions/409013/ UFW » Create an App Profile]
* [https://ubuntu.com/server/docs/firewalls UFW » Firewalls]
* [https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29 UFW]
* [https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29 UFW]


Line 162: Line 340:
| valign="top" |
| valign="top" |
* [[K8s/CSI Hostpath Driver|K8s » CSI Hostpath Driver]]
* [[K8s/CSI Hostpath Driver|K8s » CSI Hostpath Driver]]
* [[Linux User Creation]]
* [[IPTables]]
* [[CIDR]]
* [[Port]]


|}
|}

Latest revision as of 20:56, 20 December 2024

cat <<-'EXE'|sudo bash
apt-get update;echo
apt list -a --upgradable
apt-get install -y ufw nmap telnet
EXE

App

cat << INI | sudo tee /etc/ufw/applications.d/chorke >/dev/null
[Chorke]
title=Chorke Academia, Inc.
description=Chorke Academia, Inc. App
ports=1983/tcp
INI
cat /etc/ufw/applications.d/chorke
ls -lah /etc/ufw/applications.d/

sudo ufw app update Chorke
sudo ufw app info Chorke
sudo ufw app list

sudo ufw allow from 10.19.83.10 to any app Chorke
sudo ufw allow  Chorke
sudo ufw status verbose
sudo ufw delete allow from 10.19.83.10 to any app Chorke
sudo ufw delete allow Chorke
sudo ufw status numbered

Allow

Allow » Basic
Name Allow Name Allow
HTTP sudo ufw allow http RDP sudo ufw allow 5900/tcp
OpenSSH sudo ufw allow OpenSSH MySQL sudo ufw allow 3306/tcp
LXD Bridge sudo ufw allow in on lxdbr0 PostgreSQL sudo ufw allow 5432/tcp
LXD Bridge sudo ufw route allow in on lxdbr0 Micro Services sudo ufw allow 9000:9010/tcp
LXD Bridge sudo ufw route allow out on lxdbr0 MinIO Object Storage sudo ufw allow 9800:9801/tcp
Allow » Special
Name Allow Name Allow
OpenVPN sudo ufw allow 1194/udp GitLab sudo ufw allow 1080/tcp
MongoDB sudo ufw allow 27017/tcp Git sudo ufw allow 9418/tcp
HTTPS sudo ufw allow 443/tcp SMTP sudo ufw allow 25/tcp
Email Submission sudo ufw allow 587/tcp SMTPS sudo ufw allow 465/tcp
HTTP ALT sudo ufw allow 8000/tcp SMTP RAP sudo ufw allow 162/tcp

Allow » Minikube » Bridge

MINIKUBE_BRIDGE="br-$(docker network ls -fname=minikube --format=json|jq -r '.ID')"
sudo ufw allow in on ${MINIKUBE_BRIDGE}
sudo ufw status numbered

Status

sudo systemctl status ufw
sudo ufw status verbose
sudo ufw enable
sudo ufw delete allow 3306
sudo ufw status numbered
sudo ufw delete N
sudo ufw delete allow 9800:9801/tcp
sudo ufw delete allow 9000:9010/tcp
sudo ufw delete allow 3306/tcp

Verify

UFW » Allowed » Ports

REMOTE_HOST="cid.chorke.org";\
REMOTE_PORTS="22 25 80 162 443 465 587";\
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \
printf "\033[1;32mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done

UFW » Denied » Ports

REMOTE_HOST="cid.chorke.org";\
REMOTE_PORTS="3306 4321 5432 5900 8080";\
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \
printf "\033[1;31mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done

Playground

netstat -uap|grep nginx
apt list --installed
sudo ufw status
netstat -lpn
netstat -a
sudo ss -tulpn | grep LISTEN | grep resolve
sudo ss -tulpn | grep LISTEN | grep minio
sudo ss -tulpn | grep LISTEN | grep sshd
sudo ss -tulwn | grep LISTEN
sudo ss -tulpn | grep LISTEN
sudo lsof -i -P -n | grep LISTEN
sudo ss -tulpn     | grep LISTEN
sudo ufw allow 'Nginx HTTP'
sudo ufw app list
sudo ufw status

sudo systemctl status ufw
sudo apt-get install gufw
sudo ufw status numbered
sudo ufw status verbose
sudo ufw disable
sudo ufw enable
sudo ufw status
nc -uv vpn.shahed.biz 1194   # udp
nc -tv vpn.shahed.biz 80     # tcp
nc -tv vpn.shahed.biz 53     # tcp
sudo nmap -sT localhost      # tcp
sudo nmap -sU localhost      # udp
nc -uv localhost 1194        # udp
nc -tv localhost 80          # tcp
sudo -i -u minikube
echo $(ip r g $(minikube ip)|awk '{print $3}'|head -n1)

sudo nmap -sU -sT -p U:1194,T:22,53,443 vpn.shahed.biz

sudo ufw --dry-run allow https
sudo ufw --dry-run allow http

journalctl -xeu mongod.service
systemctl daemon-reload
journalctl -xe|less
journalctl -xe|tail
journalctl -xe
sudo ufw app info 'Apache Secure'
sudo ufw app info 'Apache Full'
sudo ufw app info 'Apache'
sudo ufw app info OpenSSH
sudo ufw app info CUPS
cat /etc/ufw/applications.d/apache2-utils.ufw.profile
cat /etc/ufw/applications.d/openssh-server
cat /etc/ufw/applications.d/cups 
ls -alh /etc/ufw/applications.d/
sudo ufw app list

sudo ufw allow from 10.19.83.110 to any app OpenSSH
sudo ufw allow from 10.19.83.110 to any port 22/tcp
sudo ufw delete allow from 10.19.83.110 to any app OpenSSH
sudo ufw delete allow from 10.19.83.110 to any port 22/tcp

ssh -qt [email protected] ssh -qt [email protected] bash
sudo su

cat << EXE | sudo bash
systemctl status ufw 
ufw enable

ufw allow 22/tcp
ufw allow 25/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 8000/tcp

ufw allow 67/udp
ufw allow 68/udp
ufw allow 162/udp

ufw allow from 10.19.83.1 to any port 22 proto tcp

ufw status numbered
systemctl status ufw 
EXE

References