UFW: Difference between revisions
Jump to navigation
Jump to search
(19 intermediate revisions by the same user not shown) | |||
Line 6: | Line 6: | ||
EXE | EXE | ||
</syntaxhighlight> | </syntaxhighlight> | ||
==App== | |||
{| | |||
|valign='top'| | |||
<syntaxhighlight lang="ini"> | |||
cat << INI | sudo tee /etc/ufw/applications.d/chorke >/dev/null | |||
[Chorke] | |||
title=Chorke Academia, Inc. | |||
description=Chorke Academia, Inc. App | |||
ports=1983/tcp | |||
INI | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
cat /etc/ufw/applications.d/chorke | |||
ls -lah /etc/ufw/applications.d/ | |||
sudo ufw app update Chorke | |||
sudo ufw app info Chorke | |||
sudo ufw app list | |||
</syntaxhighlight> | |||
|- | |||
|colspan='3'| | |||
---- | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo ufw allow from 10.19.83.10 to any app Chorke | |||
sudo ufw allow Chorke | |||
sudo ufw status verbose | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo ufw delete allow from 10.19.83.10 to any app Chorke | |||
sudo ufw delete allow Chorke | |||
sudo ufw status numbered | |||
</syntaxhighlight> | |||
|} | |||
==Allow== | ==Allow== | ||
Line 38: | Line 80: | ||
|- | |- | ||
| Email Submission || <code>sudo ufw allow 587/tcp</code> || SMTPS || <code>sudo ufw allow 465/tcp</code> | | Email Submission || <code>sudo ufw allow 587/tcp</code> || SMTPS || <code>sudo ufw allow 465/tcp</code> | ||
|- | |||
| HTTP ALT || <code>sudo ufw allow 8000/tcp</code> || SMTP RAP || <code>sudo ufw allow 162/tcp</code> | |||
|} | |} | ||
Line 68: | Line 112: | ||
sudo ufw delete allow 9000:9010/tcp | sudo ufw delete allow 9000:9010/tcp | ||
sudo ufw delete allow 3306/tcp | sudo ufw delete allow 3306/tcp | ||
</syntaxhighlight> | |||
|} | |||
==Verify== | |||
{| | |||
| valign="top" | | |||
'''UFW » Allowed » Ports''' | |||
<syntaxhighlight lang="bash"> | |||
REMOTE_HOST="cid.chorke.org";\ | |||
REMOTE_PORTS="22 25 80 162 443 465 587";\ | |||
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \ | |||
printf "\033[1;32mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\ | |||
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done | |||
</syntaxhighlight> | |||
| valign="top" | | |||
'''UFW » Denied » Ports''' | |||
<syntaxhighlight lang="bash"> | |||
REMOTE_HOST="cid.chorke.org";\ | |||
REMOTE_PORTS="3306 4321 5432 5900 8080";\ | |||
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \ | |||
printf "\033[1;31mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\ | |||
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done | |||
</syntaxhighlight> | </syntaxhighlight> | ||
Line 150: | Line 218: | ||
journalctl -xe | journalctl -xe | ||
</syntaxhighlight> | </syntaxhighlight> | ||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo ufw app info 'Apache Secure' | |||
sudo ufw app info 'Apache Full' | |||
sudo ufw app info 'Apache' | |||
sudo ufw app info OpenSSH | |||
sudo ufw app info CUPS | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
cat /etc/ufw/applications.d/apache2-utils.ufw.profile | |||
cat /etc/ufw/applications.d/openssh-server | |||
cat /etc/ufw/applications.d/cups | |||
ls -alh /etc/ufw/applications.d/ | |||
sudo ufw app list | |||
</syntaxhighlight> | |||
|- | |||
|colspan='3'| | |||
---- | |||
|- | |||
|valign='top' colspan='2'| | |||
<syntaxhighlight lang="bash"> | |||
sudo ufw allow from 10.19.83.110 to any app OpenSSH | |||
sudo ufw allow from 10.19.83.110 to any port 22/tcp | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo ufw delete allow from 10.19.83.110 to any app OpenSSH | |||
sudo ufw delete allow from 10.19.83.110 to any port 22/tcp | |||
</syntaxhighlight> | |||
|- | |||
|colspan='3'| | |||
---- | |||
|- | |||
|colspan='2'| | |||
<syntaxhighlight lang="bash"> | |||
ssh -qt [email protected] ssh -qt [email protected] bash | |||
sudo su | |||
cat << EXE | sudo bash | |||
systemctl status ufw | |||
ufw enable | |||
ufw allow 22/tcp | |||
ufw allow 25/tcp | |||
ufw allow 80/tcp | |||
ufw allow 443/tcp | |||
ufw allow 8000/tcp | |||
ufw allow 67/udp | |||
ufw allow 68/udp | |||
ufw allow 162/udp | |||
ufw allow from 10.19.83.1 to any port 22 proto tcp | |||
ufw status numbered | |||
systemctl status ufw | |||
EXE | |||
</syntaxhighlight> | |||
|valign='top'| | |||
|- | |||
|colspan='3'| | |||
---- | |||
|- | |||
|valign='top'| | |||
|valign='top'| | |valign='top'| | ||
Line 162: | Line 302: | ||
* [https://askubuntu.com/questions/996340/ UFW » Restrict SSH & FTP to certain IP] | * [https://askubuntu.com/questions/996340/ UFW » Restrict SSH & FTP to certain IP] | ||
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-22-04 UFW » Set Up on Ubuntu 22.04] | * [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-22-04 UFW » Set Up on Ubuntu 22.04] | ||
* [https://askubuntu.com/questions/409013/ UFW » Create an App Profile] | |||
* [https://ubuntu.com/server/docs/firewalls UFW » Firewalls] | * [https://ubuntu.com/server/docs/firewalls UFW » Firewalls] | ||
* [https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29 UFW] | * [https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29 UFW] | ||
Line 199: | Line 340: | ||
| valign="top" | | | valign="top" | | ||
* [[K8s/CSI Hostpath Driver|K8s » CSI Hostpath Driver]] | * [[K8s/CSI Hostpath Driver|K8s » CSI Hostpath Driver]] | ||
* [[Linux User Creation]] | |||
* [[IPTables]] | |||
* [[CIDR]] | * [[CIDR]] | ||
* [[Port]] | * [[Port]] | ||
|} | |} |
Latest revision as of 20:56, 20 December 2024
cat <<-'EXE'|sudo bash
apt-get update;echo
apt list -a --upgradable
apt-get install -y ufw nmap telnet
EXE
App
cat << INI | sudo tee /etc/ufw/applications.d/chorke >/dev/null
[Chorke]
title=Chorke Academia, Inc.
description=Chorke Academia, Inc. App
ports=1983/tcp
INI
|
cat /etc/ufw/applications.d/chorke
ls -lah /etc/ufw/applications.d/
sudo ufw app update Chorke
sudo ufw app info Chorke
sudo ufw app list
| |
| ||
sudo ufw allow from 10.19.83.10 to any app Chorke
sudo ufw allow Chorke
sudo ufw status verbose
|
sudo ufw delete allow from 10.19.83.10 to any app Chorke
sudo ufw delete allow Chorke
sudo ufw status numbered
|
Allow
Allow » Basic | ||||
---|---|---|---|---|
Name | Allow | Name | Allow | |
HTTP | sudo ufw allow http |
RDP | sudo ufw allow 5900/tcp
| |
OpenSSH | sudo ufw allow OpenSSH |
MySQL | sudo ufw allow 3306/tcp
| |
LXD Bridge | sudo ufw allow in on lxdbr0 |
PostgreSQL | sudo ufw allow 5432/tcp
| |
LXD Bridge | sudo ufw route allow in on lxdbr0 |
Micro Services | sudo ufw allow 9000:9010/tcp
| |
LXD Bridge | sudo ufw route allow out on lxdbr0 |
MinIO Object Storage | sudo ufw allow 9800:9801/tcp
| |
Allow » Special | ||||
Name | Allow | Name | Allow | |
OpenVPN | sudo ufw allow 1194/udp |
GitLab | sudo ufw allow 1080/tcp
| |
MongoDB | sudo ufw allow 27017/tcp |
Git | sudo ufw allow 9418/tcp
| |
HTTPS | sudo ufw allow 443/tcp |
SMTP | sudo ufw allow 25/tcp
| |
Email Submission | sudo ufw allow 587/tcp |
SMTPS | sudo ufw allow 465/tcp
| |
HTTP ALT | sudo ufw allow 8000/tcp |
SMTP RAP | sudo ufw allow 162/tcp
|
Allow » Minikube » Bridge
MINIKUBE_BRIDGE="br-$(docker network ls -fname=minikube --format=json|jq -r '.ID')"
sudo ufw allow in on ${MINIKUBE_BRIDGE}
sudo ufw status numbered
Status
sudo systemctl status ufw
sudo ufw status verbose
sudo ufw enable
|
sudo ufw delete allow 3306
sudo ufw status numbered
sudo ufw delete N
|
sudo ufw delete allow 9800:9801/tcp
sudo ufw delete allow 9000:9010/tcp
sudo ufw delete allow 3306/tcp
|
Verify
UFW » Allowed » Ports REMOTE_HOST="cid.chorke.org";\
REMOTE_PORTS="22 25 80 162 443 465 587";\
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \
printf "\033[1;32mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done
|
UFW » Denied » Ports REMOTE_HOST="cid.chorke.org";\
REMOTE_PORTS="3306 4321 5432 5900 8080";\
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \
printf "\033[1;31mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done
|
Playground
netstat -uap|grep nginx
apt list --installed
sudo ufw status
netstat -lpn
netstat -a
|
sudo ss -tulpn | grep LISTEN | grep resolve
sudo ss -tulpn | grep LISTEN | grep minio
sudo ss -tulpn | grep LISTEN | grep sshd
sudo ss -tulwn | grep LISTEN
sudo ss -tulpn | grep LISTEN
|
sudo lsof -i -P -n | grep LISTEN
sudo ss -tulpn | grep LISTEN
sudo ufw allow 'Nginx HTTP'
sudo ufw app list
sudo ufw status
|
| ||
sudo systemctl status ufw
sudo apt-get install gufw
sudo ufw status numbered
sudo ufw status verbose
sudo ufw disable
sudo ufw enable
sudo ufw status
|
nc -uv vpn.shahed.biz 1194 # udp
nc -tv vpn.shahed.biz 80 # tcp
nc -tv vpn.shahed.biz 53 # tcp
sudo nmap -sT localhost # tcp
sudo nmap -sU localhost # udp
nc -uv localhost 1194 # udp
nc -tv localhost 80 # tcp
|
sudo -i -u minikube
echo $(ip r g $(minikube ip)|awk '{print $3}'|head -n1)
sudo nmap -sU -sT -p U:1194,T:22,53,443 vpn.shahed.biz
sudo ufw --dry-run allow https
sudo ufw --dry-run allow http
|
| ||
journalctl -xeu mongod.service
systemctl daemon-reload
journalctl -xe|less
journalctl -xe|tail
journalctl -xe
|
sudo ufw app info 'Apache Secure'
sudo ufw app info 'Apache Full'
sudo ufw app info 'Apache'
sudo ufw app info OpenSSH
sudo ufw app info CUPS
|
cat /etc/ufw/applications.d/apache2-utils.ufw.profile
cat /etc/ufw/applications.d/openssh-server
cat /etc/ufw/applications.d/cups
ls -alh /etc/ufw/applications.d/
sudo ufw app list
|
| ||
sudo ufw allow from 10.19.83.110 to any app OpenSSH
sudo ufw allow from 10.19.83.110 to any port 22/tcp
|
sudo ufw delete allow from 10.19.83.110 to any app OpenSSH
sudo ufw delete allow from 10.19.83.110 to any port 22/tcp
| |
| ||
ssh -qt [email protected] ssh -qt [email protected] bash
sudo su
cat << EXE | sudo bash
systemctl status ufw
ufw enable
ufw allow 22/tcp
ufw allow 25/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 8000/tcp
ufw allow 67/udp
ufw allow 68/udp
ufw allow 162/udp
ufw allow from 10.19.83.1 to any port 22 proto tcp
ufw status numbered
systemctl status ufw
EXE
|
||
| ||
References
| ||