UFW: Difference between revisions

From Chorke Wiki
Jump to navigation Jump to search
No edit summary
 
(13 intermediate revisions by the same user not shown)
Line 28: Line 28:
sudo ufw app list
sudo ufw app list
</syntaxhighlight>
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|valign='top'|
<syntaxhighlight lang="bash">
sudo ufw allow from 10.19.83.10 to any app Chorke
sudo ufw allow  Chorke
sudo ufw status verbose
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
sudo ufw delete allow from 10.19.83.10 to any app Chorke
sudo ufw delete allow Chorke
sudo ufw status numbered
</syntaxhighlight>
|}
|}


Line 61: Line 80:
|-
|-
| Email Submission                  || <code>sudo ufw allow 587/tcp</code>              || SMTPS                              || <code>sudo ufw allow 465/tcp</code>
| Email Submission                  || <code>sudo ufw allow 587/tcp</code>              || SMTPS                              || <code>sudo ufw allow 465/tcp</code>
|-
| HTTP ALT                          || <code>sudo ufw allow 8000/tcp</code>              || SMTP RAP                          || <code>sudo ufw allow 162/tcp</code>
|}
|}


Line 91: Line 112:
sudo ufw delete allow 9000:9010/tcp
sudo ufw delete allow 9000:9010/tcp
sudo ufw delete allow 3306/tcp
sudo ufw delete allow 3306/tcp
</syntaxhighlight>
|}
==Verify==
{|
| valign="top" |
'''UFW » Allowed » Ports'''
<syntaxhighlight lang="bash">
REMOTE_HOST="cid.chorke.org";\
REMOTE_PORTS="22 25 80 162 443 465 587";\
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \
printf "\033[1;32mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done
</syntaxhighlight>
| valign="top" |
'''UFW » Denied » Ports'''
<syntaxhighlight lang="bash">
REMOTE_HOST="cid.chorke.org";\
REMOTE_PORTS="3306 4321 5432 5900 8080";\
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \
printf "\033[1;31mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done
</syntaxhighlight>
</syntaxhighlight>


Line 196: Line 241:
----
----
|-
|-
|valign='top' colspan='2'|
<syntaxhighlight lang="bash">
sudo ufw allow from 10.19.83.110 to any app OpenSSH
sudo ufw allow from 10.19.83.110 to any port 22/tcp
</syntaxhighlight>
|valign='top'|
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo ufw allow from 10.19.83.10 to any app Chorke
sudo ufw delete allow from 10.19.83.110 to any app OpenSSH
sudo ufw delete allow from 10.19.83.110 to any port 22/tcp
</syntaxhighlight>
 
|-
|colspan='3'|
----
|-
|colspan='2'|
<syntaxhighlight lang="bash">
sudo su
 
cat << EXE | sudo bash
systemctl status ufw
ufw enable
 
ufw allow 22/tcp
ufw allow 25/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 8000/tcp
 
ufw allow 67/udp
ufw allow 68/udp
ufw allow 162/udp


ufw allow from 10.19.83.1 to any port 22 proto tcp


sudo ufw allow Chorke
ufw status numbered
sudo ufw delete allow Chorke
systemctl status ufw  
EXE
</syntaxhighlight>
</syntaxhighlight>
|valign='top'|
|-
|colspan='3'|
----
|-
|valign='top'|


|valign='top'|
|valign='top'|
Line 216: Line 302:
* [https://askubuntu.com/questions/996340/ UFW » Restrict SSH & FTP to certain IP]
* [https://askubuntu.com/questions/996340/ UFW » Restrict SSH & FTP to certain IP]
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-22-04 UFW » Set Up on Ubuntu 22.04]
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-22-04 UFW » Set Up on Ubuntu 22.04]
* [https://askubuntu.com/questions/409013/ UFW » Create an App Profile]
* [https://ubuntu.com/server/docs/firewalls UFW » Firewalls]
* [https://ubuntu.com/server/docs/firewalls UFW » Firewalls]
* [https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29 UFW]
* [https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29 UFW]
Line 253: Line 340:
| valign="top" |
| valign="top" |
* [[K8s/CSI Hostpath Driver|K8s » CSI Hostpath Driver]]
* [[K8s/CSI Hostpath Driver|K8s » CSI Hostpath Driver]]
* [[Linux User Creation]]
* [[IPTables]]
* [[CIDR]]
* [[CIDR]]
* [[Port]]
* [[Port]]


|}
|}

Latest revision as of 20:56, 20 December 2024

cat <<-'EXE'|sudo bash
apt-get update;echo
apt list -a --upgradable
apt-get install -y ufw nmap telnet
EXE

App

cat << INI | sudo tee /etc/ufw/applications.d/chorke >/dev/null
[Chorke]
title=Chorke Academia, Inc.
description=Chorke Academia, Inc. App
ports=1983/tcp
INI
cat /etc/ufw/applications.d/chorke
ls -lah /etc/ufw/applications.d/

sudo ufw app update Chorke
sudo ufw app info Chorke
sudo ufw app list

sudo ufw allow from 10.19.83.10 to any app Chorke
sudo ufw allow  Chorke
sudo ufw status verbose
sudo ufw delete allow from 10.19.83.10 to any app Chorke
sudo ufw delete allow Chorke
sudo ufw status numbered

Allow

Allow » Basic
Name Allow Name Allow
HTTP sudo ufw allow http RDP sudo ufw allow 5900/tcp
OpenSSH sudo ufw allow OpenSSH MySQL sudo ufw allow 3306/tcp
LXD Bridge sudo ufw allow in on lxdbr0 PostgreSQL sudo ufw allow 5432/tcp
LXD Bridge sudo ufw route allow in on lxdbr0 Micro Services sudo ufw allow 9000:9010/tcp
LXD Bridge sudo ufw route allow out on lxdbr0 MinIO Object Storage sudo ufw allow 9800:9801/tcp
Allow » Special
Name Allow Name Allow
OpenVPN sudo ufw allow 1194/udp GitLab sudo ufw allow 1080/tcp
MongoDB sudo ufw allow 27017/tcp Git sudo ufw allow 9418/tcp
HTTPS sudo ufw allow 443/tcp SMTP sudo ufw allow 25/tcp
Email Submission sudo ufw allow 587/tcp SMTPS sudo ufw allow 465/tcp
HTTP ALT sudo ufw allow 8000/tcp SMTP RAP sudo ufw allow 162/tcp

Allow » Minikube » Bridge

MINIKUBE_BRIDGE="br-$(docker network ls -fname=minikube --format=json|jq -r '.ID')"
sudo ufw allow in on ${MINIKUBE_BRIDGE}
sudo ufw status numbered

Status

sudo systemctl status ufw
sudo ufw status verbose
sudo ufw enable
sudo ufw delete allow 3306
sudo ufw status numbered
sudo ufw delete N
sudo ufw delete allow 9800:9801/tcp
sudo ufw delete allow 9000:9010/tcp
sudo ufw delete allow 3306/tcp

Verify

UFW » Allowed » Ports

REMOTE_HOST="cid.chorke.org";\
REMOTE_PORTS="22 25 80 162 443 465 587";\
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \
printf "\033[1;32mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done

UFW » Denied » Ports

REMOTE_HOST="cid.chorke.org";\
REMOTE_PORTS="3306 4321 5432 5900 8080";\
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \
printf "\033[1;31mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done

Playground

netstat -uap|grep nginx
apt list --installed
sudo ufw status
netstat -lpn
netstat -a
sudo ss -tulpn | grep LISTEN | grep resolve
sudo ss -tulpn | grep LISTEN | grep minio
sudo ss -tulpn | grep LISTEN | grep sshd
sudo ss -tulwn | grep LISTEN
sudo ss -tulpn | grep LISTEN
sudo lsof -i -P -n | grep LISTEN
sudo ss -tulpn     | grep LISTEN
sudo ufw allow 'Nginx HTTP'
sudo ufw app list
sudo ufw status

sudo systemctl status ufw
sudo apt-get install gufw
sudo ufw status numbered
sudo ufw status verbose
sudo ufw disable
sudo ufw enable
sudo ufw status
nc -uv vpn.shahed.biz 1194   # udp
nc -tv vpn.shahed.biz 80     # tcp
nc -tv vpn.shahed.biz 53     # tcp
sudo nmap -sT localhost      # tcp
sudo nmap -sU localhost      # udp
nc -uv localhost 1194        # udp
nc -tv localhost 80          # tcp
sudo -i -u minikube
echo $(ip r g $(minikube ip)|awk '{print $3}'|head -n1)

sudo nmap -sU -sT -p U:1194,T:22,53,443 vpn.shahed.biz

sudo ufw --dry-run allow https
sudo ufw --dry-run allow http

journalctl -xeu mongod.service
systemctl daemon-reload
journalctl -xe|less
journalctl -xe|tail
journalctl -xe
sudo ufw app info 'Apache Secure'
sudo ufw app info 'Apache Full'
sudo ufw app info 'Apache'
sudo ufw app info OpenSSH
sudo ufw app info CUPS
cat /etc/ufw/applications.d/apache2-utils.ufw.profile
cat /etc/ufw/applications.d/openssh-server
cat /etc/ufw/applications.d/cups 
ls -alh /etc/ufw/applications.d/
sudo ufw app list

sudo ufw allow from 10.19.83.110 to any app OpenSSH
sudo ufw allow from 10.19.83.110 to any port 22/tcp
sudo ufw delete allow from 10.19.83.110 to any app OpenSSH
sudo ufw delete allow from 10.19.83.110 to any port 22/tcp

ssh -qt [email protected] ssh -qt [email protected] bash
sudo su

cat << EXE | sudo bash
systemctl status ufw 
ufw enable

ufw allow 22/tcp
ufw allow 25/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 8000/tcp

ufw allow 67/udp
ufw allow 68/udp
ufw allow 162/udp

ufw allow from 10.19.83.1 to any port 22 proto tcp

ufw status numbered
systemctl status ufw 
EXE

References