Ufw

From Gentoo Wiki
Ufw (Uncomplicated Firewall) is designed to be as simple as possible to set up. It uses logs such as those produced by syslog-ng for monitoring, and uses iptables as its back end. Ufw supports both IPv4 and IPv6.

Installation

Kernel

The following kernel options must be enabled before ufw will work.

Note
The kernel configuration from the iptables wiki page must also be applied on top of these options.
KERNEL IPv4 settings
[*] Networking support  --->
        Networking options  --->
            [*] Network packet filtering framework (Netfilter)  --->
                Core Netfilter Configuration  --->
                    <M>   NetBIOS name service protocol support

IPv6 support is not required, but it is highly recommended.

KERNEL IPv6 settings
[*] Networking support  --->
        Networking options  --->
            [*] Network packet filtering framework (Netfilter)  --->
                [*] Advanced netfilter configuration
                IPv6: Netfilter Configuration  --->
                    <M>   "rt" Routing header match support
                    <M>   "HL" hoplimit target support

USE flags

USE flags for net-firewall/ufw (A program used to manage a netfilter firewall)

examples    Example ufw config files
ipv6        IPv6 support for iptables

Emerge

root #emerge --ask ufw

Service

To allow SSH connections:

root #ufw allow ssh
Important
Incoming SSH is blocked by default. Add this rule before enabling ufw on a machine you administer remotely, or the session will be cut off.

OpenRC

To start ufw at boot:

root #rc-update add ufw default

To start ufw immediately:

root #rc-service ufw start

systemd

To start ufw at boot:

root #systemctl enable ufw

To start ufw immediately:

root #systemctl start ufw

Configuration

To create a simple configuration, run:

root #ufw default deny
root #ufw allow from 192.168.0.0/24
root #ufw allow <application-name>

To get a list of possible applications to add, run:

root #ufw app list

Then replace <application-name> with the name of the desired application. For example, to allow incoming Deluge traffic:

root #ufw allow Deluge

Next run

root #ufw enable

The last step is only required the first time, after installing the package.

After changing the rules, reload the firewall:

root #ufw reload

Specific use-cases and applications follow:

KDE Connect

To allow KDE Connect to work on the local network (192.168.0.x), ports 1714 through 1764 have to be opened for both UDP and TCP.

root #ufw allow proto udp from 192.168.0.0/24 to any port 1714:1764
root #ufw allow proto tcp from 192.168.0.0/24 to any port 1714:1764
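The configuration steps above (default deny, LAN allow, SSH, enable) and the KDE Connect rule, collected into one script as an added example that is not from the Gentoo wiki or the ufw project. It assumes ufw is installed; UFW_CMD, LAN, valid_cidr and ufw_baseline are names chosen here, the 192.168.0.0/24 prefix and port range come from this page, and `--force enable` is ufw's own flag for skipping the confirmation prompt.

```shell
#!/bin/sh
# Constructed example (not from the Gentoo wiki): apply this page's baseline
# ruleset in one script. UFW_CMD defaults to ufw; set it to "echo" for a
# dry run on a machine where ufw is not installed.
UFW_CMD="${UFW_CMD:-ufw}"
LAN="${LAN:-192.168.0.0/24}"   # the local network used on this page

# Return 0 if $1 is a valid IPv4 CIDR (four octets 0-255, prefix 0-32).
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip="${1%/*}"; prefix="${1#*/}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Apply the rules from this page for the LAN prefix in $1. SSH is allowed
# before the firewall is enabled so a remote session is not cut off; the
# KDE Connect range is opened for UDP and TCP from the LAN only.
ufw_baseline() {
  lan="$1"
  valid_cidr "$lan" || { echo "ufw_baseline: invalid CIDR '$lan'" >&2; return 1; }
  $UFW_CMD default deny incoming     # "ufw default deny" on the page
  $UFW_CMD allow ssh
  $UFW_CMD allow from "$lan"
  for proto in udp tcp; do
    $UFW_CMD allow proto "$proto" from "$lan" to any port 1714:1764
  done
  $UFW_CMD --force enable            # --force skips the interactive prompt
}

# Usage: sh ufw-baseline.sh apply | dry-run
case "${1:-}" in
  apply)   ufw_baseline "$LAN" ;;
  dry-run) UFW_CMD=echo; ufw_baseline "$LAN" ;;
esac
```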

External Resources