Ufw

From Gentoo Wiki

Ufw is the uncomplicated firewall, designed to be simple to implement. It uses logs such as those obtained by syslog-ng for monitoring and uses iptables as its back end. Ufw supports both IPv4 and IPv6.

Installation

Kernel

The following kernel configuration must be made before ufw will work.

Note
The kernel options described on the iptables wiki page must also be enabled in addition to the ones below.
KERNEL IPv4 settings
[*] Networking support  --->
        Networking options  --->
            [*] Network packet filtering framework (Netfilter)  --->
                Core Netfilter Configuration  --->
                    <M>   NetBIOS name service protocol support

IP version 6 is not required, however it is highly recommended.

KERNEL IPv6 settings
[*] Networking support  --->
        Networking options  --->
            [*] Network packet filtering framework (Netfilter)  --->
                [*] Advanced netfilter configuration
                IPv6: Netfilter Configuration  --->
                    <M>   "rt" Routing header match support
                    <M>   "HL" hoplimit target support

USE flags

USE flags for net-firewall/ufw (A program used to manage a netfilter firewall)

examples Example ufw config files
ipv6 IPv6 support for iptables

Emerge

root #emerge --ask ufw

Service

To allow ssh by default:

root #ufw allow ssh
Important
SSH access is blocked by default.
Note
This is a workaround for bug #871747.

If you get the warning "ERROR: problem running", this can be solved by installing dev-python/pip:

root #emerge --ask dev-python/pip

OpenRC

To start ufw at boot:

root #rc-update add ufw default

To start ufw immediately:

root #rc-service ufw start

systemd

To start ufw at boot:

root #systemctl enable ufw

To start ufw immediately:

root #systemctl start ufw

Configuration

To create a simple configuration, run:

root #ufw default deny incoming
root #ufw allow from 192.168.0.0/24
root #ufw allow <application-name>

To get a list of possible applications to add, run:

root #ufw app list

Then replace <application-name> with the name of the desired application. For example, to allow incoming Deluge traffic:

root #ufw allow Deluge

Next, run:

root #ufw enable

This last step is only required the first time the package is installed.

After changing the rules, reload the firewall:

root #ufw reload
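The baseline from this section, wrapped in one idempotent script (an added example, not code from the wiki or the ufw project): it validates the LAN prefix before using it in an allow rule, only adds application profiles that ufw app list actually reports, and runs ufw enable only while the firewall is still inactive, falling back to ufw reload otherwise. UFW_BIN, LAN, APPS, valid_cidr, app_known and apply_baseline are names chosen here; the defaults are the page's sample values.

```shell
#!/bin/sh
# Added example (not wiki or ufw code): apply the page's baseline policy idempotently.
# UFW_BIN, LAN and APPS are names chosen here; point UFW_BIN at an echo stub to preview.
set -eu
UFW_BIN="${UFW_BIN:-ufw}"
LAN="${LAN:-192.168.0.0/24}"   # the page's sample LAN prefix (IPv4 only)
APPS="${APPS:-Deluge}"         # space-separated ufw application profiles

# Accept only dotted IPv4 with a /0-32 prefix, so a typo cannot silently
# widen "allow from" beyond the intended subnet.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip="${1%/*}"; pfx="${1#*/}"
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# True when `ufw app list` reports the profile (names are indented two spaces).
app_known() { "$UFW_BIN" app list | grep -qx "  $1"; }

apply_baseline() {
    valid_cidr "$LAN" || { echo "refusing bad LAN prefix: $LAN" >&2; return 1; }
    "$UFW_BIN" default deny incoming
    "$UFW_BIN" allow ssh                 # keep remote access before locking down
    "$UFW_BIN" allow from "$LAN"
    for app in $APPS; do
        if app_known "$app"; then "$UFW_BIN" allow "$app"
        else echo "skipping unknown application profile: $app" >&2; fi
    done
    # `ufw enable` is only needed the first time; afterwards a reload suffices.
    if "$UFW_BIN" status | grep -q '^Status: inactive'; then "$UFW_BIN" enable
    else "$UFW_BIN" reload; fi
}

# Run as `sh ufw-baseline.sh apply`; sourcing the file only defines the functions.
if [ "${1:-}" = "apply" ]; then apply_baseline; fi
```

Running it a second time after the firewall is active issues a reload instead of enable, which matches the workflow above.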

Specific use-cases and applications follow:

KDE Connect

To allow KDE Connect to work on the local network (192.168.0.x), ports 1714 through 1764 have to be opened for both UDP and TCP.

root #ufw allow proto udp from 192.168.0.0/24 to any port 1714:1764
root #ufw allow proto tcp from 192.168.0.0/24 to any port 1714:1764

External Resources