|
Size: 1036
Comment:
|
Size: 1463
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| ## page was renamed from UFW | |
| Line 4: | Line 3: |
| '''Uncomplicated Firewall''' ('''UFW''') is a simple-to-use but powerful firewall management software. It is a wrapper around '''iptables''', automatically writing rules for it. | '''`ufw(8)`''' (meaning '''Uncomplicated Firewall''') is a firewall management program. It is a wrapper around `iptables(8)`. <<TableOfContents>> ---- |
| Line 7: | Line 10: |
| == Basic Setup == | |
| Line 9: | Line 11: |
| This is more than sufficient for servers that are not meant to be web-facing. | == Installation == Install the `ufw` package through your preferred package manager. Then [[Linux/Systemd|start and enable]] ufw.service. Note that not all operating systems have strong support for `ufw(8)`. [[Linux/Alpine|Alpine Linux]] prefers its users to use [[Awall]]; [[Linux/Fedora|Fedora]] and associated projects ship with the incompatible [[Linux/SystemdFirewalld|firewalld]]. BSDs do not offer `iptables(8)`, so `ufw(8)` is a non-option. ---- == Configuration == A basic rule set is: |
| Line 12: | Line 26: |
| ufw allow outgoing all ufw deny incoming all ufw allow ssh |
ufw default deny incoming ufw default allow outgoing |
| Line 19: | Line 31: |
| If using custom ports, adjust as needed. This would be set in `/etc/ssh/sshd_config`. | `ufw(8)` is distributed with '''app profiles''' that simplify the configuration process. Instead of allowing ''ports'', consider allowing ''apps''. {{{ ufw allow ssh }}} |
| Line 22: | Line 38: |
| == HTTP == | |
| Line 24: | Line 39: |
| Regardless of `httpd` flavor (Apache, NGINX, lighttpd, etc), this basic configuration should suffice. | === Web Servers === The following rules should allow any web server to operate. |
| Line 28: | Line 45: |
| ufw allow 80 | |
| Line 30: | Line 46: |
| ufw allow 443 | |
| Line 33: | Line 48: |
| If using custom ports, adjust as needed. | Additional steps may be required if using [[Encryption/Certbot|certbot]] on a custom port. |
| Line 36: | Line 51: |
| == FTP == | |
| Line 38: | Line 52: |
| There are standard unencrypted FTP ports: | === FTP === |
| Line 43: | Line 57: |
| ufw allow 989/tcp ufw allow 990/tcp |
|
| Line 45: | Line 61: |
| For security, encrypted FTP uses a pool of ports. This is the recommended setup for `vsftpd`: | Passive configuration also utilizes a pool of ports. Recommended to use custom ports, so adjust as needed. |
| Line 48: | Line 64: |
| ufw allow 990/tcp |
UFW
ufw(8) (meaning Uncomplicated Firewall) is a firewall management program. It is a wrapper around iptables(8).
Contents
Installation
Install the ufw package through your preferred package manager. Then start and enable ufw.service.
Note that not all operating systems have strong support for ufw(8). Alpine Linux prefers its users to use Awall; Fedora and associated projects ship with the incompatible firewalld. BSDs do not offer iptables(8), so ufw(8) is a non-option.
Configuration
A basic rule set is:
ufw default deny incoming ufw default allow outgoing ufw allow 22
ufw(8) is distributed with app profiles that simplify the configuration process. Instead of allowing ports, consider allowing apps.
ufw allow ssh
Web Servers
The following rules should allow any web server to operate.
ufw allow http ufw allow https
Additional steps may be required if using certbot on a custom port.
FTP
ufw allow 20/tcp ufw allow 21/tcp ufw allow 989/tcp ufw allow 990/tcp
Passive configuration also utilizes a pool of ports. Recommended to use custom ports, so adjust as needed.
ufw allow 40000:42000/tcp