Revision 15 as of 2023-04-08 13:25:45
Ufw
ufw(8) (Uncomplicated Firewall; manual at https://man.archlinux.org/man/ufw.8) is a firewall management program. It is a front end for iptables(8): each ufw command is translated into iptables rules, and the generated rule set can be inspected with ufw show raw.
Installation
Several Linux distributions offer a ufw package. After installing it, start and enable ufw.service so the rules are restored at boot. The unit only loads rules once the firewall itself has been switched on with ufw enable, which sets ENABLED=yes in /etc/ufw/ufw.conf; until then the service starts but filters nothing.
Configuration
A basic rule set is:

    ufw default deny incoming
    ufw default allow outgoing
    ufw allow 22

ufw allow 22 opens port 22 for both TCP and UDP; ufw allow 22/tcp is the tighter rule for SSH. On a remote host, set the defaults and the SSH rule before running ufw enable: enabling with a deny-incoming default and no SSH rule cuts off the session. If sshd listens elsewhere (the Port directive in /etc/ssh/sshd_config), use that port instead.

Rules can be written with service names from /etc/services instead of numbers, so the following allows the port and protocol listed there for ssh (normally 22/tcp):

    ufw allow ssh

ufw(8) also ships application profiles, and other packages can add their own, in /etc/ufw/applications.d/; which profiles are present depends on the distribution. ufw app list shows them and ufw app info NAME the ports a profile covers. Instead of allowing ports, consider allowing apps by profile name, for example ufw allow OpenSSH on Debian-based systems, where the openssh-server package provides that profile: the rule then documents which application it exists for.
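A way to apply this rule set on a remote host without locking yourself out, as an added example that is not part of this page or of the ufw project: it reads the SSH port from sshd_config (the path /etc/ssh/sshd_config and the fallback of 22 are assumptions), sets the defaults and the SSH rule first, and only then enables the firewall. DRY_RUN=1 prints the commands instead of running them; a real run needs root.

```shell
#!/bin/sh
# Added example, not from the wiki page or from ufw itself: apply the baseline
# policy in a lock-out-safe order. Assumptions: sshd's port is the first
# uncommented "Port" directive in /etc/ssh/sshd_config (22 if none), and
# DRY_RUN=1 means "print the ufw commands, do not run them".
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Print the port sshd listens on, read from the given sshd_config (default 22).
sshd_port() {
    cfg="${1:-/etc/ssh/sshd_config}"
    port=""
    if [ -r "$cfg" ]; then
        # "#Port 22" has "#Port" as its first field and is skipped.
        port=$(awk '$1 == "Port" { print $2; exit }' "$cfg")
    fi
    printf '%s\n' "${port:-22}"
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Defaults, then SSH, then enable: this order is what keeps the session alive.
apply_baseline() {
    port=$(sshd_port "${1:-/etc/ssh/sshd_config}")
    run ufw default deny incoming
    run ufw default allow outgoing
    # 'limit' allows the port but rate-limits repeated connection attempts.
    run ufw limit "${port}/tcp"
    # Only now activate; --force skips the interactive confirmation prompt.
    run ufw --force enable
    run ufw status verbose
}

# Succeed only if the dry-run plan opens SSH before it enables the firewall.
plan_is_safe() {
    plan=$(DRY_RUN=1; apply_baseline "${1:-/etc/ssh/sshd_config}")
    ssh_line=$(printf '%s\n' "$plan" | grep -n ' limit ' | cut -d: -f1)
    enable_line=$(printf '%s\n' "$plan" | grep -n ' enable$' | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$enable_line" ] && [ "$ssh_line" -lt "$enable_line" ]
}

# Usage: DRY_RUN=1 sh ufw-baseline.sh apply   (preview the commands)
#        sudo sh ufw-baseline.sh apply         (apply them)
if [ "${1:-}" = apply ]; then
    plan_is_safe && apply_baseline
fi
```

The ordering check is deliberately separate from the apply step so it can be run against a copy of sshd_config before touching a production host.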
Web Servers
The following rules should allow any web server (Apache, nginx, lighttpd and so on) to operate; the service names resolve through /etc/services to 80/tcp and 443/tcp:

    ufw allow http
    ufw allow https

certbot's HTTP-01 challenge is answered on port 80 and its TLS-ALPN-01 challenge on port 443, so these rules also cover certificate issuance and renewal. Additional steps may be required if certbot is run on a custom port, which then has to be opened as well.
FTP

    ufw allow 20/tcp
    ufw allow 21/tcp
    ufw allow 989/tcp
    ufw allow 990/tcp

The first pair is plain FTP (21 for control, 20 as the server's source port for active-mode data connections); 989 and 990 are FTPS with implicit TLS (data and control). FTPS is FTP over TLS, not SFTP, which runs over SSH and needs only the SSH rule. Explicit FTPS (AUTH TLS) upgrades the port 21 connection in place and needs no extra port.

Passive mode also uses a pool of ports, which the daemon picks and announces to the client on the control connection. Connection tracking cannot read a TLS-encrypted control channel to open those ports on demand, so the pool has to be allowed explicitly. Use a custom range and keep it identical to the daemon's own setting (pasv_min_port and pasv_max_port for vsftpd); adjust as needed.

    ufw allow 40000:42000/tcp
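To keep the firewall range and the daemon's passive range from drifting apart, the rule can be derived from vsftpd's own configuration. This is an added example, not code from this page or from vsftpd or ufw; the vsftpd.conf path is an assumption, and other FTP daemons use their own directive names.

```shell
#!/bin/sh
# Added example, not from the wiki page, vsftpd or ufw: print the ufw port
# range for passive FTP from vsftpd's pasv_min_port/pasv_max_port, rejecting
# ranges a firewall rule cannot safely express. Path assumed: /etc/vsftpd.conf.
set -eu

# Print "MIN:MAX/tcp" for the given vsftpd.conf, or fail if the range is unusable.
pasv_rule() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    # vsftpd.conf lines are "option=value" with no spaces around "=".
    min=$(awk -F= '$1 == "pasv_min_port" { print $2; exit }' "$cfg")
    max=$(awk -F= '$1 == "pasv_max_port" { print $2; exit }' "$cfg")
    # Both must be set to plain numbers: vsftpd's default of 0 means "any
    # unprivileged port", which is not a bounded range to open.
    for v in "$min" "$max"; do
        case "$v" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] && [ "$min" -le "$max" ] || return 1
    printf '%s:%s/tcp\n' "$min" "$max"
}

# Usage: ufw allow "$(pasv_rule /etc/vsftpd.conf)"
# The command substitution fails, and so does the allow, when the range is bad.
```

Because the function refuses an unset, privileged or inverted range, a mistyped vsftpd.conf produces no rule at all rather than a wide-open one.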