man-pages/man8/ufw.8.html
2021-03-31 01:06:50 +01:00

641 lines
27 KiB
HTML

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of UFW:</TITLE>
</HEAD><BODY>
<H1>UFW:</H1>
Section: February 2016 (8)<BR>Updated: <BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<P>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
ufw - program for managing a netfilter firewall
<P>
<A NAME="lbAC">&nbsp;</A>
<H2>DESCRIPTION</H2>
This program is for managing a Linux firewall and aims to provide an easy to
use interface for the user.
<P>
<A NAME="lbAD">&nbsp;</A>
<H2>USAGE</H2>
<DL COMPACT>
<DT id="1">ufw [<B>--dry-run</B>] <B>enable|disable|reload</B><DD>
<DT id="2">ufw [<B>--dry-run</B>] <B>default</B> allow|deny|reject [incoming|outgoing|routed]<DD>
<DT id="3">ufw [<B>--dry-run</B>] <B>logging</B> on|off|LEVEL<DD>
<DT id="4">ufw [<B>--dry-run</B>] <B>reset</B><DD>
<DT id="5">ufw [<B>--dry-run</B>] <B>status</B> [verbose|numbered]<DD>
<DT id="6">ufw [<B>--dry-run</B>] <B>show</B> REPORT<DD>
<DT id="7">ufw [<B>--dry-run</B>] [<B>delete</B>] [<B>insert</B> NUM] [<B>prepend</B>] <B>allow|deny|reject|limit</B> [<B>in|out</B>] [<B>log|log-all</B>] [ PORT[/PROTOCOL] | APPNAME ] [<B>comment</B> COMMENT]<DD>
<DT id="8">ufw [<B>--dry-run</B>] [<B>rule</B>] [<B>delete</B>] [<B>insert</B> NUM] [<B>prepend</B>] <B>allow|deny|reject|limit</B> [<B>in|out</B> [<B>on</B> INTERFACE]] [<B>log|log-all</B>] [<B>proto</B> PROTOCOL] [<B>from</B> ADDRESS [<B>port</B> PORT | <B>app</B> APPNAME ]] [<B>to</B> ADDRESS [<B>port</B> PORT | <B>app</B> APPNAME ]] [<B>comment</B> COMMENT]<DD>
<DT id="9">ufw [<B>--dry-run</B>] <B>route</B> [<B>delete</B>] [<B>insert</B> NUM] [<B>prepend</B>] <B>allow|deny|reject|limit</B> [<B>in|out</B> <B>on</B> INTERFACE] [<B>log|log-all</B>] [<B>proto</B> PROTOCOL] [<B>from</B> ADDRESS [<B>port</B> PORT | <B>app</B> APPNAME]] [<B>to</B> ADDRESS [<B>port</B> PORT | <B>app</B> APPNAME]] [<B>comment</B> COMMENT]<DD>
<DT id="10">ufw [<B>--dry-run</B>] <B>delete</B> NUM<DD>
<DT id="11">ufw [<B>--dry-run</B>] <B>app</B> <B>list|info|default|update</B><DD>
<P>
</DL>
<A NAME="lbAE">&nbsp;</A>
<H2>OPTIONS</H2>
<DL COMPACT>
<DT id="12"><B>--version</B><DD>
show program's version number and exit
<DT id="13"><B>-h</B>, <B>--help</B><DD>
show help message and exit
<DT id="14"><B>--dry-run</B><DD>
don't modify anything, just show the changes
<DT id="15"><B>enable</B><DD>
reloads firewall and enables firewall on boot.
<DT id="16"><B>disable</B><DD>
unloads firewall and disables firewall on boot
<DT id="17"><B>reload</B><DD>
reloads firewall
<DT id="18"><B>default</B> allow|deny|reject DIRECTION<DD>
change the default policy for traffic going DIRECTION, where DIRECTION is one
of <B>incoming</B>, <B>outgoing</B> or <B>routed</B>. Note that existing rules
will have to be migrated manually when changing the default policy. See <B>RULE
SYNTAX</B> for more on <B>deny</B> and <B>reject</B>.
<DT id="19"><B>logging</B> on|off|LEVEL<DD>
toggle logging. Logged packets use the LOG_KERN syslog facility. Systems
configured for rsyslog support may also log to /var/log/ufw.log. Specifying a
LEVEL turns logging on for the specified LEVEL. The default log level is 'low'.
See <B>LOGGING</B> for details.
<DT id="20"><B>reset</B><DD>
Disables and resets firewall to installation defaults. Can also give the
<B>--force</B> option to perform the reset without confirmation.
<DT id="21"><B>status</B><DD>
show status of firewall and ufw managed rules. Use <B>status verbose</B> for
extra information. In the status output, 'Anywhere' is synonymous with 'any'
and '0.0.0.0/0'. Note that when using <B>status</B>, there is a subtle
difference when reporting interfaces. For example, if the following rules are
added:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;in&nbsp;on&nbsp;eth0&nbsp;from&nbsp;192.168.0.0/16
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;out&nbsp;on&nbsp;eth1&nbsp;to&nbsp;10.0.0.0/8
<BR>&nbsp;&nbsp;ufw&nbsp;route&nbsp;allow&nbsp;in&nbsp;on&nbsp;eth0&nbsp;out&nbsp;on&nbsp;eth1&nbsp;to&nbsp;10.0.0.0/8&nbsp;from&nbsp;192.168.0.0/16
<BR>&nbsp;&nbsp;ufw&nbsp;limit&nbsp;2222/tcp&nbsp;comment&nbsp;'SSH&nbsp;port'
<P>
<B>ufw status</B> will output:
<P>
<BR>&nbsp;&nbsp;To&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Action&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;From
<BR>&nbsp;&nbsp;--&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;------&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;----
<BR>&nbsp;&nbsp;Anywhere&nbsp;on&nbsp;eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ALLOW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;192.168.0.0/16
<BR>&nbsp;&nbsp;10.0.0.0/8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ALLOW&nbsp;OUT&nbsp;&nbsp;&nbsp;Anywhere&nbsp;on&nbsp;eth1
<BR>&nbsp;&nbsp;10.0.0.0/8&nbsp;on&nbsp;eth1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ALLOW&nbsp;FWD&nbsp;&nbsp;&nbsp;192.168.0.0/16&nbsp;on&nbsp;eth0
<BR>&nbsp;&nbsp;Anywhere&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;LIMIT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Anywhere&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;SSH&nbsp;port
<P>
For the input and output rules, the interface is reported relative to the
firewall system as an endpoint, whereas with route rules, the interface is
reported relative to the direction packets flow through the firewall.
<P>
<DT id="22"><B>show</B> REPORT<DD>
display information about the running firewall. See <B>REPORTS</B>
<DT id="23"><B>allow</B> ARGS<DD>
add allow rule. See <B>RULE SYNTAX</B>
<DT id="24"><B>deny</B> ARGS<DD>
add deny rule. See <B>RULE SYNTAX</B>
<DT id="25"><B>reject</B> ARGS<DD>
add reject rule. See <B>RULE SYNTAX</B>
<DT id="26"><B>limit</B> ARGS<DD>
add limit rule. Currently only IPv4 is supported. See <B>RULE SYNTAX</B>
<DT id="27"><B>delete</B> RULE|NUM<DD>
deletes the corresponding RULE
<DT id="28"><B>insert</B> NUM RULE<DD>
insert the corresponding RULE as rule number NUM
<DT id="29"><B>prepend</B> RULE<DD>
prepend the corresponding RULE to the top of the ruleset
<P>
</DL>
<A NAME="lbAF">&nbsp;</A>
<H2>RULE SYNTAX</H2>
<P>
Users can specify rules using either a simple syntax or a full syntax. The
simple syntax only specifies the port and optionally the protocol to be
allowed or denied on the host.
<P>
Both syntaxes support specifying a comment for the rule. For existing rules,
specifying a different comment updates the comment and specifying '' removes
the comment.
<P>
Example rules using the simple syntax:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;53
<P>
This rule will allow tcp and udp port 53 to any address on this host. To
specify a protocol, append '/protocol' to the port. For example:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;25/tcp
<P>
This will allow tcp port 25 to any address on this host. <B>ufw</B> will also
check /etc/services for the port and protocol if specifying a service by name.
Eg:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;smtp
<P>
<B>ufw</B> supports both ingress and egress filtering and users may optionally
specify a direction of either <B>in</B> or <B>out</B> for either incoming or
outgoing traffic. If no direction is supplied, the rule applies to incoming
traffic. Eg:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;in&nbsp;http
<BR>&nbsp;&nbsp;ufw&nbsp;reject&nbsp;out&nbsp;smtp
<BR>&nbsp;&nbsp;ufw&nbsp;reject&nbsp;telnet&nbsp;comment&nbsp;'telnet&nbsp;is&nbsp;unencrypted'
<P>
Users can also use a fuller syntax, specifying the source and destination
addresses and ports. This syntax is loosely based on OpenBSD's PF syntax. For
example:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;deny&nbsp;proto&nbsp;tcp&nbsp;to&nbsp;any&nbsp;port&nbsp;80
<P>
This will deny all traffic to tcp port 80 on this host. Another example:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;deny&nbsp;proto&nbsp;tcp&nbsp;from&nbsp;10.0.0.0/8&nbsp;to&nbsp;192.168.0.1&nbsp;port&nbsp;25
<P>
This will deny all traffic from the RFC1918 Class A network to tcp port 25
with the address 192.168.0.1.
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;deny&nbsp;proto&nbsp;tcp&nbsp;from&nbsp;2001:db8::/32&nbsp;to&nbsp;any&nbsp;port&nbsp;25
<P>
This will deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on this
host. IPv6 must be enabled in /etc/default/ufw for IPv6 firewalling
to work.
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;deny&nbsp;in&nbsp;on&nbsp;eth0&nbsp;to&nbsp;224.0.0.1&nbsp;proto&nbsp;igmp
<P>
This will deny all igmp traffic to 224.0.0.1 on the eth0 interface.
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;in&nbsp;on&nbsp;eth0&nbsp;to&nbsp;192.168.0.1&nbsp;proto&nbsp;gre
<P>
This will allow all gre traffic to 192.168.0.1 on the eth0 interface.
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;proto&nbsp;tcp&nbsp;from&nbsp;any&nbsp;to&nbsp;any&nbsp;port&nbsp;80,443,8080:8090&nbsp;comment&nbsp;'web&nbsp;app'
<P>
The above will allow all traffic to tcp ports 80, 443 and 8080-8090 inclusive
and adds a comment for the rule. When specifying multiple ports, the ports list
must be numeric, cannot contain spaces and must be modified as a whole. Eg, in
the above example you cannot later try to delete just the '443' port. You
cannot specify more than 15 ports (ranges count as 2 ports, so the port count
in the above example is 4).
<P>
<B>ufw</B> supports several different protocols. The following are valid in any
rule and enabled when the protocol is not specified:
<P>
<BR>&nbsp;&nbsp;tcp
<BR>&nbsp;&nbsp;udp
<P>
The following have certain restrictions and are not enabled when the protocol
is not specified:
<P>
<BR>&nbsp;&nbsp;ah&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;valid&nbsp;without&nbsp;port&nbsp;number
<BR>&nbsp;&nbsp;esp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;valid&nbsp;without&nbsp;port&nbsp;number
<BR>&nbsp;&nbsp;gre&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;valid&nbsp;without&nbsp;port&nbsp;number
<BR>&nbsp;&nbsp;ipv6&nbsp;&nbsp;&nbsp;&nbsp;valid&nbsp;for&nbsp;IPv4&nbsp;addresses&nbsp;and&nbsp;without&nbsp;port&nbsp;number
<BR>&nbsp;&nbsp;igmp&nbsp;&nbsp;&nbsp;&nbsp;valid&nbsp;for&nbsp;IPv4&nbsp;addresses&nbsp;and&nbsp;without&nbsp;port&nbsp;number
<P>
Rules for traffic not destined for the host itself but instead for traffic that
should be routed/forwarded through the firewall should specify the <B>route</B>
keyword before the rule (routing rules differ significantly from PF syntax and
instead take into account netfilter FORWARD chain conventions). For example:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;route&nbsp;allow&nbsp;in&nbsp;on&nbsp;eth1&nbsp;out&nbsp;on&nbsp;eth2
<P>
This will allow all traffic routed to eth2 and coming in on eth1 to traverse
the firewall.
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;route&nbsp;allow&nbsp;in&nbsp;on&nbsp;eth0&nbsp;out&nbsp;on&nbsp;eth1&nbsp;to&nbsp;12.34.45.67&nbsp;port&nbsp;80&nbsp;proto&nbsp;tcp
<P>
This rule allows any packets coming in on eth0 to traverse the firewall out
on eth1 to tcp port 80 on 12.34.45.67.
<P>
In addition to routing rules and policy, you must also setup IP forwarding.
This may be done by setting the following in /etc/ufw/sysctl.conf:
<P>
<BR>&nbsp;&nbsp;net/ipv4/ip_forward=1
<BR>&nbsp;&nbsp;net/ipv6/conf/default/forwarding=1
<BR>&nbsp;&nbsp;net/ipv6/conf/all/forwarding=1
<P>
then restarting the firewall:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;disable
<BR>&nbsp;&nbsp;ufw&nbsp;enable
<P>
Be aware that setting kernel tunables is operating system specific and
<B>ufw</B> sysctl settings may be overridden. See the <B>sysctl</B> manual page
for details.
<P>
<P>
<B>ufw</B> supports connection rate limiting, which is useful for protecting
against brute-force login attacks. When a limit rule is used, <B>ufw</B> will
normally allow the connection but will deny connections if an IP address
attempts to initiate 6 or more connections within 30 seconds. See
<A HREF="http://www.debian-administration.org/articles/187">http://www.debian-administration.org/articles/187</A> for details. Typical usage
is:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;limit&nbsp;ssh/tcp
<P>
<P>
Sometimes it is desirable to let the sender know when traffic is being
denied, rather than simply ignoring it. In these cases, use <B>reject</B>
instead of <B>deny</B>. For example:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;reject&nbsp;auth
<P>
<P>
By default, <B>ufw</B> will apply rules to all available interfaces. To limit
this, specify <B>DIRECTION on INTERFACE</B>, where DIRECTION is one of <B>in</B>
or <B>out</B> (interface aliases are not supported). For example, to allow all
new incoming http connections on eth0, use:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;in&nbsp;on&nbsp;eth0&nbsp;to&nbsp;any&nbsp;port&nbsp;80&nbsp;proto&nbsp;tcp
<P>
<P>
To delete a rule, simply prefix the original rule with <B>delete</B> with or
without the rule comment. For example, if the original rule was:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;deny&nbsp;80/tcp
<P>
Use this to delete it:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;delete&nbsp;deny&nbsp;80/tcp
<P>
You may also specify the rule by NUM, as seen in the <B>status numbered</B>
output. For example, if you want to delete rule number '3', use:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;delete&nbsp;3
<P>
If you have IPv6 enabled and are deleting a generic rule that applies to both
IPv4 and IPv6 (eg 'ufw allow 22/tcp'), deleting by rule number will delete only
the specified rule. To delete both with one command, prefix the original rule
with <B>delete</B>.
<P>
To insert a rule, specify the new rule as normal, but prefix the rule with
the rule number to insert. For example, if you have four rules, and you want
to insert a new rule as rule number three, use:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;insert&nbsp;3&nbsp;deny&nbsp;to&nbsp;any&nbsp;port&nbsp;22&nbsp;from&nbsp;10.0.0.135&nbsp;proto&nbsp;tcp
<P>
Similarly, to add a rule before all other rules matching the rule's IP type,
use the prepend rule:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;prepend&nbsp;deny&nbsp;from&nbsp;1.2.3.4
<P>
This is particularly useful for dynamic firewalls as found in an IPS.
Importantly, if the specified rule is an IPv4 rule, it will be prepended before
all other IPv4 rules. If it is an IPv6 rule, it will be prepended before any
IPv6 rules.
<P>
To see a list of numbered rules, use:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;status&nbsp;numbered
<P>
<P>
<B>ufw</B> supports per rule logging. By default, no logging is performed when
a packet matches a rule. Specifying <B>log</B> will log all new connections
matching the rule, and <B>log-all</B> will log all packets matching the rule.
For example, to allow and log all new ssh connections, use:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;log&nbsp;22/tcp
<P>
See <B>LOGGING</B> for more information on logging.
<P>
<A NAME="lbAG">&nbsp;</A>
<H2>EXAMPLES</H2>
<P>
Deny all access to port 53:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;deny&nbsp;53
<P>
<P>
Allow all access to tcp port 80:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;80/tcp
<P>
<P>
Allow all access from RFC1918 networks to this host:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;from&nbsp;10.0.0.0/8
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;from&nbsp;172.16.0.0/12
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;from&nbsp;192.168.0.0/16
<P>
<P>
Deny access to udp port 514 from host 1.2.3.4:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;deny&nbsp;proto&nbsp;udp&nbsp;from&nbsp;1.2.3.4&nbsp;to&nbsp;any&nbsp;port&nbsp;514
<P>
<P>
Allow access to udp 1.2.3.4 port 5469 from 1.2.3.5 port 5469:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;proto&nbsp;udp&nbsp;from&nbsp;1.2.3.5&nbsp;port&nbsp;5469&nbsp;to&nbsp;1.2.3.4&nbsp;port&nbsp;5469
<P>
<A NAME="lbAH">&nbsp;</A>
<H2>REMOTE MANAGEMENT</H2>
<P>
When running <B>ufw enable</B> or starting <B>ufw</B> via its initscript,
<B>ufw</B> will flush its chains. This is required so <B>ufw</B> can maintain a
consistent state, but it may drop existing connections (eg ssh). <B>ufw</B>
does support adding rules before enabling the firewall, so administrators can
do:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;proto&nbsp;tcp&nbsp;from&nbsp;any&nbsp;to&nbsp;any&nbsp;port&nbsp;22
<P>
before running '<B>ufw enable</B>'. The rules will still be flushed, but the
ssh port will be open after enabling the firewall. Please note that once
ufw is 'enabled', <B>ufw</B> will not flush the chains when adding or removing
rules (but will when modifying a rule or changing the default policy). By
default, <B>ufw</B> will prompt when enabling the firewall while running under
ssh. This can be disabled by using '<B>ufw --force enable</B>'.
<P>
<A NAME="lbAI">&nbsp;</A>
<H2>APPLICATION INTEGRATION</H2>
<P>
<B>ufw</B> supports application integration by reading profiles located in
/etc/ufw/applications.d. To list the names of application profiles
known to <B>ufw</B>, use:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;app&nbsp;list
<P>
Users can specify an application name when adding a rule (quoting any profile
names with spaces). For example, when using the simple syntax, users can use:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;&lt;name&gt;
<P>
Or for the extended syntax:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;from&nbsp;192.168.0.0/16&nbsp;to&nbsp;any&nbsp;app&nbsp;&lt;name&gt;
<P>
You should not specify the protocol with either syntax, and with the extended
syntax, use <B>app</B> in place of the <B>port</B> clause.
<P>
Details on the firewall profile for a given application can be seen with:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;app&nbsp;info&nbsp;&lt;name&gt;
<P>
where '&lt;name&gt;' is one of the applications seen with the app list command.
Users may also specify <B>all</B> to see the profiles for all known
applications.
<P>
Syntax for the application profiles is a simple .INI format:
<P>
<BR>&nbsp;&nbsp;[&lt;name&gt;]
<BR>&nbsp;&nbsp;title=&lt;title&gt;
<BR>&nbsp;&nbsp;description=&lt;description&gt;
<BR>&nbsp;&nbsp;ports=&lt;ports&gt;
<P>
The 'ports' field may specify a '|'-separated list of ports/protocols where
the protocol is optional. A comma-separated list or a range (specified
with 'start:end') may also be used to specify multiple ports, in which case the
protocol is required. For example:
<P>
<BR>&nbsp;&nbsp;[SomeService]
<BR>&nbsp;&nbsp;title=Some&nbsp;title
<BR>&nbsp;&nbsp;description=Some&nbsp;description
<BR>&nbsp;&nbsp;ports=12/udp|34|56,78:90/tcp
<P>
In the above example, 'SomeService' may be used in app rules and it specifies
UDP port 12, TCP and UDP on port 34 and TCP ports 56 and 78-90 inclusive.
<P>
After creating or editing an application profile, users can run:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;app&nbsp;update&nbsp;&lt;name&gt;
<P>
This command will automatically update the firewall with updated profile
information. If specify 'all' for name, then all the profiles will be updated.
To update a profile and add a new rule to the firewall automatically, users
can run:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;app&nbsp;update&nbsp;--add-new&nbsp;&lt;name&gt;
<P>
The behavior of the <B>update --add-new</B> command can be configured using:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;app&nbsp;default&nbsp;&lt;policy&gt;
<P>
The default application policy is <B>skip</B>, which means that the <B>update
--add-new</B> command will do nothing. Users may also specify a policy of
<B>allow</B> or <B>deny</B> so the <B>update --add-new</B> command may
automatically update the firewall. <B>WARNING:</B> it may be a security to risk
to use a default <B>allow</B> policy for application profiles. Carefully
consider the security ramifications before using a default <B>allow</B> policy.
<P>
<A NAME="lbAJ">&nbsp;</A>
<H2>LOGGING</H2>
<P>
<B>ufw</B> supports multiple logging levels. <B>ufw</B> defaults to a loglevel
of 'low' when a loglevel is not specified. Users may specify a loglevel with:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;logging&nbsp;LEVEL
<P>
LEVEL may be 'off', 'low', 'medium', 'high' and 'full'. Log levels are defined
as:
<DL COMPACT>
<DT id="30"><B>off</B><DD>
disables ufw managed logging
<DT id="31"><B>low</B><DD>
logs all blocked packets not matching the defined policy (with rate limiting),
as well as packets matching logged rules
<DT id="32"><B>medium</B><DD>
log level low, plus all allowed packets not matching the defined policy, all
INVALID packets, and all new connections. All logging is done with rate
limiting.
<DT id="33"><B>high</B><DD>
log level medium (without rate limiting), plus all packets with rate limiting
<DT id="34"><B>full</B><DD>
log level high without rate limiting
<P>
</DL>
<P>
Loglevels above medium generate a lot of logging output, and may quickly fill
up your disk. Loglevel medium may generate a lot of logging output on a busy
system.
<P>
Specifying 'on' simply enables logging at log level 'low' if logging is
currently not enabled.
<P>
<A NAME="lbAK">&nbsp;</A>
<H2>REPORTS</H2>
<P>
The following reports are supported. Each is based on the live system and with
the exception of the <B>listening</B> report, is in raw iptables format:
<P>
<BR>&nbsp;&nbsp;raw
<BR>&nbsp;&nbsp;builtins
<BR>&nbsp;&nbsp;before-rules
<BR>&nbsp;&nbsp;user-rules
<BR>&nbsp;&nbsp;after-rules
<BR>&nbsp;&nbsp;logging-rules
<BR>&nbsp;&nbsp;listening
<BR>&nbsp;&nbsp;added
<P>
The <B>raw</B> report shows the complete firewall, while the others show a
subset of what is in the <B>raw</B> report.
<P>
The <B>listening</B> report will display the ports on the live system in the
listening state for tcp and the open state for udp, along with the address of
the interface and the executable listening on the port. An '*' is used in
place of the address of the interface when the executable is bound to all
interfaces on that port. Following this information is a list of rules which
may affect connections on this port. The rules are listed in the order they are
evaluated by the kernel, and the first match wins. Please note that the
default policy is not listed and tcp6 and udp6 are shown only if IPV6 is
enabled.
<P>
The <B>added</B> report displays the list of rules as they were added on the
command-line. This report does not show the status of the running firewall
(use '<B>ufw status</B>' instead). Because rules are normalized by <B>ufw</B>,
rules may look different than the originally added rule. Also, <B>ufw</B> does
not record command ordering, so an equivalent ordering is used which lists
IPv6-only rules after other rules.
<P>
<A NAME="lbAL">&nbsp;</A>
<H2>NOTES</H2>
<P>
On installation, <B>ufw</B> is disabled with a default incoming policy of deny,
a default forward policy of deny, and a default outgoing policy of allow, with
stateful tracking for NEW connections for incoming and forwarded connections.
In addition to the above, a default ruleset is put in place that does the
following:
<DL COMPACT>
<DT id="35">- DROP packets with RH0 headers<DD>
<DT id="36">- DROP INVALID packets<DD>
<DT id="37">- ACCEPT certain icmp packets (INPUT and FORWARD): destination-unreachable, source-quench, time-exceeded, parameter-problem, and echo-request for IPv4. destination-unreachable, packet-too-big, time-exceeded, parameter-problem, and echo-request for IPv6.<DD>
<DT id="38">- ACCEPT icmpv6 packets for stateless autoconfiguration (INPUT)<DD>
<DT id="39">- ACCEPT ping replies from IPv6 link-local (ffe8::/10) addresses (INPUT)<DD>
<DT id="40">- ACCEPT DHCP client traffic (INPUT)<DD>
<DT id="41">- DROP non-local traffic (INPUT)<DD>
<DT id="42">- ACCEPT mDNS (zeroconf/bonjour/avahi 224.0.0.251 for IPv4 and ff02::fb for IPv6) for service discovery (INPUT)<DD>
<DT id="43">- ACCEPT UPnP (239.255.255.250 for IPv4 and ff02::f for IPv6) for service discovery (INPUT)<DD>
<P>
</DL>
<P>
Rule ordering is important and the first match wins. Therefore when adding
rules, add the more specific rules first with more general rules later.
<P>
<B>ufw</B> is not intended to provide complete firewall functionality via
its command interface, but instead provides an easy way to add or remove
simple rules.
<P>
The status command shows basic information about the state of the firewall, as
well as rules managed via the <B>ufw</B> command. It does not show rules from the
rules files in /etc/ufw. To see the complete state of the firewall,
users can <B>ufw show raw</B>. This displays the filter, nat, mangle and raw
tables using:
<P>
<BR>&nbsp;&nbsp;iptables&nbsp;-n&nbsp;-L&nbsp;-v&nbsp;-x&nbsp;-t&nbsp;&lt;table&gt;
<BR>&nbsp;&nbsp;ip6tables&nbsp;-n&nbsp;-L&nbsp;-v&nbsp;-x&nbsp;-t&nbsp;&lt;table&gt;
<P>
See the <B>iptables</B> and <B>ip6tables</B> documentation for more details.
<P>
If the default policy is set to REJECT, <B>ufw</B> may interfere with rules
added outside of the ufw framework. See README for details.
<P>
IPV6 is allowed by default. To change this behavior to only accept IPv6 traffic
on the loopback interface, set IPV6 to 'no' in /etc/default/ufw and
reload <B>ufw</B>. When IPv6 is enabled, you may specify rules in the same way
as for IPv4 rules, and they will be displayed with <B>ufw status</B>. Rules that
match both IPv4 and IPv6 addresses apply to both IP versions. For example, when
IPv6 is enabled, the following rule will allow access to port 22 for both IPv4
and IPv6 traffic:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;22
<P>
IPv6 over IPv4 tunnels and 6to4 are supported by using the 'ipv6' protocol
('41'). This protocol can only be used with the full syntax. For example:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;to&nbsp;10.0.0.1&nbsp;proto&nbsp;ipv6
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;to&nbsp;10.0.0.1&nbsp;from&nbsp;10.4.0.0/16&nbsp;proto&nbsp;ipv6
<P>
IPSec is supported by using the 'esp' ('50') and 'ah' ('51') protocols. These
protocols can only be used with the full syntax. For example:
<P>
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;to&nbsp;10.0.0.1&nbsp;proto&nbsp;esp
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;to&nbsp;10.0.0.1&nbsp;from&nbsp;10.4.0.0/16&nbsp;proto&nbsp;esp
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;to&nbsp;10.0.0.1&nbsp;proto&nbsp;ah
<BR>&nbsp;&nbsp;ufw&nbsp;allow&nbsp;to&nbsp;10.0.0.1&nbsp;from&nbsp;10.4.0.0/16&nbsp;proto&nbsp;ah
<P>
In addition to the command-line interface, <B>ufw</B> also provides a
framework which allows administrators to modify default behavior as well as
take full advantage of netfilter. See the <B>ufw-framework</B> manual page for
more information.
<P>
<A NAME="lbAM">&nbsp;</A>
<H2>SEE ALSO</H2>
<P>
<B><A HREF="/cgi-bin/man/man2html?8+ufw-framework">ufw-framework</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+iptables">iptables</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+ip6tables">ip6tables</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+iptables-restore">iptables-restore</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+ip6tables-restore">ip6tables-restore</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+sysctl">sysctl</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?5+sysctl.conf">sysctl.conf</A></B>(5)
<P>
<A NAME="lbAN">&nbsp;</A>
<H2>AUTHOR</H2>
<P>
ufw is Copyright 2008-2014, Canonical Ltd.
<P>
<P>
ufw and this manual page was originally written by Jamie Strandboge &lt;<A HREF="mailto:jamie@canonical.com">jamie@canonical.com</A>&gt;
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="44"><A HREF="#lbAB">NAME</A><DD>
<DT id="45"><A HREF="#lbAC">DESCRIPTION</A><DD>
<DT id="46"><A HREF="#lbAD">USAGE</A><DD>
<DT id="47"><A HREF="#lbAE">OPTIONS</A><DD>
<DT id="48"><A HREF="#lbAF">RULE SYNTAX</A><DD>
<DT id="49"><A HREF="#lbAG">EXAMPLES</A><DD>
<DT id="50"><A HREF="#lbAH">REMOTE MANAGEMENT</A><DD>
<DT id="51"><A HREF="#lbAI">APPLICATION INTEGRATION</A><DD>
<DT id="52"><A HREF="#lbAJ">LOGGING</A><DD>
<DT id="53"><A HREF="#lbAK">REPORTS</A><DD>
<DT id="54"><A HREF="#lbAL">NOTES</A><DD>
<DT id="55"><A HREF="#lbAM">SEE ALSO</A><DD>
<DT id="56"><A HREF="#lbAN">AUTHOR</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:18 GMT, March 31, 2021
</BODY>
</HTML>