641 lines
27 KiB
HTML
641 lines
27 KiB
HTML
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML><HEAD><TITLE>Man page of UFW:</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>UFW:</H1>
|
|
Section: February 2016 (8)<BR>Updated: <BR><A HREF="#index">Index</A>
|
|
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
<P>
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
ufw - program for managing a netfilter firewall
|
|
<P>
|
|
|
|
<A NAME="lbAC"> </A>
|
|
<H2>DESCRIPTION</H2>
|
|
|
|
This program is for managing a Linux firewall and aims to provide an easy to
|
|
use interface for the user.
|
|
<P>
|
|
<A NAME="lbAD"> </A>
|
|
<H2>USAGE</H2>
|
|
|
|
<DL COMPACT>
|
|
<DT id="1">ufw [<B>--dry-run</B>] <B>enable|disable|reload</B><DD>
|
|
<DT id="2">ufw [<B>--dry-run</B>] <B>default</B> allow|deny|reject [incoming|outgoing|routed]<DD>
|
|
<DT id="3">ufw [<B>--dry-run</B>] <B>logging</B> on|off|LEVEL<DD>
|
|
<DT id="4">ufw [<B>--dry-run</B>] <B>reset</B><DD>
|
|
<DT id="5">ufw [<B>--dry-run</B>] <B>status</B> [verbose|numbered]<DD>
|
|
<DT id="6">ufw [<B>--dry-run</B>] <B>show</B> REPORT<DD>
|
|
<DT id="7">ufw [<B>--dry-run</B>] [<B>delete</B>] [<B>insert</B> NUM] [<B>prepend</B>] <B>allow|deny|reject|limit</B> [<B>in|out</B>] [<B>log|log-all</B>] [ PORT[/PROTOCOL] | APPNAME ] [<B>comment</B> COMMENT]<DD>
|
|
<DT id="8">ufw [<B>--dry-run</B>] [<B>rule</B>] [<B>delete</B>] [<B>insert</B> NUM] [<B>prepend</B>] <B>allow|deny|reject|limit</B> [<B>in|out</B> [<B>on</B> INTERFACE]] [<B>log|log-all</B>] [<B>proto</B> PROTOCOL] [<B>from</B> ADDRESS [<B>port</B> PORT | <B>app</B> APPNAME ]] [<B>to</B> ADDRESS [<B>port</B> PORT | <B>app</B> APPNAME ]] [<B>comment</B> COMMENT]<DD>
|
|
<DT id="9">ufw [<B>--dry-run</B>] <B>route</B> [<B>delete</B>] [<B>insert</B> NUM] [<B>prepend</B>] <B>allow|deny|reject|limit</B> [<B>in|out</B> <B>on</B> INTERFACE] [<B>log|log-all</B>] [<B>proto</B> PROTOCOL] [<B>from</B> ADDRESS [<B>port</B> PORT | <B>app</B> APPNAME]] [<B>to</B> ADDRESS [<B>port</B> PORT | <B>app</B> APPNAME]] [<B>comment</B> COMMENT]<DD>
|
|
<DT id="10">ufw [<B>--dry-run</B>] <B>delete</B> NUM<DD>
|
|
<DT id="11">ufw [<B>--dry-run</B>] <B>app</B> <B>list|info|default|update</B><DD>
|
|
<P>
|
|
</DL>
|
|
<A NAME="lbAE"> </A>
|
|
<H2>OPTIONS</H2>
|
|
|
|
<DL COMPACT>
|
|
<DT id="12"><B>--version</B><DD>
|
|
show program's version number and exit
|
|
<DT id="13"><B>-h</B>, <B>--help</B><DD>
|
|
show help message and exit
|
|
<DT id="14"><B>--dry-run</B><DD>
|
|
don't modify anything, just show the changes
|
|
<DT id="15"><B>enable</B><DD>
|
|
reloads firewall and enables firewall on boot.
|
|
<DT id="16"><B>disable</B><DD>
|
|
unloads firewall and disables firewall on boot
|
|
<DT id="17"><B>reload</B><DD>
|
|
reloads firewall
|
|
<DT id="18"><B>default</B> allow|deny|reject DIRECTION<DD>
|
|
change the default policy for traffic going DIRECTION, where DIRECTION is one
|
|
of <B>incoming</B>, <B>outgoing</B> or <B>routed</B>. Note that existing rules
|
|
will have to be migrated manually when changing the default policy. See <B>RULE
|
|
SYNTAX</B> for more on <B>deny</B> and <B>reject</B>.
|
|
<DT id="19"><B>logging</B> on|off|LEVEL<DD>
|
|
toggle logging. Logged packets use the LOG_KERN syslog facility. Systems
|
|
configured for rsyslog support may also log to /var/log/ufw.log. Specifying a
|
|
LEVEL turns logging on for the specified LEVEL. The default log level is 'low'.
|
|
See <B>LOGGING</B> for details.
|
|
<DT id="20"><B>reset</B><DD>
|
|
Disables and resets firewall to installation defaults. Can also give the
|
|
<B>--force</B> option to perform the reset without confirmation.
|
|
<DT id="21"><B>status</B><DD>
|
|
show status of firewall and ufw managed rules. Use <B>status verbose</B> for
|
|
extra information. In the status output, 'Anywhere' is synonymous with 'any'
|
|
and '0.0.0.0/0'. Note that when using <B>status</B>, there is a subtle
|
|
difference when reporting interfaces. For example, if the following rules are
|
|
added:
|
|
<P>
|
|
<BR> ufw allow in on eth0 from 192.168.0.0/16
|
|
<BR> ufw allow out on eth1 to 10.0.0.0/8
|
|
<BR> ufw route allow in on eth0 out on eth1 to 10.0.0.0/8 from 192.168.0.0/16
|
|
<BR> ufw limit 2222/tcp comment 'SSH port'
|
|
<P>
|
|
<B>ufw status</B> will output:
|
|
<P>
|
|
<BR> To Action From
|
|
<BR> -- ------ ----
|
|
<BR> Anywhere on eth0 ALLOW 192.168.0.0/16
|
|
<BR> 10.0.0.0/8 ALLOW OUT Anywhere on eth1
|
|
<BR> 10.0.0.0/8 on eth1 ALLOW FWD 192.168.0.0/16 on eth0
|
|
<BR> Anywhere LIMIT Anywhere # SSH port
|
|
<P>
|
|
For the input and output rules, the interface is reported relative to the
|
|
firewall system as an endpoint, whereas with route rules, the interface is
|
|
reported relative to the direction packets flow through the firewall.
|
|
<P>
|
|
<DT id="22"><B>show</B> REPORT<DD>
|
|
display information about the running firewall. See <B>REPORTS</B>
|
|
<DT id="23"><B>allow</B> ARGS<DD>
|
|
add allow rule. See <B>RULE SYNTAX</B>
|
|
<DT id="24"><B>deny</B> ARGS<DD>
|
|
add deny rule. See <B>RULE SYNTAX</B>
|
|
<DT id="25"><B>reject</B> ARGS<DD>
|
|
add reject rule. See <B>RULE SYNTAX</B>
|
|
<DT id="26"><B>limit</B> ARGS<DD>
|
|
add limit rule. Currently only IPv4 is supported. See <B>RULE SYNTAX</B>
|
|
<DT id="27"><B>delete</B> RULE|NUM<DD>
|
|
deletes the corresponding RULE
|
|
<DT id="28"><B>insert</B> NUM RULE<DD>
|
|
insert the corresponding RULE as rule number NUM
|
|
<DT id="29"><B>prepend</B> RULE<DD>
|
|
prepend the corresponding RULE to the top of the ruleset
|
|
<P>
|
|
</DL>
|
|
<A NAME="lbAF"> </A>
|
|
<H2>RULE SYNTAX</H2>
|
|
|
|
<P>
|
|
|
|
Users can specify rules using either a simple syntax or a full syntax. The
|
|
simple syntax only specifies the port and optionally the protocol to be
|
|
allowed or denied on the host.
|
|
<P>
|
|
Both syntaxes support specifying a comment for the rule. For existing rules,
|
|
specifying a different comment updates the comment and specifying '' removes
|
|
the comment.
|
|
<P>
|
|
Example rules using the simple syntax:
|
|
<P>
|
|
<BR> ufw allow 53
|
|
<P>
|
|
This rule will allow tcp and udp port 53 to any address on this host. To
|
|
specify a protocol, append '/protocol' to the port. For example:
|
|
<P>
|
|
<BR> ufw allow 25/tcp
|
|
<P>
|
|
This will allow tcp port 25 to any address on this host. <B>ufw</B> will also
|
|
check /etc/services for the port and protocol if specifying a service by name.
|
|
Eg:
|
|
<P>
|
|
<BR> ufw allow smtp
|
|
<P>
|
|
<B>ufw</B> supports both ingress and egress filtering and users may optionally
|
|
specify a direction of either <B>in</B> or <B>out</B> for either incoming or
|
|
outgoing traffic. If no direction is supplied, the rule applies to incoming
|
|
traffic. Eg:
|
|
<P>
|
|
<BR> ufw allow in http
|
|
<BR> ufw reject out smtp
|
|
<BR> ufw reject telnet comment 'telnet is unencrypted'
|
|
<P>
|
|
|
|
Users can also use a fuller syntax, specifying the source and destination
|
|
addresses and ports. This syntax is loosely based on OpenBSD's PF syntax. For
|
|
example:
|
|
<P>
|
|
<BR> ufw deny proto tcp to any port 80
|
|
<P>
|
|
This will deny all traffic to tcp port 80 on this host. Another example:
|
|
<P>
|
|
<BR> ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25
|
|
<P>
|
|
This will deny all traffic from the RFC1918 Class A network to tcp port 25
|
|
with the address 192.168.0.1.
|
|
<P>
|
|
<BR> ufw deny proto tcp from 2001:db8::/32 to any port 25
|
|
<P>
|
|
This will deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on this
|
|
host. IPv6 must be enabled in /etc/default/ufw for IPv6 firewalling
|
|
to work.
|
|
<P>
|
|
<BR> ufw deny in on eth0 to 224.0.0.1 proto igmp
|
|
<P>
|
|
This will deny all igmp traffic to 224.0.0.1 on the eth0 interface.
|
|
<P>
|
|
<BR> ufw allow in on eth0 to 192.168.0.1 proto gre
|
|
<P>
|
|
This will allow all gre traffic to 192.168.0.1 on the eth0 interface.
|
|
<P>
|
|
<BR> ufw allow proto tcp from any to any port 80,443,8080:8090 comment 'web app'
|
|
<P>
|
|
The above will allow all traffic to tcp ports 80, 443 and 8080-8090 inclusive
|
|
and adds a comment for the rule. When specifying multiple ports, the ports list
|
|
must be numeric, cannot contain spaces and must be modified as a whole. Eg, in
|
|
the above example you cannot later try to delete just the '443' port. You
|
|
cannot specify more than 15 ports (ranges count as 2 ports, so the port count
|
|
in the above example is 4).
|
|
<P>
|
|
<B>ufw</B> supports several different protocols. The following are valid in any
|
|
rule and enabled when the protocol is not specified:
|
|
<P>
|
|
<BR> tcp
|
|
<BR> udp
|
|
<P>
|
|
The following have certain restrictions and are not enabled when the protocol
|
|
is not specified:
|
|
<P>
|
|
<BR> ah valid without port number
|
|
<BR> esp valid without port number
|
|
<BR> gre valid without port number
|
|
<BR> ipv6 valid for IPv4 addresses and without port number
|
|
<BR> igmp valid for IPv4 addresses and without port number
|
|
<P>
|
|
Rules for traffic not destined for the host itself but instead for traffic that
|
|
should be routed/forwarded through the firewall should specify the <B>route</B>
|
|
keyword before the rule (routing rules differ significantly from PF syntax and
|
|
instead take into account netfilter FORWARD chain conventions). For example:
|
|
<P>
|
|
<BR> ufw route allow in on eth1 out on eth2
|
|
<P>
|
|
This will allow all traffic routed to eth2 and coming in on eth1 to traverse
|
|
the firewall.
|
|
<P>
|
|
<BR> ufw route allow in on eth0 out on eth1 to 12.34.45.67 port 80 proto tcp
|
|
<P>
|
|
This rule allows any packets coming in on eth0 to traverse the firewall out
|
|
on eth1 to tcp port 80 on 12.34.45.67.
|
|
<P>
|
|
In addition to routing rules and policy, you must also setup IP forwarding.
|
|
This may be done by setting the following in /etc/ufw/sysctl.conf:
|
|
<P>
|
|
<BR> net/ipv4/ip_forward=1
|
|
<BR> net/ipv6/conf/default/forwarding=1
|
|
<BR> net/ipv6/conf/all/forwarding=1
|
|
<P>
|
|
then restarting the firewall:
|
|
<P>
|
|
<BR> ufw disable
|
|
<BR> ufw enable
|
|
<P>
|
|
Be aware that setting kernel tunables is operating system specific and
|
|
<B>ufw</B> sysctl settings may be overridden. See the <B>sysctl</B> manual page
|
|
for details.
|
|
<P>
|
|
<P>
|
|
|
|
<B>ufw</B> supports connection rate limiting, which is useful for protecting
|
|
against brute-force login attacks. When a limit rule is used, <B>ufw</B> will
|
|
normally allow the connection but will deny connections if an IP address
|
|
attempts to initiate 6 or more connections within 30 seconds. See
|
|
<A HREF="http://www.debian-administration.org/articles/187">http://www.debian-administration.org/articles/187</A> for details. Typical usage
|
|
is:
|
|
<P>
|
|
<BR> ufw limit ssh/tcp
|
|
<P>
|
|
<P>
|
|
|
|
Sometimes it is desirable to let the sender know when traffic is being
|
|
denied, rather than simply ignoring it. In these cases, use <B>reject</B>
|
|
instead of <B>deny</B>. For example:
|
|
<P>
|
|
<BR> ufw reject auth
|
|
<P>
|
|
<P>
|
|
|
|
By default, <B>ufw</B> will apply rules to all available interfaces. To limit
|
|
this, specify <B>DIRECTION on INTERFACE</B>, where DIRECTION is one of <B>in</B>
|
|
or <B>out</B> (interface aliases are not supported). For example, to allow all
|
|
new incoming http connections on eth0, use:
|
|
<P>
|
|
<BR> ufw allow in on eth0 to any port 80 proto tcp
|
|
<P>
|
|
<P>
|
|
|
|
To delete a rule, simply prefix the original rule with <B>delete</B> with or
|
|
without the rule comment. For example, if the original rule was:
|
|
<P>
|
|
<BR> ufw deny 80/tcp
|
|
<P>
|
|
Use this to delete it:
|
|
<P>
|
|
<BR> ufw delete deny 80/tcp
|
|
<P>
|
|
You may also specify the rule by NUM, as seen in the <B>status numbered</B>
|
|
output. For example, if you want to delete rule number '3', use:
|
|
<P>
|
|
<BR> ufw delete 3
|
|
<P>
|
|
If you have IPv6 enabled and are deleting a generic rule that applies to both
|
|
IPv4 and IPv6 (eg 'ufw allow 22/tcp'), deleting by rule number will delete only
|
|
the specified rule. To delete both with one command, prefix the original rule
|
|
with <B>delete</B>.
|
|
<P>
|
|
|
|
To insert a rule, specify the new rule as normal, but prefix the rule with
|
|
the rule number to insert. For example, if you have four rules, and you want
|
|
to insert a new rule as rule number three, use:
|
|
<P>
|
|
<BR> ufw insert 3 deny to any port 22 from 10.0.0.135 proto tcp
|
|
<P>
|
|
Similarly, to add a rule before all other rules matching the rule's IP type,
|
|
use the prepend rule:
|
|
<P>
|
|
<BR> ufw prepend deny from 1.2.3.4
|
|
<P>
|
|
This is particularly useful for dynamic firewalls as found in an IPS.
|
|
Importantly, if the specified rule is an IPv4 rule, it will be prepended before
|
|
all other IPv4 rules. If it is an IPv6 rule, it will be prepended before any
|
|
IPv6 rules.
|
|
<P>
|
|
To see a list of numbered rules, use:
|
|
<P>
|
|
<BR> ufw status numbered
|
|
<P>
|
|
<P>
|
|
|
|
<B>ufw</B> supports per rule logging. By default, no logging is performed when
|
|
a packet matches a rule. Specifying <B>log</B> will log all new connections
|
|
matching the rule, and <B>log-all</B> will log all packets matching the rule.
|
|
For example, to allow and log all new ssh connections, use:
|
|
<P>
|
|
<BR> ufw allow log 22/tcp
|
|
<P>
|
|
See <B>LOGGING</B> for more information on logging.
|
|
<P>
|
|
<A NAME="lbAG"> </A>
|
|
<H2>EXAMPLES</H2>
|
|
|
|
<P>
|
|
|
|
Deny all access to port 53:
|
|
<P>
|
|
<BR> ufw deny 53
|
|
<P>
|
|
<P>
|
|
|
|
Allow all access to tcp port 80:
|
|
<P>
|
|
<BR> ufw allow 80/tcp
|
|
<P>
|
|
<P>
|
|
|
|
Allow all access from RFC1918 networks to this host:
|
|
<P>
|
|
<BR> ufw allow from 10.0.0.0/8
|
|
<BR> ufw allow from 172.16.0.0/12
|
|
<BR> ufw allow from 192.168.0.0/16
|
|
<P>
|
|
<P>
|
|
|
|
Deny access to udp port 514 from host 1.2.3.4:
|
|
<P>
|
|
<BR> ufw deny proto udp from 1.2.3.4 to any port 514
|
|
<P>
|
|
<P>
|
|
|
|
Allow access to udp 1.2.3.4 port 5469 from 1.2.3.5 port 5469:
|
|
<P>
|
|
<BR> ufw allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
|
|
<P>
|
|
<A NAME="lbAH"> </A>
|
|
<H2>REMOTE MANAGEMENT</H2>
|
|
|
|
<P>
|
|
|
|
When running <B>ufw enable</B> or starting <B>ufw</B> via its initscript,
|
|
<B>ufw</B> will flush its chains. This is required so <B>ufw</B> can maintain a
|
|
consistent state, but it may drop existing connections (eg ssh). <B>ufw</B>
|
|
does support adding rules before enabling the firewall, so administrators can
|
|
do:
|
|
<P>
|
|
<BR> ufw allow proto tcp from any to any port 22
|
|
<P>
|
|
before running '<B>ufw enable</B>'. The rules will still be flushed, but the
|
|
ssh port will be open after enabling the firewall. Please note that once
|
|
ufw is 'enabled', <B>ufw</B> will not flush the chains when adding or removing
|
|
rules (but will when modifying a rule or changing the default policy). By
|
|
default, <B>ufw</B> will prompt when enabling the firewall while running under
|
|
ssh. This can be disabled by using '<B>ufw --force enable</B>'.
|
|
<P>
|
|
<A NAME="lbAI"> </A>
|
|
<H2>APPLICATION INTEGRATION</H2>
|
|
|
|
<P>
|
|
|
|
<B>ufw</B> supports application integration by reading profiles located in
|
|
/etc/ufw/applications.d. To list the names of application profiles
|
|
known to <B>ufw</B>, use:
|
|
<P>
|
|
<BR> ufw app list
|
|
<P>
|
|
Users can specify an application name when adding a rule (quoting any profile
|
|
names with spaces). For example, when using the simple syntax, users can use:
|
|
<P>
|
|
<BR> ufw allow <name>
|
|
<P>
|
|
Or for the extended syntax:
|
|
<P>
|
|
<BR> ufw allow from 192.168.0.0/16 to any app <name>
|
|
<P>
|
|
You should not specify the protocol with either syntax, and with the extended
|
|
syntax, use <B>app</B> in place of the <B>port</B> clause.
|
|
<P>
|
|
Details on the firewall profile for a given application can be seen with:
|
|
<P>
|
|
<BR> ufw app info <name>
|
|
<P>
|
|
where '<name>' is one of the applications seen with the app list command.
|
|
Users may also specify <B>all</B> to see the profiles for all known
|
|
applications.
|
|
<P>
|
|
Syntax for the application profiles is a simple .INI format:
|
|
<P>
|
|
<BR> [<name>]
|
|
<BR> title=<title>
|
|
<BR> description=<description>
|
|
<BR> ports=<ports>
|
|
<P>
|
|
The 'ports' field may specify a '|'-separated list of ports/protocols where
|
|
the protocol is optional. A comma-separated list or a range (specified
|
|
with 'start:end') may also be used to specify multiple ports, in which case the
|
|
protocol is required. For example:
|
|
<P>
|
|
<BR> [SomeService]
|
|
<BR> title=Some title
|
|
<BR> description=Some description
|
|
<BR> ports=12/udp|34|56,78:90/tcp
|
|
<P>
|
|
In the above example, 'SomeService' may be used in app rules and it specifies
|
|
UDP port 12, TCP and UDP on port 34 and TCP ports 56 and 78-90 inclusive.
|
|
<P>
|
|
After creating or editing an application profile, users can run:
|
|
<P>
|
|
<BR> ufw app update <name>
|
|
<P>
|
|
This command will automatically update the firewall with updated profile
|
|
information. If specify 'all' for name, then all the profiles will be updated.
|
|
To update a profile and add a new rule to the firewall automatically, users
|
|
can run:
|
|
<P>
|
|
<BR> ufw app update --add-new <name>
|
|
<P>
|
|
The behavior of the <B>update --add-new</B> command can be configured using:
|
|
<P>
|
|
<BR> ufw app default <policy>
|
|
<P>
|
|
The default application policy is <B>skip</B>, which means that the <B>update
|
|
--add-new</B> command will do nothing. Users may also specify a policy of
|
|
<B>allow</B> or <B>deny</B> so the <B>update --add-new</B> command may
|
|
automatically update the firewall. <B>WARNING:</B> it may be a security to risk
|
|
to use a default <B>allow</B> policy for application profiles. Carefully
|
|
consider the security ramifications before using a default <B>allow</B> policy.
|
|
<P>
|
|
<A NAME="lbAJ"> </A>
|
|
<H2>LOGGING</H2>
|
|
|
|
<P>
|
|
|
|
<B>ufw</B> supports multiple logging levels. <B>ufw</B> defaults to a loglevel
|
|
of 'low' when a loglevel is not specified. Users may specify a loglevel with:
|
|
<P>
|
|
<BR> ufw logging LEVEL
|
|
<P>
|
|
LEVEL may be 'off', 'low', 'medium', 'high' and 'full'. Log levels are defined
|
|
as:
|
|
<DL COMPACT>
|
|
<DT id="30"><B>off</B><DD>
|
|
disables ufw managed logging
|
|
<DT id="31"><B>low</B><DD>
|
|
logs all blocked packets not matching the defined policy (with rate limiting),
|
|
as well as packets matching logged rules
|
|
<DT id="32"><B>medium</B><DD>
|
|
log level low, plus all allowed packets not matching the defined policy, all
|
|
INVALID packets, and all new connections. All logging is done with rate
|
|
limiting.
|
|
<DT id="33"><B>high</B><DD>
|
|
log level medium (without rate limiting), plus all packets with rate limiting
|
|
<DT id="34"><B>full</B><DD>
|
|
log level high without rate limiting
|
|
<P>
|
|
</DL>
|
|
<P>
|
|
|
|
Loglevels above medium generate a lot of logging output, and may quickly fill
|
|
up your disk. Loglevel medium may generate a lot of logging output on a busy
|
|
system.
|
|
<P>
|
|
|
|
Specifying 'on' simply enables logging at log level 'low' if logging is
|
|
currently not enabled.
|
|
<P>
|
|
<A NAME="lbAK"> </A>
|
|
<H2>REPORTS</H2>
|
|
|
|
<P>
|
|
|
|
The following reports are supported. Each is based on the live system and with
|
|
the exception of the <B>listening</B> report, is in raw iptables format:
|
|
<P>
|
|
<BR> raw
|
|
<BR> builtins
|
|
<BR> before-rules
|
|
<BR> user-rules
|
|
<BR> after-rules
|
|
<BR> logging-rules
|
|
<BR> listening
|
|
<BR> added
|
|
<P>
|
|
The <B>raw</B> report shows the complete firewall, while the others show a
|
|
subset of what is in the <B>raw</B> report.
|
|
<P>
|
|
|
|
The <B>listening</B> report will display the ports on the live system in the
|
|
listening state for tcp and the open state for udp, along with the address of
|
|
the interface and the executable listening on the port. An '*' is used in
|
|
place of the address of the interface when the executable is bound to all
|
|
interfaces on that port. Following this information is a list of rules which
|
|
may affect connections on this port. The rules are listed in the order they are
|
|
evaluated by the kernel, and the first match wins. Please note that the
|
|
default policy is not listed and tcp6 and udp6 are shown only if IPV6 is
|
|
enabled.
|
|
<P>
|
|
|
|
The <B>added</B> report displays the list of rules as they were added on the
|
|
command-line. This report does not show the status of the running firewall
|
|
(use '<B>ufw status</B>' instead). Because rules are normalized by <B>ufw</B>,
|
|
rules may look different than the originally added rule. Also, <B>ufw</B> does
|
|
not record command ordering, so an equivalent ordering is used which lists
|
|
IPv6-only rules after other rules.
|
|
<P>
|
|
<A NAME="lbAL"> </A>
|
|
<H2>NOTES</H2>
|
|
|
|
<P>
|
|
|
|
On installation, <B>ufw</B> is disabled with a default incoming policy of deny,
|
|
a default forward policy of deny, and a default outgoing policy of allow, with
|
|
stateful tracking for NEW connections for incoming and forwarded connections.
|
|
In addition to the above, a default ruleset is put in place that does the
|
|
following:
|
|
<DL COMPACT>
|
|
<DT id="35">- DROP packets with RH0 headers<DD>
|
|
<DT id="36">- DROP INVALID packets<DD>
|
|
<DT id="37">- ACCEPT certain icmp packets (INPUT and FORWARD): destination-unreachable, source-quench, time-exceeded, parameter-problem, and echo-request for IPv4. destination-unreachable, packet-too-big, time-exceeded, parameter-problem, and echo-request for IPv6.<DD>
|
|
<DT id="38">- ACCEPT icmpv6 packets for stateless autoconfiguration (INPUT)<DD>
|
|
<DT id="39">- ACCEPT ping replies from IPv6 link-local (ffe8::/10) addresses (INPUT)<DD>
|
|
<DT id="40">- ACCEPT DHCP client traffic (INPUT)<DD>
|
|
<DT id="41">- DROP non-local traffic (INPUT)<DD>
|
|
<DT id="42">- ACCEPT mDNS (zeroconf/bonjour/avahi 224.0.0.251 for IPv4 and ff02::fb for IPv6) for service discovery (INPUT)<DD>
|
|
<DT id="43">- ACCEPT UPnP (239.255.255.250 for IPv4 and ff02::f for IPv6) for service discovery (INPUT)<DD>
|
|
<P>
|
|
</DL>
|
|
<P>
|
|
|
|
Rule ordering is important and the first match wins. Therefore when adding
|
|
rules, add the more specific rules first with more general rules later.
|
|
<P>
|
|
|
|
<B>ufw</B> is not intended to provide complete firewall functionality via
|
|
its command interface, but instead provides an easy way to add or remove
|
|
simple rules.
|
|
<P>
|
|
|
|
The status command shows basic information about the state of the firewall, as
|
|
well as rules managed via the <B>ufw</B> command. It does not show rules from the
|
|
rules files in /etc/ufw. To see the complete state of the firewall,
|
|
users can <B>ufw show raw</B>. This displays the filter, nat, mangle and raw
|
|
tables using:
|
|
<P>
|
|
<BR> iptables -n -L -v -x -t <table>
|
|
<BR> ip6tables -n -L -v -x -t <table>
|
|
<P>
|
|
See the <B>iptables</B> and <B>ip6tables</B> documentation for more details.
|
|
<P>
|
|
|
|
If the default policy is set to REJECT, <B>ufw</B> may interfere with rules
|
|
added outside of the ufw framework. See README for details.
|
|
<P>
|
|
|
|
IPV6 is allowed by default. To change this behavior to only accept IPv6 traffic
|
|
on the loopback interface, set IPV6 to 'no' in /etc/default/ufw and
|
|
reload <B>ufw</B>. When IPv6 is enabled, you may specify rules in the same way
|
|
as for IPv4 rules, and they will be displayed with <B>ufw status</B>. Rules that
|
|
match both IPv4 and IPv6 addresses apply to both IP versions. For example, when
|
|
IPv6 is enabled, the following rule will allow access to port 22 for both IPv4
|
|
and IPv6 traffic:
|
|
<P>
|
|
<BR> ufw allow 22
|
|
<P>
|
|
|
|
IPv6 over IPv4 tunnels and 6to4 are supported by using the 'ipv6' protocol
|
|
('41'). This protocol can only be used with the full syntax. For example:
|
|
<P>
|
|
<BR> ufw allow to 10.0.0.1 proto ipv6
|
|
<BR> ufw allow to 10.0.0.1 from 10.4.0.0/16 proto ipv6
|
|
<P>
|
|
|
|
IPSec is supported by using the 'esp' ('50') and 'ah' ('51') protocols. These
|
|
protocols can only be used with the full syntax. For example:
|
|
<P>
|
|
<BR> ufw allow to 10.0.0.1 proto esp
|
|
<BR> ufw allow to 10.0.0.1 from 10.4.0.0/16 proto esp
|
|
<BR> ufw allow to 10.0.0.1 proto ah
|
|
<BR> ufw allow to 10.0.0.1 from 10.4.0.0/16 proto ah
|
|
<P>
|
|
|
|
In addition to the command-line interface, <B>ufw</B> also provides a
|
|
framework which allows administrators to modify default behavior as well as
|
|
take full advantage of netfilter. See the <B>ufw-framework</B> manual page for
|
|
more information.
|
|
<P>
|
|
<A NAME="lbAM"> </A>
|
|
<H2>SEE ALSO</H2>
|
|
|
|
<P>
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?8+ufw-framework">ufw-framework</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+iptables">iptables</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+ip6tables">ip6tables</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+iptables-restore">iptables-restore</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+ip6tables-restore">ip6tables-restore</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+sysctl">sysctl</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?5+sysctl.conf">sysctl.conf</A></B>(5)
|
|
<P>
|
|
<A NAME="lbAN"> </A>
|
|
<H2>AUTHOR</H2>
|
|
|
|
<P>
|
|
|
|
ufw is Copyright 2008-2014, Canonical Ltd.
|
|
<P>
|
|
<P>
|
|
|
|
ufw and this manual page was originally written by Jamie Strandboge <<A HREF="mailto:jamie@canonical.com">jamie@canonical.com</A>>
|
|
<P>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT id="44"><A HREF="#lbAB">NAME</A><DD>
|
|
<DT id="45"><A HREF="#lbAC">DESCRIPTION</A><DD>
|
|
<DT id="46"><A HREF="#lbAD">USAGE</A><DD>
|
|
<DT id="47"><A HREF="#lbAE">OPTIONS</A><DD>
|
|
<DT id="48"><A HREF="#lbAF">RULE SYNTAX</A><DD>
|
|
<DT id="49"><A HREF="#lbAG">EXAMPLES</A><DD>
|
|
<DT id="50"><A HREF="#lbAH">REMOTE MANAGEMENT</A><DD>
|
|
<DT id="51"><A HREF="#lbAI">APPLICATION INTEGRATION</A><DD>
|
|
<DT id="52"><A HREF="#lbAJ">LOGGING</A><DD>
|
|
<DT id="53"><A HREF="#lbAK">REPORTS</A><DD>
|
|
<DT id="54"><A HREF="#lbAL">NOTES</A><DD>
|
|
<DT id="55"><A HREF="#lbAM">SEE ALSO</A><DD>
|
|
<DT id="56"><A HREF="#lbAN">AUTHOR</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 00:06:18 GMT, March 31, 2021
|
|
</BODY>
|
|
</HTML>
|