start:linux:ubuntu:ufw [2020/06/29 14:26] wikiadmin created
start:linux:ubuntu:ufw [2020/06/29 15:19] (current) wikiadmin [Some example uses]
===== Installation and status =====
[[https://
<code bash>
sudo apt-get update     # start the software update
sudo -s                 # gain root privileges; you have to enter the root password
apt-get install ufw     # starts the installation of ufw
</code>

The following command shows the current settings of the firewall:
<code bash>
ufw status   # example output:

root@HPGen10-1:
Status: active

To
--
OpenSSH
22/
OpenSSH (v6)
22/tcp (v6) ALLOW

root@HPGen10-1:
</code>

===== Where is what stored? =====

The settings are stored in the following three files:

  - /
  - /
  - /

These files can be edited with any text editor, for example [[https://
Here is an example of the file **/

<code>
root@HPGen10-1:
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#
#
#
#

# Don't delete these required lines, otherwise there will be errors
*filter
:
:
:
:
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,
-A ufw-before-output -m conntrack --ctstate RELATED,
-A ufw-before-forward -m conntrack --ctstate RELATED,

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the '
COMMIT
root@HPGen10-1:
</code>

Here is an example of the file **/
<code>
root@HPGen10-1:
*filter
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 OpenSSH - in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT -m comment --comment '

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT

### END RULES ###

### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###

### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT
root@HPGen10-1:
</code>
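The two ''### tuple ###'' lines in the file above say the same thing twice: the OpenSSH profile rule and the plain 22/tcp rule both accept TCP port 22 from any address, so deleting one of them does not close the port. As an added example (not part of this wiki page, and not ufw's own tooling), the following POSIX shell script reads the tuple bookkeeping lines from a user rules file and reports which allow rules are open to any source and which rules are logical duplicates. It assumes the tuple layout shown above; the path /etc/ufw/user.rules mentioned in the comments is the stock location and an assumption here, the sample file the script writes is constructed for the example, and the third rule in it (port 32456 from 10.0.0.0/8) is invented. ufw rewrites this file itself whenever a rule is added or deleted, so the script only reads it.

```shell
#!/bin/sh
# Added example: audit the "### tuple ###" lines ufw keeps in its user rules
# file (on a stock Ubuntu install: /etc/ufw/user.rules, assumed here).
# Call the functions below with the path of such a file as $1.
# The sample below is constructed for this example; the first two tuples
# mirror the ones shown on this page, the third is invented.

RULES_FILE=$(mktemp)
trap 'rm -f "$RULES_FILE"' EXIT
cat > "$RULES_FILE" <<'EOF'
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 OpenSSH - in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT

### tuple ### allow tcp 32456 0.0.0.0/0 any 10.0.0.0/8 in
-A ufw-user-input -p tcp --dport 32456 -s 10.0.0.0/8 -j ACCEPT

### END RULES ###
EOF

# One line per tuple: ACTION PROTO DPORT SOURCE DIRECTION.
# Tuple field layout: "### tuple ### ACTION PROTO DPORT DST SPORT SRC [APP -] DIR"
# The optional application label is dropped so profile rules and plain
# port rules become comparable.
ufw_tuples() {
  awk '/^### tuple ###/ { print $4, $5, $6, $9, $NF }' "$1"
}

# Allow rules reachable from any source (IPv4 or IPv6 wildcard).
ufw_world_open() {
  ufw_tuples "$1" | awk '$1 == "allow" && ($4 == "0.0.0.0/0" || $4 == "::/0")'
}

# Rules that are identical once the application label is ignored, like the
# OpenSSH profile rule and the plain 22/tcp rule shown on this page.
ufw_duplicate_tuples() {
  ufw_tuples "$1" | sort | uniq -d
}

echo "== allow rules open to any source (action proto dport src dir) =="
ufw_world_open "$RULES_FILE"
echo "== logically duplicate rules =="
ufw_duplicate_tuples "$RULES_FILE"
```

Run it against a copy of the real file (for example after ''cp /etc/ufw/user.rules /tmp/'') and call ''ufw_world_open /tmp/user.rules''; anything it prints for a port other than SSH deserves a second look, and every duplicate it prints is a rule you will have to delete twice before the port actually closes.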

Here is an example of the file **/
<code>
root@HPGen10-1:
#
# rules.input-after
#
# Rules that should be run after the ufw command line added rules. Custom
# rules should be added to one of these chains:
#
#
#
#

# Don't delete these required lines, otherwise there will be errors
*filter
:
:
:
# End required lines

# don't log noisy services by default
-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input

# don't log noisy broadcast
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input

# don't delete the '
COMMIT
root@HPGen10-1:
</code>
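The ''[UFW BLOCK]'' LOG rules in the user rules file and the ''ufw-skip-to-policy-input'' rules above together decide what ends up in the firewall log; on Ubuntu those kernel messages are usually collected in /var/log/ufw.log (an assumption of this example, the page does not name the file). As an added example (not part of this wiki page), the following POSIX shell script summarises such log lines per source address and flags sources whose blocked packets touched several different ports. The log lines it writes to a temp file are constructed for the example and use RFC 5737 documentation addresses; the host name is taken from the prompts on this page.

```shell
#!/bin/sh
# Added example: summarise "[UFW BLOCK]" kernel log lines per source.
# Real input would be /var/log/ufw.log (assumed path); the lines below are
# constructed for this example and follow the netfilter LOG target format.

LOG_FILE=$(mktemp)
trap 'rm -f "$LOG_FILE"' EXIT
cat > "$LOG_FILE" <<'EOF'
Jun 29 15:19:01 HPGen10-1 kernel: [ 1234.567890] [UFW BLOCK] IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41222 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 29 15:19:02 HPGen10-1 kernel: [ 1235.001122] [UFW BLOCK] IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41223 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 29 15:19:03 HPGen10-1 kernel: [ 1236.445566] [UFW BLOCK] IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41224 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 29 15:19:10 HPGen10-1 kernel: [ 1243.778899] [UFW BLOCK] IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=5 DF PROTO=TCP SPT=50110 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 29 15:19:11 HPGen10-1 kernel: [ 1244.112233] [UFW BLOCK] IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=6 DF PROTO=TCP SPT=50111 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 29 15:19:12 HPGen10-1 kernel: [ 1245.334455] [UFW ALLOW] IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=7 DF PROTO=TCP SPT=50112 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 29 15:19:13 HPGen10-1 sshd[2345]: Accepted publickey for alice from 198.51.100.9 port 50112 ssh2
EOF

# Per blocked source: number of blocked packets and number of distinct
# PROTO/DPT targets. Tokens are parsed as KEY=VALUE, so the position of the
# kernel timestamp (which contains a space) does not matter. ALLOW lines and
# non-firewall lines are skipped by the pattern.
ufw_block_summary() {
  awk '
    /\[UFW BLOCK\]/ {
      src = ""; proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue            # flags such as DF or SYN
        if (kv[1] == "SRC")   src   = kv[2]
        if (kv[1] == "PROTO") proto = kv[2]
        if (kv[1] == "DPT")   dpt   = kv[2]
      }
      if (src == "") next
      hits[src]++
      key = src "|" proto "/" dpt
      if (!(key in seen)) { seen[key] = 1; targets[src]++ }
    }
    END { for (s in hits) print s, hits[s], targets[s] }
  ' "$1" | sort -k2,2nr -k1,1
}

# Sources whose blocked packets touched at least $2 distinct targets:
# a cheap indicator of probing that is worth alerting on, as opposed to a
# single misconfigured client retrying one port.
ufw_scan_candidates() {
  ufw_block_summary "$1" | awk -v min="$2" '$3 >= min { print $1 }'
}

echo "== blocked packets per source (src hits distinct_targets) =="
ufw_block_summary "$LOG_FILE"
echo "== sources that hit 3 or more distinct ports =="
ufw_scan_candidates "$LOG_FILE" 3
```

Because the LOG rules are rate limited (''--limit 3/min --limit-burst 10''), the hit counts are a lower bound: a busy source will be undercounted, which is one more reason to rank by distinct targets rather than by raw packet count.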

===== Some example uses =====

<code bash>
# List all applications that are supposed to pass through the firewall.
ufw app list

# Show the details of OpenSSH.
ufw app info OpenSSH

# Let OpenSSH through the firewall.
ufw allow OpenSSH

# Show the settings.
ufw status

# Open port 32456 over TCP.
ufw allow 32456/tcp
</code>

===== Documentation =====
The following command prints the documentation for **ufw**:

<code bash>
sudo man ufw
</code>

<code>
root@HPGen10-1:

Usage: ufw COMMAND

Commands:
 allow ARGS                      add allow rule
 deny ARGS                       add deny rule
 limit ARGS                      add limit rule
 route RULE                      add route RULE
 route delete RULE|NUM
 route insert NUM RULE
 show ARG                        show firewall report

Application profile commands:
 app list                        list application profiles
 app info PROFILE
 app update PROFILE
 app default ARG                 set default application policy

root@HPGen10-1:
</code>