Manjaro Difference between revisions of "Firewalls"

Difference between revisions of "Firewalls"

From Manjaro
m (Template inserted)
m (Template inserted)
Line 19: Line 19:
<!--T:6-->
<!--T:6-->
You can install the {{ic|ufw}} package using you favorite package manager or the command:
You can install the {{ic|ufw}} package using you favorite package manager or the command:
  {{UserCmd|command=pamac install ufw}}
  <tvar|usercmd1>{{UserCmd|command=pamac install ufw}}</>




<!--T:7-->
<!--T:7-->
Once UFW is installed you need to start and enable it using the commands:
Once UFW is installed you need to start and enable it using the commands:
  {{UserCmd|command=sudo systemctl enable ufw.service}}
  <tvar|usercmd2>{{UserCmd|command=sudo systemctl enable ufw.service}}</>
  {{UserCmd|command=sudo ufw enable}}
  <tvar|usercmd3>{{UserCmd|command=sudo ufw enable}}</>




Line 45: Line 45:
<!--T:11-->
<!--T:11-->
This indicates that it will block all incoming traffic and allow all outgoing traffic.  This is a good starting point for most desktop systems.  However, often we will want to allow some incoming traffic.  This can be done with the command {{ic|ufw allow}}.  For example, if we want to allow incoming ssh traffic so we can connect to the machine from other machines on the network we could use the command:
This indicates that it will block all incoming traffic and allow all outgoing traffic.  This is a good starting point for most desktop systems.  However, often we will want to allow some incoming traffic.  This can be done with the command {{ic|ufw allow}}.  For example, if we want to allow incoming ssh traffic so we can connect to the machine from other machines on the network we could use the command:
  {{UserCmd|command=sudo ufw allow ssh}}
  <tvar|usercmd4>{{UserCmd|command=sudo ufw allow ssh}}</>


<!--T:12-->
<!--T:12-->
If we wanted to also tcp connections to a local webserver on a non-standard https port, 8443.  We could use the command:
If we wanted to also tcp connections to a local webserver on a non-standard https port, 8443.  We could use the command:
  {{UserCmd|command=sudo ufw allow in 8443/tcp}}
  <tvar|usercmd5>{{UserCmd|command=sudo ufw allow in 8443/tcp}}</>


<!--T:13-->
<!--T:13-->
Line 58: Line 58:
<!--T:15-->
<!--T:15-->
You may notice a difference in the above two commands.  When we built the rules for ssh we used the name and for https we used the port number, 8443.  This is because UFW has a small database of applications it knows the ports for.  You can see the list with the command:
You may notice a difference in the above two commands.  When we built the rules for ssh we used the name and for https we used the port number, 8443.  This is because UFW has a small database of applications it knows the ports for.  You can see the list with the command:
{{UserCmd|command=sudo ufw app list}}
<tvar|usercmd5>{{UserCmd|command=sudo ufw app list}}</>




Line 79: Line 79:
<!--T:19-->
<!--T:19-->
Some additional preconfigured applications can be added by installing the package {{ic|ufw-extras}} with your favorite package manager or the command:
Some additional preconfigured applications can be added by installing the package {{ic|ufw-extras}} with your favorite package manager or the command:
  {{UserCmd|command=pamac install ufw-extras}}
  <tvar|usercmd7>{{UserCmd|command=pamac install ufw-extras}}</>


==Removing Rules== <!--T:20-->
==Removing Rules== <!--T:20-->
Line 85: Line 85:
<!--T:21-->
<!--T:21-->
Rules can be removed with the {{ic|ufw delete}} command.  For example, to delete our 8443 rules we could use the command:
Rules can be removed with the {{ic|ufw delete}} command.  For example, to delete our 8443 rules we could use the command:
  {{UserCmd|command=sudo ufw delete allow 8443/tcp}}
  <tvar|usercmd8>{{UserCmd|command=sudo ufw delete allow 8443/tcp}}</>




Line 103: Line 103:
<!--T:24-->
<!--T:24-->
Now if we wanted to stop allowing ssh on ipv6 we could use the command:
Now if we wanted to stop allowing ssh on ipv6 we could use the command:
  {{UserCmd|command=sudo ufw delete 2}}
  <tvar|usercmd9>{{UserCmd|command=sudo ufw delete 2}}</>


==GUFW== <!--T:25-->
==GUFW== <!--T:25-->
Line 115: Line 115:
<!--T:27-->
<!--T:27-->
If it is not installed already gufw can be installed from the repos:
If it is not installed already gufw can be installed from the repos:
  {{UserCmd|command=pamac install gufw}}
  <tvar|usercmdA>{{UserCmd|command=pamac install gufw}}</>




Line 130: Line 130:
<!--T:31-->
<!--T:31-->
To enable loading rules on startup you can use the command:
To enable loading rules on startup you can use the command:
  {{UserCmd|command=sudo systemctl enable iptables.service}}
  <tvar|usercmdB>{{UserCmd|command=sudo systemctl enable iptables.service}}</>




Line 139: Line 139:
<!--T:33-->
<!--T:33-->
To display the currently loaded rules:
To display the currently loaded rules:
  {{UserCmd|command=sudo iptables -L}}
  <tvar|usercmdC>{{UserCmd|command=sudo iptables -L}}</>




Line 154: Line 154:
<!--T:36-->
<!--T:36-->
To allow ssh connections
To allow ssh connections
  {{UserCmd|command=sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT}}
  <tvar|usercmdF>{{UserCmd|command=sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT}}</>
  {{UserCmd|command=sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT}}
  <tvar|usercmdG>{{UserCmd|command=sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT}}</>


=See Also= <!--T:37-->
=See Also= <!--T:37-->

Revision as of 14:09, 17 September 2021

Other languages:
English • ‎русский • ‎فارسی • ‎中文(中国大陆)‎

Overview

Running a local firewall is almost always a good practice. Even when you are behind a network firewall, a local firewall protects you from threats on the inside of your network.


UFW

UFW stands for Uncomplicated FireWall, and is a program for managing a netfilter firewall. It provides a command line interface and aims to be uncomplicated and easy to use. UFW is far simpler than iptables and a good place to start unless you have very specialized needs.


Installing UFW

You can install the ufw package using you favorite package manager or the command:

user $ pamac install ufw COPY TO CLIPBOARD



Once UFW is installed you need to start and enable it using the commands:

user $ sudo systemctl enable ufw.service COPY TO CLIPBOARD


user $ sudo ufw enable COPY TO CLIPBOARD



Warning
Don't enable both iptables.service and ufw.service

Adding Rules

To view the current configuration you can use the command ufw status. Here is what it looks like in a new install:


$ sudo ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip


This indicates that it will block all incoming traffic and allow all outgoing traffic. This is a good starting point for most desktop systems. However, often we will want to allow some incoming traffic. This can be done with the command ufw allow. For example, if we want to allow incoming ssh traffic so we can connect to the machine from other machines on the network we could use the command:

user $ sudo ufw allow ssh COPY TO CLIPBOARD


If we wanted to also tcp connections to a local webserver on a non-standard https port, 8443. We could use the command:

user $ sudo ufw allow in 8443/tcp COPY TO CLIPBOARD




Tip
When you don't specify "in" or "out", "in" is assumed

UFW and Applications

You may notice a difference in the above two commands. When we built the rules for ssh we used the name and for https we used the port number, 8443. This is because UFW has a small database of applications it knows the ports for. You can see the list with the command:

user $ sudo ufw app list COPY TO CLIPBOARD



For applications on the list you can add them by name. If you want to review the configuration for one of the applications, you can use the command ufw app info. For example, to the configuration for ssh:


$ sudo ufw app info SSH

Profile: SSH
Title: SSH server
Description: SSH server

Port:
  22/tcp



Tip
When using ufw app the commands are case sensitive but when adding rules they are not


Some additional preconfigured applications can be added by installing the package ufw-extras with your favorite package manager or the command:

user $ pamac install ufw-extras COPY TO CLIPBOARD


Removing Rules

Rules can be removed with the ufw delete command. For example, to delete our 8443 rules we could use the command:

user $ sudo ufw delete allow 8443/tcp COPY TO CLIPBOARD



You can also delete them by number. This is easier if you have a numbered list which you can see with the command:


$ sudo ufw status numbered

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere                  
[ 2] 22 (v6)                    ALLOW IN    Anywhere (v6)


Now if we wanted to stop allowing ssh on ipv6 we could use the command:

user $ sudo ufw delete 2 COPY TO CLIPBOARD


GUFW

Gufw.jpg


Prefer to use GUI applications and still want to manage your firewall? No problem. GUFW is a GTK front-end for UFW that aims to make managing a Linux firewall as accessible and easy as possible. It features pre-sets for common ports and p2p applications.


If it is not installed already gufw can be installed from the repos:

user $ pamac install gufw COPY TO CLIPBOARD



It will now be available in the menu as Firewall Configuration or by running gufw directly.

iptables

iptables is included as part of the Linux kernel. iptables is significantly more complicated than using a tool like UFW. As a result, a full tutorial on iptables is beyond the scope of this wiki. Using iptables on Manjaro should be the same for every distribution of Linux so there is plenty of available documentation. Some of this is linked below. Here are some basics to get you started.


To enable loading rules on startup you can use the command:

user $ sudo systemctl enable iptables.service COPY TO CLIPBOARD



This will load the rules from the file /etc/iptables/iptables.rules.


To display the currently loaded rules:

user $ sudo iptables -L COPY TO CLIPBOARD



To save the current rules to a file

user $ sudo sh -c "iptables-save > /etc/iptables/iptables.rules" /etc/iptables/iptables.rules" " aria-disabled="false">COPY TO CLIPBOARD



To load the rules from a file

user $ sudo sh -c "iptables-restore > /etc/iptables/iptables.rules" /etc/iptables/iptables.rules" " aria-disabled="false">COPY TO CLIPBOARD



To allow ssh connections

user $ sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT COPY TO CLIPBOARD


user $ sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT COPY TO CLIPBOARD


See Also

Cookies help us deliver our services. By using our services, you agree to our use of cookies.