translator
987
edits
Difference between revisions of "Firewalls"
m
Template inserted
m (Template inserted) |
m (Template inserted) |
||
| Line 19: | Line 19: | ||
<!--T:6--> | <!--T:6--> | ||
You can install the {{ic|ufw}} package using you favorite package manager or the command: | You can install the {{ic|ufw}} package using you favorite package manager or the command: | ||
{{UserCmd|command=pamac install ufw}} | <tvar|usercmd1>{{UserCmd|command=pamac install ufw}}</> | ||
<!--T:7--> | <!--T:7--> | ||
Once UFW is installed you need to start and enable it using the commands: | Once UFW is installed you need to start and enable it using the commands: | ||
{{UserCmd|command=sudo systemctl enable ufw.service}} | <tvar|usercmd2>{{UserCmd|command=sudo systemctl enable ufw.service}}</> | ||
{{UserCmd|command=sudo ufw enable}} | <tvar|usercmd3>{{UserCmd|command=sudo ufw enable}}</> | ||
| Line 45: | Line 45: | ||
<!--T:11--> | <!--T:11--> | ||
This indicates that it will block all incoming traffic and allow all outgoing traffic. This is a good starting point for most desktop systems. However, often we will want to allow some incoming traffic. This can be done with the command {{ic|ufw allow}}. For example, if we want to allow incoming ssh traffic so we can connect to the machine from other machines on the network we could use the command: | This indicates that it will block all incoming traffic and allow all outgoing traffic. This is a good starting point for most desktop systems. However, often we will want to allow some incoming traffic. This can be done with the command {{ic|ufw allow}}. For example, if we want to allow incoming ssh traffic so we can connect to the machine from other machines on the network we could use the command: | ||
{{UserCmd|command=sudo ufw allow ssh}} | <tvar|usercmd4>{{UserCmd|command=sudo ufw allow ssh}}</> | ||
<!--T:12--> | <!--T:12--> | ||
If we wanted to also tcp connections to a local webserver on a non-standard https port, 8443. We could use the command: | If we wanted to also tcp connections to a local webserver on a non-standard https port, 8443. We could use the command: | ||
{{UserCmd|command=sudo ufw allow in 8443/tcp}} | <tvar|usercmd5>{{UserCmd|command=sudo ufw allow in 8443/tcp}}</> | ||
<!--T:13--> | <!--T:13--> | ||
| Line 58: | Line 58: | ||
<!--T:15--> | <!--T:15--> | ||
You may notice a difference in the above two commands. When we built the rules for ssh we used the name and for https we used the port number, 8443. This is because UFW has a small database of applications it knows the ports for. You can see the list with the command: | You may notice a difference in the above two commands. When we built the rules for ssh we used the name and for https we used the port number, 8443. This is because UFW has a small database of applications it knows the ports for. You can see the list with the command: | ||
{{UserCmd|command=sudo ufw app list}} | <tvar|usercmd5>{{UserCmd|command=sudo ufw app list}}</> | ||
| Line 79: | Line 79: | ||
<!--T:19--> | <!--T:19--> | ||
Some additional preconfigured applications can be added by installing the package {{ic|ufw-extras}} with your favorite package manager or the command: | Some additional preconfigured applications can be added by installing the package {{ic|ufw-extras}} with your favorite package manager or the command: | ||
{{UserCmd|command=pamac install ufw-extras}} | <tvar|usercmd7>{{UserCmd|command=pamac install ufw-extras}}</> | ||
==Removing Rules== <!--T:20--> | ==Removing Rules== <!--T:20--> | ||
| Line 85: | Line 85: | ||
<!--T:21--> | <!--T:21--> | ||
Rules can be removed with the {{ic|ufw delete}} command. For example, to delete our 8443 rules we could use the command: | Rules can be removed with the {{ic|ufw delete}} command. For example, to delete our 8443 rules we could use the command: | ||
{{UserCmd|command=sudo ufw delete allow 8443/tcp}} | <tvar|usercmd8>{{UserCmd|command=sudo ufw delete allow 8443/tcp}}</> | ||
| Line 103: | Line 103: | ||
<!--T:24--> | <!--T:24--> | ||
Now if we wanted to stop allowing ssh on ipv6 we could use the command: | Now if we wanted to stop allowing ssh on ipv6 we could use the command: | ||
{{UserCmd|command=sudo ufw delete 2}} | <tvar|usercmd9>{{UserCmd|command=sudo ufw delete 2}}</> | ||
==GUFW== <!--T:25--> | ==GUFW== <!--T:25--> | ||
| Line 115: | Line 115: | ||
<!--T:27--> | <!--T:27--> | ||
If it is not installed already gufw can be installed from the repos: | If it is not installed already gufw can be installed from the repos: | ||
{{UserCmd|command=pamac install gufw}} | <tvar|usercmdA>{{UserCmd|command=pamac install gufw}}</> | ||
| Line 130: | Line 130: | ||
<!--T:31--> | <!--T:31--> | ||
To enable loading rules on startup you can use the command: | To enable loading rules on startup you can use the command: | ||
{{UserCmd|command=sudo systemctl enable iptables.service}} | <tvar|usercmdB>{{UserCmd|command=sudo systemctl enable iptables.service}}</> | ||
| Line 139: | Line 139: | ||
<!--T:33--> | <!--T:33--> | ||
To display the currently loaded rules: | To display the currently loaded rules: | ||
{{UserCmd|command=sudo iptables -L}} | <tvar|usercmdC>{{UserCmd|command=sudo iptables -L}}</> | ||
| Line 154: | Line 154: | ||
<!--T:36--> | <!--T:36--> | ||
To allow ssh connections | To allow ssh connections | ||
{{UserCmd|command=sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT}} | <tvar|usercmdF>{{UserCmd|command=sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT}}</> | ||
{{UserCmd|command=sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT}} | <tvar|usercmdG>{{UserCmd|command=sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT}}</> | ||
=See Also= <!--T:37--> | =See Also= <!--T:37--> | ||