Configuring UFW on Ubuntu

What
This is a set of scripts to set the firewall rules on my main system at home.
Why
Learn UFW. See what’s happening (ssh attempts, etc). Repeatable. Capture learning.
Who
Me.
When
2015-06-20 (Sat)
Where
Ubuntu 14.04 system at home.
How
See below. Also see http://www.howtogeek.com/115116/how-to-configure-ubuntus-built-in-firewall/ for starters.

Show ufw firewall rules

exec 2>&1;set -e; set -u; set +x; echo '#' `date;`
ufw status || true
# Sat Jun 20 07:20:16 EDT 2015
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   DENY        224.0.0.0/8
Anywhere                   ALLOW       10.0.0.0/8 (log)
22/tcp                     ALLOW       Anywhere (log)
2468/tcp                   ALLOW       Anywhere (log)
25/tcp                     DENY        Anywhere (log)
587/tcp                    DENY        Anywhere (log)
51413/tcp                  ALLOW       Anywhere
51413/udp                  ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6) (log)
2468/tcp (v6)              ALLOW       Anywhere (v6) (log)
25/tcp (v6)                DENY        Anywhere (v6) (log)
587/tcp (v6)               DENY        Anywhere (v6) (log)
51413/tcp (v6)             ALLOW       Anywhere (v6)
51413/udp (v6)             ALLOW       Anywhere (v6)

Clear ufw firewall rules

exec 2>&1;set -e; set -u; set +x; echo '#' `date;`
ufw --force reset  || true
# Sat Jun 20 07:21:11 EDT 2015
Backing up 'user6.rules' to '/lib/ufw/user6.rules.20150620_072111'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20150620_072111'
Backing up 'user.rules' to '/lib/ufw/user.rules.20150620_072111'
Backing up 'after.rules' to '/etc/ufw/after.rules.20150620_072111'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20150620_072111'
Backing up 'before.rules' to '/etc/ufw/before.rules.20150620_072111'

Set a single ufw firewall rule for testing

exec 2>&1;set -e; set -u; set +x; echo '#' `date;`

# Reset to known state. "reset" disables ufw and removes all user rules
# (the old rule files are backed up first); nothing is filtered again
# until "ufw enable" at the end.
ufw --force reset  || true

# Outbound-only test set: log new ssh connections, allow DNS/HTTP/HTTPS/NTP quietly.
ufw allow out log 22/tcp || true
ufw allow out 53/tcp || true
ufw allow out 80/tcp || true
ufw allow out 443/tcp || true

ufw allow out 53/udp || true
ufw allow out 123/udp || true

# Logged catch-all for outbound traffic. ufw stops at the first matching
# rule, so this has to come after the allows above.
ufw deny out log to any || true

# There are no inbound allow rules in this test set. ufw's installation
# default is deny incoming / allow outgoing (check with "ufw status verbose"),
# so with that default new inbound connections, ssh included, are refused.
# An ssh session that is already open survives, because
# /etc/ufw/before.rules accepts ESTABLISHED,RELATED traffic before the
# user rules are consulted.

# default deny (incoming); left commented out for the test, see the production script
#  ufw default deny || true

# turn on logging
ufw logging on || true

#
# Turn firewall back on and show status
#

ufw enable || true
ufw status || true
# Sat Jun 20 08:41:48 EDT 2015
Backing up 'before.rules' to '/etc/ufw/before.rules.20150620_084149'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20150620_084149'
Backing up 'after.rules' to '/etc/ufw/after.rules.20150620_084149'
Backing up 'user6.rules' to '/lib/ufw/user6.rules.20150620_084149'
Backing up 'user.rules' to '/lib/ufw/user.rules.20150620_084149'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20150620_084149'

Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Logging enabled
Firewall is active and enabled on system startup
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW OUT   Anywhere (log)
53/tcp                     ALLOW OUT   Anywhere
80/tcp                     ALLOW OUT   Anywhere
443/tcp                    ALLOW OUT   Anywhere
53/udp                     ALLOW OUT   Anywhere
123/udp                    ALLOW OUT   Anywhere
Anywhere                   DENY OUT    Anywhere (log)
22/tcp (v6)                ALLOW OUT   Anywhere (v6) (log)
53/tcp (v6)                ALLOW OUT   Anywhere (v6)
80/tcp (v6)                ALLOW OUT   Anywhere (v6)
443/tcp (v6)               ALLOW OUT   Anywhere (v6)
53/udp (v6)                ALLOW OUT   Anywhere (v6)
123/udp (v6)               ALLOW OUT   Anywhere (v6)
Anywhere (v6)              DENY OUT    Anywhere (v6) (log)

Set ufw firewall rules that I want for production

exec 2>&1;set -e; set -u; set +x; echo '#' `date;`

# Reset to known state. This disables ufw and removes all user rules (the
# old rule files are backed up); nothing is filtered until "ufw enable" at
# the end. Every ufw call below is followed by "|| true", so a mistyped rule
# does not abort the script: compare the "ufw status" output at the end with
# what you meant to load.
ufw --force reset  || true

# allow/log things we want to know about

ufw allow out log 22/tcp || true
ufw allow out log 53/tcp || true
ufw allow in  log 22/tcp || true
ufw allow in  log 2468/tcp || true

# allow things we don't care about

# ufw has no "any direction" keyword: a rule is either "in" (the default)
# or "out", and matches the source port and the destination port
# separately, so a port that is used as source and destination in both
# directions takes four rules. For UDP all four can matter, because a
# peer-to-peer client sends new datagrams from its listening port.
# (Replies to a flow the firewall has already accepted are passed by the
# ESTABLISHED,RELATED rule in /etc/ufw/before.rules and never reach
# these rules.)
ufw allow out proto udp from any port 51413 to any || true
ufw allow out proto udp from any to any port 51413 || true
ufw allow in proto udp from any to any port 51413 || true
ufw allow in proto udp from any port 51413 to any || true

# For TCP, outbound connections use ephemeral source ports and inbound
# connections arrive at the listening port, so the two "from any port 51413"
# rules match little beyond return traffic that conntrack already accepts.
ufw allow out proto tcp from any port 51413 to any || true
ufw allow out proto tcp from any to any port 51413 || true
ufw allow in proto tcp from any to any port 51413 || true
ufw allow in proto tcp from any port 51413 to any || true


ufw allow out 53/udp || true
ufw allow out 80/tcp || true
ufw allow out 443/tcp || true
ufw allow out 123/udp || true

# Dropbox LAN sync discovery broadcasts on UDP 17500
ufw allow out proto udp from any to any port 17500 || true # dropbox
ufw allow in  proto udp from any to any port 17500 || true # dropbox
ufw allow out proto udp from any port 17500  to any || true # dropbox
ufw allow in  proto udp from any port 17500  to any || true # dropbox

# general allow with logging: anything inbound from the home LAN
ufw allow in  log from 10.0.0.0/8 || true

# silently drop some things (multicast, which otherwise fills the log).
# Two caveats. ufw evaluates rules in order and stops at the first match,
# so placed after the 10.0.0.0/8 allow this deny never sees multicast sent
# by LAN hosts; that traffic is still accepted and logged by the LAN rule.
# Insert it before the LAN allow to actually quieten it. Also, IPv4
# multicast is 224.0.0.0/4; the /8 here only covers 224.x.x.x (which does
# include the link-local 224.0.0.x groups used by mDNS and routing protocols).
ufw deny to 224.0.0.0/8 || true

# deny and log the rest of the outbound traffic. Must be the last outbound
# rule, for the same first-match reason.
ufw deny out log to any || true

# default deny: this sets the default policy for incoming only (it is the
# same as "ufw default deny incoming"); the outgoing default stays "allow",
# which is why the explicit logged "deny out" above serves as the
# outbound catch-all.
ufw default deny || true

# turn on logging
ufw logging on || true

#
# Turn firewall back on and show status
#

ufw enable || true
ufw status || true
# Sat Jun 20 10:22:12 EDT 2015
Backing up 'after.rules' to '/etc/ufw/after.rules.20150620_102212'
Backing up 'user.rules' to '/lib/ufw/user.rules.20150620_102212'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20150620_102212'
Backing up 'user6.rules' to '/lib/ufw/user6.rules.20150620_102212'
Backing up 'before.rules' to '/etc/ufw/before.rules.20150620_102212'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20150620_102212'

Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated (v6)
Rules updated
Rules updated
Rules updated
Rules updated (v6)
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
Logging enabled
Firewall is active and enabled on system startup
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere (log)
2468/tcp                   ALLOW       Anywhere (log)
51413/udp                  ALLOW       Anywhere
Anywhere                   ALLOW       51413/udp
51413/tcp                  ALLOW       Anywhere
Anywhere                   ALLOW       51413/tcp
17500/udp                  ALLOW       Anywhere
Anywhere                   ALLOW       17500/udp
Anywhere                   ALLOW       10.0.0.0/8 (log)
224.0.0.0/8                DENY        Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6) (log)
2468/tcp (v6)              ALLOW       Anywhere (v6) (log)
51413/udp (v6)             ALLOW       Anywhere (v6)
Anywhere (v6)              ALLOW       51413/udp (v6)
51413/tcp (v6)             ALLOW       Anywhere (v6)
Anywhere (v6)              ALLOW       51413/tcp (v6)
17500/udp (v6)             ALLOW       Anywhere (v6)
Anywhere (v6)              ALLOW       17500/udp (v6)

22/tcp                     ALLOW OUT   Anywhere (log)
53/tcp                     ALLOW OUT   Anywhere (log)
Anywhere                   ALLOW OUT   51413/udp
51413/udp                  ALLOW OUT   Anywhere
Anywhere                   ALLOW OUT   51413/tcp
51413/tcp                  ALLOW OUT   Anywhere
53/udp                     ALLOW OUT   Anywhere
80/tcp                     ALLOW OUT   Anywhere
443/tcp                    ALLOW OUT   Anywhere
123/udp                    ALLOW OUT   Anywhere
17500/udp                  ALLOW OUT   Anywhere
Anywhere                   ALLOW OUT   17500/udp
Anywhere                   DENY OUT    Anywhere (log)
22/tcp (v6)                ALLOW OUT   Anywhere (v6) (log)
53/tcp (v6)                ALLOW OUT   Anywhere (v6) (log)
Anywhere (v6)              ALLOW OUT   51413/udp (v6)
51413/udp (v6)             ALLOW OUT   Anywhere (v6)
Anywhere (v6)              ALLOW OUT   51413/tcp (v6)
51413/tcp (v6)             ALLOW OUT   Anywhere (v6)
53/udp (v6)                ALLOW OUT   Anywhere (v6)
80/tcp (v6)                ALLOW OUT   Anywhere (v6)
443/tcp (v6)               ALLOW OUT   Anywhere (v6)
123/udp (v6)               ALLOW OUT   Anywhere (v6)
17500/udp (v6)             ALLOW OUT   Anywhere (v6)
Anywhere (v6)              ALLOW OUT   17500/udp (v6)
Anywhere (v6)              DENY OUT    Anywhere (v6) (log)
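The same production rule set, generated from a script rather than typed out one ufw line at a time. This is an added example and not a script from the original post: it assumes the ufw syntax shipped with Ubuntu 14.04 and the port numbers used above, defaults to printing the ufw commands (UFW=echo) so the rule order can be reviewed before anything is applied, and differs from the script above in two deliberate ways: the multicast deny is placed before the LAN allow, and it covers the whole 224.0.0.0/4 multicast range. The helper names (allow_udp_any_direction, allow_tcp_service, build_rules, dry_run) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post. UFW=echo (the default here)
# prints the ufw commands that would run; UFW="sudo ufw" applies them.
# Everything is emitted in rule order: ufw matches the first rule that fits,
# so the logged catch-all deny goes last.
# Assumed: ufw syntax as on Ubuntu 14.04; port numbers from the post.

UFW="${UFW:-echo}"

# allow_udp_any_direction PORT
# ufw has no "both directions" keyword, so a UDP port used as source and
# destination, inbound and outbound, needs four rules. The outbound
# "from any port" rule matters for clients that send new datagrams from
# their listening port; replies to flows already accepted are passed by the
# ESTABLISHED,RELATED rule in /etc/ufw/before.rules anyway.
allow_udp_any_direction() {
    $UFW allow in  proto udp from any to any port "$1"
    $UFW allow in  proto udp from any port "$1" to any
    $UFW allow out proto udp from any to any port "$1"
    $UFW allow out proto udp from any port "$1" to any
}

# allow_tcp_service PORT: accept connections to PORT from outside and let
# this host connect to PORT elsewhere. Outbound TCP uses ephemeral source
# ports, so no "from any port" rules are needed.
allow_tcp_service() {
    $UFW allow in  proto tcp from any to any port "$1"
    $UFW allow out proto tcp from any to any port "$1"
}

build_rules() {
    $UFW --force reset

    # logged allows: the traffic we want to see in /var/log/ufw.log
    $UFW allow in  log 22/tcp
    $UFW allow in  log 2468/tcp
    $UFW allow out log 22/tcp
    $UFW allow out log 53/tcp

    # quiet outbound allows for the usual client protocols
    for p in 53/udp 80/tcp 443/tcp 123/udp; do
        $UFW allow out "$p"
    done

    allow_udp_any_direction 51413    # BitTorrent
    allow_tcp_service       51413    # BitTorrent
    allow_udp_any_direction 17500    # Dropbox LAN sync

    # silence multicast BEFORE the LAN allow, otherwise the LAN allow matches
    # first and logs it. 224.0.0.0/4 is the whole IPv4 multicast range.
    $UFW deny in to 224.0.0.0/4
    $UFW allow in log from 10.0.0.0/8

    # logged outbound catch-all; last, so that every allow above wins first
    $UFW deny out log to any

    $UFW default deny incoming
    $UFW logging on
    $UFW enable
}

# dry_run: the command list with UFW forced to echo, for review and testing
dry_run() {
    ( UFW=echo; build_rules )
}

# rule_count: how many allow/deny rules the set contains
rule_count() {
    dry_run | grep -c -E '^(allow|deny) '
}

# last_rule: the final allow/deny rule, which must be the logged outbound deny
last_rule() {
    dry_run | grep -E '^(allow|deny) ' | tail -n 1
}

build_rules
```

Run it as `sh rules.sh` to review the 21 rules it would load, then `UFW="sudo ufw" sh rules.sh` to apply them; as with the post's own script, the firewall is off between the reset and the final enable, and the `ufw status` afterwards is the check that every rule was accepted.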

enable ufw

exec 2>&1;set -e; set -u; set +x; echo '#' `date;`
ufw enable || true
# Sat Jun 20 07:21:26 EDT 2015
Firewall is active and enabled on system startup

Show ufw firewall rules

exec 2>&1;set -e; set -u; set +x; echo '#' `date;`
ufw status || true
# Sat Jun 20 07:30:43 EDT 2015
Status: active

To                         Action      From
--                         ------      ----
224.0.0.0/8                DENY        Anywhere
Anywhere                   ALLOW       10.0.0.0/8 (log)
22/tcp                     ALLOW       Anywhere (log)
2468/tcp                   ALLOW       Anywhere (log)
25/tcp                     DENY        Anywhere (log)
587/tcp                    DENY        Anywhere (log)
51413/tcp                  ALLOW       Anywhere
51413/udp                  ALLOW       Anywhere
255.255.255.255 17500/udp  ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6) (log)
2468/tcp (v6)              ALLOW       Anywhere (v6) (log)
25/tcp (v6)                DENY        Anywhere (v6) (log)
587/tcp (v6)               DENY        Anywhere (v6) (log)
51413/tcp (v6)             ALLOW       Anywhere (v6)
51413/udp (v6)             ALLOW       Anywhere (v6)

Show ufw rules added

exec 2>&1;set -e; set -u; set +x; echo '#' `date;`
ufw show added || true
# Sat Jun 20 07:16:05 EDT 2015
Added user rules (see 'ufw status' for running firewall):
ufw allow log 22/tcp
ufw allow log 2468/tcp
ufw deny log 25/tcp
ufw deny log 587/tcp
ufw allow 51413/tcp
ufw allow 51413/udp
ufw allow log from 10.0.0.0/8
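The "log" rules above write to /var/log/ufw.log, which is where the "see what's happening (ssh attempts, etc)" part of the Why gets answered. Below is an added example, not part of the original post, that summarises those entries: each is a kernel LOG line with a "[UFW ALLOW]" or "[UFW BLOCK]" prefix followed by iptables KEY=VALUE fields, and an empty "IN=" field marks a packet leaving the host, which is what the logged "deny out" catch-all produces. The SAMPLE_LOG lines are constructed for the example (documentation addresses, made-up timestamps); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post. Usage on a real system:
#   ufw_summary < /var/log/ufw.log
# SAMPLE_LOG is constructed for this example; only the field layout is real.

SAMPLE_LOG='Jun 20 07:25:01 home kernel: [ 1201.123456] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 20 07:25:03 home kernel: [ 1203.223456] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 20 07:26:10 home kernel: [ 1270.001234] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.1.20 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 20 07:27:44 home kernel: [ 1364.555555] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=0 DF PROTO=TCP SPT=6000 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 20 07:28:02 home kernel: [ 1382.000001] [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=44321 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0'

# ufw_summary: one line per (count, verdict, direction, proto/dport, src),
# most frequent first. An empty "IN=" field means the packet was leaving
# the host (the OUT= field then names the interface).
ufw_summary() {
    awk '
    /\[UFW (ALLOW|BLOCK)\]/ {
        verdict = ($0 ~ /\[UFW BLOCK\]/) ? "BLOCK" : "ALLOW"
        dir = "IN"; src = "?"; dpt = "?"; proto = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "IN=")          dir = "OUT"
            else if ($i ~ /^SRC=/)    src = substr($i, 5)
            else if ($i ~ /^DPT=/)    dpt = substr($i, 5)
            else if ($i ~ /^PROTO=/)  proto = substr($i, 7)
        }
        n[verdict " " dir " " proto "/" dpt " " src]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# blocked_ssh_sources: addresses whose inbound ssh connection attempts were dropped
blocked_ssh_sources() {
    ufw_summary | awk '$2 == "BLOCK" && $3 == "IN" && $4 == "TCP/22" { print $5 }'
}

# outbound_blocks: number of packets the logged "deny out" catch-all stopped.
# Anything here is a local process trying to reach a port the rules do not
# allow, which is worth a look.
outbound_blocks() {
    ufw_summary | awk '$2 == "BLOCK" && $3 == "OUT" { s += $1 } END { print s + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | ufw_summary
```

With "logging on" (ufw's low level) only blocked packets and the rules marked "log" are recorded, and "log" records new connections only, so the counts are attempts, not packets; use "log-all" on a rule if you want every packet.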