
This document is a WORK IN PROGRESS.
This is just a quick personal cheat sheet: treat its contents with caution!


ufw

ufw stands for Uncomplicated Firewall, and is just that. It writes its logs through syslog (for example via syslog-ng), which can be used for monitoring, and uses iptables as its back end. ufw supports both IPv4 and IPv6.


Install

A correct kernel config is needed:

$ cd /usr/src/linux
# make nconfig # or `# make menuconfig`

    # IPv4 settings
    # Double check here: <https://wiki.gentoo.org/wiki/Ufw#Kernel>
    #
    > [*] Networking support  ---> # Symbol: NET [=y]
    >   Networking options  --->
    >     [*] Network packet filtering framework (Netfilter)  ---> # Symbol: NETFILTER [=y]
    >       Core Netfilter Configuration  --->
    >         <*> NetBIOS name service protocol support # Symbol: NF_CONNTRACK_NETBIOS_NS [=y]

    # IPv6 settings
    # Double check here: <https://wiki.gentoo.org/wiki/Ufw#Kernel>
    #
    > [*] Networking support  ---> # Symbol: NET [=y]
    >   Networking options  --->
    >     [*] Network packet filtering framework (Netfilter)  ---> # Symbol: NETFILTER [=y]
    >       IPv6: Netfilter Configuration  --->
    >         <*>   "rt" Routing header match support # Symbol: IP6_NF_MATCH_RT [=y]
    >         <*>   "HL" hoplimit target support # Symbol: IP6_NF_TARGET_HL [=y]

    # Iptables
    # Double check here: <https://wiki.gentoo.org/wiki/Iptables#Kernel>
    #
    ⚠️ TODO⚠️

Warning

After configuring the kernel, don't forget to rebuild and install the kernel!

# emerge -a ufw     # Gentoo
# pacman -S ufw     # Arch Linux
# apt install ufw   # Debian / Ubuntu

Config

On OpenRC, add ufw to the default runlevel and start it:

# rc-update add ufw default
# rc-service ufw start

On runit, link the service directory into the active service directory. Depending on your runit implementation, that is one of:

# ln -s /etc/runit/sv/ufw /service
# ln -s /etc/runit/sv/ufw /var/service
# ln -s /etc/runit/sv/ufw /run/runit/service

In any case, finally start it:

# sv up ufw

On SysV init:

# service ufw start
# chkconfig ufw on

On systemd:

# systemctl enable ufw
# systemctl start ufw

Use

  • Enable ufw (only required one time after the package has been installed)

    # ufw enable
    

  • Allow ssh (if wanted), since incoming connections are blocked by default:

    # ufw allow ssh
    

  • Create a simple configuration (just an example):

    # ufw default deny
    # ufw allow from 192.168.0.0/24
    

  • Get a list of possible applications to add:

    # ufw app list
    

  • Add an application:

    # ufw allow application-name
    

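A small audit of the resulting policy, as an added example that is not part of this cheat sheet: it parses the output of `ufw status verbose` (a constructed sample below, shaped like the result of the commands above) and flags a default incoming policy other than deny, disabled logging, and any ssh rule that admits sources outside the management network. The management network, the sample output and the finding texts are assumptions of this example.

```python
import re

# Constructed sample of `ufw status verbose` (not captured from a real host),
# shaped like the result of `ufw default deny`, `ufw allow ssh`,
# `ufw allow from 192.168.0.0/24` and `ufw allow 80,443/tcp`.
SAMPLE_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80,443/tcp                 ALLOW IN    Anywhere
Anywhere                   ALLOW IN    192.168.0.0/24
22/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

# One rule line: "<to>  ALLOW IN  <from>"; the direction is optional on old ufw versions.
RULE_RE = re.compile(
    r"^(?P<to>.+?)\s{2,}(?P<action>ALLOW|DENY|REJECT|LIMIT)(?: (?P<dir>IN|OUT|FWD))?\s{2,}(?P<src>.+?)\s*$"
)


def parse_status(text):
    """Return (defaults, logging, rules) from `ufw status verbose` text."""
    defaults, logging, rules = {}, None, []
    for line in text.splitlines():
        if line.startswith("Default:"):
            # "deny (incoming), allow (outgoing), ..." -> {"incoming": "deny", ...}
            for m in re.finditer(r"(\w+) \((\w+)\)", line):
                defaults[m.group(2)] = m.group(1)
        elif line.startswith("Logging:"):
            logging = line.split(":", 1)[1].strip()
        else:
            m = RULE_RE.match(line)
            if m:
                rules.append((m["to"], m["action"], m["dir"] or "IN", m["src"]))
    return defaults, logging, rules


def audit(text, mgmt_net="192.168.0.0/24"):
    """Flag deviations from the intended policy: deny incoming by default,
    keep logging on, and expose ssh (22/tcp) only to mgmt_net (an assumed value)."""
    defaults, logging, rules = parse_status(text)
    findings = []
    if defaults.get("incoming") != "deny":
        findings.append("default incoming policy is not deny")
    if not logging or logging.startswith("off"):
        findings.append("logging is off")
    for to, action, direction, src in rules:
        if action == "ALLOW" and direction == "IN" and to.startswith("22/tcp") and src != mgmt_net:
            findings.append(f"ssh ({to}) allowed from {src}; restrict it to {mgmt_net}")
    return findings
```

On the sample, both the IPv4 and the IPv6 ssh rules are reported, while the subnet rule and the 80,443/tcp rule pass.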

Notes

For Nextcloud?:

$ sudo ufw allow 80,443/tcp
$ sudo ufw allow nextcloud


If this cheat sheet has been useful to you, then please consider leaving a star here.