Ubuntu firewall
TBA.
Introduction
A firewall is a system that provides network security by filtering incoming and outgoing network traffic based on a set of user-defined rules. In general, the purpose of a firewall is to reduce or eliminate unwanted network communication while allowing all legitimate communication to flow freely. In most server infrastructures, firewalls provide an essential layer of security that, combined with other measures, prevents attackers from accessing the server in malicious ways.
For a web server, we only want to allow remote login (ssh) from a limited range of IP-addresses, and for web clients to connect on the standard web ports (http and https). Everything else should be blocked.
Sources:
The ports to keep open:
22 : ssh
80 : http
443 : https
Drush uses wget to download projects. Wget uses http and https so a firewall that keeps these ports open will not interfere with normal operations to keep the site up to date.
UFW
UFW, or Uncomplicated FireWall, is an interface to iptables (i.e. the standard program to manage the tables implemented by the GNU/Linux kernel firewall). UFW is geared towards simplifying the process of configuring a firewall. While iptables is a solid and flexible tool, it can be difficult to learn how to use it to properly configure a firewall. UFW is easier to work with.
UFW is installed by default on Ubuntu. If it is not for some reason, you can install it with the following command:
$ sudo apt install ufw
To check its status, you may use the following command:
$ sudo ufw status verbose
Status: inactive
If UFW is inactive, the status command will not show the rules, even if some are defined.
However, this command will:
$ sudo ufw show added
Added user rules (see 'ufw status' for running firewall):
(None)
The above indicates that no rules have been added yet.
If you get a warning about duplicate apache profiles, navigate to /etc/ufw/applications.d. You will probably find two identical apache profiles. Remove apache2.2-common.
Setting up default policies
By default, UFW is set to deny all incoming connections and allow all outgoing connections. But to make sure the UFW rules are set to the defaults before we start adding new rules, do the following:
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
Allowing incoming connections
To allow incoming connections using ssh and web, do:
$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow https
To get an overview over rules added:
$ sudo ufw show added
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
Enabling UFW
To enable UFW, use this command:
$ sudo ufw enable
Command may disrupt existing ssh …. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
The warning that the command may disrupt existing ssh connections means that your current connection may go dead. However, as long as there is a firewall rule that allows ssh connections, you will be able to log in again.
You may disable UFW with the following command:
$ sudo ufw disable
Firewall stopped and disabled on system startup
When the firewall is active, the following command will tell you which rules are set:
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
Adjusting permissions
If you want to allow a subnet of IP addresses, you can do so using CIDR notation to specify a netmask. For example, to allow access on port 22 for all addresses starting with “129.240” (but no others), you specify the range as “129.240.0.0/16”. You also need to delete the rule that allows connections to port 22 from anywhere. The following sequence of commands accomplishes this:
$ sudo ufw allow from 129.240.0.0/16 to any port 22
$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp                     ALLOW IN    129.240.0.0/16
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 443/tcp (v6)               ALLOW IN    Anywhere (v6)

$ sudo ufw delete 1
The order of commands is significant: if you delete the first port 22 rule before adding the one with a restricted IP range, you will lock yourself out.
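The script below is an added example, not part of this page: it applies the sequence above for any list of admin networks, validates each CIDR, and only removes the "from Anywhere" ssh rule after a restricted ssh rule exists. DRY_RUN, run, valid_cidr and ufw_harden are names introduced here; with the default DRY_RUN=1 it only prints the ufw commands it would execute.

```shell
#!/bin/sh
# Lockout-safe UFW set-up for a web server: http/https open to all,
# ssh only from the given CIDR ranges. DRY_RUN=0 executes for real.
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only an IPv4 dotted quad with an optional /0-32 prefix; a bare
# "129.240" is rejected rather than handed to ufw.
valid_cidr() {
    echo "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    ip=${1%%/*}
    old_ifs=$IFS; IFS=.
    for octet in $ip; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# ufw_harden CIDR...  Emits (or runs) the rules in an order that never
# leaves the box without an ssh rule covering the admin networks.
ufw_harden() {
    [ $# -ge 1 ] || { echo "need at least one admin CIDR" >&2; return 1; }
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    done
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw allow http
    run ufw allow https
    run ufw allow ssh                     # keeps the current session alive
    for cidr in "$@"; do
        run ufw allow from "$cidr" to any port 22 proto tcp
    done
    # Delete by rule text, not by number: numbers shift after every change.
    run ufw delete allow ssh
    run ufw --force enable                # --force skips the (y|n) prompt
}
```

Run as root with DRY_RUN=0 once the printed plan looks right, e.g. `DRY_RUN=0 sh harden.sh` after adding a call such as `ufw_harden 129.240.0.0/16` at the end of the file.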
To learn the public IP-address of the PC your browser runs on, visit WhatIsMyIPAddress.com.
To learn a web server's public address from the CLI, type:
$ hostname -I
138.68.64.125
Check current IP-address for HNM-PC: whatismyipaddress.com. History:
IPv4: 77.16.60.64 (2020-01-30)
IPv4: 77.16.61.93 (2020-01-31)
IPv4: 77.16.217.106 (2020-03-29)
I.e.: The IP-address assigned by Telenor seems to change pretty randomly.
These are the IP-addresses I currently whitelist:
91.205.187.70 (pvn.no)
138.68.64.125 (do18)
138.68.64.217 (do19)
167.172.177.32 (do20)
167.172.182.56 (karde)
165.227.146.209 (snp)
129.240.0.0/16 (UiO)
77.16.0.0/16 (HNM-PC - Telenor)
77.18.0.0/16 (HNM-PC - Telenor)
Final word
[TBA]
Last update: 2018-11-06 [gh].