UFW default rules... where are they?

In the tutorial on UFW here

https://help.ubuntu.com/community/UFW

it says that UFW uses the default rules if enabled and not configured. I checked the folder:

/etc/ufw/

and the files I found there are

after.rules
after6.rules
before.rules
before6.rules
sysctl.conf
ufw.conf

So where are the "default rules"? There are 4 different rules files, and I don't know which one is the one it's gonna choose if I enable it.

I'm afraid if I enable it, it would just block port 22 and I'll lose SSH connection to my server, which is not easy to recover from.

How can I safely start the firewall?

The Quantum Physicist

Posted 2014-01-20T10:31:18.047

Reputation: 648

Answers

You may enable UFW, and then issue these commands:

   sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
   sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT

This will surely allow ssh. If you like the setup, you can write these two lines inside the file /etc/rc.local, and they will be applied at boot (no need of sudo, in this case).

EDIT

There are basically three files of importance, in /etc/ufw: sysctl.conf, after.rules, before.rules. The remaining files concern rules for IPv6 (after6|before6.rules), the definitions of the port used by a handful of applications (in the subdirectory ./applications.d), and the file to start ufw, ufw.conf.

sysctl.conf completely replaces /etc/sysctl.conf, it is thus just a duplicate. It contains information for the kernel that is intended as a set of security measures.

The rules are separated in before and after (the lines entered from the command line), because the order matters: when reading a series of rules, the firewall will apply the first rule that is relevant, whether that be ACCEPT, DROP, or whatever; the remaining rules are then not even read. It follows that very specific rules precede general rules.

The before rules are simple: they allow loopback and ICMP (=pings), drop INVALID packets, allow passage of packets if the conversation has already begun (the equivalent of my rule 1 above), allow DHCP, and local traffic, which is absolutely essential for the operation of the LAN, i.e. especially network discovery, multicast and broadcast.

The after rules only prevent logging of ports which produce too much material.

A single rule can be read as follows:

   -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

This adds (-A) to the table before-input the rule that ACCEPTs packets of protocol UDP which originated (sport= source port) from port 67 and which are destined for port 68 (dport= destination port). This table is read on INPUT, so that it is ignored whenever the kernel is dealing with an OUTPUT or a FORWARD packet (both types of packets are going out, but OUTPUT packets originated on this machine, while FORWARD packets originated elsewhere and are moving on to their final destination).

MariusMatutiae

Posted 2014-01-20T10:31:18.047

Reputation: 41 321
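The two points the answer makes about the rules files (how to read a single `-A ... -j TARGET` line, and that the first matching rule wins, so order matters) can be checked offline with a small rule walker. This is an added example, not code from the answer or from ufw; the sample rules are constructed in the style of before.rules, and only the handful of match options it lists (-i, -p, --sport, --dport, --ctstate) are modelled.

```python
"""Added example: parse before.rules-style lines and walk them in order."""
import shlex

# Constructed sample in the style of ufw's before.rules (not the real file).
SAMPLE_RULES = """\
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -p tcp --dport 22 -j ACCEPT
"""

# iptables flag -> parsed field; anything else (e.g. '-m conntrack') is skipped.
FLAGS = {"-A": "chain", "-p": "proto", "-i": "iface", "-j": "target",
         "--sport": "sport", "--dport": "dport", "--ctstate": "ctstate"}

def parse_rule(line):
    """Turn one '-A chain ... -j TARGET' line into a dict of match fields."""
    toks, rule, i = shlex.split(line), {}, 0
    while i < len(toks):
        key = FLAGS.get(toks[i])
        if key is None:                # option we do not model
            i += 1
            continue
        val = toks[i + 1]
        if key in ("sport", "dport"):
            val = int(val)
        elif key == "ctstate":
            val = frozenset(val.split(","))
        rule[key] = val
        i += 2
    return rule

def matches(rule, pkt):
    """A rule matches when every field it specifies agrees with the packet."""
    for key in ("proto", "iface", "sport", "dport"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    return "ctstate" not in rule or pkt.get("ctstate") in rule["ctstate"]

def first_match(rules_text, pkt, policy="DROP"):
    """Walk the chain top to bottom: the first matching rule decides, else the policy."""
    for n, line in enumerate(rules_text.splitlines(), 1):
        if line.startswith("-A"):
            rule = parse_rule(line)
            if matches(rule, pkt):
                return rule["target"], n
    return policy, None
```

`first_match` returns the target and the rule number that decided, so a new SSH connection is accepted by line 5 while an unsolicited packet to port 23 falls through to the chain's policy; a packet whose connection is already ESTABLISHED is accepted by line 2 before any port-specific rule is consulted.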

Thank you for the response. But can you please explain a little bit more? What are the default rules of UFW? I want to learn to control my firewall and not just copy/paste some commands, if you know what I mean. Thank you. – The Quantum Physicist – 2014-01-20T11:58:08.497