creating rules in ufw


8 replies to this topic

#1 bmike1

Posted 01 July 2014 - 10:38 PM

Their documentation leaves much to be desired with gufw.

So I start ufw and discover that it prevents scp/ssh so I create a rule.

The rule states I will allow in from anywhere on port 22 (ssh) and another rule that says I will allow in from anywhere on port 23 (scp). But I don't want to allow from anywhere but only from my private network. So I click the modify button and I do not understand what they mean with the 'from <ip>' and the 'to <ip>' field. Any ideas? I'm thinking it means the range I want but after I fiddled with that once it broke things so I suppose I better ask.


Edited by bmike1, 01 July 2014 - 10:43 PM.

A/V Software? I don't need A/V software. I've run Linux since '98 w/o A/V software and have never had a virus. I never even had a firewall until '01 when I began to get routers with firewalls pre installed. With Linux if a vulnerability is detected a fix is quickly found and then upon your next update the vulnerability is patched.  If you must worry about viruses  on a Linux system only worry about them in the sense that you can infect a windows user. I recommend Linux Mint or, if you need a lighter weight operating system that fits on a cd, MX14 or AntiX.




#2 NickAu

Posted 01 July 2014 - 10:43 PM

I do not understand what they mean with the 'from <ip>' and the 'to <ip>' field. Any ideas?

From IP, for example: from IP 123.456.789 to IP 987.654.321. The <ip> means <place IP here>, e.g. <987.654.321> <123.456.789>.

I'm thinking it means the range

I am thinking specific IP to IP.

So if one PC is on 123.456.789 and the other is on 987.654.321, you are creating a specific rule saying that those two PCs are allowed to connect.


Edited by NickAu1, 01 July 2014 - 11:02 PM.

Arch Linux .


#3 bmike1

Posted 01 July 2014 - 11:07 PM

thanks



#4 NickAu

Posted 01 July 2014 - 11:10 PM

You are most welcome.




#5 Guest_Kaosu_*

Posted 01 July 2014 - 11:46 PM

Their documentation leaves much to be desired with gufw.

So I start ufw and discover that it prevents scp/ssh so I create a rule.

The rule states I will allow in from anywhere on port 22 (ssh) and another rule that says I will allow in from anywhere on port 23 (scp). But I don't want to allow from anywhere but only from my private network. So I click the modify button and I do not understand what they mean with the 'from <ip>' and the 'to <ip>' field. Any ideas? I'm thinking it means the range I want but after I fiddled with that once it broke things so I suppose I better ask.

I recommend using the command-line tool instead of the graphical version. The command-line version is very simple to use and has loads of documentation.

 

You can achieve this from the command-line by doing:

sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp

Just modify the command to reflect your actual network.

 

Off-Topic:

Make sure to also follow best practices when using SSH. Here is some strongly recommended reading:

 

https://help.ubuntu.com/community/SSH/OpenSSH/Configuring

https://help.ubuntu.com/community/SSH/OpenSSH/Keys


Edited by Kaosu, 01 July 2014 - 11:50 PM.


#6 bmike1

Posted 02 July 2014 - 01:20 AM

Is there a way to allow a range of addresses in, say from 192.168.0.1 to 192.168.0.100?


Edited by bmike1, 02 July 2014 - 01:21 AM.



#7 Guest_Kaosu_*

Posted 02 July 2014 - 07:04 PM

Is there a way to allow a range of addresses in, say from 192.168.0.1 to 192.168.0.100?

 

The code in my previous example should allow that. The term 192.168.0.0/24 is the same as setting your subnet mask to 255.255.255.0. This basically means that your network will be operating on a single subnet and can have up to 256 hosts. Another way of looking at this would be: 192.168.0.[1-254].

 

If you want to only allow or deny specific addresses access to SSH then create each one as a separate rule. Creating them as separate rules gives you the advantage of easy maintenance as you want to allow or deny more hosts access to SSH. If you're using UFW then you are already losing your ability to truly optimize for performance in a high traffic environment anyway.

 

Here is an example of allowing a specific host access:

sudo ufw allow from 192.168.0.22 to any port 22 proto tcp

Here is an example of denying a specific host access:

sudo ufw deny from 192.168.0.22 to any port 22

If this machine is routing traffic across the network then the rules will change slightly. Pretend that 192.168.0.12 is a development server and 192.168.0.22 needs SSH access to the server for his/her job. However, I don't want him/her to have access to the other production servers.

sudo ufw allow from 192.168.0.22 to 192.168.0.12 port 22 proto tcp

Since your firewall should be using a default deny policy for incoming traffic, you don't need to create deny rules for the other production servers.

 

Let me know if you need anymore help.


Edited by Kaosu, 02 July 2014 - 07:34 PM.


#8 bmike1

Posted 03 July 2014 - 12:46 AM

Cool... I understand that. Just out of curiosity, what if you wanted to allow only like xxx.yyy.zzz.55 to xxx.yyy.zzz.133?




#9 Guest_Kaosu_*

Posted 03 July 2014 - 03:03 AM

Cool... I understand that. Just out of curiosity, what if you wanted to allow only like xxx.yyy.zzz.55 to xxx.yyy.zzz.133?

 

Your example is pretty odd, but you can achieve this with the following commands:

sudo ufw allow from 192.168.0.55/32 to any port 22 proto tcp
sudo ufw allow from 192.168.0.56/29 to any port 22 proto tcp
sudo ufw allow from 192.168.0.64/26 to any port 22 proto tcp
sudo ufw allow from 192.168.0.128/30 to any port 22 proto tcp
sudo ufw allow from 192.168.0.132/31 to any port 22 proto tcp

For more information about this you can visit http://www.linuxplanet.com/linuxplanet/tutorials/6507/1


Edited by Kaosu, 03 July 2014 - 03:12 AM.
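A worked example, added here and not code from the thread or from ufw itself: it uses Python's standard ipaddress module to do what post #9 did by hand (split an arbitrary address range into prefix-aligned CIDR blocks), emits the matching ufw allow lines in the form used in posts #5 and #7, and checks the point a practitioner cares about, namely that the blocks admit exactly the wanted hosts and nothing else, which a lazy /24 would not. The 192.168.0.x addresses are the thread's own constructed example; the function names and the SSH-on-TCP/22, default-deny-incoming assumptions are mine.

```python
"""Turn an IPv4 address range into ufw rules that admit exactly those hosts.

Added example, not code from the thread or from ufw. Assumes SSH on TCP/22
and a default-deny incoming policy, as in the posts above. Uses only the
Python standard library; the 192.168.0.x addresses are the thread's own
constructed example network.
"""
import ipaddress
from typing import Iterable, List, Set


def range_to_cidrs(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Minimal list of CIDR blocks covering first..last inclusive.

    summarize_address_range only emits blocks aligned to their own prefix
    boundary, so no block can reach outside the range. That is the property
    you need when a range becomes firewall rules: an over-wide prefix would
    silently admit hosts you never meant to allow.
    """
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError("range end precedes range start")
    return list(ipaddress.summarize_address_range(start, end))


def ufw_rules(cidrs: Iterable[ipaddress.IPv4Network], port: int = 22,
              proto: str = "tcp") -> List[str]:
    """One 'ufw allow' command per block, in the form used in the thread."""
    return [f"sudo ufw allow from {net.with_prefixlen} to any port {port} proto {proto}"
            for net in cidrs]


def covered_hosts(cidrs: Iterable[ipaddress.IPv4Network]) -> Set[ipaddress.IPv4Address]:
    """Every address matched by the blocks (cheap for a /24-sized LAN)."""
    hosts: Set[ipaddress.IPv4Address] = set()
    for net in cidrs:
        hosts.update(net)  # iterating a network yields all its addresses
    return hosts


def is_allowed(ip: str, cidrs: Iterable[ipaddress.IPv4Network]) -> bool:
    """Default deny: admitted only if some allow block contains the address."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in cidrs)


def exact_cover(first: str, last: str,
                cidrs: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if the blocks admit every address in first..last and nothing else."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    wanted = {ipaddress.IPv4Address(i) for i in range(start, end + 1)}
    return covered_hosts(cidrs) == wanted


if __name__ == "__main__":
    lo, hi = "192.168.0.55", "192.168.0.133"
    blocks = range_to_cidrs(lo, hi)
    for line in ufw_rules(blocks):
        print(line)
    print("blocks cover exactly the range:", exact_cover(lo, hi, blocks))
    # The whole /24 holds 256 addresses; the range wants only 79 of them.
    whole_subnet = range_to_cidrs("192.168.0.0", "192.168.0.255")
    print("a bare /24 covers exactly the range:", exact_cover(lo, hi, whole_subnet))
```

Run as a script it prints the same five allow lines given in post #9, reports that they cover the range exactly, and reports that the single /24 from post #5 does not. ufw accepts a host either as a bare address or with /32, so the first line is equivalent to the single-host form used in post #7.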

