Move UFW logs
I went to /etc/rsyslog.d/20-ufw.conf and changed the path to
# Log kernel generated UFW log messages to file
:msg,contains,”[UFW ” /var/log/ufw/ufw.log
# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
#& stop
/etc/logrotate.d/ufw
/var/log/ufw/ufw.log
{
rotate 2
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true
endscript
}
As part of my continuing Ubuntu 22.04 training, I circled back around to their firewall. UFW or Uncomplicated firewall. I have a Fortinet 60E UTM firewall protecting my house. The 221-C Wireless Access Point is integrated into the 60E. Since going to Windows 10 with UTM and Avast firewall fully enabled, I decided to setup UFW on all the Ubuntu servers. I will provide part of the configuration without giving away everything I protect my home with.
What is UFW: Well it is called the uncomplicated firewall. It is not exactly uncomplicated. I will start with the commands to install it. It is disabled to begin with because you need to configure to allow ssh or you will be locked out forever. I enabled medium logging. I will show both IPv4 and IPv6 rules.
sudo apt install ufw
sudo ufw logging medium
sudo ufw status verbose
Next, I modify a few configuration files for multicast traffic. This will fix multicast errors.
/etc/ufw/user.rules
### Multicast
-A ufw-before-input -p igmp -d 224.0.0.0/3 -j ACCEPT
-A ufw-before-output -p igmp -d 224.0.0.0/3 -j ACCEPT
/etc/ufw/user6.rules
### Multicast
-A ufw6-before-input -p icmpv6 -d ff00::/8 -j ACCEPT
-A ufw6-before-output -p icmpv6 -d ff00::/8 -j ACCEPT
Before you enable UFW, setup your allow ssh traffic. I did not give you the enable command for this reason. I have 8 layer 3 ports on the 60E with IPv4 and IPv6 subnets. I will give you one of each. IPv4 covers the most common subnet for home users. You might have 192.168.0.0/24 or 192.168.100.0/24. I have many more IPv4 subnets. So you need to see what your workstation is using.
I included the entire delegated subnet for my IPv6. You want to make sure your IPv4 subnet is enabled to allow ssh in.
sudo ufw allow from 192.168.1.0/24 to any port ssh sudo ufw allow from 2600:1702:980:25ef:0:0:0:0/64 to any port ssh
I have two DNS/DHCP Ubuntu servers for my house. UFW on these servers needs port 53 commands. I only want my IPv4 and IPv6 subnets allowed into these DNS servers. UFW allows traffic out to the internet for DNS port 53. These rules allow only my subnets to go into the DNS servers.
#DNS sudo ufw allow from 192.168.1.0/24 to any port 53 sudo ufw allow from 2600:1702:980:25ef:0:0:0:0/64 to any port 53
#DHCP sudo ufw allow proto udp to any port 67 from 192.168.1.0/24 sudo ufw allow proto udp to any port 68 from 192.168.1.0/24 sudo ufw allow proto udp to any port 67 from 2600:1702:980:25ef:0:0:0:0/64 sudo ufw allow proto udp to any port 68 from 2600:1702:980:25ef:0:0:0:0/64
My desktop and dropbox servers have xRDP installed on them. I use it for programming and a dropbox server. They are Ubuntu Desktop GUI based.
sudo ufw allow from 192.168.1.0/24 to any port 3389
sudo ufw allow from 2600:1702:980:25ef:0:0:0:0/64 to any port 3389
Many of my Ubuntu servers and desktops have samba shares.
#samba shares sudo ufw allow proto udp to any port 137 from 192.168.1.0/24 sudo ufw allow proto udp to any port 138 from 192.168.1.0/24 sudo ufw allow proto tcp to any port 139 from 192.168.1.0/24 sudo ufw allow proto tcp to any port 445 from 192.168.1.0/24 sudo ufw allow proto udp to any port 137 from 2600:1702:980:25ef:0:0:0:0/64 sudo ufw allow proto udp to any port 138 from 2600:1702:980:25ef:0:0:0:0/64 sudo ufw allow proto tcp to any port 139 from 2600:1702:980:25ef:0:0:0:0/64 sudo ufw allow proto tcp to any port 445 from 2600:1702:980:25ef:0:0:0:0/64
I have a few servers with WordPress and web sites on them. The difference with these commands is I am allowing the web sites access from the internet. You still come through the Fortinet 60E UTM.
#wordpress and websites sudo ufw allow http sudo ufw allow https
To connect to my SQL server, I put on it’s UFW
sudo ufw allow proto tcp to any port 1433 from 192.168.1.0/24 sudo ufw allow proto udp to any port 1434 from 192.168.1.0/24 sudo ufw allow proto tcp to any port 1433 from 2600:1702:980:25ef:0:0:0:0/64 sudo ufw allow proto udp to any port 1434 from 2600:1702:980:25ef:0:0:0:0/64
sudo ufw enable : this is how you enable it. Before enabling do this. Make sure OpenSSH is there.
sudo ufw app list
Available applications:
CUPS
OpenSSH
sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
Firewall is active and enabled on system startup
sudo ufw status verbose Status: active Logging: on (medium) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From — —— —- 22/tcp ALLOW IN 192.168.1.0/24 22/tcp ALLOW IN 2600:1702:980:25ef::/64
sudo ufw app list: Another server shows ssh and samba. Available applications: OpenSSH Samba
sudo ufw status verbose Status: active Logging: on (medium) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From — —— —- 22/tcp ALLOW IN 192.168.1.0/24 80/tcp ALLOW IN Anywhere 443/tcp ALLOW IN Anywhere
137/udp ALLOW IN 192.168.1.0/24
138/udp ALLOW IN 192.168.1.0/24
139/tcp ALLOW IN 192.168.1.0/24
445/tcp ALLOW IN 192.168.1.0/24
22/tcp ALLOW IN 2600:1702:980:25ef::/64
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
137/udp ALLOW IN 2600:1702:980:25ef::/64
138/udp ALLOW IN 2600:1702:980:25ef::/64
139/tcp ALLOW IN 2600:1702:980:25ef::/64
445/tcp ALLOW IN 2600:1702:980:25ef::/64