UFW FRAMEWORK(8)                  April 2014                  UFW FRAMEWORK(8)



NAME
       ufw-framework - using the ufw framework

DESCRIPTION
       ufw provides both a command line interface and a framework for managing
       a netfilter firewall. While the ufw command provides an easy to use
       interface for managing a firewall, the ufw framework provides the
       administrator methods to customize default behavior and add rules not
       supported by the command line tool. In this way, ufw can take full
       advantage of Linux netfilter's power and flexibility.


FRAMEWORK
       The framework provides boot time initialization, rules files for adding
       custom rules, a method for loading netfilter modules, configuration of
       kernel parameters and configuration of IPv6. The framework consists of
       the following files:

       /usr/libexec/ufw/ufw-init
              initialization script

       /etc/ufw/before.init
              initialization customization script run before ufw is
              initialized

       /etc/ufw/after.init
              initialization customization script run after ufw is initialized

       /etc/ufw/before[6].rules
              rules file containing rules evaluated before UI added rules

       /var/lib/ufw/user[6].rules
              rules file containing UI added rules (managed with the ufw
              command)

       /etc/ufw/after[6].rules
              rules file containing rules evaluated after UI added rules

       /etc/default/ufw
              high level configuration

       /etc/ufw/sysctl.conf
              kernel network tunables

       /etc/ufw/ufw.conf
              additional high level configuration


BOOT INITIALIZATION
       ufw is started on boot with /usr/libexec/ufw/ufw-init. This script is a
       standard SysV style initscript used by the ufw command and should not
       be modified. The /etc/ufw/before.init and /etc/ufw/after.init scripts
       may be used to perform any additional firewall configuration that is
       not yet supported in ufw itself; if they exist and are executable,
       ufw-init will execute them. ufw-init will exit with error if either of
       these scripts exits with error. ufw-init supports the following
       arguments:

       start: loads the firewall

       stop: unloads the firewall

       restart:
              reloads the firewall

       force-reload:
              same as restart

       status:
              basic status of the firewall

       force-stop:
              same as stop, except does not check if the firewall is already
              loaded

       flush-all:
              flushes the built-in chains, deletes all non-built-in chains and
              resets the policy to ACCEPT

       ufw-init will call before.init and after.init with start, stop, status
       and flush-all, but typically, if used, these scripts need only
       implement start and stop.

       ufw uses many user-defined chains in addition to the built-in iptables
       chains. If MANAGE_BUILTINS in /etc/default/ufw is set to 'yes', on stop
       and reload the built-in chains are flushed. If it is set to 'no', on
       stop and reload the ufw secondary chains are removed and the ufw
       primary chains are flushed. In addition to flushing the ufw specific
       chains, it keeps the primary chains in the same order with respect to
       any other user-defined chains that may have been added. This allows
       ufw to interoperate with other software that may manage its own
       firewall rules.

       To ensure your firewall is loading on boot, you must integrate this
       script into the boot process. Consult your distribution's documentation
       for the proper way to modify your boot process if ufw is not already
       integrated.


RULES FILES
       ufw is in part a front-end for iptables-restore, with its rules saved
       in /etc/ufw/before.rules, /etc/ufw/after.rules and
       /var/lib/ufw/user.rules. Administrators can customize before.rules and
       after.rules as desired using the standard iptables-restore syntax.
       Rules are evaluated as follows: before.rules first, user.rules next,
       and after.rules last. IPv6 rules are evaluated in the same way, with
       the rules files named before6.rules, user6.rules and after6.rules.
       Please note that ufw status only shows rules added with ufw and not the
       rules found in the /etc/ufw rules files.

       Important: ufw only uses the *filter table by default. You may add any
       other tables such as *nat, *raw and *mangle as desired. For each table
       a corresponding COMMIT statement is required.

       After modifying any of these files, you must reload ufw for the rules
       to take effect. See the EXAMPLES section for common uses of these
       rules files.
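
       A structural check for the rules files, added here as an example and
       not part of ufw: before running ufw reload, it verifies that every
       *table section in before.rules or after.rules is closed by a COMMIT,
       that no COMMIT appears without an open table, and that no rule or
       chain declaration sits outside a table. A file that breaks one of these
       rules is rejected by iptables-restore and ufw fails to load. The
       function names and the constructed sample file in ufw_rules_lint_demo
       are this example's own. It is a syntax-level sanity check only;
       iptables-restore --test performs the authoritative parse on a host with
       iptables installed.

```shell
#!/bin/sh
# Added example (not part of ufw): structural lint for ufw rules files.
# Usage: ufw_rules_lint /etc/ufw/before.rules
# Prints one line per problem and returns 1 if any were found, 0 otherwise.
ufw_rules_lint() {
    awk '
        BEGIN { bad = 0; table = "" }
        /^[[:space:]]*#/ { next }            # comment
        /^[[:space:]]*$/ { next }            # blank line
        /^\*/ {                              # *filter, *nat, *raw, *mangle
            if (table != "") {
                printf "%s:%d: %s opened but %s has no COMMIT\n", FILENAME, NR, $1, table
                bad = 1
            }
            table = $1
            next
        }
        /^COMMIT[[:space:]]*$/ {
            if (table == "") {
                printf "%s:%d: COMMIT without an open table\n", FILENAME, NR
                bad = 1
            }
            table = ""
            next
        }
        /^[[:space:]]*(:|-)/ {               # :CHAIN POLICY [p:b] or -A/-I rule
            if (table == "") {
                printf "%s:%d: rule outside any table: %s\n", FILENAME, NR, $0
                bad = 1
            }
            next
        }
        {
            printf "%s:%d: unrecognised line: %s\n", FILENAME, NR, $0
            bad = 1
        }
        END {
            if (table != "") {
                printf "%s: %s is never committed (missing COMMIT at end of file)\n", FILENAME, table
                bad = 1
            }
            exit bad
        }
    ' "$1"
}

# Demonstration on two constructed files: a sound before.rules fragment with a
# minimal *filter section followed by the *nat section from the full example,
# and the same file with its final COMMIT removed.
ufw_rules_lint_demo() {
    good=$(mktemp) || return 1
    bad=$(mktemp) || return 1
    cat > "$good" <<'EOF'
*filter
:ufw-before-input - [0:0]
-A ufw-before-input -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
COMMIT
EOF
    sed '$d' "$good" > "$bad"              # drop the last line (the *nat COMMIT)
    echo "== $good (expect no report, status 0)"
    if ufw_rules_lint "$good"; then echo "status 0"; else echo "status $?"; fi
    echo "== $bad (expect a missing-COMMIT report, status 1)"
    if ufw_rules_lint "$bad"; then echo "status 0"; else echo "status $?"; fi
    rm -f "$good" "$bad"
}
```

       Run ufw_rules_lint against each file you have edited before ufw reload;
       a non-zero status means the file would have taken the firewall down
       with it.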


MODULES
       Netfilter has many different connection tracking modules. These modules
       are aware of the underlying protocol and allow the administrator to
       simplify his or her rule sets. You can adjust which netfilter modules
       to load by adjusting IPT_MODULES in /etc/default/ufw. Some popular
       modules to load are:

       nf_conntrack_ftp
       nf_nat_ftp
       nf_conntrack_irc
       nf_nat_irc
       nf_conntrack_netbios_ns
       nf_conntrack_pptp
       nf_conntrack_tftp
       nf_nat_tftp


KERNEL PARAMETERS
       ufw will read in /etc/ufw/sysctl.conf on boot when enabled. Please
       note that /etc/ufw/sysctl.conf overrides values in the system
       sysctl.conf (usually /etc/sysctl.conf). Administrators can change the
       file used by modifying /etc/default/ufw.


IPV6
       IPv6 is enabled by default. When disabled, all incoming, outgoing and
       forwarded packets are dropped, with the exception of traffic on the
       loopback interface. To adjust this behavior, set IPV6 to 'yes' in
       /etc/default/ufw. See the ufw manual page for details.


EXAMPLES
       As mentioned, ufw loads its rules files into the kernel by using the
       iptables-restore and ip6tables-restore commands. Users wanting to add
       rules to the ufw rules files manually must be familiar with these as
       well as the iptables and ip6tables commands. Below are some common
       examples of using the ufw rules files. All examples assume IPv4 only
       and that DEFAULT_FORWARD_POLICY in /etc/default/ufw is set to DROP.

   IP Masquerading
       To allow IP masquerading for computers from the 10.0.0.0/8 network on
       eth1 to share the single IP address on eth0:

       Edit /etc/ufw/sysctl.conf to have:
              net.ipv4.ip_forward=1

       Add to the end of /etc/ufw/before.rules, after the *filter section:
              *nat
              :POSTROUTING ACCEPT [0:0]
              -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
              COMMIT

       If your firewall is using IPv6 tunnels or 6to4 and is also doing NAT,
       then you should not usually masquerade protocol '41' (ipv6) packets.
       For example, instead of the above, /etc/ufw/before.rules can be
       adjusted to have:
              *nat
              :POSTROUTING ACCEPT [0:0]
              -A POSTROUTING -s 10.0.0.0/8 --protocol ! 41 -o eth0 -j MASQUERADE
              COMMIT

       Add the ufw route to allow the traffic:
              ufw route allow in on eth1 out on eth0 from 10.0.0.0/8

   Port Redirections
       To forward tcp port 80 on eth0 to go to the webserver at 10.0.0.2:

       Edit /etc/ufw/sysctl.conf to have:
              net.ipv4.ip_forward=1

       Add to the end of /etc/ufw/before.rules, after the *filter section:
              *nat
              :PREROUTING ACCEPT [0:0]
              -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT \
                  --to-destination 10.0.0.2:80
              COMMIT

       Add the ufw route rule to allow the traffic:
              ufw route allow in on eth0 to 10.0.0.2 port 80 proto tcp


   Egress filtering
       To block RFC1918 addresses going out of eth0:

       Add the ufw route rules to reject the traffic:
              ufw route reject out on eth0 to 10.0.0.0/8
              ufw route reject out on eth0 to 172.16.0.0/12
              ufw route reject out on eth0 to 192.168.0.0/16


   Full example
       This example combines the other examples and demonstrates a simple
       routing firewall. Warning: this setup is only an example to demonstrate
       the functionality of the ufw framework in a concise and simple manner
       and should not be used in production without understanding what each
       part does and does not do. Your firewall will undoubtedly want to be
       less open.

       This router/firewall has two interfaces: eth0 (Internet facing) and
       eth1 (internal LAN). Internal clients have addresses on the 10.0.0.0/8
       network and should be able to connect to anywhere on the Internet.
       Connections to port 80 from the Internet should be forwarded to
       10.0.0.2. Access to ssh port 22 from the administrative workstation
       (10.0.0.100) to this machine should be allowed. Also make sure no
       internal traffic goes to the Internet.

       Edit /etc/ufw/sysctl.conf to have:
              net.ipv4.ip_forward=1

       Add to the end of /etc/ufw/before.rules, after the *filter section:
              *nat
              :PREROUTING ACCEPT [0:0]
              :POSTROUTING ACCEPT [0:0]
              -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT \
                  --to-destination 10.0.0.2:80
              -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
              COMMIT

       Add the necessary ufw rules:
              ufw route reject out on eth0 to 10.0.0.0/8
              ufw route reject out on eth0 to 172.16.0.0/12
              ufw route reject out on eth0 to 192.168.0.0/16
              ufw route allow in on eth1 out on eth0 from 10.0.0.0/8
              ufw route allow in on eth0 to 10.0.0.2 port 80 proto tcp
              ufw allow in on eth1 from 10.0.0.100 to any port 22 proto tcp


LIBVIRT
       When using ufw with libvirt and bridging, packets may be blocked. The
       libvirt team recommends that the following sysctls be set to disable
       netfilter on the bridge:

              net.bridge.bridge-nf-call-ip6tables = 0
              net.bridge.bridge-nf-call-iptables = 0
              net.bridge.bridge-nf-call-arptables = 0

       Note that the bridge module must be loaded into the kernel before
       these values are set. One way to ensure this works properly with ufw is
       to add 'bridge' to IPT_MODULES in /etc/default/ufw, and then add the
       above rules to /etc/ufw/sysctl.conf.

       As an alternative to disabling netfilter on the bridge, you can
       configure iptables to allow all traffic to be forwarded across the
       bridge. For example, add to /etc/ufw/before.rules within the *filter
       section:

              -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
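
       A before.init script, added here as an example and not shipped by ufw,
       that follows the calling convention described under BOOT
       INITIALIZATION (ufw-init invokes it with start, stop, status and
       flush-all and exits with error if it returns non-zero) and uses the
       start action to load the bridge module and then apply the libvirt
       sysctls above. This is an alternative to the IPT_MODULES plus
       sysctl.conf approach with the same ordering guarantee. The MODPROBE,
       SYSCTL and BRIDGE_MODULE variables, which let the hook be dry-run
       without root, are this example's own convention. On kernels from 3.18
       on these keys are provided by the separate br_netfilter module, so set
       BRIDGE_MODULE accordingly there.

```shell
#!/bin/sh
# /etc/ufw/before.init: added example of a ufw-init hook, not a script
# shipped by ufw. ufw-init calls this file with start, stop, status and
# flush-all and exits with error if it returns non-zero, so every action must
# return 0 unless something is genuinely wrong. Install as root, mode 0755.

# Commands are taken from variables so the hook can be dry-run without root:
#   MODPROBE=echo SYSCTL=echo sh before.init start
# This indirection is an assumption of the example, not a ufw-init feature.
MODPROBE="${MODPROBE:-modprobe}"
SYSCTL="${SYSCTL:-sysctl}"
BRIDGE_MODULE="${BRIDGE_MODULE:-bridge}"   # br_netfilter on kernels >= 3.18

# Bridge sysctls recommended by the libvirt team (see LIBVIRT above).
BRIDGE_SYSCTLS="net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-arptables=0"

hook_start() {
    # The net.bridge.* keys only exist once the module is loaded, so load it
    # first and refuse to continue if that fails; ufw-init then aborts too.
    $MODPROBE "$BRIDGE_MODULE" || {
        echo "before.init: cannot load the $BRIDGE_MODULE module" >&2
        return 1
    }
    for kv in $BRIDGE_SYSCTLS; do
        $SYSCTL -w "$kv" || {
            echo "before.init: failed to set $kv" >&2
            return 1
        }
    done
    return 0
}

hook_stop() {
    # Nothing to undo: ufw-init flushes the rules itself, and leaving
    # netfilter disabled on the bridge while the firewall is down is harmless.
    return 0
}

# Dispatcher; its return value becomes the exit code ufw-init checks.
ufw_hook() {
    case "$1" in
        start)            hook_start ;;
        stop)             hook_stop ;;
        status|flush-all) return 0 ;;   # ufw-init calls these too; must succeed
        *)
            echo "usage: $0 {start|stop|status|flush-all}" >&2
            return 1
            ;;
    esac
}

# ufw-init always passes an action; with none (e.g. when sourced) do nothing.
[ $# -eq 0 ] || ufw_hook "$1"
```

       The same skeleton serves for after.init; the important properties are
       that status and flush-all succeed without side effects and that start
       fails loudly rather than silently skipping a step, since ufw-init
       treats a failing hook as a failed firewall load.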
271
272
274 ufw(8), iptables(8), ip6tables(8), iptables-restore(8),
275 ip6tables-restore(8), sysctl(8), sysctl.conf(5)
276
277
279 ufw is Copyright 2008-2014, Canonical Ltd.
280
281
282 ufw and this manual page was originally written by Jamie Strandboge
283 <jamie@canonical.com>
284
285
286
287April 2014 UFW FRAMEWORK(8)