UFW FRAMEWORK(8)                  April 2014                  UFW FRAMEWORK(8)

NAME

       ufw-framework - using the ufw framework

DESCRIPTION

       ufw provides both a command line interface and a framework for managing
       a netfilter firewall. While the ufw command provides an easy to use
       interface for managing a firewall, the ufw framework provides the
       administrator methods to customize default behavior and add rules not
       supported by the command line tool. In this way, ufw can take full
       advantage of Linux netfilter's power and flexibility.

OVERVIEW

       The framework provides boot time initialization, rules files for adding
       custom rules, a method for loading netfilter modules, configuration of
       kernel parameters and configuration of IPv6. The framework consists of
       the following files:

       /usr/libexec/ufw/ufw-init
              initialization script

       /etc/ufw/before.init
              initialization customization script run before ufw is
              initialized

       /etc/ufw/after.init
              initialization customization script run after ufw is initialized

       /etc/ufw/before[6].rules
              rules file containing rules evaluated before UI added rules

       /var/lib/ufw/user[6].rules
              rules file containing UI added rules (managed with the ufw
              command)

       /etc/ufw/after[6].rules
              rules file containing rules evaluated after UI added rules

       /etc/default/ufw
              high level configuration

       /etc/ufw/sysctl.conf
              kernel network tunables

       /etc/ufw/ufw.conf
              additional high level configuration

BOOT INITIALIZATION

       ufw is started on boot with /usr/libexec/ufw/ufw-init. This script is a
       standard SysV style initscript used by the ufw command and should not
       be modified. The /etc/ufw/before.init and /etc/ufw/after.init scripts
       may be used to perform any additional firewall configuration that is
       not yet supported in ufw itself; if they exist and are executable,
       ufw-init will execute them. ufw-init will exit with error if either of
       these scripts exits with error. ufw-init supports the following
       arguments:

       start: loads the firewall

       stop:  unloads the firewall

       restart:
              reloads the firewall

       force-reload:
              same as restart

       status:
              basic status of the firewall

       force-stop:
              same as stop, except does not check if the firewall is already
              loaded

       flush-all:
              flushes the built-in chains, deletes all non-built-in chains and
              resets the policy to ACCEPT

       ufw-init will call before.init and after.init with start, stop, status
       and flush-all, but typically, if used, these scripts need only
       implement start and stop.
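
       A constructed /etc/ufw/before.init that follows this contract, added
       here as an example and not shipped by ufw: it handles every action
       ufw-init passes, keeps start and stop idempotent so a reload never
       fails on "chain already exists", and returns non-zero only for an
       action it does not understand. The chain name ufw-before-custom, the
       SSH rate-limit it installs and the IPTABLES override are assumptions
       for illustration.

```shell
#!/bin/sh
# Constructed example of /etc/ufw/before.init (not shipped by ufw).
# ufw-init runs it as "before.init <action>" with start, stop, status or
# flush-all and aborts if it exits non-zero, so every branch below sets an
# explicit status. IPTABLES may be overridden for testing.
set -e   # any failing iptables call aborts the hook, and so ufw-init
IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="ufw-before-custom"   # hypothetical chain name for our extra rules

hook_start() {
    # -N fails if the chain exists; tolerate that so repeated starts succeed.
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -F "$CHAIN"
    # Illustrative policy: throttle new SSH connections, drop the excess.
    "$IPTABLES" -A "$CHAIN" -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m limit --limit 6/min --limit-burst 6 -j RETURN
    "$IPTABLES" -A "$CHAIN" -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP
    # -C checks for the jump first so INPUT never gets a duplicate entry.
    "$IPTABLES" -C INPUT -j "$CHAIN" 2>/dev/null ||
        "$IPTABLES" -I INPUT -j "$CHAIN"
}

hook_stop() {
    # Unhook, flush and delete; ignore "does not exist" so stop is idempotent.
    "$IPTABLES" -D INPUT -j "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -F "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -X "$CHAIN" 2>/dev/null || true
}

hook_status() {
    "$IPTABLES" -S "$CHAIN" 2>/dev/null || echo "$CHAIN: not loaded"
}

# Dispatch on the action ufw-init passed; unknown actions return 1, which
# ufw-init reports as a failure instead of silently continuing.
hook_main() {
    case "$1" in
        start)          hook_start ;;
        stop|flush-all) hook_stop ;;
        status)         hook_status ;;
        *) echo "usage: $0 {start|stop|status|flush-all}" >&2; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then
    hook_main "$@"
fi
```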

       ufw uses many user-defined chains in addition to the built-in iptables
       chains. If MANAGE_BUILTINS in /etc/default/ufw is set to 'yes', on stop
       and reload the built-in chains are flushed. If it is set to 'no', on
       stop and reload the ufw secondary chains are removed and the ufw
       primary chains are flushed. In addition to flushing the ufw specific
       chains, it keeps the primary chains in the same order with respect to
       any other user-defined chains that may have been added. This allows
       ufw to interoperate with other software that may manage its own
       firewall rules.

       To ensure your firewall is loading on boot, you must integrate this
       script into the boot process. Consult your distribution's documentation
       for the proper way to modify your boot process if ufw is not already
       integrated.

RULES FILES

       ufw is in part a front-end for iptables-restore, with its rules saved
       in /etc/ufw/before.rules, /etc/ufw/after.rules and
       /var/lib/ufw/user.rules. Administrators can customize before.rules and
       after.rules as desired using the standard iptables-restore syntax.
       Rules are evaluated as follows: before.rules first, user.rules next,
       and after.rules last. IPv6 rules are evaluated in the same way, with
       the rules files named before6.rules, user6.rules and after6.rules.
       Please note that ufw status only shows rules added with ufw and not the
       rules found in the /etc/ufw rules files.

       Important: ufw only uses the *filter table by default. You may add any
       other tables such as *nat, *raw and *mangle as desired. For each table
       a corresponding COMMIT statement is required.

       After modifying any of these files, you must reload ufw for the rules
       to take effect. See the EXAMPLES section for common uses of these
       rules files.
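
       The following script, added here as an example and not part of ufw,
       checks a rules file for the structural mistakes that make
       iptables-restore fail at reload time: a *table without its COMMIT, a
       COMMIT or rule outside any table, and an -A/-I rule naming a chain the
       file never declares. It joins backslash-continued lines as written in
       the EXAMPLES section. Treating INPUT, OUTPUT, FORWARD, PREROUTING and
       POSTROUTING as built-in in every table is a deliberate simplification.

```shell
#!/bin/sh
# Added example (not ufw's own code): lint a ufw rules file before
# "ufw reload" so iptables-restore does not fail half-way and leave the
# firewall partially loaded. Exit status 0 means no problems were found.
check_rules_file() {
    awk '
    function err(msg) { printf "%s:%d: %s\n", FILENAME, NR, msg; bad = 1 }
    { $0 = pending $0; pending = ""; sub(/^[ \t]+/, "") }  # join continued lines
    /\\$/ { pending = substr($0, 1, length($0) - 1); next }
    /^(#|$)/ { next }                               # comments and blank lines
    /^\*/ {                                         # "*filter", "*nat", ...
        if (table != "") err("table " table " has no COMMIT")
        table = substr($1, 2); split("", chains); next
    }
    /^:/ {                                          # ":chain POLICY [pkts:bytes]"
        if (table == "") err("chain declared outside a table")
        chains[substr($1, 2)] = 1; next
    }
    /^-N / { chains[$2] = 1; next }                 # "-N chain" also declares
    /^COMMIT/ {
        if (table == "") err("COMMIT without a preceding *table")
        table = ""; next
    }
    /^-[AI] / {                                     # "-A chain ..." / "-I chain ..."
        if (table == "") err("rule outside a table: " $0)
        else if (!($2 in chains) &&
                 $2 !~ /^(INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING)$/)
            err("rule uses undeclared chain " $2)
        next
    }
    { err("unrecognised line: " $0) }
    END { if (table != "") err("table " table " has no COMMIT"); exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the *nat block is missing its COMMIT, so the check fails.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:ufw-before-input - [0:0]
-A ufw-before-input -i lo -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
EOF
check_rules_file "$sample" || echo "fix $sample before running 'ufw reload'"
rm -f "$sample"
```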

MODULES

       Netfilter has many different connection tracking modules. These modules
       are aware of the underlying protocol and allow the administrator to
       simplify his or her rule sets. You can adjust which netfilter modules
       to load by adjusting IPT_MODULES in /etc/default/ufw. Some popular
       modules to load are:

         nf_conntrack_ftp
         nf_nat_ftp
         nf_conntrack_irc
         nf_nat_irc
         nf_conntrack_netbios_ns
         nf_conntrack_pptp
         nf_conntrack_tftp
         nf_nat_tftp

KERNEL PARAMETERS

       ufw will read in /etc/ufw/sysctl.conf on boot when enabled. Please
       note that /etc/ufw/sysctl.conf overrides values in the system
       sysctl.conf (usually /etc/sysctl.conf). Administrators can change the
       file used by modifying /etc/default/ufw.

IPV6

       IPv6 is enabled by default. When disabled, all incoming, outgoing and
       forwarded packets are dropped, with the exception of traffic on the
       loopback interface. To adjust this behavior, set IPV6 to 'yes' in
       /etc/default/ufw. See the ufw manual page for details.

EXAMPLES

       As mentioned, ufw loads its rules files into the kernel by using the
       iptables-restore and ip6tables-restore commands. Users wanting to add
       rules to the ufw rules files manually must be familiar with these as
       well as the iptables and ip6tables commands. Below are some common
       examples of using the ufw rules files. All examples assume IPv4 only
       and that DEFAULT_FORWARD_POLICY in /etc/default/ufw is set to DROP.

   IP Masquerading
       To allow IP masquerading for computers from the 10.0.0.0/8 network on
       eth1 to share the single IP address on eth0:

       Edit /etc/ufw/sysctl.conf to have:
               net.ipv4.ip_forward=1

       Add to the end of /etc/ufw/before.rules, after the *filter section:
               *nat
               :POSTROUTING ACCEPT [0:0]
               -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
               COMMIT

       If your firewall is using IPv6 tunnels or 6to4 and is also doing NAT,
       then you should not usually masquerade protocol '41' (ipv6) packets.
       For example, instead of the above, /etc/ufw/before.rules can be
       adjusted to have (the negation goes before the option; the older
       "--protocol ! 41" form is deprecated):
               *nat
               :POSTROUTING ACCEPT [0:0]
               -A POSTROUTING -s 10.0.0.0/8 ! --protocol 41 -o eth0 -j MASQUERADE
               COMMIT

       Add the ufw route rule to allow the traffic:
               ufw route allow in on eth1 out on eth0 from 10.0.0.0/8

   Port Redirections
       To forward tcp port 80 on eth0 to go to the webserver at 10.0.0.2:

       Edit /etc/ufw/sysctl.conf to have:
               net.ipv4.ip_forward=1

       Add to the end of /etc/ufw/before.rules, after the *filter section:
               *nat
               :PREROUTING ACCEPT [0:0]
               -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT \
                 --to-destination 10.0.0.2:80
               COMMIT

       Add the ufw route rule to allow the traffic:
               ufw route allow in on eth0 to 10.0.0.2 port 80 proto tcp

   Egress filtering
       To block RFC1918 addresses going out of eth0:

       Add the ufw route rules to reject the traffic:
               ufw route reject out on eth0 to 10.0.0.0/8
               ufw route reject out on eth0 to 172.16.0.0/12
               ufw route reject out on eth0 to 192.168.0.0/16

   Full example
       This example combines the other examples and demonstrates a simple
       routing firewall. Warning: this setup is only an example to demonstrate
       the functionality of the ufw framework in a concise and simple manner
       and should not be used in production without understanding what each
       part does and does not do. Your firewall will undoubtedly want to be
       less open.

       This router/firewall has two interfaces: eth0 (Internet facing) and
       eth1 (internal LAN). Internal clients have addresses on the 10.0.0.0/8
       network and should be able to connect to anywhere on the Internet.
       Connections to port 80 from the Internet should be forwarded to
       10.0.0.2. Access to ssh port 22 from the administrative workstation
       (10.0.0.100) to this machine should be allowed. Also make sure no
       traffic destined for internal (RFC1918) addresses goes out to the
       Internet.

       Edit /etc/ufw/sysctl.conf to have:
               net.ipv4.ip_forward=1

       Add to the end of /etc/ufw/before.rules, after the *filter section:
               *nat
               :PREROUTING ACCEPT [0:0]
               :POSTROUTING ACCEPT [0:0]
               -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT \
                 --to-destination 10.0.0.2:80
               -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
               COMMIT

       Add the necessary ufw rules:
               ufw route reject out on eth0 to 10.0.0.0/8
               ufw route reject out on eth0 to 172.16.0.0/12
               ufw route reject out on eth0 to 192.168.0.0/16
               ufw route allow in on eth1 out on eth0 from 10.0.0.0/8
               ufw route allow in on eth0 to 10.0.0.2 port 80 proto tcp
               ufw allow in on eth1 from 10.0.0.100 to any port 22 proto tcp

NOTES

       When using ufw with libvirt and bridging, packets may be blocked. The
       libvirt team recommends that the following sysctls be set to disable
       netfilter on the bridge:

         net.bridge.bridge-nf-call-ip6tables = 0
         net.bridge.bridge-nf-call-iptables = 0
         net.bridge.bridge-nf-call-arptables = 0

       Note that the bridge module must be loaded into the kernel before
       these values are set. One way to ensure this works properly with ufw is
       to add 'bridge' to IPT_MODULES in /etc/default/ufw, and then add the
       above settings to /etc/ufw/sysctl.conf.

       Alternatively to disabling netfilter on the bridge, you can configure
       iptables to allow all traffic to be forwarded across the bridge. E.g.,
       add to /etc/ufw/before.rules within the *filter section:

         -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

SEE ALSO

       ufw(8), iptables(8), ip6tables(8), iptables-restore(8),
       ip6tables-restore(8), sysctl(8), sysctl.conf(5)

AUTHOR

       ufw is Copyright 2008-2014, Canonical Ltd.

       ufw and this manual page were originally written by Jamie Strandboge
       <jamie@canonical.com>

April 2014                                                    UFW FRAMEWORK(8)