{
    "content": [
        {
            "type": "text",
            "text": "# ufw-framework (man)\n\n## NAME\n\nufw-framework - using the ufw framework\n\n## DESCRIPTION\n\nufw provides both a command line interface and a framework for managing a netfilter firewall.\nWhile the ufw command provides an easy-to-use interface for managing a firewall, the ufw\nframework provides the administrator methods to customize default behavior and add rules not\nsupported by the command line tool. In this way, ufw can take full advantage of Linux netfilter's\npower and flexibility.\n\n## Sections\n\n- **NAME**\n- **DESCRIPTION**\n- **OVERVIEW**\n- **BOOT INITIALIZATION**\n- **RULES FILES**\n- **MODULES**\n- **KERNEL PARAMETERS**\n- **IPV6**\n- **EXAMPLES** (4 subsections)\n- **CONNECTION HELPERS**\n- **NOTES**\n- **SEE ALSO**\n- **AUTHOR**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n"
        }
    ],
    "structuredContent": {
        "command": "ufw-framework",
        "section": "",
        "mode": "man",
        "summary": "ufw-framework - using the ufw framework",
        "synopsis": null,
        "tldr_summary": null,
        "tldr_examples": [],
        "tldr_source": null,
        "flags": [],
        "examples": [
            "As mentioned, ufw loads its rules files into the kernel by using the iptables-restore and ip6tables-restore commands. Users wanting to add rules to the ufw rules files manually must be familiar with these as well as the iptables and ip6tables commands. Below are some common examples of using the ufw rules files. All examples assume IPv4 only and that DEFAULT_FORWARD_POLICY in /etc/default/ufw is set to DROP.",
            "IP Masquerading: to allow IP masquerading for computers from the 10.0.0.0/8 network on eth1 to share the single IP address on eth0:\n\nEdit /etc/ufw/sysctl.conf to have:\nnet.ipv4.ip_forward=1\n\nAdd to the end of /etc/ufw/before.rules, after the *filter section:\n*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE\nCOMMIT\n\nIf your firewall is using IPv6 tunnels or 6to4 and is also doing NAT, then you should not usually masquerade protocol '41' (ipv6) packets. For example, instead of the above, /etc/ufw/before.rules can be adjusted to have:\n*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.0.0.0/8 ! --protocol 41 -o eth0 -j MASQUERADE\nCOMMIT\n\nAdd the ufw route rule to allow the traffic:\nufw route allow in on eth1 out on eth0 from 10.0.0.0/8",
            "Port Redirections: to forward tcp port 80 on eth0 to the webserver at 10.0.0.2:\n\nEdit /etc/ufw/sysctl.conf to have:\nnet.ipv4.ip_forward=1\n\nAdd to the end of /etc/ufw/before.rules, after the *filter section:\n*nat\n:PREROUTING ACCEPT [0:0]\n-A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.0.2:80\nCOMMIT\n\nAdd the ufw route rule to allow the traffic:\nufw route allow in on eth0 to 10.0.0.2 port 80 proto tcp",
            "Egress filtering: to block RFC1918 addresses going out of eth0, add the ufw route rules to reject the traffic:\nufw route reject out on eth0 to 10.0.0.0/8\nufw route reject out on eth0 to 172.16.0.0/12\nufw route reject out on eth0 to 192.168.0.0/16",
            "Full example: this example combines the other examples and demonstrates a simple routing firewall. Warning: this setup is only an example to demonstrate the functionality of the ufw framework in a concise and simple manner and should not be used in production without understanding what each part does and does not do. Your firewall will undoubtedly want to be less open.\n\nThis router/firewall has two interfaces: eth0 (Internet facing) and eth1 (internal LAN). Internal clients have addresses on the 10.0.0.0/8 network and should be able to connect to anywhere on the Internet. Connections to port 80 from the Internet should be forwarded to 10.0.0.2. Access to ssh port 22 from the administrative workstation (10.0.0.100) to this machine should be allowed. Also make sure no traffic for internal (RFC1918) addresses leaks out to the Internet.\n\nEdit /etc/ufw/sysctl.conf to have:\nnet.ipv4.ip_forward=1\n\nAdd to the end of /etc/ufw/before.rules, after the *filter section:\n*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n-A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.0.2:80\n-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE\nCOMMIT\n\nAdd the necessary ufw rules:\nufw route reject out on eth0 to 10.0.0.0/8\nufw route reject out on eth0 to 172.16.0.0/12\nufw route reject out on eth0 to 192.168.0.0/16\nufw route allow in on eth1 out on eth0 from 10.0.0.0/8\nufw route allow in on eth0 to 10.0.0.2 port 80 proto tcp\nufw allow in on eth1 from 10.0.0.100 to any port 22 proto tcp"
        ],
        "see_also": [
            {
                "name": "ufw",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/ufw/8/json"
            },
            {
                "name": "iptables",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/iptables/8/json"
            },
            {
                "name": "ip6tables",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/ip6tables/8/json"
            },
            {
                "name": "iptables-restore",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/iptables-restore/8/json"
            },
            {
                "name": "ip6tables-restore",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/ip6tables-restore/8/json"
            },
            {
                "name": "sysctl",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/sysctl/8/json"
            },
            {
                "name": "sysctl.conf",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/sysctl.conf/5/json"
            }
        ],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "DESCRIPTION",
                "lines": 7,
                "subsections": []
            },
            {
                "name": "OVERVIEW",
                "lines": 32,
                "subsections": []
            },
            {
                "name": "BOOT INITIALIZATION",
                "lines": 43,
                "subsections": []
            },
            {
                "name": "RULES FILES",
                "lines": 16,
                "subsections": []
            },
            {
                "name": "MODULES",
                "lines": 20,
                "subsections": []
            },
            {
                "name": "KERNEL PARAMETERS",
                "lines": 5,
                "subsections": []
            },
            {
                "name": "IPV6",
                "lines": 5,
                "subsections": []
            },
            {
                "name": "EXAMPLES",
                "lines": 6,
                "subsections": [
                    {
                        "name": "IP Masquerading",
                        "lines": 23
                    },
                    {
                        "name": "Port Redirections",
                        "lines": 16
                    },
                    {
                        "name": "Egress filtering",
                        "lines": 8
                    },
                    {
                        "name": "Full example",
                        "lines": 32
                    }
                ]
            },
            {
                "name": "CONNECTION HELPERS",
                "lines": 40,
                "subsections": []
            },
            {
                "name": "NOTES",
                "lines": 18,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 4,
                "subsections": []
            },
            {
                "name": "AUTHOR",
                "lines": 5,
                "subsections": []
            }
        ],
        "sections": {
            "NAME": {
                "content": "ufw-framework - using the ufw framework\n",
                "subsections": []
            },
            "DESCRIPTION": {
                "content": "ufw provides both a command line interface and a framework for managing a netfilter firewall.\nWhile the ufw command provides an easy-to-use interface for managing a firewall, the ufw\nframework provides the administrator methods to customize default behavior and add rules not\nsupported by the command line tool. In this way, ufw can take full advantage of Linux netfilter's\npower and flexibility.\n\n",
                "subsections": []
            },
            "OVERVIEW": {
                "content": "The  framework  provides  boot  time  initialization,  rules files for adding custom rules, a\nmethod for loading netfilter modules, configuration of kernel parameters and configuration of\nIPv6. The framework consists of the following files:\n\n/lib/ufw/ufw-init\ninitialization script\n\n/etc/ufw/before.init\ninitialization customization script run before ufw is initialized\n\n/etc/ufw/after.init\ninitialization customization script run after ufw is initialized\n\n/etc/ufw/before[6].rules\nrules file containing rules evaluated before UI added rules\n\n/etc/ufw/user[6].rules\nrules file containing UI added rules (managed with the ufw command)\n\n/etc/ufw/after[6].rules\nrules file containing rules evaluated after UI added rules\n\n/etc/default/ufw\nhigh level configuration\n\n/etc/ufw/sysctl.conf\nkernel network tunables\n\n/etc/ufw/ufw.conf\nadditional high level configuration\n\n",
                "subsections": []
            },
            "BOOT INITIALIZATION": {
                "content": "ufw is started on boot with /lib/ufw/ufw-init. This script is a standard SysV style\ninitscript used by the ufw command and should not be modified. The /etc/ufw/before.init and\n/etc/ufw/after.init scripts may be used to perform any additional firewall configuration that\nis not yet supported in ufw itself; if they exist and are executable, ufw-init will execute\nthese scripts. ufw-init exits with an error if either of these scripts exits with an error.\nufw-init supports the following arguments:\n\nstart: loads the firewall\n\nstop:  unloads the firewall\n\nrestart:\nreloads the firewall\n\nforce-reload:\nsame as restart\n\nstatus:\nbasic status of the firewall\n\nforce-stop:\nsame as stop, except does not check if the firewall is already loaded\n\nflush-all:\nflushes the built-in chains, deletes all non-built-in chains and resets the policy to\nACCEPT (the host is left with no packet filtering at all)\n\nufw-init will call before.init and after.init with start, stop, status and flush-all, but\ntypically, if used, these scripts need only implement start and stop.\n\nufw uses many user-defined chains in addition to the built-in iptables chains. If\nMANAGE_BUILTINS in /etc/default/ufw is set to 'yes', on stop and reload the built-in chains are\nflushed. If it is set to 'no', on stop and reload the ufw secondary chains are removed and\nthe ufw primary chains are flushed. In addition to flushing the ufw specific chains, it keeps\nthe primary chains in the same order with respect to any other user-defined chains that may\nhave been added. This allows ufw to interoperate with other software that may manage\nits own firewall rules.\n\nTo ensure your firewall is loading on boot, you must integrate this script into the boot\nprocess. Consult your distribution's documentation for the proper way to modify your boot\nprocess if ufw is not already integrated.\n\n",
                "subsections": []
            },
            "RULES FILES": {
                "content": "ufw is in part a front-end for iptables-restore, with its rules saved in /etc/ufw/before.rules,\n/etc/ufw/after.rules and /etc/ufw/user.rules. Administrators can customize before.rules and\nafter.rules as desired using the standard iptables-restore syntax. Rules are evaluated as\nfollows: before.rules first, user.rules next, and after.rules last. IPv6 rules are evaluated in\nthe same way, with the rules files named before6.rules, user6.rules and after6.rules. Please\nnote that ufw status only shows rules added with ufw and not the rules found in the /etc/ufw\nrules files.\n\nImportant: ufw only uses the *filter table by default. You may add any other tables such as\n*nat, *raw and *mangle as desired. For each table a corresponding COMMIT statement is\nrequired; a table block without its COMMIT, or a rule placed after a COMMIT, makes the\nrestore fail and the firewall will not (re)load.\n\nAfter modifying any of these files, you must reload ufw for the rules to take effect. See\nthe EXAMPLES section for common uses of these rules files.\n\n",
                "subsections": []
            },
            "MODULES": {
                "content": "Netfilter has many different connection tracking modules. These modules are aware of the\nunderlying protocol and allow the administrator to simplify his or her rule sets. You can\nadjust which netfilter modules to load by adjusting IPT_MODULES in /etc/default/ufw. Some\npopular modules to load are:\n\nnf_conntrack_ftp\nnf_nat_ftp\nnf_conntrack_irc\nnf_nat_irc\nnf_conntrack_netbios_ns\nnf_conntrack_pptp\nnf_conntrack_tftp\nnf_nat_tftp\nnf_conntrack_sane\n\nUnconditional loading of connection tracking modules (nf_conntrack_*) in this manner is\ndeprecated. ufw continues to support the functionality but new configuration should only contain\nthe specific modules required for the site. For more information, see CONNECTION HELPERS.\n\n",
                "subsections": []
            },
            "KERNEL PARAMETERS": {
                "content": "ufw will read in /etc/ufw/sysctl.conf on boot when enabled. Please note that\n/etc/ufw/sysctl.conf overrides values in the system sysctl.conf (usually /etc/sysctl.conf).\nAdministrators can change the file used by modifying IPT_SYSCTL in /etc/default/ufw.\n\n",
                "subsections": []
            },
            "IPV6": {
                "content": "IPv6 is enabled by default. When it is disabled, all incoming, outgoing and forwarded IPv6\npackets are dropped, with the exception of traffic on the loopback interface. To adjust this\nbehavior, set IPV6 to 'yes' or 'no' in /etc/default/ufw. See the ufw manual page for details.\n\n",
                "subsections": []
            },
            "EXAMPLES": {
                "content": "As mentioned, ufw loads its rules files into the kernel by using the iptables-restore and\nip6tables-restore commands. Users wanting to add rules to the ufw rules files manually must\nbe familiar with these as well as the iptables and ip6tables commands. Below are some common\nexamples of using the ufw rules files. All examples assume IPv4 only and that\nDEFAULT_FORWARD_POLICY in /etc/default/ufw is set to DROP.\n",
                "subsections": [
                    {
                        "name": "IP Masquerading",
                        "content": "To allow IP masquerading for computers from the 10.0.0.0/8 network on eth1 to share the single\nIP address on eth0:\n\nEdit /etc/ufw/sysctl.conf to have:\nnet.ipv4.ip_forward=1\n\nAdd to the end of /etc/ufw/before.rules, after the *filter section:\n*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE\nCOMMIT\n\nIf your firewall is using IPv6 tunnels or 6to4 and is also doing NAT, then you should not\nusually masquerade protocol '41' (ipv6) packets. For example, instead of the above,\n/etc/ufw/before.rules can be adjusted to have:\n*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.0.0.0/8 ! --protocol 41 -o eth0 -j MASQUERADE\nCOMMIT\n\nAdd the ufw route rule to allow the traffic:\nufw route allow in on eth1 out on eth0 from 10.0.0.0/8\n"
                    },
                    {
                        "name": "Port Redirections",
                        "content": "To forward tcp port 80 on eth0 to the webserver at 10.0.0.2:\n\nEdit /etc/ufw/sysctl.conf to have:\nnet.ipv4.ip_forward=1\n\nAdd to the end of /etc/ufw/before.rules, after the *filter section:\n*nat\n:PREROUTING ACCEPT [0:0]\n-A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.0.2:80\nCOMMIT\n\nAdd the ufw route rule to allow the traffic:\nufw route allow in on eth0 to 10.0.0.2 port 80 proto tcp\n\n"
                    },
                    {
                        "name": "Egress filtering",
                        "content": "To block RFC1918 addresses going out of eth0:\n\nAdd the ufw route rules to reject the traffic:\nufw route reject out on eth0 to 10.0.0.0/8\nufw route reject out on eth0 to 172.16.0.0/12\nufw route reject out on eth0 to 192.168.0.0/16\n\n"
                    },
                    {
                        "name": "Full example",
                        "content": "This example combines the other examples and demonstrates a simple routing firewall. Warning:\nthis setup is only an example to demonstrate the functionality of the ufw framework in a\nconcise and simple manner and should not be used in production without understanding what each\npart does and does not do. Your firewall will undoubtedly want to be less open.\n\nThis router/firewall has two interfaces: eth0 (Internet facing) and eth1 (internal LAN).\nInternal clients have addresses on the 10.0.0.0/8 network and should be able to connect to\nanywhere on the Internet. Connections to port 80 from the Internet should be forwarded to\n10.0.0.2. Access to ssh port 22 from the administrative workstation (10.0.0.100) to this\nmachine should be allowed. Also make sure no traffic for internal (RFC1918) addresses leaks\nout to the Internet.\n\nEdit /etc/ufw/sysctl.conf to have:\nnet.ipv4.ip_forward=1\n\nAdd to the end of /etc/ufw/before.rules, after the *filter section:\n*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n-A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.0.2:80\n-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE\nCOMMIT\n\nAdd the necessary ufw rules:\nufw route reject out on eth0 to 10.0.0.0/8\nufw route reject out on eth0 to 172.16.0.0/12\nufw route reject out on eth0 to 192.168.0.0/16\nufw route allow in on eth1 out on eth0 from 10.0.0.0/8\nufw route allow in on eth0 to 10.0.0.2 port 80 proto tcp\nufw allow in on eth1 from 10.0.0.100 to any port 22 proto tcp\n\n"
                    }
                ]
            },
            "CONNECTION HELPERS": {
                "content": "Various protocols require the use of netfilter connection tracking helpers to group related\npackets into RELATED flows to make rulesets clearer and more precise. For example, with a\ncouple of kernel modules and a couple of rules, a ruleset could simply allow a connection to\nFTP port 21, then the kernel would examine the traffic and mark the other FTP data packets as\nRELATED to the initial connection.\n\nWhen the helpers were first introduced, one could only configure the modules as part of module\nload (eg, if your FTP server listened on a different port than 21, you'd have to load the\nnf_conntrack_ftp module specifying the correct port). Over time it was understood that\nunconditionally using connection helpers could lead to abuse, in part because some protocols\nallow user specified data that would allow traversing the firewall in undesired ways. As of\nkernel 4.7, automatic conntrack helper assignment (ie, handling packets for a given port and\nall IP addresses) is disabled (the old behavior could be restored by setting\nnet/netfilter/nf_conntrack_helper=1 in /etc/ufw/sysctl.conf; kernel 6.0 removed that toggle\naltogether). Firewalls should now instead use the CT target to associate traffic with a\nparticular helper and then set RELATED rules to use the helper. This allows sites to tailor\nthe use of helpers and help avoid abuse.\n\nIn general, to use helpers securely, the following needs to happen:\n\n1.     net/netfilter/nf_conntrack_helper should be set to 0 (default)\n\n2.     create a rule for the start of a connection (eg for FTP, port 21)\n\n3.     create a helper rule to associate the helper with this connection\n\n4.     create a helper rule to associate a RELATED flow with this connection\n\n5.     if needed, add the corresponding nf_conntrack_* module to IPT_MODULES\n\n6.     optionally add the corresponding nf_nat_* module to IPT_MODULES\n\nIn general it is desirable to make connection helper rules as specific as possible and ensure\nanti-spoofing is correctly set up for your site to avoid security issues in your ruleset. For\nmore information, see ANTI-SPOOFING, above, and\n<https://home.regit.org/netfilter-en/secure-use-of-helpers/>.\n\nCurrently helper rules must be managed via the RULES FILES. A future version of ufw will\nintroduce syntax for working with helper rules.\n\n",
                "subsections": []
            },
            "NOTES": {
                "content": "When using ufw with libvirt and bridging, packets may be blocked. The libvirt team recommends\nthat the following sysctl's be set to disable netfilter on the bridge:\n\nnet.bridge.bridge-nf-call-ip6tables = 0\nnet.bridge.bridge-nf-call-iptables = 0\nnet.bridge.bridge-nf-call-arptables = 0\n\nNote that the bridge module must be loaded into the kernel before these values are set (on\nkernels from 3.18 onward these sysctls are provided by the br_netfilter module, so that is the\nmodule to load). One way to ensure this works properly with ufw is to add the module to\nIPT_MODULES in /etc/default/ufw, and then add the above settings to /etc/ufw/sysctl.conf.\n\nAlternatively to disabling netfilter on the bridge, you can configure iptables to allow all\ntraffic to be forwarded across the bridge, which bypasses the ufw forward rules for bridged\ntraffic. Eg, add to /etc/ufw/before.rules within the *filter section:\n\n-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT\n\n",
                "subsections": []
            },
            "SEE ALSO": {
                "content": "ufw(8),  iptables(8),  ip6tables(8),  iptables-restore(8),  ip6tables-restore(8),  sysctl(8),\nsysctl.conf(5)\n\n",
                "subsections": []
            },
            "AUTHOR": {
                "content": "ufw is Copyright 2008-2021, Canonical Ltd.\n\n\n\nSeptember 2021                                                                      UFW FRAMEWORK(8)",
                "subsections": []
            }
        }
    }
}
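Added worked example, appended by the editor; it is not part of the ufw-framework man page or of the ufw project. On a throwaway copy it carries out the before.rules edits the EXAMPLES section describes (a *nat block appended after the *filter section) and the helper procedure from CONNECTION HELPERS (a CT target rule in *raw binding the ftp helper to port 21, and a helper-specific RELATED accept rule placed inside *filter rather than after it), then checks the result the way iptables-restore would: every *table block must be closed by its own COMMIT. The sample before.rules, the marker comments and the function names are the editor's constructions; the chain name ufw-before-input is the one ufw's stock before.rules declares. It assumes POSIX sh with awk, grep and mktemp, and a kernel with the CT target (xt_CT) and the helper match (xt_helper).

```sh
#!/bin/sh
# Added example by the editor; not code from the ufw-framework man page or ufw.
# Applies the man page's before.rules edits (EXAMPLES, CONNECTION HELPERS) to a
# throwaway copy and lints the result. Assumes POSIX sh, awk, grep, mktemp and,
# on the kernel side, the CT target (xt_CT) and the helper match (xt_helper).
# For the real thing run the same functions as root on /etc/ufw/before.rules,
# then 'ufw reload'.

# lint_restore_file FILE
# iptables-restore input is a series of '*table ... COMMIT' blocks. Report a table
# opened inside another, a COMMIT with no open table, a rule outside any table and
# a table never closed; each makes the restore, and so 'ufw reload', fail.
lint_restore_file() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^\*/ {
            if (table != "") { print "line " NR ": " $0 " opened inside *" table; bad = 1 }
            table = substr($0, 2); next
        }
        /^COMMIT[[:space:]]*$/ {
            if (table == "") { print "line " NR ": COMMIT with no open table"; bad = 1 }
            table = ""; next
        }
        table == "" { print "line " NR ": rule outside any table: " $0; bad = 1 }
        END {
            if (table != "") { print "table *" table " has no COMMIT"; bad = 1 }
            exit bad
        }' "$1"
}

# append_table_block FILE TAG   (the '*table ... COMMIT' block comes on stdin)
# Append a whole table block after the existing *filter section. TAG is written
# into a marker comment, so applying the same edit twice leaves one copy.
append_table_block() {
    file=$1; tag=$2
    grep -q "^# ufw-framework-example: $tag\$" "$file" && return 0
    { printf '\n# ufw-framework-example: %s\n' "$tag"; cat; } >> "$file"
}

# insert_into_filter FILE RULE
# Put RULE just before the COMMIT that closes *filter, i.e. inside the table;
# a rule after COMMIT belongs to no table and the lint above rejects it.
insert_into_filter() {
    file=$1; rule=$2
    grep -qxF -- "$rule" "$file" && return 0
    tmp=$(mktemp) || return 1
    awk -v rule="$rule" '
        /^\*filter/ { infilter = 1 }
        infilter && /^COMMIT/ { print rule; infilter = 0 }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# count_tag TAG FILE: number of blocks carrying TAG (1 after any number of runs).
count_tag() {
    grep -c "^# ufw-framework-example: $1\$" "$2"
}

# run_demo DIR: create a constructed stand-in for /etc/ufw/before.rules in DIR,
# apply the edits, and return the lint result.
run_demo() {
    f=$1/before.rules
    if [ ! -f "$f" ]; then
        # Constructed sample with only the chains this example needs.
        cat > "$f" <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-before-forward - [0:0]
-A ufw-before-input -i lo -j ACCEPT
COMMIT
EOF
    fi
    # EXAMPLES / IP Masquerading: the *nat block exactly as the man page gives it.
    append_table_block "$f" masquerade <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
COMMIT
EOF
    # CONNECTION HELPERS step 3: with nf_conntrack_helper=0 nothing gets a helper
    # automatically, so bind the ftp helper to port 21 with the CT target in *raw.
    append_table_block "$f" ftp-helper <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
EOF
    # Step 4: accept only RELATED packets the ftp helper itself expected. The
    # stock before.rules also accepts every RELATED packet with a generic rule
    # earlier in this chain; make that one specific too (ICMP errors are RELATED
    # as well and need their own rule), or it admits the data flow first.
    insert_into_filter "$f" \
        '-A ufw-before-input -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT'
    lint_restore_file "$f"
}

# Stand-alone use: sh example.sh [DIR]; a temporary directory is used by default.
demo_dir=${1:-$(mktemp -d)}
run_demo "$demo_dir" && echo "lint OK: $demo_dir/before.rules"
```

Steps 2 and 5 of the helper procedure live outside before.rules: `ufw allow 21/tcp` opens the control connection, and `IPT_MODULES="nf_conntrack_ftp"` in /etc/default/ufw loads the helper (add `nf_nat_ftp` when the server sits behind the NAT from the masquerading example). Before `ufw reload`, `iptables-restore --test < /etc/ufw/before.rules` run as root parses the file without committing it and catches what the lint above cannot, such as an unknown match or target.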