- Mastering Linux Security and Hardening
- Donald A. Tevault
- 2025-02-24 18:55:04
Working with the ufw configuration files
You can find the ufw firewall rules in the /etc/ufw directory. As you can see, the rules are stored in several different files:
donnie@ubuntu-ufw:/etc/ufw$ ls -l
total 48
-rw-r----- 1 root root 915 Aug 7 15:23 after6.rules
-rw-r----- 1 root root 1126 Jul 31 14:31 after.init
-rw-r----- 1 root root 1004 Aug 7 15:23 after.rules
drwxr-xr-x 3 root root 4096 Aug 7 16:45 applications.d
-rw-r----- 1 root root 6700 Mar 25 17:14 before6.rules
-rw-r----- 1 root root 1130 Jul 31 14:31 before.init
-rw-r----- 1 root root 3467 Aug 11 11:36 before.rules
-rw-r--r-- 1 root root 1391 Aug 15 2017 sysctl.conf
-rw-r--r-- 1 root root 313 Aug 11 11:37 ufw.conf
-rw-r----- 1 root root 3014 Aug 11 11:37 user6.rules
-rw-r----- 1 root root 3012 Aug 11 11:37 user.rules
donnie@ubuntu-ufw:/etc/ufw$
At the bottom of the list, you'll see the user6.rules and user.rules files. Hand-editing either of these two files is pointless: your editor will let you save the changes, but as soon as you run sudo ufw reload to load them, you'll see that your edits have been thrown away. Let's look into the user.rules file to see what's there.
At the top of the file, you'll see the definition for the iptables filter table, as well as the list of its associated chains:
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
. . .
. . .
Next, in the ### RULES ### section, we have the list of rules that we created with the ufw command. Here's what our rules for opening the DNS ports look like:
### tuple ### allow any 53 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 53 -j ACCEPT
-A ufw-user-input -p udp --dport 53 -j ACCEPT
As you can see, ufw is really just iptables at its core.
Below the ### RULES ### section, we can see the rules for logging messages about any packets that the firewall has blocked:
### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###
These messages get sent to the /var/log/kern.log file. So that we don't overwhelm the logging system when lots of packets are getting blocked, we'll only send three messages per minute to the log file, with a burst rate of 10 messages per minute. Most of these rules will insert a [UFW BLOCK] tag in with the log message, which makes it easy for us to find them. The last rule creates messages with a [UFW ALLOW] tag, and curiously enough, the INVALID rule doesn't insert any kind of tag.
Lastly, we have the rate-limiting rules, which allow only three connections per user, per minute:
### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
Any packets that exceed that limit will be recorded in the /var/log/kern.log file with the [UFW LIMIT BLOCK] tag.
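The [UFW BLOCK], [UFW ALLOW] and [UFW LIMIT BLOCK] tags that the logging and rate-limiting rules above attach to their messages are what make the kern.log entries easy to triage. The following is an added example, not code from the book or from the ufw project: a small POSIX shell script that counts entries by tag, tallies which destination ports are being blocked, and lists the source addresses that tripped the rate limit. The log lines are constructed for illustration; real entries carry the same `kernel: [UFW BLOCK] IN=... SRC=... DST=... PROTO=... SPT=... DPT=...` fields.

```shell
#!/bin/sh
# Added example, not from the book: summarize the [UFW ...] entries that the
# logging and rate-limiting rules write to /var/log/kern.log.
# The log lines below are constructed for illustration; real entries follow the
# same "kernel: [UFW BLOCK] IN=... SRC=... DST=... PROTO=... SPT=... DPT=..." shape.
SAMPLE_LOG=$(cat <<'EOF'
Aug 11 12:00:01 ubuntu-ufw kernel: [UFW BLOCK] IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 11 12:00:05 ubuntu-ufw kernel: [UFW BLOCK] IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 11 12:00:07 ubuntu-ufw kernel: [UFW BLOCK] IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc SRC=192.0.2.14 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40002 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 11 12:00:09 ubuntu-ufw kernel: [UFW ALLOW] IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc SRC=192.0.2.11 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=50000 DPT=53 LEN=40
Aug 11 12:00:12 ubuntu-ufw kernel: [UFW LIMIT BLOCK] IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc SRC=192.0.2.12 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 11 12:00:13 ubuntu-ufw kernel: [UFW LIMIT BLOCK] IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc SRC=192.0.2.13 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=40004 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 11 12:00:15 ubuntu-ufw kernel: unrelated kernel message
EOF
)

# count_tag LOG TAG -> how many lines carry "[TAG]" (prints 0 if none)
count_tag() {
    printf '%s\n' "$1" | grep -c -F "[$2]" || true
}

# blocked_port_counts LOG -> one "DPT hits" line per destination port seen in
# [UFW BLOCK] entries, busiest port first
blocked_port_counts() {
    printf '%s\n' "$1" | awk '
        /\[UFW BLOCK\]/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^DPT=/) { split($i, kv, "="); hits[kv[2]]++ }
        }
        END { for (p in hits) print p, hits[p] }
    ' | sort -k2,2nr -k1,1n
}

# limited_sources LOG -> distinct SRC addresses that tripped the rate limit
limited_sources() {
    printf '%s\n' "$1" | awk '
        /\[UFW LIMIT BLOCK\]/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { split($i, kv, "="); print kv[2] }
        }
    ' | sort -u
}

# Stand-alone demo over the constructed sample.
printf 'blocked: %s  allowed: %s  rate-limited: %s\n' \
    "$(count_tag "$SAMPLE_LOG" 'UFW BLOCK')" \
    "$(count_tag "$SAMPLE_LOG" 'UFW ALLOW')" \
    "$(count_tag "$SAMPLE_LOG" 'UFW LIMIT BLOCK')"
echo 'blocked destination ports:'; blocked_port_counts "$SAMPLE_LOG"
echo 'sources that hit the rate limit:'; limited_sources "$SAMPLE_LOG"
```

To run it against the real file, replace SAMPLE_LOG with `$(sudo cat /var/log/kern.log)` or feed the file through `grep -F 'UFW'` first. Note that the fixed-string match for `[UFW BLOCK]` does not pick up `[UFW LIMIT BLOCK]` lines, so the two categories are counted separately.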
The /etc/ufw/user6.rules file looks pretty much the same, except that it's for IPv6 rules. Any time you create or delete a rule with the ufw command, it will modify both the user.rules file and the user6.rules file.
To store rules that will run before the rules in the user.rules and user6.rules files, we have the before.rules file and the before6.rules file. To store rules that will run after the rules in the user.rules and user6.rules files, we have – you guessed it – the after.rules file and the after6.rules file. If you need to add custom rules that you can't add with the ufw command, just hand-edit one of these pairs of files. (We'll get to that in a moment.)
If you look at the before and after files, you'll see how much has already been taken care of for us. This is all the stuff that we had to do by hand with iptables/ip6tables.
However, as you might know, there is one slight caveat to all this ufw goodness. You can perform simple tasks with the ufw utility, but anything more complex requires you to hand-edit a file. (This is what I meant when I said that ufw is almost no fuss, no muss.) For example, in the before files, you'll see that one of the rules for blocking invalid packets has already been implemented. Here's the code snippet from the before.rules file, which you'll find near the top of the file:
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
The second of these two rules actually drops the invalid packets, and the first rule logs them. But as we've already seen in the An overview of iptables section, this one particular DROP rule doesn't block all of the invalid packets. And, for performance reasons, we'd rather have this rule in the mangle table, instead of in the filter table where it is now. To fix that, we'll edit both of the before files. Open the /etc/ufw/before.rules file in your favorite text editor and look for the following pair of lines at the very bottom of the file:
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
Just below the COMMIT line, add the following code snippet to create the mangle table rules:
# Mangle table added by Donnie
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m conntrack --ctstate INVALID -j DROP
-A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
COMMIT
Now, we'll repeat this process for the /etc/ufw/before6.rules file. Then, we'll reload the rules with the following command:
sudo ufw reload
By using the iptables -L and ip6tables -L commands, you'll see the new rules show up in the mangle table, just where we want them to be.
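Because ufw feeds these files to iptables-restore, a mangle block pasted in the wrong place (above the filter table's COMMIT, say, or with its own COMMIT missing) makes the whole reload fail and can leave the firewall without the rules you expected. The script below is an added example, not part of the book or of ufw itself: a POSIX shell check, built on awk, that scans a rules file before you run sudo ufw reload and reports tables that are opened while another is still open, COMMIT lines with no open table, tables that are never committed, and -A/-I rules that append to a chain the file does not declare (built-in chains such as PREROUTING are exempt). The two sample files it writes are constructed, trimmed-down shapes of before.rules: one with the mangle block placed correctly after the filter COMMIT, as the text describes, and one with it pasted inside the filter table.

```shell
#!/bin/sh
# Added example, not from the book: sanity-check a ufw rules file (before.rules,
# before6.rules, after.rules, ...) before running "sudo ufw reload".
# Sample files written by write_sample are constructed, shortened shapes of
# before.rules; the real files are longer.

# check_rules_file FILE -> prints each problem found, returns 0 if there are none
check_rules_file() {
    awk '
        BEGIN {
            bad = 0; open = ""
            # chains that exist without a ":NAME" declaration
            split("INPUT OUTPUT FORWARD PREROUTING POSTROUTING", b, " ")
            for (i in b) builtin[b[i]] = 1
        }
        /^#/ || /^[ \t]*$/ { next }               # comments and blank lines
        /^\*[a-z]+$/ {                             # "*filter", "*mangle", ...
            if (open != "") {
                printf "line %d: %s opened while %s is still open (missing COMMIT)\n", NR, $0, open
                bad++
            }
            open = $0; split("", declared)         # new table, new chain set
            next
        }
        /^:/ {                                     # ":chain policy [pkts:bytes]"
            declared[substr($1, 2)] = 1
            next
        }
        /^COMMIT$/ {
            if (open == "") { printf "line %d: COMMIT without an open table\n", NR; bad++ }
            open = ""
            next
        }
        /^-[AI] / {                                # "-A chain ..." / "-I chain ..."
            if (open == "") { printf "line %d: rule outside any table\n", NR; bad++ }
            if (!($2 in declared) && !($2 in builtin)) {
                printf "line %d: chain %s is not declared in %s\n", NR, $2, open
                bad++
            }
            next
        }
        END {
            if (open != "") { printf "end of file: %s has no COMMIT\n", open; bad++ }
            exit (bad > 0)
        }
    ' "$1"
}

# count_problems FILE -> number of problem lines reported
count_problems() {
    check_rules_file "$1" | wc -l | tr -d ' '
}

# write_sample good|bad -> path of a temp file holding a constructed rules fragment
write_sample() {
    f=$(mktemp) || return 1
    case "$1" in
    good) cat >"$f" <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
# Mangle table added by Donnie
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m conntrack --ctstate INVALID -j DROP
-A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
COMMIT
EOF
        ;;
    bad) cat >"$f" <<'EOF'
*filter
:ufw-before-input - [0:0]
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate INVALID -j DROP
# mangle block pasted ABOVE the filter table's COMMIT (the mistake to catch)
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m conntrack --ctstate INVALID -j DROP
COMMIT
COMMIT
EOF
        ;;
    esac
    printf '%s\n' "$f"
}

# Stand-alone demo: check both constructed samples.
for kind in good bad; do
    f=$(write_sample "$kind")
    if check_rules_file "$f"; then echo "$kind sample: safe to reload"; else echo "$kind sample: fix before reloading"; fi
    rm -f "$f"
done
```

On a real system, run `check_rules_file /etc/ufw/before.rules` and the same for before6.rules before the reload. Once the reload succeeds, list the mangle table explicitly with `sudo iptables -t mangle -L` and `sudo ip6tables -t mangle -L`, since a bare `-L` shows only the filter table.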