I have not been writing anything new for my blog for a while. Today I decided to write something, as I noticed a misconfiguration in my Linux Ubuntu UFW firewall. While I was fixing this issue, I discovered a way to write UFW firewall rules which better suits my requirements. First of all, I will describe my configuration:
- I have a laptop with Linux Ubuntu 20 installed on it for day-to-day usage;
- I have two connection methods to the Internet (network card en0: the built-in network card, used to connect to the network with a cable; network card usb0: appears when I connect to the Internet by sharing my phone's connection over a USB cable; this connection method provides a DNS service on an additional IP which is created by the connection method);
- I have a home router which provides the Internet connection and the DNS service IPs. The laptop connects to the home router via a network cable;
- I believe both connection methods could work in parallel, as the network cards are in separate networks, but I do not use them in parallel as there is no need to, so I cannot say that for sure;
- I will slightly change the IPs for security reasons;
- The laptop has no services on it that need to be accessed from outside.
Here are the basic commands to manage the UFW firewall:
a. start/stop the firewall (enable also makes it start automatically after an OS reboot; disable removes the autostart)
sudo ufw enable
sudo ufw disable
b. get status information from the firewall
sudo ufw status
sudo ufw status numbered # lists the rules with their numbers
c. delete firewall rule number 4 (the numbers come from "status numbered" and shift after every deletion, so list again before deleting the next one)
sudo ufw delete 4
d. set the default policy; with outgoing traffic denied, everything that is not explicitly allowed below, DNS and DHCP included, is blocked (loopback traffic and replies to connections the laptop itself opened are still accepted by the built-in rules in /etc/ufw/before.rules)
sudo ufw default deny incoming # block all incoming connections
sudo ufw default deny outgoing # block all outgoing connections unless an allow rule matches
Connecting to the Internet via the phone, usb0, 192.168.nn.0/24 (the "out on usb0" and "from 192.168.nn.0/24" qualifiers tie each rule to this interface and its subnet, so both rule sets can stay loaded at the same time):
sudo ufw allow out on usb0 log proto tcp from 192.168.nn.0/24 to any port 443 # https
sudo ufw allow out on usb0 log proto tcp from 192.168.nn.0/24 to any port 80 # http
sudo ufw allow out on usb0 log proto udp from 192.168.nn.0/24 to 192.168.nn.0/24 port 53 # DNS served by the phone (its address is inside the tethering subnet)
sudo ufw allow out on usb0 log proto udp from 192.168.nn.0/24 to 192.168.nn.0/24 port 67 # DHCP served by the phone (lease renewals sent from the leased address)
Connecting to the Internet via Ethernet and the home router, en0, 192.168.mm.0/24:
sudo ufw allow out on en0 log proto tcp from 192.168.mm.0/24 to any port 443 # https
sudo ufw allow out on en0 log proto tcp from 192.168.mm.0/24 to any port 80 # http
sudo ufw allow out on en0 log proto udp from 192.168.mm.0/24 to ii1.ii2.ii3.0/24 port 53 # dns1 (resolver handed out by the router)
sudo ufw allow out on en0 log proto udp from 192.168.mm.0/24 to ii1.ii2.ii4.0/24 port 53 # dns2 (resolver handed out by the router)
sudo ufw allow out on en0 log proto udp from 192.168.mm.0/24 to 192.168.mm.1 port 67 # DHCP served by the home router (lease renewals)
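The default policy and the two per-interface rule sets above are one procedure, so here is the whole thing as a script: it builds the rule list per interface profile, prints it for review, and only applies it (with a reset first, so the result is exactly the plan) when asked to. This is an added example, not the blog's own script. The interface names, subnets, DHCP server and resolver addresses in it are constructed placeholders (documentation and private ranges), not the author's real values, and the "comment" qualifier it appends to each rule assumes a ufw version that supports rule comments (0.35 and later).

```shell
#!/bin/sh
# Added example (not the blog's own script): build the egress-only UFW rule set
# as a list of commands, print it for review, and optionally apply it.
# All interface names, subnets, DHCP and resolver addresses below are
# constructed placeholders; replace them with your own.
set -eu

# profile_rules IFACE SUBNET DHCP_SERVER RESOLVER...
# Prints one "ufw" command per line for a single interface: HTTPS/HTTP to
# anywhere, UDP/53 only to the listed resolvers (an address or a subnet),
# UDP/67 only to the DHCP server. There are deliberately no "in" rules: the
# default deny incoming policy stays in force, and replies to connections the
# laptop opened are already accepted by the conntrack rule in
# /etc/ufw/before.rules.
profile_rules() {
    iface=$1 subnet=$2 dhcp=$3
    shift 3
    printf 'ufw allow out on %s log proto tcp from %s to any port 443 comment %s-https\n' "$iface" "$subnet" "$iface"
    printf 'ufw allow out on %s log proto tcp from %s to any port 80 comment %s-http\n' "$iface" "$subnet" "$iface"
    for resolver in "$@"; do
        printf 'ufw allow out on %s log proto udp from %s to %s port 53 comment %s-dns\n' "$iface" "$subnet" "$resolver" "$iface"
    done
    # Matches lease renewals, which are unicast from the leased address to the
    # server; the initial broadcast discover is sent on a raw socket and is not
    # seen by this rule.
    printf 'ufw allow out on %s log proto udp from %s to %s port 67 comment %s-dhcp\n' "$iface" "$subnet" "$dhcp" "$iface"
}

# firewall_plan: default policy first, then one profile per interface.
# Both profiles can be loaded at once because the "on IFACE" and "from SUBNET"
# qualifiers keep them apart, so switching between cable and phone needs no
# rule changes.
firewall_plan() {
    printf 'ufw default deny incoming\n'
    printf 'ufw default deny outgoing\n'
    # Home router on the cable: two resolvers (documentation addresses here).
    profile_rules en0 192.168.10.0/24 192.168.10.1 203.0.113.53 203.0.113.54
    # Phone tethering over USB: the gateway address also serves DHCP and DNS.
    profile_rules usb0 192.168.42.0/24 192.168.42.129 192.168.42.129
}

# apply_plan: replace whatever is currently loaded with exactly the plan.
# Needs root; "ufw --force reset" also disables the firewall, so it is
# re-enabled last and the resulting state is shown for a final check.
apply_plan() {
    sudo ufw --force reset
    firewall_plan | while IFS= read -r cmd; do
        # $cmd is intentionally unquoted: it is split into ufw's arguments.
        sudo $cmd
    done
    sudo ufw --force enable
    sudo ufw status verbose
}

# The allow rules above are IPv4 only; refuse to apply unless the kernel was
# booted with ipv6.disable=1 (the grub change the post requires).
check_ipv6_disabled() {
    grep -qwF 'ipv6.disable=1' /proc/cmdline
}

case "${1:-print}" in
    print) firewall_plan ;;
    apply)
        check_ipv6_disabled || { echo 'IPv6 is still enabled; boot with ipv6.disable=1 first' >&2; exit 1; }
        apply_plan ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to see the eleven commands it would issue (two defaults plus nine allow rules, the same count as the configuration above); run it with "apply" as root to load them. Because the plan is generated, adding a third connection method is one more profile_rules line rather than a hand-typed set of commands.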
You can read more about private network address ranges here: https://en.wikipedia.org/wiki/Private_network
In conclusion, I have the default fw policy plus the 9 rules described above, and I can change my connection method when I need to.
If you want the configuration described above to work as expected, then you have to disable IPv6. I managed to do that only by adjusting the grub configuration:
grep GRUB_CMDLINE_LINUX /etc/default/grub
…
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
GRUB_CMDLINE_LINUX="ipv6.disable=1"
…
After adjusting the parameters, regenerate the grub configuration and reboot (the change takes effect only after the reboot):
sudo update-grub
sudo reboot