------------------------------------------------------------
revno: 3660
committer: Adam Sommer <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Wed 2008-02-13 22:48:48 -0500
message:
  ufw IP Masquerading section adjustments, based on feedback from Jamie Strandboge.
modified:
  generic/server/C/security.xml

=== modified file 'generic/server/C/security.xml'
--- a/generic/server/C/security.xml     2008-02-13 05:29:08 +0000
+++ b/generic/server/C/security.xml     2008-02-14 03:48:48 +0000
@@ -371,13 +371,13 @@
             </para>
         </sect2>
           <sect2 id="firewall-ufw" status="review">
-           <title>UFW - Uncomplicated Firewall</title>  
+           <title>ufw - Uncomplicated Firewall</title>  
            <para>
-           The default firewall configuration tool for Ubuntu is 
<application>UFW</application>.  Developed to ease iptables firewall 
configuration
-           UFW provides a user friendly way to create a IPv4 or IPv6 
host-based firewall.
+           The default firewall configuration tool for Ubuntu is 
<application>ufw</application>.  Developed to ease iptables firewall 
configuration,
+           <application>ufw</application> provides a user friendly way to 
create an IPv4 or IPv6 host-based firewall.
            </para>
            <para>
-            <application>UFW</application> by default is initially disabled.  
From the UFW man page: 
+            <application>ufw</application> by default is initially disabled.  
From the <application>ufw</application> man page: 
            </para>
            <para>
 <quote>
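Review bot: the new `<title>ufw - Uncomplicated Firewall</title>` line keeps trailing whitespace after the closing tag; drop it while touching the line. In the reworded paragraph, "user friendly" should be hyphenated as "user-friendly" when it modifies "way", and the comma added after "configuration" is a good fix since the sentence was a run-on before.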
@@ -385,12 +385,12 @@
 </quote>
            </para>
            <para>
-           The following are some examples of how to use 
<application>UFW</application>:
+           The following are some examples of how to use 
<application>ufw</application>:
            </para> 
            <itemizedlist>
               <listitem>
                 <para>
-                First, <application>UFW</application> needs to be enabled.  
From a terminal prompt enter:
+                First, <application>ufw</application> needs to be enabled.  
From a terminal prompt enter:
                </para>
 <screen>
 <command>sudo ufw enable</command>
@@ -398,7 +398,7 @@
              </listitem>
               <listitem>
                 <para>
-                To open a port, ssh in this example:
+                To open a port (ssh in this example):
                </para>
 <screen>
 <command>sudo ufw allow 22</command>
@@ -414,7 +414,7 @@
              </listitem>
               <listitem>
                 <para>
-                To remove a rule use delete then the rule name:
+                To remove a rule, use delete followed by the rule:
                </para>
 <screen>
 <command>sudo ufw delete deny 22</command>
@@ -422,11 +422,11 @@
              </listitem>
               <listitem>
                 <para>
-               It is also possible to only open a port to specific hosts or 
networks.  The following example allows ssh access
-               only from host 192.168.0.2:
+               It is also possible to allow access from specific hosts or 
networks to a port.  The following example allows ssh access
+               from host 192.168.0.2 to any ip address on this host:
                </para>
 <screen>
-<command>sudo ufw allow proto tcp from 192.168.0.2 to 192.168.0.1 port 
22</command>
+<command>sudo ufw allow proto tcp from 192.168.0.2 to any port 22</command>
 </screen>
                <para>
                Replace 192.168.0.2 with 192.168.0.0/24 to allow ssh access 
from the entire subnet.
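Review bot: "to any ip address on this host" should read "IP address", matching the capitalisation used elsewhere in the section. The replacement command `sudo ufw allow proto tcp from 192.168.0.2 to any port 22` is the right correction (the old form hard-coded 192.168.0.1 as the destination, which only worked if the reader's host happened to use that address), but the sentence could say explicitly that `from` restricts the source and `to any` means every address configured on this host, so readers understand which side of the rule is being narrowed.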
@@ -434,7 +434,7 @@
              </listitem>
               <listitem>
                 <para>
-                <application>UFW</application> can be disabled by:
+                <application>ufw</application> can be disabled by:
                </para>
 <screen>
 <command>sudo ufw disable</command>
@@ -443,12 +443,12 @@
            </itemizedlist>
            <note>
              <para>
-             If the port you want to open or close is defined in 
<filename>/etc/services</filename> you can use the port name instead of the 
number.
-             Using the example above replace <emphasis>22</emphasis> with 
<emphasis>ssh</emphasis>. 
+             If the port you want to open or close is defined in 
<filename>/etc/services</filename>, you can use the port name instead of the 
number.
+             In the above examples, replace <emphasis>22</emphasis> with 
<emphasis>ssh</emphasis>. 
               </para>
            </note>
            <para>
-           This is a short example of using <application>UFW</application> 
please refer to the UFW man page for more information.
+           This is a quick introduction to using 
<application>ufw</application>. Please refer to the 
<application>ufw</application> man page for more information.
            </para>
          </sect2>
         <sect2 id="ip-masquerading" status="complete">
@@ -469,33 +469,39 @@
                          Connection Sharing.
             </para>
            <sect3 id="ip-masquerade-ufw" status="review">
-             <title>UFW Masquerading</title>
+             <title>ufw Masquerading</title>
              <para>
-             IP Masquerading can be achieved using custom 
<application>UFW</application> rules.  This is possible because the current
-             back-end for UFW is <application>iptables-restore</application> 
with the rules files located in 
+             IP Masquerading can be achieved using custom 
<application>ufw</application> rules.  This is possible because the current
+             back-end for <application>ufw</application> is 
<application>iptables-restore</application> with the rules files located in 
              <filename>/etc/ufw/*.rules</filename>.  These files are a great 
place to add legacy iptables rules used 
-              without UFW, and rules that are more network gateway or bridge 
related.
+              without <application>ufw</application>, and rules that are more 
network gateway or bridge related.
              </para>
              <para>
              The rules are split into two different files, rules that should 
be executed before
-             UFW command line rules, and rules that are executed after UFW 
command line rules.
+             <application>ufw</application> command line rules, and rules that 
are executed after <application>ufw</application> command line rules.
              </para>
              <itemizedlist>
-             <listitem>
-               <para>
-               The first step to enabling IP Masquerading is to edit 
<filename>/etc/sysctl.conf</filename> and uncomment the following line
-               to enable IPv4 packet forwarding:
-               </para>
+               <listitem>
+                 <para>
+                 First, packet forwarding needs to be enabled in 
<application>ufw</application>.  Two configuration files will need to be 
adjusted, in
+                 <filename>/etc/default/ufw</filename> change the 
<emphasis>DEFAULT_FORWARD_POLICY</emphasis> to <quote>ACCEPT</quote>:
+                 </para>
+<programlisting>
+DEFAULT_FORWARD_POLICY="ACCEPT"
+</programlisting>
+                 <para>
+                 Then edit <filename>/etc/ufw/sysctl.conf</filename> and 
uncomment:
+                 </para>
 <programlisting>
 net.ipv4.ip_forward=1
 </programlisting>
-               <para>
-               If you wish to enable IPv6 forwarding also uncomment: 
-               </para>
+                 <para>
+                 Similarly, for IPv6 forwarding uncomment:
+                 </para>
 <programlisting>
-net.ipv6.ip_forward=1
+net.ipv6.conf.default.forwarding=1
 </programlisting>
-             </listitem>
+               </listitem>
                <listitem>
                  <para>
                  Now we will add rules to the 
<filename>/etc/ufw/before.rules</filename> file.  The default rules only 
configure the <emphasis>filter</emphasis>
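Review bot: `DEFAULT_FORWARD_POLICY="ACCEPT"` makes the FORWARD chain accept all forwarded traffic by default, not only packets from the masqueraded 192.168.0.0/24 network, and the paragraph should say so rather than presenting it as merely "enabling packet forwarding in ufw"; the later paragraph in this patch already recommends adding FORWARD rules to the `ufw-before-forward` chain, so point the reader there for restricting what is forwarded. On the IPv6 line, `net.ipv6.conf.default.forwarding=1` only sets the template for interfaces created afterwards; `net.ipv6.conf.all.forwarding=1` is the key that toggles forwarding on interfaces that already exist, so consider mentioning both. Since the text says "uncomment", also verify that both key spellings match the commented entries actually present in `/etc/ufw/sysctl.conf` on Hardy.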
@@ -505,9 +511,7 @@
 <programlisting>
 # nat Table rules
 *nat
-:PREROUTING ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
 
 # Forward traffic from eth1 through eth0.
 -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
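Review bot: removing the `:PREROUTING ACCEPT [0:0]` and `:OUTPUT ACCEPT [0:0]` declarations is fine, as nothing in the listing adds rules to those chains and built-in chains that are not listed keep their existing policy, but `eth0`, `eth1` and `192.168.0.0/24` in the remaining lines are example values; the surrounding prose should tell the reader to substitute their own external interface and internal subnet, and note that keeping the `-s` match on the MASQUERADE rule is what prevents NAT being applied to traffic from unexpected sources.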
@@ -516,30 +520,29 @@
 COMMIT
 </programlisting>
                  <para>
-                 The comments were added to match the existing ones, but are 
not strictly necessary.  However, it is good practice to document which
-                 configuration lines accomplish what.
+                 The comments are not strictly necessary, but it is considered 
good practice to document your configuration. Also, when modifying 
+                 any of the <emphasis>rules</emphasis> files in <filename 
class="directory">/etc/ufw</filename>, make sure these lines are the last
+                 line for each table modified:
                  </para>
-               </listitem>
-               <listitem>
-                 <para>
-                 Next, a rule needs to be added to the 
<emphasis>filter</emphasis> table to enable forwarding.  Add the following to 
the top of the 
-                 <emphasis>required lines</emphasis> section:
-                 </para>
+
 <programlisting>
-:FORWARD ACCEPT [0:0]
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT
 </programlisting>
                </listitem>
                <listitem>
                  <para>
-                 Finally, restart <application>UFW</application> to enable the 
newly configured rules:
+                 Finally, disable and re-enable <application>ufw</application> 
to apply the changes:
                  </para>
 <programlisting>
-<command>sudo /etc/init.d/ufw restart</command>
+<command>sudo ufw disable &amp;&amp; sudo ufw enable</command>
 </programlisting>
                </listitem>
              </itemizedlist>
              <para>
-             IP Masquerading should now be enabled, and all filtering rules 
can be configured using UFW.
+             IP Masquerading should now be enabled. You can also add any 
additional FORWARD rules
+              to the <filename>/etc/ufw/before.rules</filename>. It is 
recommended that these additional
+              rules be added to the <emphasis>ufw-before-forward</emphasis> 
chain.
              </para>
          </sect3>
            <sect3 id="ip-masquerading-iptables" status="review">
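Review bot: "make sure these lines are the last line for each table modified" mixes plural and singular; suggest "make sure these are the last lines of each table you modify:". Dropping the separate `:FORWARD ACCEPT [0:0]` step is consistent with the new `DEFAULT_FORWARD_POLICY` setting earlier in the patch, but the `sudo ufw disable && sudo ufw enable` replacement leaves the host with no firewall rules loaded if the second command fails (for example on a syntax error in an edited rules file), so the text should tell the reader to check that `ufw enable` reports success, especially when working over a remote session.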
@@ -548,10 +551,28 @@
            <application>iptables</application> can also be used to enable 
masquerading.  
            </para>
            <itemizedlist>
+             <listitem>
+               <para>
+               Similar to <application>ufw</application>, the first step is to 
enable IPv4 packet forwarding by editing 
+               <filename>/etc/sysctl.conf</filename> and uncomment the 
following line
+               </para>
+<programlisting>
+net.ipv4.ip_forward=1
+</programlisting>
+               <para>
+               If you wish to enable IPv6 forwarding also uncomment: 
+               </para>
+<programlisting>
+net.ipv6.conf.default.forwarding=1
+</programlisting>
+             </listitem>
                <listitem>
                  <para>
-                 The first step is to turn on IP forwarding in 
<filename>/etc/sysctl.conf</filename> the same as above.
+                 Next, execute the <application>sysctl</application> command 
to enable the new settings in the configuration file:
                  </para>
+<screen>
+<command>sudo sysctl -p</command>
+</screen>
                </listitem>
              <listitem>
                <para>
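Review bot: the new sentence "enable IPv4 packet forwarding by editing `/etc/sysctl.conf` and uncomment the following line" needs parallel verb forms and a terminating colon: "by editing `/etc/sysctl.conf` and uncommenting the following line:". The added `sudo sysctl -p` step is correct for applying `/etc/sysctl.conf` without a reboot, and it also removes the stale "the same as above" cross-reference, which no longer matched the ufw section after this patch.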
@@ -617,16 +638,16 @@
            that decides the fate of the packet, such as ACCEPT, DROP, or 
REJECT).  
             </para>
             <para>
-            If you are using <application>UFW</application> you can turn on 
logging by entering the following from a terminal:
+            If you are using <application>ufw</application>, you can turn on 
logging by entering the following in a terminal:
             </para>
 <screen>
 <command>sudo ufw logging on</command>
 </screen>
             <para>
-            To turn logging off simply replace <emphasis 
role="italic">on</emphasis> with <emphasis role="italic">off</emphasis> in the 
above command.
+            To turn logging off in <application>ufw</application>, simply 
replace <emphasis role="italic">on</emphasis> with <emphasis 
role="italic">off</emphasis> in the above command.
             </para>
             <para>
-            Using <application>iptables</application> enter:
+            If using <application>iptables</application> instead of 
<application>ufw</application>, enter:
             </para>
 <screen>
 sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG 
--log-prefix "NEW_HTTP_CONN: "
@@ -703,7 +724,7 @@
            <listitem>
              <para>
              The <ulink url="https://wiki.ubuntu.com/UbuntuFirewall";>Ubuntu 
Firewall</ulink> wiki page contains information on the development
-             of <application>UFW</application>.
+             of <application>ufw</application>.
              </para>
            </listitem> 
            <listitem>



--

https://code.launchpad.net/~ubuntu-core-doc/ubuntu-doc/ubuntu-hardy

You are receiving this branch notification because you are subscribed to it.

-- 
ubuntu-doc-commits mailing list
ubuntu-doc-commits@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-doc-commits