Advanced UFW Settings

by Mike on October 14, 2009

Advanced Features
There are a number of advanced features you should be aware of so that you can manipulate the firewall to do what you need for your business.  You can add rules and options that are not provided for in the user interface.

The first file you can manage is /etc/default/ufw.  This file holds the default policies, which you can change.  Notice that INPUT and FORWARD are "DROP" to protect your system.  If you change the OUTPUT policy to DROP you will need to create rules to allow the outgoing connections you need.  If you are not using FTP or IRC you could remove their connection-tracking modules from IPT_MODULES.

/etc/default/ufw

IPV6=no
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc"

There is a set of rules that get executed before all other rules, in /etc/ufw/before.rules.  These are called the before rules, and there is one file for IPv4 and one for IPv6.  You can run custom rules here by inserting them in this file.  The current rules for the loopback interface, connection state and ICMP are also located here if you need to modify them.  You will also find the after rules in /etc/ufw/after.rules.
In before.rules you will see this line, which you need to uncomment to allow dhclient to work.

/etc/ufw/before.rules

#-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

You can disable the ping option by commenting this line in before.rules.

-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

If you need to modify kernel parameters you can edit /etc/ufw/sysctl.conf.

Here is a list of the default settings.  If you were using the Ubuntu server as a firewall protecting an internal network you would need to uncomment the ip_forward option to allow traffic to be forwarded from one network card to another.

/etc/ufw/sysctl.conf

#net/ipv4/ip_forward=1
#net/ipv6/conf/default/forwarding=1

net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0

net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0

net/ipv4/conf/all/log_martians=0
net/ipv4/conf/default/log_martians=0

#net/ipv4/tcp_fin_timeout=30
#net/ipv4/tcp_keepalive_intvl=1800

The /etc/ufw/ufw.conf provides a way to manage if you want the UFW to start on boot and the log level.

/etc/ufw/ufw.conf

# set to yes to start on boot
ENABLED=yes

# set to one of 'off', 'low', 'medium', 'high'
LOGLEVEL=low

After modifying text files, activate the new settings by stopping and starting the firewall:

sudo ufw disable
sudo ufw enable
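Because these files are read only when the firewall is reloaded, it helps to make the edits on a copy and check them before running the disable/enable cycle.  The script below is an added example written for this post, not part of the original article or of the UFW project: it wraps the three edits described above (uncommenting the dhclient rule and commenting out the echo-request rule in before.rules, and uncommenting ip_forward in sysctl.conf) as small functions that take a file path, so they can be tried on copies first.  The sample files it builds in a temporary directory are constructed excerpts, not the real files from /etc/ufw.

```shell
#!/bin/sh
# Added example, not from the original post.  Each helper edits whatever file path
# it is given, so point it at a copy of the real file before using it on /etc/ufw.
set -eu

# Replace a file with the result of running a sed script over it (portable
# alternative to "sed -i", which differs between GNU and BSD sed).
sed_in_place() {
    # $1 = sed script, $2 = file
    sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Uncomment the dhclient rule (DHCP replies: UDP source port 67 to port 68).
enable_dhclient_rule() {
    sed_in_place 's/^#\(-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT\)$/\1/' "$1"
}

# Comment out the echo-request ACCEPT so the host stops answering ping.
disable_ping_rule() {
    sed_in_place 's/^\(-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT\)$/#\1/' "$1"
}

# Uncomment net/ipv4/ip_forward=1 in a ufw sysctl.conf copy (router use only).
enable_ip_forward() {
    sed_in_place 's|^#\(net/ipv4/ip_forward=1\)$|\1|' "$1"
}

# Show the active default policies from a /etc/default/ufw style file.
show_default_policies() {
    grep -E '^DEFAULT_(INPUT|OUTPUT|FORWARD)_POLICY=' "$1"
}

# Count non-comment lines containing a fixed string, e.g. to confirm a rule is live.
active_rule_count() {
    # $1 = file, $2 = fixed string; grep -c exits 1 on zero matches, hence "|| true"
    grep -v '^#' "$1" | grep -c -F -- "$2" || true
}

# --- constructed sample files, standing in for the real ones under /etc/ufw ---
WORK=$(mktemp -d)
cat > "$WORK/before.rules" <<'EOF'
# constructed excerpt of /etc/ufw/before.rules
-A ufw-before-input -i lo -j ACCEPT
#-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
EOF
cat > "$WORK/sysctl.conf" <<'EOF'
# constructed excerpt of /etc/ufw/sysctl.conf
#net/ipv4/ip_forward=1
#net/ipv6/conf/default/forwarding=1
net/ipv4/conf/all/accept_redirects=0
EOF
cat > "$WORK/ufw" <<'EOF'
# constructed excerpt of /etc/default/ufw
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
EOF

# Apply the edits to the copies and report what changed.
enable_dhclient_rule "$WORK/before.rules"
disable_ping_rule "$WORK/before.rules"
enable_ip_forward "$WORK/sysctl.conf"
show_default_policies "$WORK/ufw"
printf 'dhclient rules active: %s\n' "$(active_rule_count "$WORK/before.rules" '--sport 67 --dport 68')"
printf 'echo-request rules active: %s\n' "$(active_rule_count "$WORK/before.rules" 'echo-request')"
printf 'ip_forward enabled: %s\n' "$(active_rule_count "$WORK/sysctl.conf" 'net/ipv4/ip_forward=1')"
```

Once the edited copies look right, move them into place and run the `sudo ufw disable` / `sudo ufw enable` pair above; `active_rule_count` is the quick check that a rule is no longer commented out before you reload.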
