Add Profiles
You can now attach application profiles to your rules. Ubuntu ships several default profiles, so you can allow an application by name instead of listing its ports.
sudo ufw allow Apache
Rule added
sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       192.68.5.0/24
Apache                     ALLOW       Anywhere
iptables -L
Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  192.68.5.0/24        anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www /* 'dapp_Apache' */
Here are examples of the application profiles. The first three are the Apache profiles: Apache, Apache Secure and Apache Full.
[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp
[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp
[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp
Two profiles for the Postfix mail server:
[Postfix]
title=Mail server (SMTP)
description=Postfix is a high-performance mail transport agent
ports=25/tcp
[Postfix Submission]
title=Mail server (Submission)
description=Postfix is a high-performance mail transport agent
ports=587/tcp
The profile for SSH:
[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp
As shipped, these profiles do not save much effort over typing the port numbers. But you could create a more complex profile of your own and distribute it to a number of servers.
Create a Company Profile
Move into the applications directory.
cd /etc/ufw/applications.d
Create a profile for your company and give it a name you can refer to in rules. Here the profile is called "Server".
[Server]
title=Company Profile
description=Profile for all company web servers..
ports=25,80,443,8504,8505/tcp
sudo ufw allow Server
Rule added
sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       192.68.5.0/24
Anywhere                   DENY        192.168.4.0/24
Server                     ALLOW       Anywhere
Use an iptables command to verify that the rule was created in the ufw-user-input chain.
sudo iptables -L -n
Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  192.68.5.0/24        0.0.0.0/0            tcp dpt:22
DROP       all  --  192.168.4.0/24       0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,80,443,8504,8505 /* 'dapp_Server' */
This lets you create a single profile for your company and roll it out to all servers. The ports in this profile are:
Port 25 mail
Port 80 web
Port 443 secure web
Port 8504 company port for SSH
Port 8505 webmin
The illustration shows that you can move services off their default ports, such as SSH on 22 or Webmin on port 10000, to help protect your server. Your port choices for these applications may differ.
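As an added example (not part of the original post and not ufw's own code), here is a small Python validator for the profile format shown above. It assumes the constructed SAMPLE_PROFILE text and the MULTIPORT_MAX limit (iptables multiport matches at most 15 ports, a range counting as two) as its only inputs; it checks each section for the three required keys and expands the ports= value into the per-protocol groups that each become one multiport rule, rejecting bad ports, unsupported protocols and groups too large for a single multiport match.

```python
import configparser
import re
# Constructed sample modelled on the page's company profile; not read from a live system.
SAMPLE_PROFILE = """[Server]
title=Company Profile
description=Profile for all company web servers.
ports=25,80,443,8504,8505/tcp
"""
MULTIPORT_MAX = 15  # iptables multiport takes at most 15 ports; a range counts as two

def _check_port(item: str) -> int:
    # One port or a low:high range; returns the number of multiport slots it consumes.
    m = re.fullmatch(r"(\d+)(?::(\d+))?", item)
    if not m:
        raise ValueError(f"bad port entry: {item!r}")
    low, high = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port out of range: {item!r}")
    return 2 if m.group(2) else 1

def parse_ports(spec: str) -> list[tuple[str, list[str]]]:
    # Expand a 'ports=' value into (protocol, ports) groups, one multiport rule each.
    # '|' separates groups, ',' separates ports, ':' marks a range; no '/proto' = tcp and udp.
    groups = []
    for part in spec.split("|"):
        ports, _, proto = part.partition("/")
        protos = [proto] if proto else ["tcp", "udp"]
        if any(p not in ("tcp", "udp") for p in protos):
            raise ValueError(f"unsupported protocol in {part!r}")
        items = ports.split(",")
        if sum(_check_port(i) for i in items) > MULTIPORT_MAX:
            raise ValueError(f"too many ports for one multiport rule: {part!r}")
        groups.extend((p, items) for p in protos)
    return groups

def validate_profiles(text: str) -> dict[str, object]:
    # Map each [section] to its rule groups, or to an error string if it is unusable.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    result = {}
    for name in cfg.sections():
        missing = [k for k in ("title", "description", "ports") if k not in cfg[name]]
        if missing:
            result[name] = "missing keys: " + ", ".join(missing)
            continue
        try:
            result[name] = parse_ports(cfg[name]["ports"])
        except ValueError as exc:
            result[name] = str(exc)
    return result
```

Run it over the files in /etc/ufw/applications.d before copying a new profile to other servers, so a typo in ports= is caught before ufw refuses the rule on a remote host.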
1 comment
Hello! I write from Venezuela and do not speak English. EXCUSE ME!!!
I want to block applications (their access to the Internet) with ufw, but I can't.
For example, I use:
sudo ufw default deny outgoing
and I use this profile for Firefox in /etc/ufw/applications.d:
[FIREFOX]
title=Navegador Web firefox
description=Navegador Web firefox
ports=80,8080/tcp
and then I do:
sudo ufw allow out to any app firefox
but that does not work,
and I do not want anything like this:
sudo ufw allow out 80 (I know that works)
I only wish that Firefox had Internet access, plus other programs that I choose.