ufw | Uncomplicated firewall
ufw is a front-end application for iptables.
This page covers the basic handling of a simple but effective personal firewall for IPv4 & IPv6.
ufw is a comfortable command line application for managing your personal iptables rules in Linux. All rules are processed in the order of the configuration file(s), from top to bottom.
The file locations are /lib/ufw & /etc/ufw.
ufw is not installed by default with Debian Raspbian. So start your terminal program, preferably PuTTY.
Do not close the terminal program until your firewall is configured & activated.
gufw (universe) is an optional graphical user interface.
user@raspberry:~ $ sudo su
root@raspberry:# apt install ufw gufw
The firewall is not enabled yet. First we set our own rules.
We start by allowing access from your entire home subnet. This is not essential, but it is a precaution in case something goes wrong with your firewall configuration. The rule grants access to every single computer in your home network. Note that 192.168.x.x/24 may vary from router to router. Consult your modem / router UI to get the correct subnet address, or simply use the command ifconfig (Linux) or ipconfig (MS Windows) in a terminal.
root@raspberry:# ufw allow from 192.168.0.0/24 to any
Setting up your firewall is easier if you define two default rules: deny incoming connections and allow outgoing connections.
root@raspberry:# ufw default deny incoming
root@raspberry:# ufw default allow outgoing
Next we open the standard ports for the protocols ftp / sftp, http, https (SSL if required) and ssh (access by terminal, command line).
root@raspberry:# ufw allow 21/tcp
root@raspberry:# ufw allow 22/tcp
root@raspberry:# ufw allow 80/tcp
root@raspberry:# ufw allow 443/tcp
In case you have MySQL or a game server running, you have to open their specific ports as well.
Now check your own configuration.
Let us fire up the brickwall.
root@raspberry:# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
You will probably have to close and restart the terminal program to reconnect to your Raspberry Pi over SSH.
root@raspberry:# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.0.0/24
21/tcp                     ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere (v6)
22/tcp                     ALLOW       Anywhere (v6)
80/tcp                     ALLOW       Anywhere (v6)
443/tcp                    ALLOW       Anywhere (v6)
Did something go wrong? Got new ideas? No problem.
Just reset your personal settings and start from the beginning.
root@raspberry:# ufw disable
root@raspberry:# ufw reset
ufw | Uncomplicated firewall | deny or reject unwanted clients
Very effective to defeat and minimize referral spam / referrer spamming.
That is quite simple. The demonstration shows you how to block a single IP and an IP range / subnet.
root@raspberry:# ufw deny from 46.95.148.45 to any
Instead of deny you can also use reject. deny will keep the program waiting until the connection attempt times out, a short time later. reject will produce an immediate and very informative "Connection refused" message to the client.
A refused connection lets people know that it is your policy decision.
root@raspberry:# ufw deny from 46.95.148.45 to any
root@raspberry:# ufw reject from 178.137.0.0/16 to any
Rule added
After making changes, reload ufw.
root@raspberry:# ufw reload
Firewall reloaded
root@raspberry:# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.0.0/24
21/tcp                     ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
Anywhere                   DENY        46.95.148.45
Anywhere                   REJECT      178.137.0.0/16
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere (v6)
22/tcp                     ALLOW       Anywhere (v6)
80/tcp                     ALLOW       Anywhere (v6)
443/tcp                    ALLOW       Anywhere (v6)
...
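You have to set the rules for 80/tcp & 443/tcp after the rules for the IP addresses. Rules are processed from top to bottom, so an allow rule placed above a deny rule matches first and the blocked address still gets through on that port.
Now the short version:
Delete the rules 80/tcp & 443/tcp (see below how to do so)
ufw allow 80/tcp & ufw allow 443/tcp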
What happens with an existing rule?
Skipping adding existing rule
How to remove a rule from ufw
root@raspberry:# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   ALLOW IN    192.168.0.0/24
[ 2] 21/tcp                     ALLOW IN    Anywhere
[ 3] 22/tcp                     ALLOW IN    Anywhere
[ 4] Anywhere                   DENY IN     46.95.148.45
[ 5] Anywhere                   REJECT IN   178.137.0.0/16
[ 6] 80/tcp                     ALLOW IN    Anywhere
[ 7] 443/tcp                    ALLOW IN    Anywhere
...
root@raspberry:# ufw delete 6
Deleting:
allow 80/tcp
Proceed with operation (y|n)? y
root@raspberry:# ufw reload
Firewall reloaded
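The rule-order requirement described above can be checked mechanically. The shell function below is an added example, not part of the original page: it reads ufw status numbered output and lists every DENY / REJECT rule that sits below an ALLOW rule open to Anywhere. The names find_shadowed_blocks and sample_status are made up for this example; the sample input is the numbered listing shown on this page.

```shell
#!/bin/sh
# Added example. Reads `ufw status numbered` output on stdin and reports every
# DENY/REJECT rule that sits below an ALLOW rule open to "Anywhere": rules are
# matched top to bottom, so those ports stay reachable for the blocked source.
# IPv6 "(v6)" rows are skipped because the blocked sources here are IPv4.
find_shadowed_blocks() {
    awk '
    /^\[/ && !/\(v6\)/ {
        num = $0; sub(/\].*/, "", num); gsub(/[^0-9]/, "", num)
        rest = $0
        sub(/^\[[ 0-9]*\][ \t]*/, "", rest)
        sub(/[ \t]+$/, "", rest)
        n = split(rest, f, /[ \t]+/)
        to = f[1]; action = f[2]; from = f[n]
        if (action == "ALLOW" && from == "Anywhere") {
            allowed = (allowed == "" ? to : allowed " " to)
        } else if ((action == "DENY" || action == "REJECT") &&
                   from != "Anywhere" && allowed != "") {
            printf "rule %s: %s from %s still reachable on: %s\n",
                   num, action, from, allowed
        }
    }'
}

# The numbered listing shown on this page, used as sample input.
sample_status() {
    cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   ALLOW IN    192.168.0.0/24
[ 2] 21/tcp                     ALLOW IN    Anywhere
[ 3] 22/tcp                     ALLOW IN    Anywhere
[ 4] Anywhere                   DENY IN     46.95.148.45
[ 5] Anywhere                   REJECT IN   178.137.0.0/16
[ 6] 80/tcp                     ALLOW IN    Anywhere
[ 7] 443/tcp                    ALLOW IN    Anywhere
EOF
}

sample_status | find_shadowed_blocks
# On a live system: ufw status numbered | find_shadowed_blocks
```

On the page's listing this reports rules 4 and 5: the web ports are covered, but 21/tcp and 22/tcp are allowed above the block rules and stay open to the blocked addresses. ufw insert 1 deny from 46.95.148.45 to any places a block ahead of every allow rule.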
How to disable ufw
root@raspberry:# ufw disable
dnslytics - Ultimate online investigation tool.
Remark: the free usage has a limit per day, just erase cookies and go ahead with a new IP address then.
Log levels can be set to off | low | medium | high. The default setting is low.
The path to the logging file is /var/log/ufw.log
root@raspberry:# ufw logging medium
Logging enabled
What a pity. You enabled ufw and forgot to allow something, or did the setup in the wrong sequence.
Locate /etc/ufw/ufw.conf on the (micro)SD-card and change ENABLED=yes to ENABLED=no. Administrative rights are needed to do so. On the next boot ufw is inactive.
# /etc/ufw/ufw.conf
#

# Set to yes to start on boot. If setting this remotely, be sure to add a rule
# to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
ENABLED=yes

# Please use the 'ufw' command to set the loglevel. Eg: 'ufw logging medium'.
# See 'man ufw' for details.
LOGLEVEL=low
❶ Method in Linux Ubuntu or similar
Take the (micro)SD-card out of your Raspberry Pi and put it in an internal or external card reader connected to a desktop, laptop or whatever. Browse with the file manager, e.g. Nautilus, to the directory /etc/ufw on the card and choose Open in Terminal with the right mouse button. Log in as superuser with your Linux password, not with your Raspberry password.
user@ubuntu:/media/user/27840c60-cecb- ... 28231c/etc/ufw$ sudo su
[sudo] Password for user:
root@ubuntu:/media/user/27840c60-cecb- ... 28231c/etc/ufw# nano ufw.conf
Modify the file, save it with Ctrl O and close with Ctrl X. That's it. Put the card back and fire up your Raspberry Pi.
❷ Method in MS Windows
Ruled out, since MS Windows can't read debianized SD-cards. You'll just see some files needed for boot.
❸ Method in Mac OSx
Sorry, I have no clue about Mac OSx. Probably possible somehow.
05-Jun 2018