UFW
---
https://wiki.ubuntu.com/UbuntuFirewall


What's in a name?
-----------------
What does it mean?  I like 'Uncomplicated Firewall', but really, it's up to
you. :)  If you like it, you might pick 'Universal Firewall', 'Ultimate
Firewall', or considering its current state, 'Unfinished Firewall'. If you are
not a fan, perhaps 'Unbearable Firewall'.


Install
-------
python ./setup.py install --root=PREFIX

Eg:
python ./setup.py install --root=/


Basic Layout
------------
/usr/sbin/ufw 			is the UI for people (can have different backends)
/etc/default/ufw 		high level configuration
/etc/ufw/before[6].rules 	rules evaluated before UI added rules
/etc/ufw/after[6].rules 	rules evaluated after UI added rules
/var/lib/ufw/user[6].rules	UI added rules (not to be modified)
/etc/ufw/sysctl.conf 		kernel network tunables
/etc/init.d/ufw			start script


Usage
-----
ufw enable|disable 		turn firewall on and off (including at boot)
ufw default allow|deny		updates default policy
ufw logging on|off		updates backend logging (*.rules)
ufw status			displays firewall status (user.rules only)
ufw allow|deny RULE		add RULE to firewall


Chains
------
ufw uses several chains to allow ease of use and flexibility. The chains are
organized as follows:

INPUT -> ufw-before-input -> ufw-user-input -> ufw-after-input
OUTPUT -> ufw-before-output -> ufw-user-output -> ufw-after-output
FORWARD -> ufw-before-forward -> ufw-user-forward -> ufw-after-forward

The 'before' chains are set up in 'before.rules', the 'after' chains in
'after.rules' and the 'user' chains are maintained by ufw. If an administrator
wants to add rules manually, the rules should be added to 'before.rules' and
'after.rules', not to the 'user' chains.

There is some default configuration in both 'before.rules' and 'after.rules',
and this configuration is not displayed with 'ufw status' (but can always
be viewed with 'iptables -L -n' or 'iptables -L [chain] -n'). See the iptables
man page for details.


Remote Management
-----------------
On /etc/init.d/ufw start and 'ufw enable' the chains are flushed, so an existing
ssh session will drop. This is needed so ufw is in a consistent state. Once ufw
is 'enabled' it will insert rules into the existing chains, and therefore not
flush the chains (but will when modifying a rule or changing the default policy).

You can insert rules before enabling the firewall however, so it is often
a good idea to:
$ sudo ufw allow proto tcp from any to any port 22
$ sudo ufw enable

In this case, the chains are still flushed, but the ssh port will be open
after enabling the firewall.
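The following is an added example, not part of the ufw source: it parses
'iptables -S' output and checks two things from the sections above: that each
built-in chain hands off to its before/user/after chains in the documented
order, and that ufw-user-input already accepts tcp/22 before you run 'ufw
enable' over ssh. The exact form of the rule that 'ufw allow proto tcp from
any to any port 22' produces is an assumption here, and the sample ruleset is
constructed, not captured from a real host.

```python
import re

# Documented handoff order: each built-in chain jumps to before, user, after.
EXPECTED = {c: ["ufw-%s-%s" % (stage, c.lower()) for stage in ("before", "user", "after")]
            for c in ("INPUT", "OUTPUT", "FORWARD")}

APPEND_RE = re.compile(r"^-A (\S+)(?: .*)? -j (\S+)")
# Assumed shape of the rule 'ufw allow proto tcp from any to any port 22' produces.
SSH_RULE_RE = re.compile(r"^-A ufw-user-input -p tcp .*--dport 22 .*-j ACCEPT")

def jump_targets(rules):
    """Map each chain to the ordered targets of its '-A <chain> ... -j <target>' lines."""
    targets = {}
    for line in rules.splitlines():
        m = APPEND_RE.match(line.strip())
        if m:
            targets.setdefault(m.group(1), []).append(m.group(2))
    return targets

def check_layout(rules):
    """Return problems found; an empty list means every built-in chain hands off in order."""
    targets = jump_targets(rules)
    problems = []
    for chain, expected in EXPECTED.items():
        found = [t for t in targets.get(chain, []) if t in expected]
        if found != expected:
            problems.append("%s: expected %s, found %s" % (chain, expected, found))
    return problems

def ssh_allowed(rules):
    """True if ufw-user-input already accepts tcp/22, so 'ufw enable' will not cut the session."""
    return any(SSH_RULE_RE.match(l.strip()) for l in rules.splitlines())
# Constructed sample in 'iptables -S' form (not captured from a real host).
SAMPLE_RULES = """\
-P INPUT DROP
-P OUTPUT ACCEPT
-A INPUT -j ufw-before-input
-A INPUT -j ufw-user-input
-A INPUT -j ufw-after-input
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-user-output
-A OUTPUT -j ufw-after-output
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-user-forward
-A FORWARD -j ufw-after-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
"""
```

To check a live host, feed the output of 'sudo iptables -S' to check_layout() and ssh_allowed() instead of SAMPLE_RULES.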


IPV6
----
ufw has support for IPv6, but it is disabled by default.  To enable, modify
/etc/default/ufw (or wherever this is installed) to have:

IPV6=yes

Then do:
# ufw disable
# ufw enable


Testing
-------
$ mkdir -p /tmp/ufw/usr /tmp/ufw/etc
$ python ./setup.py install --root=/tmp/ufw

Then edit /tmp/ufw/usr/sbin/ufw to have (since it's installed in /tmp):
disable_checks = True

Now do:
$ /tmp/ufw/usr/sbin/ufw help

Here is a command to do it all at once:
$ rm -rf /tmp/ufw && mkdir -p /tmp/ufw/usr /tmp/ufw/etc && python ./setup.py install --root=/tmp/ufw && sed -i 's/disable_checks = False/disable_checks = True/' /tmp/ufw/usr/sbin/ufw

Can also just run from the source directory:
$ ./run_tests.sh -s

Or for the root tests (these will modify your existing firewall and insert
kernel modules, so they require root privileges and aren't run by default):
$ sudo ./run_tests.sh -s root


(C) 2008 Canonical Ltd.
