<h1>UFW and Shorewall Cheat Sheet</h1>
<p>Published 2021-03-25, last modified 2025-08-22. Source: <a href="https://dft.wiki/?p=1605">https://dft.wiki/?p=1605</a></p>
<p><strong>UFW</strong> [<a href="https://launchpad.net/ufw">Link</a>] is my recommendation for a host firewall on Linux.</p>
<p>Both tools on this page are front ends: they generate iptables rules, which the kernel's Netfilter framework enforces. UFW makes those rules simple to set up, maintain and inspect.</p>
<p><strong>UFW Install</strong></p>
<pre>sudo apt update
sudo apt install ufw -y</pre>
<p><strong>UFW Basics</strong></p>
<p>UFW's default policy denies all inbound and allows all outbound traffic, so on a remote host add the SSH rule before running <strong>enable</strong>, otherwise the session you are working from may be the last one that gets in. <strong>limit</strong> allows the port but blocks a source that opens six or more connections within 30 seconds; use it for SSH and anything else that can be brute-forced. <strong>delete 5</strong> removes the rule shown as number 5 by <strong>status numbered</strong>; the numbers shift after every deletion, so list again before deleting the next one. Service names such as <strong>ssh</strong> and <strong>http</strong> are resolved through /etc/services, and a port range must state the protocol.</p>
<pre>sudo ufw <strong>status</strong>
sudo ufw status <strong>numbered</strong>
sudo ufw <strong>delete</strong> 5
sudo ufw <strong>enable</strong>
sudo ufw <strong>disable</strong>
sudo ufw <strong>limit</strong> 22
sudo ufw limit <strong>ssh</strong>
sudo ufw <strong>allow</strong> 80
sudo ufw allow <strong>http</strong>
sudo ufw allow <strong>60000:65000/tcp comment "Port Range"</strong>
sudo ufw <strong>deny</strong> 80
sudo ufw <strong>delete</strong> deny 80</pre>
<p><strong>UFW Expressions</strong></p>
<p>The long form restricts a rule by direction (<strong>in</strong>/<strong>out</strong>), interface (<strong>on</strong>), source, destination, protocol and port. A comma-separated port list needs <strong>proto</strong>, as in the second line. Rules are evaluated in the order <strong>status numbered</strong> shows them and the first match wins, so a host-specific <strong>deny</strong> must sit above a broader <strong>allow</strong> to take effect.</p>
<pre>sudo ufw <strong>allow</strong> proto tcp <strong>from</strong> 10.10.10.1 <strong>to</strong> 20.20.20.2 <strong>port</strong> 80
sudo ufw allow <strong>proto</strong> tcp <strong>from</strong> any <strong>to</strong> any <strong>port</strong> 80,443
sudo ufw <strong>deny out</strong> 21
sudo ufw <strong>deny out from</strong> 10.10.10.1
sudo ufw deny out <strong>from</strong> 10.10.10.1 <strong>to</strong> any <strong>port</strong> 21
sudo ufw <strong>deny in on</strong> eth0 <strong>from</strong> 10.10.10.1
sudo ufw deny in on eth0 from <strong>10.10.10.0/24</strong></pre>
<p><strong>Shorewall</strong> [<a href="https://shorewall.org/">Link</a>] is another open-source firewall front end; it compiles a set of configuration files into iptables rules.</p>
<p>It seems to be more popular on RedHat / CentOS. It is configured entirely through files under <strong>/etc/shorewall/</strong>, which is more work than UFW but a better fit for a machine that routes between networks.</p>
<p><strong>Shorewall Install</strong></p>
<pre>sudo apt update
sudo apt install shorewall shorewall-init -y</pre>
<p><strong>shorewall-init</strong> closes the firewall early in boot, before the interfaces come up. On Debian and Ubuntu the service will not start until <strong>startup=1</strong> is set in <strong>/etc/default/shorewall</strong>. Run <strong>shorewall check</strong> to compile the configuration before <strong>shorewall start</strong>; when working over SSH, edit a copy of the directory and use <strong>shorewall try &lt;dir&gt; 60</strong>, which starts that configuration and falls back to the one in /etc/shorewall if it fails to compile or once the 60 seconds expire, so a mistake cannot lock you out.</p>
<p><strong>Shorewall Configuration</strong></p>
<p>The configuration directory <strong>/etc/shorewall/</strong> starts out empty. Pick the example set that matches the type of firewall being built and copy it from the documentation directory:</p>
<pre>sudo cp /usr/share/doc/shorewall/examples/<strong>one</strong>-interface/* /etc/shorewall/
sudo cp /usr/share/doc/shorewall/examples/<strong>two</strong>-interfaces/* /etc/shorewall/
sudo cp /usr/share/doc/shorewall/examples/<strong>three</strong>-interfaces/* /etc/shorewall/</pre>
<p>The rest of this section covers the two-interface case, where Shorewall is not a standalone host firewall but routes traffic between the LAN and the WAN.</p>
<p><strong>Define the zones</strong></p>
<pre>sudo nano /etc/shorewall/zones</pre>
<p>The file contains these lines (ZONE and TYPE columns):</p>
<pre>fw firewall
<strong>net</strong> ipv4
<strong>loc</strong> ipv4</pre>
<ul>
<li><strong>fw</strong> is the firewall host itself, referenced as <strong>$FW</strong> in the other files</li>
<li><strong>net</strong> is the WAN (e.g. Internet)</li>
<li><strong>loc</strong> is the LAN (e.g. Local)</li>
</ul>
<p><strong>Configure the interfaces</strong></p>
<pre>sudo nano /etc/shorewall/interfaces</pre>
<p>The file begins with <strong>?FORMAT 2</strong>, which selects the three-column layout (ZONE, INTERFACE, OPTIONS) shown here. <strong>physical=</strong> binds the logical names NET_IF and LOC_IF to the real devices, so those two values are normally the only edits needed; keep <strong>dhcp</strong> on the net interface only if the WAN address comes from DHCP:</p>
<pre>net          NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=<strong>eth0</strong>
loc          LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=<strong>eth1</strong></pre>
<p><strong>Set up the policies</strong></p>
<pre>sudo nano /etc/shorewall/policy</pre>
<p>Policies apply to connections that no entry in <strong>rules</strong> matched and are consulted top to bottom, first match wins. To allow LAN-to-WAN traffic but refuse everything the WAN initiates, the policy must look like the following: <strong>loc net ACCEPT</strong> lets the LAN out, <strong>net all DROP</strong> silently discards anything from the Internet towards the firewall or the LAN, and <strong>all all REJECT</strong> is the catch-all and must stay last. <strong>$LOG_LEVEL</strong> is defined in <strong>/etc/shorewall/params</strong> (the example sets it to <strong>info</strong>).</p>
<pre><strong>loc          net          ACCEPT</strong>
<strong>net          all          DROP</strong>            $LOG_LEVEL
<strong>all          all          REJECT</strong>          $LOG_LEVEL</pre>
<p><strong>Manage the rules</strong></p>
<pre>sudo nano /etc/shorewall/rules</pre>
<p>Rules are exceptions to the policies and are matched before them. Entries such as <strong>SSH(ACCEPT)</strong> and <strong>Ping(DROP)</strong> are macros shipped with Shorewall that fill in protocol and port. Your own rules go below <strong>?SECTION NEW</strong>. The example file contains:</p>
<pre>#<strong>ACTION</strong>         <strong>SOURCE</strong>          <strong>DEST</strong>            <strong>PROTO</strong>   <strong>DEST</strong>    <strong>SOURCE</strong>          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS         SWITCH          HELPER
#                                                       <strong>PORT</strong>    <strong>PORT(S)</strong>         DEST            LIMIT           GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

#       Don't allow connection pickup from the net
Invalid(<strong>DROP</strong>)   <strong>net</strong>             <strong>all</strong>             <strong>tcp</strong>

#       Accept DNS connections from the firewall to the network
DNS(<strong>ACCEPT</strong>)     <strong>$FW</strong>             <strong>net</strong>

#       Accept SSH connections from the local network for administration
SSH(<strong>ACCEPT</strong>)     <strong>loc</strong>             <strong>$FW</strong>

#       Allow Ping from the local network
Ping(<strong>ACCEPT</strong>)    <strong>loc</strong>             <strong>$FW</strong>

# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(<strong>DROP</strong>)      <strong>net</strong>             <strong>$FW</strong>
<strong>ACCEPT</strong>          <strong>$FW</strong>             <strong>loc</strong>             <strong>icmp</strong>
<strong>ACCEPT</strong>          <strong>$FW</strong>             <strong>net</strong>             <strong>icmp</strong></pre>
<p><strong>Port Forwarding</strong></p>
<p>DNAT rules also go in <strong>rules</strong> under <strong>?SECTION NEW</strong>. They only work when the firewall forwards and masquerades for the LAN: the two-interface example sets <strong>IP_FORWARDING=On</strong> in <strong>shorewall.conf</strong>, and the LAN range in <strong>/etc/shorewall/snat</strong> (<strong>masq</strong> on Shorewall 4) must match your network, with the LAN host using the firewall as its default gateway.</p>
<pre><strong>DNAT</strong>            <strong>net</strong>             <strong>loc:10.0.0.1       tcp    80</strong></pre>
<p>Note: it listens on port <strong>80</strong> and forwards to the same port <strong>80</strong> on 10.0.0.1.</p>
<pre><strong>DNAT</strong>            <strong>net</strong>             <strong>loc:10.0.0.1:80    tcp    8080</strong></pre>
<p>Note: it listens on port <strong>8080</strong> but forwards to port <strong>80</strong> on 10.0.0.1.</p>
<hr />
<p><strong>BONUS</strong></p>
<p>Check out <strong>CSF</strong> (Config Server Firewall) [<a href="https://configserver.com/configserver-security-and-firewall/">Link</a>]. It is a free iptables front end for most Linux distributions with UI integration for cPanel, DirectAdmin and Webmin.</p>
<p>For control of inbound and outbound connections per process and/or per source/destination on a desktop, check out <strong>OpenSnitch</strong> [<a href="https://github.com/evilsocket/opensnitch">Link</a>].</p>
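<p>An added example, not part of the original post: a POSIX shell script that audits the output of <strong>ufw status numbered</strong> for inbound rules that leave management or database ports open to "Anywhere", which is exactly what the cheat sheet's <strong>limit 22</strong> line does when no source restriction is added (rate limiting slows a brute-force attempt, it does not hide the port). The list in <strong>ADMIN_PORTS</strong> and the sample status output are constructed for the demo; adjust the list to the services the host actually runs.</p>

```shell
#!/usr/bin/env sh
# ufw-audit.sh: flag inbound UFW rules that expose admin/database ports to Anywhere.
# Usage:  sudo ufw status numbered | sh ufw-audit.sh -
#         sh ufw-audit.sh --demo        # runs against the constructed sample below
# Exit status is the number of findings (0 = nothing exposed).
set -eu

# Ports that should only be reachable from a management network.
# Assumption for this example; extend it for the host's real services.
ADMIN_PORTS="22 3306 5432 6379 3389 5900"

# is_admin_port "22/tcp" -> true, "80" -> false, "60000:65000/tcp" -> false (ranges are not checked)
is_admin_port() {
    candidate=${1%%/*}                  # drop "/tcp" or "/udp"
    case "$candidate" in *:*) return 1 ;; esac
    for p in $ADMIN_PORTS; do
        [ "$p" = "$candidate" ] && return 0
    done
    return 1
}

# Reads 'ufw status numbered' on stdin, prints one line per exposed rule,
# returns the number of findings.
ufw_audit() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            '['*']'*) ;;                # rule rows look like "[ 3] 22/tcp  LIMIT IN  Anywhere"
            *) continue ;;
        esac
        num=${line%%]*}                 # "[ 3"
        num=${num#"${num%%[0-9]*}"}     # strip the leading "[ " -> "3"
        body=${line#*]}
        to=''; action=''; dir=''; from=''
        set -- $body                    # split the row into whitespace-separated tokens
        while [ $# -gt 0 ]; do
            case "$1" in
                '(v6)'|'(out)') shift ;;                # annotations, not part of the To column
                ALLOW|DENY|REJECT|LIMIT)
                    action=$1; shift
                    if [ $# -gt 0 ]; then dir=$1; shift; fi
                    from=$*                             # everything after IN/OUT is the From column
                    break ;;
                *) to="${to:+$to }$1"; shift ;;         # To may be "22/tcp" or "20.20.20.2 80/tcp"
            esac
        done
        [ "$dir" = IN ] || continue                     # outbound rules expose nothing
        case "$action" in ALLOW|LIMIT) ;; *) continue ;; esac
        case "$from" in Anywhere*) ;; *) continue ;; esac   # source-restricted rules are fine
        port=${to##* }                                  # last token of To is the port spec
        if [ "$to" = Anywhere ] || is_admin_port "$port"; then
            findings=$((findings + 1))
            printf 'rule %s: %s %s IN from %s\n' "$num" "$to" "$action" "$from"
        fi
    done
    return $findings
}

# Constructed sample of 'ufw status numbered' output (not captured from a real host).
sample_status() {
    cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    10.10.10.0/24
[ 4] 20.20.20.2 80/tcp          ALLOW IN    10.10.10.1
[ 5] 5432/tcp                   ALLOW IN    Anywhere
[ 6] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 7] 21                         DENY OUT    Anywhere (out)
EOF
}

case "${1:-}" in
    --demo) sample_status | ufw_audit ;;
    -)      ufw_audit ;;
esac
```

<p>Against the sample, rules 1, 5 and 6 are reported: the SSH and PostgreSQL ports are reachable from any address, on IPv4 and IPv6. Rule 3 is fine because its source is the 10.10.10.0/24 management range, and rule 7 is ignored because it is an outbound rule. A <strong>To</strong> of <strong>Anywhere</strong> with a <strong>From</strong> of <strong>Anywhere</strong> (the result of <strong>ufw allow from any</strong>) is always reported, whatever the port list says.</p>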
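<p>A second added example, written for this page and not taken from the post or from the Shorewall project: a shell linter for <strong>/etc/shorewall/policy</strong> that encodes the ordering rules behind the two-interface policy table above. Shorewall applies the first policy whose SOURCE and DEST match, so the <strong>all all REJECT</strong> catch-all has to be last and anything below it is dead; accepting from <strong>net</strong> by policy instead of by a port-specific rule is the other mistake it reports. The two sample policy files are constructed for the demo.</p>

```shell
#!/usr/bin/env sh
# shorewall-policy-lint.sh: catch ordering mistakes in /etc/shorewall/policy.
# Usage:  sh shorewall-policy-lint.sh /etc/shorewall/policy
#         sh shorewall-policy-lint.sh --demo   # lint the two constructed samples
# Exit status is the number of findings (0 = clean). This checks the policy table
# only; run 'shorewall check' afterwards to compile the whole configuration.
set -eu

# lint_policy FILE: prints one finding per line, returns the finding count.
# Columns are SOURCE DEST POLICY [LOGLEVEL ...]; comments, blank lines and
# ?-directives are skipped. Variables such as $FW are kept literally (no eval).
lint_policy() {
    file=$1
    findings=0; lineno=0; catchall=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*|'?'*) continue ;; esac
        set -- $line                    # whitespace-separated columns, as Shorewall reads them
        [ $# -ge 3 ] || continue
        src=$1; dst=$2; pol=$3
        if [ "$catchall" -eq 1 ]; then
            # First match wins: nothing after "all all ..." can ever be consulted.
            findings=$((findings + 1))
            printf 'line %s: "%s %s %s" is unreachable after the all/all catch-all\n' \
                "$lineno" "$src" "$dst" "$pol"
            continue
        fi
        if [ "$src" = net ] && [ "$pol" = ACCEPT ]; then
            # Inbound from the Internet belongs in /etc/shorewall/rules, one port at a time.
            findings=$((findings + 1))
            printf 'line %s: policy ACCEPTs everything from net to %s; use a rule instead\n' \
                "$lineno" "$dst"
        fi
        if [ "$src" = all ] && [ "$dst" = all ]; then
            catchall=1
            case "$pol" in
                REJECT|DROP) ;;
                *) findings=$((findings + 1))
                   printf 'line %s: catch-all policy is %s, expected REJECT or DROP\n' "$lineno" "$pol" ;;
            esac
        fi
    done < "$file"
    if [ "$catchall" -eq 0 ]; then
        findings=$((findings + 1))
        printf 'no "all all REJECT" (or DROP) catch-all policy found\n'
    fi
    return $findings
}

# Constructed sample policy files for the demo, written under the directory given.
write_sample_policies() {
    dir=$1
    # The two-interface layout from the post: LAN out, Internet dropped, catch-all last.
    cat > "$dir/policy.good" <<'EOF'
#SOURCE   DEST   POLICY   LOGLEVEL
loc       net    ACCEPT
net       all    DROP     $LOG_LEVEL
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   $LOG_LEVEL
EOF
    # Same zones with two classic mistakes: net accepted by policy, LAN rule after the catch-all.
    cat > "$dir/policy.bad" <<'EOF'
net       loc    ACCEPT
all       all    REJECT   $LOG_LEVEL
loc       net    ACCEPT
EOF
}

case "${1:-}" in
    --demo)
        d=$(mktemp -d)
        write_sample_policies "$d"
        for f in "$d/policy.good" "$d/policy.bad"; do
            printf '== %s\n' "$f"
            lint_policy "$f" || printf '-> %s finding(s)\n' "$?"
        done
        rm -r "$d" ;;
    '') ;;
    *) lint_policy "$1" ;;
esac
```

<p>The good file (the one from this page) produces no findings. The bad file produces two: the <strong>net loc ACCEPT</strong> line opens the whole LAN to the Internet by policy, and the <strong>loc net ACCEPT</strong> line after the catch-all is never reached, so the LAN silently loses Internet access and the log fills with REJECTs. A file with no <strong>all all</strong> line, or with <strong>all all ACCEPT</strong>, is reported as well.</p>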