Enhancements to the masquerading ufw example
Stefan Bader
stefan.bader at canonical.com
Fri Oct 7 13:16:18 UTC 2011
https://help.ubuntu.com/10.10/serverguide/C/firewall.html
Hi,
while I did a firewall setup myself, I felt that (while it is working) the ufw
masquerading example could be made better.
In the example it is suggested to change the DEFAULT_FORWARD_POLICY to "ACCEPT".
While this works, it causes the firewall to be much more open as one likely
intends to because that will allow any packets to be routed from the external
interface into the internal network.
So I would propose to change the example to leave the default policy to be DROP
and ask people to add the following lines somewhere inside the "*filter" section
of /etc/ufw/before.rules:
# Allow all packets from the internal network to be forwarded
-A ufw-before-forward -s 192.168.0.0/24 -o eth0 -j ACCEPT
# Allow packets of established connections to be forwarded inside
-A ufw-before-forward -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -i
eth0 -j ACCEPT
Actually this is sort of derivable from the iptables example and the comment in
the last paragraph of the ufw example, but I think it could help to have the
example produce a more locked down result. Does that sound reasonable?
Please cc, me on replies since I am not subscribed to ubuntu-doc.
Thanks,
Stefan
More information about the ubuntu-doc
mailing list