Enhancements to the masquerading ufw example

Stefan Bader stefan.bader at canonical.com
Fri Oct 7 13:16:18 UTC 2011


https://help.ubuntu.com/10.10/serverguide/C/firewall.html

Hi,

While doing a firewall setup myself, I felt that (although it is working) the ufw
masquerading example could be made better.

In the example it is suggested to change the DEFAULT_FORWARD_POLICY to "ACCEPT".
While this works, it makes the firewall much more open than one likely intends,
because it allows any packet to be routed from the external interface into the
internal network.

So I would propose to change the example to leave the default policy as DROP
and ask people to add the following lines somewhere inside the "*filter" section
of /etc/ufw/before.rules:

# Allow all packets from the internal network to be forwarded
-A ufw-before-forward -s 192.168.0.0/24 -o eth0 -j ACCEPT
# Allow packets of established connections to be forwarded inside
-A ufw-before-forward -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT

Actually this is sort of derivable from the iptables example and the comment in
the last paragraph of the ufw example, but I think it could help to have the
example produce a more locked-down result. Does that sound reasonable?

Please cc me on replies since I am not subscribed to ubuntu-doc.

Thanks,
Stefan
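The proposal above, shown as the complete set of files it touches. This is an added illustration, not part of the original message or of the Ubuntu server guide; it assumes the guide's layout of eth0 as the external interface, 192.168.0.0/24 as the internal network, and the guide's nat table block at the top of /etc/ufw/before.rules, with the weak setting shown commented out next to the proposed one:

```conf
# /etc/default/ufw
# Setting from the existing guide (weak): with ACCEPT, anything not blocked by
# a rule is forwarded in both directions, including from eth0 into the LAN.
#DEFAULT_FORWARD_POLICY="ACCEPT"
# Proposed setting: nothing is forwarded unless a rule below allows it.
DEFAULT_FORWARD_POLICY="DROP"

# /etc/ufw/sysctl.conf
# The kernel must still route packets for masquerading to work at all.
net/ipv4/ip_forward=1

# /etc/ufw/before.rules
# nat table rules, placed above the "*filter" line; this block needs its own
# COMMIT or the nat rules are not loaded.
*nat
:POSTROUTING ACCEPT [0:0]
# Rewrite the source of internal traffic leaving through eth0 (external side).
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT

*filter
# (ufw's own chain definitions and rules stay as shipped here)
# Allow all packets from the internal network to be forwarded out.
-A ufw-before-forward -s 192.168.0.0/24 -o eth0 -j ACCEPT
# Allow only replies to established connections to be forwarded back inside;
# a new connection arriving on eth0 for 192.168.0.0/24 falls through to the
# DROP default instead of being routed into the LAN.
-A ufw-before-forward -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
# The file's existing COMMIT for the filter table must stay after these rules.
COMMIT
```

After editing, apply the change with `sudo ufw disable && sudo ufw enable` (or `sudo ufw reload`) and confirm that both rules were loaded with `sudo iptables -S ufw-before-forward` and the masquerade rule with `sudo iptables -t nat -S POSTROUTING`. A quick way to see the difference from the ACCEPT default is to try to reach an internal host from the external side: with these rules the connection attempt is dropped rather than forwarded.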
