Should also modify the before.rules config #21

Open
xbeta opened this issue Aug 2, 2015 · 10 comments · May be fixed by #39

@xbeta

xbeta commented Aug 2, 2015

From UFW guide:
https://help.ubuntu.com/community/UFW#Advanced_Syntax

@tersmitten
Member

That would make a nice addition. Feel free to open a pull request.

@xbeta
Author

xbeta commented Aug 8, 2015

@tersmitten can you keep it open until we send in a PR?

@tersmitten
Member

Sure

@NanoPish

I want to add this feature to the project, how would you do it?
An array of strings parameter to be added at the bottom of the before files, before the ending COMMIT line?

@tersmitten
Member

I'll have a look next week

@tersmitten
Member

Maybe something like this?

# git diff
diff --git a/defaults/main.yml b/defaults/main.yml
index 37730c6..e9d0ccd 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -23,3 +23,15 @@ ufw_etc_default_ipt_modules:
   - nf_conntrack_ftp
   - nf_nat_ftp
   - nf_conntrack_netbios_ns
+
+ufw_etc_ufw_after_manage: false
+ufw_etc_ufw_after6_rules: []
+ufw_etc_ufw_after_rules: []
+
+ufw_etc_ufw_before_manage: false
+ufw_etc_ufw_before6_rules: []
+ufw_etc_ufw_before_rules: []
+
+ufw_etc_ufw_user_manage: false
+ufw_etc_ufw_user6_rules: []
+ufw_etc_ufw_user_rules: []
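
Review bot: with the `_manage` flags defaulting to false and the six `_rules` lists defaulting to `[]`, a user who sets, say, `ufw_etc_ufw_before_manage: true` without also filling `ufw_etc_ufw_before_rules` and `ufw_etc_ufw_before6_rules` gets empty before.rules/before6.rules files, which lack the `*filter`, chain-declaration and `COMMIT` lines that the stock file's own comments call required. Consider either defaulting each list to the distribution's stock file content, or failing the play when a `_manage` flag is true and the matching list is empty, and document the new variables (including that the lists are written verbatim) next to the existing `ufw_etc_default_*` ones.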

@tersmitten
Member

Which are only templated when ufw_etc_ufw_*_manage: true

@tersmitten
Member

tersmitten commented Apr 14, 2020

Configuration can be done like this:

ufw_etc_ufw_before_manage: true
ufw_etc_ufw_before6_rules:
  - |
    #
    # rules.before
    #
    # Rules that should be run before the ufw command line added rules. Custom
    # rules should be added to one of these chains:
    #   ufw6-before-input
    #   ufw6-before-output
    #   ufw6-before-forward
    #

    # Don't delete these required lines, otherwise there will be errors
    *filter
    :ufw6-before-input - [0:0]
    :ufw6-before-output - [0:0]
    :ufw6-before-forward - [0:0]
    # End required lines


    # allow all on loopback
    -A ufw6-before-input -i lo -j ACCEPT
    -A ufw6-before-output -o lo -j ACCEPT

    # drop packets with RH0 headers
    -A ufw6-before-input -m rt --rt-type 0 -j DROP
    -A ufw6-before-forward -m rt --rt-type 0 -j DROP
    -A ufw6-before-output -m rt --rt-type 0 -j DROP

    # quickly process packets for which we already have a connection
    -A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # drop INVALID packets (logs these in loglevel medium and higher)
    -A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
    -A ufw6-before-input -m conntrack --ctstate INVALID -j DROP

    # ok icmp codes for INPUT (rfc4890, 4.4.1 and 4.4.2)
    -A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
    -A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
    # codes 0 and 1
    -A ufw6-before-input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
    # codes 0-2
    -A ufw6-before-input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
    -A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
    -A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
    -A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
    # IND solicitation
    -A ufw6-before-input -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
    # IND advertisement
    -A ufw6-before-input -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
    # MLD query
    -A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
    # MLD report
    -A ufw6-before-input -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
    # MLD done
    -A ufw6-before-input -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
    # MLD report v2
    -A ufw6-before-input -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
    # SEND certificate path solicitation
    -A ufw6-before-input -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
    # SEND certificate path advertisement
    -A ufw6-before-input -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
    # MR advertisement
    -A ufw6-before-input -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
    # MR solicitation
    -A ufw6-before-input -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
    # MR termination
    -A ufw6-before-input -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT

    # ok icmp codes for OUTPUT (rfc4890, 4.4.1 and 4.4.2)
    -A ufw6-before-output -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
    -A ufw6-before-output -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
    # codes 0 and 1
    -A ufw6-before-output -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
    # codes 0-2
    -A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
    -A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
    -A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
    -A ufw6-before-output -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-output -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
    # IND solicitation
    -A ufw6-before-output -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
    # IND advertisement
    -A ufw6-before-output -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
    # MLD query
    -A ufw6-before-output -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
    # MLD report
    -A ufw6-before-output -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
    # MLD done
    -A ufw6-before-output -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
    # MLD report v2
    -A ufw6-before-output -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
    # SEND certificate path solicitation
    -A ufw6-before-output -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
    # SEND certificate path advertisement
    -A ufw6-before-output -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
    # MR advertisement
    -A ufw6-before-output -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
    # MR solicitation
    -A ufw6-before-output -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
    # MR termination
    -A ufw6-before-output -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT

    # ok icmp codes for FORWARD (rfc4890, 4.3.1)
    -A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
    -A ufw6-before-forward -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
    # codes 0 and 1
    -A ufw6-before-forward -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
    # codes 0-2
    -A ufw6-before-forward -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
    -A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
    -A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
    # ok icmp codes for FORWARD (rfc4890, 4.3.2)
    # Home Agent Address Discovery Request
    -A ufw6-before-input -p icmpv6 --icmpv6-type 144 -j ACCEPT
    # Home Agent Address Discovery Reply
    -A ufw6-before-input -p icmpv6 --icmpv6-type 145 -j ACCEPT
    # Mobile Prefix Solicitation
    -A ufw6-before-input -p icmpv6 --icmpv6-type 146 -j ACCEPT
    # Mobile Prefix Advertisement
    -A ufw6-before-input -p icmpv6 --icmpv6-type 147 -j ACCEPT

    # allow dhcp client to work
    -A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT

    # allow MULTICAST mDNS for service discovery
    -A ufw6-before-input -p udp -d ff02::fb --dport 5353 -j ACCEPT

    # allow MULTICAST UPnP for service discovery
    -A ufw6-before-input -p udp -d ff02::f --dport 1900 -j ACCEPT

    # don't delete the 'COMMIT' line or these rules won't be processed
    COMMIT
ufw_etc_ufw_before_rules:
  - |
    #
    # rules.before
    #
    # Rules that should be run before the ufw command line added rules. Custom
    # rules should be added to one of these chains:
    #   ufw-before-input
    #   ufw-before-output
    #   ufw-before-forward
    #

    # Don't delete these required lines, otherwise there will be errors
    *filter
    :ufw-before-input - [0:0]
    :ufw-before-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-not-local - [0:0]
    # End required lines


    # allow all on loopback
    -A ufw-before-input -i lo -j ACCEPT
    -A ufw-before-output -o lo -j ACCEPT

    # quickly process packets for which we already have a connection
    -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # drop INVALID packets (logs these in loglevel medium and higher)
    -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
    -A ufw-before-input -m conntrack --ctstate INVALID -j DROP

    # ok icmp codes for INPUT
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

    # ok icmp code for FORWARD
    -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

    # allow dhcp client to work
    -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

    #
    # ufw-not-local
    #
    -A ufw-before-input -j ufw-not-local

    # if LOCAL, RETURN
    -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

    # if MULTICAST, RETURN
    -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

    # if BROADCAST, RETURN
    -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

    # all other non-local packets are dropped
    -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
    -A ufw-not-local -j DROP

    # allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
    # is uncommented)
    -A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

    # allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
    # is uncommented)
    -A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

    # don't delete the 'COMMIT' line or these rules won't be processed
    COMMIT

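Both the list-of-strings design NanoPish asks about (custom rules appended before the closing COMMIT line) and the `_manage`-gated whole-file variables sketched above share one failure mode: once `_manage: true` is set, whatever the list contains is written verbatim, and a list that is empty, places a rule after `COMMIT`, or appends to a chain the file never declares produces a file that ufw will refuse to load. The following is an added example written for this issue, not code from the role; it assumes the role joins the list elements with newlines (as a Jinja2 `join('\n')` would) and shows a structural check that could run on the rendered file before it is handed to ufw. The function names, the `render_rules` join and the constructed `EXAMPLE_BEFORE6` fragment are assumptions, not part of the role.

```python
"""Structural lint for ufw rules files (before.rules, before6.rules, after*.rules).

Added example for this issue, not code from the role. It checks the things
the stock file's own comments call required: the '*filter' header, chain
declarations for every chain the file appends to, and a final 'COMMIT'.
"""
import re

# Chain declaration, e.g. ":ufw6-before-input - [0:0]"
CHAIN_DECL = re.compile(r"^:(\S+)\s+\S+\s+\[\d+:\d+\]$")
# Rule append, e.g. "-A ufw-before-input -i lo -j ACCEPT"
APPEND = re.compile(r"^-A\s+(\S+)(\s|$)")

# Constructed minimal before6.rules content, modelled on the required lines
# quoted in the issue; each list entry is one element of the proposed
# ufw_etc_ufw_*_rules variable.
EXAMPLE_BEFORE6 = [
    "#\n# rules.before (IPv6)\n#",
    "# Don't delete these required lines, otherwise there will be errors",
    "*filter",
    ":ufw6-before-input - [0:0]",
    ":ufw6-before-output - [0:0]",
    ":ufw6-before-forward - [0:0]",
    "# End required lines",
    "-A ufw6-before-input -i lo -j ACCEPT",
    "-A ufw6-before-output -o lo -j ACCEPT",
    "-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny",
    "COMMIT",
]


def render_rules(rules):
    """Join the list variable into file content (assumed newline join, as a
    Jinja2 ``{{ rules | join('\\n') }}`` would).  An empty list, which is the
    proposed ``[]`` default, renders an empty file."""
    return "\n".join(rules)


def check_rules(text):
    """Return a list of problems; an empty list means the file looks sane."""
    problems = []
    lines = text.splitlines()
    # Non-blank, non-comment lines are what iptables-restore actually parses.
    meaningful = [ln.strip() for ln in lines
                  if ln.strip() and not ln.lstrip().startswith("#")]

    if not meaningful:
        return ["file is empty (no *filter, no chains, no COMMIT)"]
    if meaningful[0] != "*filter":
        problems.append("first non-comment line must be '*filter'")
    if meaningful[-1] != "COMMIT":
        problems.append("last non-comment line must be 'COMMIT'")
    elif meaningful.count("COMMIT") > 1:
        problems.append("more than one COMMIT line")

    declared = {m.group(1) for m in map(CHAIN_DECL.match, meaningful) if m}
    for number, ln in enumerate(lines, 1):
        m = APPEND.match(ln.strip())
        if m and m.group(1) not in declared:
            problems.append(f"line {number}: appends to undeclared chain {m.group(1)}")
    # Jump targets (-j) are deliberately not checked: the stock file jumps to
    # ufw6-logging-deny without declaring it, so ufw creates that chain elsewhere.
    return problems


if __name__ == "__main__":
    cases = [
        ("stock-like fragment", EXAMPLE_BEFORE6),
        ("empty list", []),
        ("rule after COMMIT",
         EXAMPLE_BEFORE6 + ["-A ufw6-before-input -p tcp --dport 22 -j ACCEPT"]),
    ]
    for label, rules in cases:
        print(label, "->", check_rules(render_rules(rules)) or "OK")
```

In a role, the same check could run from a `template` task's `validate:` hook (Ansible substitutes the rendered path for `%s`), and `ip6tables-restore --test %s` is a further, stricter option where the managed host has the iptables tools available; the Python check above only covers the structural mistakes that the variable design in this issue makes easy to make.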
@niftylettuce

Yeah that would work perfectly!

@tersmitten tersmitten linked a pull request Jun 30, 2020 that will close this issue
4 participants