====== Firewall ======

===== Introduction =====

This document guides you through setting up a simple network firewall with UFW (''Uncomplicated Firewall'') on your Khadas SBC.

===== Preparation =====

1. Open the kernel modules configuration file

```shell
$ sudo vi /etc/modules-load.d/modules.conf
```

And add the necessary network-related kernel modules at the bottom of the file:

```
ip_tables
nf_tables
nf_conntrack
iptable_filter
iptable_nat
iptable_mangle
iptable_raw
xt_tcp
xt_udp
xt_LOG
xt_limit
xt_conntrack
xt_addrtype
xt_nat
xt_MASQUERADE
```

2. Point the ''iptables'' and ''ip6tables'' symbolic links at ''iptables-legacy'' instead of the default ''iptables''

```shell
$ sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
$ sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
```

3. Open the UFW configuration file

```shell
$ sudo vi /etc/default/ufw
```

And disable IPv6:

```
IPV6=no
```

4. Create a directory for the UFW service override

```shell
$ sudo mkdir -p /etc/systemd/system/ufw.service.d
```

5. Create the UFW override file ''/etc/systemd/system/ufw.service.d/override.conf'' so that the firewall is launched only after networking is up:

```txt
[Unit]
After=network.target
Requires=network.target
```

6. Restart the firewall service and enable it at boot

```shell
$ sudo systemctl restart ufw
$ sudo systemctl enable ufw
```

7. Restart the system

```shell
$ sync
$ sudo reboot now
```

The firewall is now configured and will be enabled on system startup.

===== Usage =====

By default, the firewall will block all ports for incoming and outgoing data.
To open a particular port so that data is allowed through, replace ''<port>'' with the port number (for example ''22/tcp'') or a service name:

```shell
$ sudo ufw allow <port>
```

To close a particular port so that data is denied:

```shell
$ sudo ufw deny <port>
```

After any firewall rule changes, make sure you reload the rules:

```shell
$ sudo ufw reload
```

You can check the status of the firewall and which ports are allowed or denied:

```shell
$ sudo ufw status
```

You can enable the firewall so that it runs at startup:

```shell
$ sudo ufw enable
```

or disable the firewall:

```shell
$ sudo ufw disable
```

By default, when enabled, the firewall will deny the port used for SSH. If you are working with your device in headless mode, it is advised to allow the SSH service before you enable the firewall, so that you do not lock yourself out:

```shell
$ sudo ufw disable
$ sudo ufw allow ssh
$ sudo ufw enable
```

===== Further Reading =====

[[https://help.ubuntu.com/community/UFW | UFW]]
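The headless SSH caveat above, as an added example that is not part of the Khadas page: a small POSIX shell helper that plans the ''ufw allow'' commands and refuses to emit ''ufw enable'' unless an SSH rule is already present. It reads ''ufw show added'' rather than ''ufw status'' because ''ufw status'' lists no rules while the firewall is inactive; it assumes the SSH rule was added as ''ssh'', ''OpenSSH'', ''22'' or ''22/tcp''.

```shell
#!/bin/sh
# Added example, not from the Khadas page. The functions only PRINT the ufw
# commands they would run, so the plan can be reviewed (and tested) without
# root; on the SBC, pipe the output to `sudo sh`.

# Succeeds (exit 0) when the `ufw show added` text passed as $1 contains an
# allow rule for SSH. Assumed spellings: "ssh", "OpenSSH", "22" or "22/tcp".
ssh_allowed_in_added() {
    printf '%s\n' "$1" | grep -Eq '^ufw allow (ssh|OpenSSH|22)(/tcp)?([[:space:]]|$)'
}

# Print the ordered command list for a whitespace-separated port list such as
# "80/tcp 443/tcp". SSH is always allowed first, then the rules are reloaded.
# Anything other than digits, letters, '/' or '-' is rejected so a stray shell
# metacharacter in a port spec never reaches `sudo sh`.
plan_rules() {
    echo "ufw allow ssh"
    for p in $1; do
        case "$p" in
            ""|*[!0-9A-Za-z/-]*)
                echo "invalid port spec: $p" >&2
                return 1 ;;
        esac
        echo "ufw allow $p"
    done
    echo "ufw reload"
}

# Print "ufw enable" only when $1 (captured `ufw show added` output) already
# contains an SSH allow rule; otherwise exit 2 so a headless box is never
# locked out by enabling the firewall too early.
safe_enable() {
    if ssh_allowed_in_added "$1"; then
        echo "ufw enable"
        return 0
    fi
    echo "refusing to enable: no SSH allow rule in 'ufw show added'" >&2
    return 2
}

# Typical use on the device (commented out so the file is safe to source):
#   plan_rules "80/tcp 443/tcp" | sudo sh
#   safe_enable "$(sudo ufw show added)" | sudo sh
```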