[Novalug] ufw applications.d syntax

Mark Smith mark@winksmith.com
Tue Sep 14 22:16:18 EDT 2010


worked like a charm.

On Tue, Sep 14, 2010 at 01:39:12PM -0700, Jason Kohles wrote:
> The files in applications.d don't specify allow/deny rules, and they don't include any information about networks or hosts, they only specify information about what ports and protocols an application uses, so that you can specify firewall rules without having to figure out what ports you need.
> 
> So, for example, if you have this in applications.d (and you presumably do have something like this, based on the ufw output):
> 
> [Dovecot Secure IMAP]
> title=Dovecot Secure IMAP
> description=A secure IMAP server
> ports=993/tcp
> 
> Then you can use that to make it easier to punch holes in the firewall, like so:
> 
> ufw allow from 192.168.1.0/24 to any app dovecot
> ufw allow from 192.168.2.0/24 to any app dovecot
> ufw allow from 192.168.3.0/24 to any app dovecot
> 
> 
> More Info:
> 
> https://wiki.ubuntu.com/UncomplicatedFirewall
> http://manpages.ubuntu.com/manpages/lucid/en/man8/ufw.8.html
> http://manpages.ubuntu.com/manpages/lucid/en/man8/ufw-framework.8.html
> https://help.ubuntu.com/10.04/serverguide/C/firewall.html
> 
> On Sep 14, 2010, at 4:01 PM, Mark Smith wrote:
> 
> > first i've seen it too, but it comes with ubuntu so i thought
> > i'd give it a go.
> > 
> > the "allow" command doesn't seem to permit the syntax you suggested.
> > 
> > 
> > On Tue, Sep 14, 2010 at 10:32:09AM -0400, James Ewing Cottrell 3rd wrote:
> >> How about just Annexing another /24 and saying
> >> 
> >> Dovecot Secure IMAP ALLOW 192.168.1.0/22
> >> 
> >> Or just use iptables to firewall things and run UFW wide open, or
> >> maybe with all of 192.168.
> >> 
> >> BTW, are you sure that this file supports netmasks? Some apps only
> >> support globbing as in
> >> 
> >> Dovecot Secure IMAP ALLOW 192.168.1.*
> >> Dovecot Secure IMAP ALLOW 192.168.2.*
> >> Dovecot Secure IMAP ALLOW 192.168.3.*
> >> 
> >> I dunno what UFW is, so I couldn't say.
> >> 
> >> JIM
> >> 
> >> On 9/13/2010 4:38 AM, Mark Smith wrote:
> >>> i can represent three CIDR/24 blocks for networks which i can accept
> >>> all kinds of requests.  i think the ufw concept of applications is kinda
> >>> neat too.  i was hoping someone here had a handle on how to update the
> >>> /etc/ufw/applications.d/* files to accept ports from several different
> >>> networks.  it doesn't seem to support it.
> >>> 
> >>> for instance, it would be nice to make this:
> >>> 
> >>> 	To                         Action      From
> >>> 	--                         ------      ----
> >>> 	Dovecot Secure IMAP        ALLOW       Anywhere
> >>> 
> >>> into this:
> >>> 
> >>> 	To                         Action      From
> >>> 	--                         ------      ----
> >>> 	Dovecot Secure IMAP        ALLOW       192.168.1.0/24
> >>> 	Dovecot Secure IMAP        ALLOW       192.168.2.0/24
> >>> 	Dovecot Secure IMAP        ALLOW       192.168.3.0/24
> >>> 
> >>> the documentation isn't really straightforward in this regard.
> >>> seems like you can't do it.  i'm set up already in the fw department.
> > 
> > -- 
> > Mark Smith
> > mark@winksmith.com
> > mark@tux.org
> > _______________________________________________
> > Novalug mailing list
> > Novalug@calypso.tux.org
> > http://calypso.tux.org/mailman/listinfo/novalug
> 
> _________________________________________________________
> Jason Kohles, RHCA
> Palantir Technologies | Forward Deployed Engineer 
> jkohles@palantir.com | 703.957.5784
> _________________________________________________________
> 



-- 
Mark Smith
mark@winksmith.com
mark@tux.org
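As an added illustration of the point Jason makes above (the profile only names ports, the network restriction goes in the rule), here is a small Python script that is not from the thread or from ufw itself: it parses a constructed applications.d profile, checks each ports entry against the spec grammar documented in ufw-framework(8), and generates one `ufw allow from <net> to any app <profile>` line per CIDR block, rejecting the `192.168.1.*` glob form that came up earlier. The function names and the profile text are my own assumptions.

```python
import configparser
import ipaddress
import re
import shlex

# Constructed profile in the applications.d format shown in the thread.
PROFILE_TEXT = """\
[Dovecot Secure IMAP]
title=Dovecot Secure IMAP
description=A secure IMAP server
ports=993/tcp
"""
# A spec is "993", "993/tcp", "80,443/tcp" or "6000:6007/udp"; "|" separates several.
_PORT_SPEC = re.compile(r"^\d+(:\d+)?(,\d+(:\d+)?)*(/(tcp|udp))?$")


def is_port_spec(spec):
    return _PORT_SPEC.match(spec) is not None


def is_cidr(net):
    # strict=True also rejects "192.168.1.0/22" (host bits set); the glob
    # "192.168.1.*" from the thread is not an address at all.
    try:
        ipaddress.ip_network(net, strict=True)
    except ValueError:
        return False
    return True


def parse_profile(text):
    """Return {profile name: [port spec, ...]} after validating every spec."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        specs = cp[name]["ports"].split("|")
        bad = [s for s in specs if not is_port_spec(s)]
        if bad:
            raise ValueError(f"{name}: unsupported port spec(s) {bad}")
        profiles[name] = specs
    return profiles


def allow_rules(profile_name, networks):
    """One 'ufw allow from <net> to any app <profile>' per network."""
    # The network restriction lives in the rule, not in the profile; the
    # profile name has spaces, so it is shell-quoted for the command line.
    bad = [n for n in networks if not is_cidr(n)]
    if bad:
        raise ValueError(f"not CIDR blocks: {bad}")
    app = shlex.quote(profile_name)
    return [f"ufw allow from {n} to any app {app}" for n in networks]
```

Because the profile name "Dovecot Secure IMAP" contains spaces, the generated lines quote it; on a real host you can confirm the profile's ports with `ufw app info 'Dovecot Secure IMAP'` before adding rules.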