60

ufw has a command that lists the available profiles, whose definitions you can then explore further:

$ ufw app list

And

$ ufw app info {app profile title}

I was wondering how you can create a profile for an undefined program, like VirtualBox, and have that profile use the same definitions I have given iptables on my Ubuntu distro.


Not only am I trying to use Ubuntu's firewall to service my virtual machine, I am also sincerely curious as to how to create a profile for an application that doesn't come with one.

Miphix
  • 1,078

2 Answers

72

To answer the real question, about how to create your own application file, you only need to know that it uses the Windows INI file format.

[appname]
title=1-liner here
description=a longer line here
ports=1,2,3,4,5,6,7,8,9,10,30/tcp|50/udp|53

The ports line can specify multiple ports, with /udp or /tcp, to limit the protocol, otherwise it defaults to both. You have to split the protocol sections up with |.

So, for a real-life set of examples I made:

[puppet]
title=puppet configuration manager
description=Puppet Open Source from http://www.puppetlabs.com/
ports=80,443,8140/tcp

[AMANDA]
title=AMANDA Backup
description=AMANDA the Advanced Maryland Automatic Network Disk Archiver
ports=10080

You can list multiple versions of the app in a single file, like this one from apache:

===start of apache2.2-common file===
[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp

===end of file===

Once you have defined your application file, put it in /etc/ufw/applications.d, then tell ufw to reload the application definitions with

ufw app update appname
ufw app info appname

Use it with something like:

ufw allow from 192.168.1.10 to any app amanda
ufw allow amanda

assuming 192.168.1.10 is the IP of your amanda server.

Paradoxis
  • 113
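A small POSIX shell script, added here as an example (it is not from the answer above nor from ufw itself), that writes profiles in the format the answer describes and checks the ports= value before the file goes anywhere near /etc/ufw/applications.d. It enforces the rules the answer gives (sections split on |, comma lists, optional /tcp or /udp) plus one the ufw command line enforces too (a low:high range must name tcp or udp). The profile names, the VirtualBox details and every port number are made up for illustration, and the profile-name check is stricter than what ufw accepts, which is an assumption on the safe side.

```shell
#!/bin/sh
# Added example, not from the original answer: build and sanity-check a ufw
# application profile before copying it into /etc/ufw/applications.d.
# The profile names, titles and port numbers below are made up.
set -f   # no pathname expansion while we split ports= values on '|' and ','

# Return 0 if $1 is a port number in 1..65535.
port_ok() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Validate a ports= value: sections separated by '|', each a comma list of
# ports or low:high ranges, optionally suffixed with /tcp or /udp (no suffix
# means both). A range must name a protocol, as on the ufw command line,
# which refuses a bare range.
valid_ports() {
    spec=$1
    [ -n "$spec" ] || return 1
    old_ifs=$IFS
    IFS='|'; set -- $spec; IFS=$old_ifs
    for section in "$@"; do
        proto=any
        case $section in
            */tcp) proto=tcp; section=${section%/tcp} ;;
            */udp) proto=udp; section=${section%/udp} ;;
            */*)   return 1 ;;                 # unknown protocol suffix
        esac
        [ -n "$section" ] || return 1          # empty section or bare "/tcp"
        IFS=','; set -- $section; IFS=$old_ifs
        for item in "$@"; do
            case $item in
                *:*:*) return 1 ;;
                *:*)
                    [ "$proto" != any ] || return 1    # range without tcp/udp
                    low=${item%:*}; high=${item#*:}
                    port_ok "$low" && port_ok "$high" && [ "$low" -lt "$high" ] || return 1
                    ;;
                *)  port_ok "$item" || return 1 ;;
            esac
        done
    done
    return 0
}

# Profile names become INI section headers and command-line arguments.
# ufw's own rules are looser (assumption); this conservative set is safe.
valid_name() {
    [ "$1" != all ] || return 1   # 'all' already means every profile to ufw
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9 ._+-]*$'
}

# Append one [section] to the profile file named in $5.
# Usage: write_profile NAME TITLE DESCRIPTION PORTS FILE
write_profile() {
    valid_name "$1"  || { printf 'bad profile name: %s\n' "$1" >&2; return 1; }
    valid_ports "$4" || { printf 'bad ports= value: %s\n' "$4" >&2; return 1; }
    printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n\n' "$1" "$2" "$3" "$4" >> "$5"
}

# Demo: two made-up profiles for a VirtualBox host, written to a temp file.
# Copy the result to /etc/ufw/applications.d/virtualbox, then run
#   sudo ufw app update all && sudo ufw allow "VirtualBox RDP"
profile_file=$(mktemp)
write_profile "VirtualBox RDP" "VirtualBox remote display" \
    "VRDE console for headless guests (port is an assumption; use yours)" \
    "3389/tcp" "$profile_file"
write_profile "VirtualBox NAT Forwards" "Guest services forwarded from the host" \
    "Host ports mapped to guests with VBoxManage modifyvm --natpf1 (made up)" \
    "2222,8080/tcp|5000:5010/udp" "$profile_file"
cat "$profile_file"
```

The validator deliberately rejects anything it does not understand rather than passing it through: a profile that ufw refuses to parse is caught at `ufw app update` time, but a profile that parses with the wrong port list silently opens the wrong thing.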
18

It's actually all there in the manpage under the "Application Integration" section.

The basic syntax is:

ufw allow <app_name>

Or you can use the extended syntax to be more specific:

ufw allow from <some_address> to any app <app_name>

The manpage specifically says not to specify a port number:

You should not specify the protocol with either syntax, and with the extended syntax, use app in place of the port clause.

This probably means it will let <app_name> use whatever port it wants to.

Other useful commands:

ufw app info <app_name>

Which lists the information on <app_name>'s profile.

ufw app update <app_name>  

Which updates <app_name>'s profile. You can use all to update all application profiles.

You can use the:

ufw app update --add-new <app_name>  

command to add a new profile for <app_name> and update it, following the rules you set out with ufw app default <policy>.

App profiles are stored in /etc/ufw/applications.d and sometimes /etc/services.

For more information see man ufw.

MestreLion
  • 20,726
Seth
  • 59,332