
So, I know that I can do ufw allow from tun0 to tun0 port 36892 but is it possible to do something similar while using a UFW profile for multiple ports like ports=tun0;36892|tun0;23976|tun0;19827?

In this case assume that tun0 is 10.8.0.1.

pa4080
Belldandu

1 Answer


The general answer

I'm afraid adding a network interface to an application profile is not possible, because under the 'Application Integration' section of UFW's manual page the syntax is given as:

Syntax for the application profiles is a simple .INI format:

[<name>]
title=<title>
description=<description>
ports=<ports>

And no interface directive is present there.

Create Rules manually

According to the question, there are two approaches to allow TCP and UDP simultaneously:

  1. Add rules for each port separately:

    sudo ufw allow in on tun0 to any port 36892
    sudo ufw allow in on tun0 to any port 23976
    sudo ufw allow in on tun0 to any port 19827
    
  2. Add rules for each protocol separately:

    sudo ufw allow in on tun0 to any port 36892,23976,19827 proto tcp
    sudo ufw allow in on tun0 to any port 36892,23976,19827 proto udp
    

To allow access only from a specific address, add from 10.8.0.xxx to the declaration - for example:

sudo ufw allow in on tun0 from 10.8.0.110 to any port 36892,23976,19827 proto tcp

Create Application profile and create Rules based on it

Let's create a new profile file, called custom.ufw.profile, located in /etc/ufw/applications.d/. The content of this file could look like this:

[CustomApp 1 Full]
title=The first Custom Application
description=Custom Application Description
ports=36892|23976|19827

[CustomApp 1 TCP]
title=The first Custom Application - TPC only
description=Custom Application Description
ports=36892,23976,19827/tcp

[CustomApp 1 UDP]
title=The first Custom Application - UDP only
description=Custom Application Description
ports=36892,23976,19827/udp

  • We can check if the syntax is correct via the command ufw app info "app name":

    $ sudo ufw app info "CustomApp 1 Full"
    Profile: CustomApp 1 Full
    Title: The first Custom Application
    Description: Custom Application Description
    Ports:
      36892
      23976
      19827
    

Now we can create a new rule based on this profile:

sudo ufw allow in on tun0 to any app "CustomApp 1 Full"

  • Check that the rule looks correct:

    $ sudo ufw status numbered | grep CustomApp
    [10] CustomApp 1 Full on tun0       ALLOW IN    Anywhere
    [20] CustomApp 1 Full (v6) on tun0  ALLOW IN    Anywhere (v6)
    

Create a custom command to automate the rule enable/disable process

If we want a fast way to enable or disable a couple of UFW rules, we can create a custom command for this purpose. We can use a function that could look something like this:

# Bash function: 'ufw-custom enable' adds the rules, 'ufw-custom disable'
# removes them again; any other argument only prints the current rule list.
function ufw-custom {
        # Bail out if the ufw binary cannot be found on PATH.
        if ! ufw_loc="$(type -p "ufw")" || [ -z "$ufw_loc" ]; then
                printf "\nUFW is not installed yet.\n\n"
        elif [ "$1" = "enable" ]; then
                # One rule per port, bound to tun0 (applies to TCP and UDP).
                sudo ufw allow in on tun0 to any port 36892
                sudo ufw allow in on tun0 to any port 23976
                sudo ufw allow in on tun0 to any port 19827
                echo ""
                sudo ufw reload
                echo ""
                sudo ufw status numbered
        elif [ "$1" = "disable" ]; then
                # A rule is deleted by repeating its specification after 'delete'.
                sudo ufw delete allow in on tun0 to any port 36892
                sudo ufw delete allow in on tun0 to any port 23976
                sudo ufw delete allow in on tun0 to any port 19827
                echo ""
                sudo ufw reload
                echo ""
                sudo ufw status numbered
        else
                echo ""
                sudo ufw status numbered
                printf "Use 'ufw-custom enable' or 'ufw-custom disable'.\n\n"
        fi
}
# Export the function so it is also available in subshells.
export -f ufw-custom

Place these lines at the end of the ~/.bashrc file and then run source ~/.bashrc. Now we have a custom command called ufw-custom which accepts enable or disable as its argument. For example, to enable the rules, use:

ufw-custom enable
pa4080
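As an added example (not part of the answer above and not ufw's own code): a small Python helper that reads a profile in the .INI format quoted from the manual and emits the equivalent interface-bound rules from the "Create Rules manually" section, so a profile's ports can still be tied to tun0 (and optionally to a source address) even though the profile format has no interface field. The profile text and names are constructed to match the answer; the ports syntax handled is the one the man page excerpt and the answer show (entries separated by '|', optional /tcp or /udp suffix, comma lists and a:b ranges).

```python
import configparser
import re

# Constructed sample profile, following the layout shown in the answer.
SAMPLE_PROFILE = """\
[CustomApp 1 Full]
title=The first Custom Application
description=Custom Application Description
ports=36892|23976|19827

[CustomApp 1 TCP]
title=The first Custom Application - TCP only
description=Custom Application Description
ports=36892,23976,19827/tcp
"""

PORT_ITEM = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")  # single port or a:b range


def parse_ports(spec):
    """Expand a 'ports=' value into (port_or_range, proto) pairs.

    Entries are separated by '|'; each entry is a port, an a:b range or a
    comma-separated list of those, optionally suffixed with /tcp or /udp.
    An entry without a protocol applies to both tcp and udp.
    """
    pairs = []
    for entry in spec.split("|"):
        ports, _, proto = entry.strip().partition("/")
        if proto not in ("", "tcp", "udp"):
            raise ValueError("unknown protocol in %r" % entry)
        for item in ports.split(","):
            item = item.strip()
            m = PORT_ITEM.match(item)
            lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (0, 0)
            if not 1 <= lo <= hi <= 65535:  # rejects junk, 0 and ports > 65535
                raise ValueError("bad port item %r in %r" % (item, entry))
            for p in ([proto] if proto else ["tcp", "udp"]):
                pairs.append((item, p))
    return pairs


def rules_for_profile(profile_text, name, iface, src=None):
    """Return the ufw commands that bind a profile's ports to an interface."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(profile_text)
    by_proto = {}  # proto -> ordered, de-duplicated port items
    for item, proto in parse_ports(cp[name]["ports"]):
        if item not in by_proto.setdefault(proto, []):
            by_proto[proto].append(item)
    src_part = "from %s " % src if src else ""
    return ["ufw allow in on %s %sto any port %s proto %s"
            % (iface, src_part, ",".join(items), proto)
            for proto, items in by_proto.items()]
```

The commands are returned as strings rather than executed, so they can be reviewed (or fed to sudo) before touching the firewall; a malformed ports value raises ValueError instead of producing a partial rule set.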