initial commit

1 files changed, 220 insertions, 0 deletions

diff --git a/blog/2021-01-07-ufw.org b/blog/2021-01-07-ufw.org
new file mode 100644
index 0000000..0e5e5c3
--- /dev/null
+++ b/blog/2021-01-07-ufw.org
@@ -0,0 +1,220 @@
++++
+date = 2021-01-07
+title = "Secure Your Network with the Uncomplicated Firewall"
+description = "Learn how to use the UFW, one of the simplest and most widely available firewalls on Linux."
+draft = false
++++
+
+## Uncomplicated Firewall
+
+Uncomplicated Firewall, also known as ufw, is a convenient and beginner-friendly
+way to enforce OS-level firewall rules. For those who are hosting servers or any
+device that is accessible to the world (i.e., by public IP or domain name), it's
+critical that a firewall is properly implemented and active.
+
+Ufw is available by default in all Ubuntu installations after 8.04 LTS. For
+other distributions, you can look to install ufw or check if there are
+alternative firewalls installed already. There are usually alternatives
+available, such as Fedora's `firewall` and the package available on most
+distributions: `iptables`. Ufw is considered a beginner-friendly front-end to
+iptables.
+
+[Gufw](https://gufw.org) is available as a graphical user interface (GUI)
+application for users who are uncomfortable setting up a firewall through a
+terminal.
+
+![](https://img.0x4b1d.org/blog/20210107-secure-your-network-with-the-uncomplicated-firewall/gufw.png)
+
+## Getting Help
+
+If you need help figuring out commands, remember that you can run the `--help`
+flag to get a list of options.
+
+```sh
+sudo ufw --help
+```
+
+## Set Default State
+
+The proper way to run a firewall is to set a strict default state and slowly
+open up ports that you want to allow. This helps prevent anything malicious from
+slipping through the cracks. The following command prevents all incoming traffic
+(other than the rules we specify later), but you can also set this for outgoing
+connections, if necessary.
+
+```sh
+sudo ufw default deny incoming
+```
+
+You should also allow outgoing traffic if you want to allow the device to
+communicate back to you or other parties. For example, media servers like Plex
+need to be able to send out data related to streaming the media.
+
+```sh
+sudo ufw default allow outgoing
+```
+
+## Adding Port Rules
+
+Now that we've disabled all incoming traffic by default, we need to open up some
+ports (or else no traffic would be able to come in). If you need to be able to
+`ssh` into the machine, you'll need to open up port 22.
+
+```sh
+sudo ufw allow 22
+```
+
+You can also issue more restrictive rules. The following rule will allow `ssh`
+connections only from machines on the local subnet.
+
+```sh
+sudo ufw allow proto tcp from 192.168.0.0/24 to any port 22
+```
+
+If you need to set a rule that isn't tcp, just append your connection type to
+the end of the rule.
+
+```sh
+sudo ufw allow 1900/udp
+```
+
+## Enable ufw
+
+Now that the firewall is configured and ready to go, you can enable the
+firewall.
+
+```sh
+sudo ufw enable
+```
+
+A restart may be required for the firewall to begin operating.
+
+```sh
+sudo reboot now
+```
+
+## Checking Status
+
+Now that the firewall is enabled, let's check and see what the rules look like.
+
+```sh
+sudo ufw status numbered
+```
+
+```txt
+Status: active
+
+     To                    Action      From
+     --                    ------      ----
+[ 1] 22                    ALLOW IN    Anywhere
+[ 2] 22 (v6)               ALLOW IN    Anywhere (v6)
+```
+
+## Deleting Rules
+
+If you need to delete a rule, you need to know the number associated with that
+rule.
+Let's delete the first rule in the table above.
+You'll be asked to confirm the deletion as part of this process.
+
+```sh
+sudo ufw delete 1
+```
+
+## Managing App Rules
+
+Luckily, there's a convenient way for installed applications to create files
+that ufw can easily implement so that you don't have to search and find which
+ports your application requires. To see if your device has any applications with
+pre-installed ufw rules, execute the following command:
+
+```sh
+sudo ufw app list
+```
+
+The results should look something like this:
+
+```txt
+Available applications:
+    OpenSSH
+    Samba
+    plexmediaserver
+    plexmediaserver-all
+    plexmediaserver-dlna
+```
+
+If you want to get more information on a specific app rule, use the `info`
+command.
+
+```sh
+sudo ufw app info plexmediaserver-dlna
+```
+
+You'll get a blurb of info back like this:
+
+```txt
+Profile: plexmediaserver-dlna
+Title: Plex Media Server (DLNA)
+Description: The Plex Media Server (additional DLNA capability only)
+
+Ports:
+    1900/udp
+    32469/tcp
+```
+
+You can add or delete app rules the same way that you'd add or delete specific
+port rules.
+
+```sh
+sudo ufw allow plexmediaserver-dlna
+```
+
+```sh
+sudo ufw delete RULE|NUM
+```
+
+## Creating App Rules
+
+If you'd like to create you own app rule, you'll need to create a file in the
+`/etc/ufw/applications.d` directory. Within the file you create, you need to
+make sure the content is properly formatted.
+
+For example, here are the contents my `plexmediaserver` file, which creates
+three distinct app rules for ufw:
+
+```config
+[plexmediaserver]
+title=Plex Media Server (Standard)
+description=The Plex Media Server
+ports=32400/tcp|3005/tcp|5353/udp|8324/tcp|32410:32414/udp
+
+[plexmediaserver-dlna]
+title=Plex Media Server (DLNA)
+description=The Plex Media Server (additional DLNA capability only)
+ports=1900/udp|32469/tcp
+
+[plexmediaserver-all]
+title=Plex Media Server (Standard + DLNA)
+description=The Plex Media Server (with additional DLNA capability)
+ports=32400/tcp|3005/tcp|5353/udp|8324/tcp|32410:32414/udp|1900/udp|32469/tcp
+```
+
+So, if I wanted to create a custom app rule called "mycustomrule," I'd create a
+file and add my content like this:
+
+```sh
+sudo nano /etc/ufw/applications.d/mycustomrule
+```
+
+```config
+[mycustomrule]
+title=My Custom Rule
+description=This is a temporary ufw app rule.
+ports=88/tcp|9100/udp
+```
+
+Then, I would just enable this rule in ufw.
+
+```sh
+sudo ufw allow mycustomrule
+```