helpful links:

Instructions:

  • Add to /etc/apt/sources.list (note: not required for squeeze):
deb http://ftp.uwsg.indiana.edu/linux/debian/ testing main
deb-src http://ftp.uwsg.indiana.edu/linux/debian/ testing main
  • Create an /etc/apt/preferences (note: not required for squeeze):
Package: *
Pin: release a=testing
Pin-Priority: 99

Package: ufw
Pin: release a=testing
Pin-Priority: 999
  • aptitude install ufw (note: under lenny, this will pull in python-central from testing, which is fine) - it'll also install python deps
  • add configuration files for apps in /etc/ufw/applications.d – for example, here's /etc/ufw/applications.d/flexlm-ansys.ufw.profile:
[FlexLM-ANSYS]
title=FlexLM Server for ANSYS
description=Proprietary license server for ANSYS products
ports=1055,44315,2325/tcp

… and here's /etc/ufw/applications.d/flexlm-altera.ufw.profile, which includes UDP ports:

[FlexLM-Altera]
title=FlexLM Server for Altera
description=Proprietary license server for Altera products
ports=5285,51187/tcp|48849/udp

Note: These were later changed when (a.) I discovered that UDP ports don't seem to be necessary and (b.) I pinned the vendor daemon ports to specific values - previously, they changed on each boot, which was a problem for the firewall. It doesn't seem to be possible to pin the UDP ports down, which is why we're not using them.

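To check a profile's ports= syntax offline before handing it to ufw app info, here is an added Python example (not from this page or from the ufw project) that parses the two profiles above, embedded as a constructed copy. Its validation rules (a bare single port means both protocols; a comma list or a low:high range must carry /tcp or /udp) are this example's reading of the format, not ufw's own checker, so ufw app info remains the authority; it also handles ranges such as the 27003:27009 block used further down.

```python
import configparser
import re

# Constructed copy of the two profiles shown on this page, embedded so it runs offline.
PROFILES = """\
[FlexLM-ANSYS]
title=FlexLM Server for ANSYS
description=Proprietary license server for ANSYS products
ports=1055,44315,2325/tcp

[FlexLM-Altera]
title=FlexLM Server for Altera
description=Proprietary license server for Altera products
ports=5285,51187/tcp|48849/udp
"""
PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")  # "port" or "low:high"

def parse_ports(spec):
    """Expand a 'ports=' value into (low, high, proto) tuples: '|' separates groups,
    ',' separates ports, 'low:high' is a range, '/tcp' or '/udp' names the protocol.
    Assumed here (not ufw's own checker): a bare single port means both protocols;
    a list or range must name one."""
    rules = []
    for group in spec.split("|"):
        ports, _, proto = group.partition("/")
        if proto not in ("", "tcp", "udp"):
            raise ValueError(f"{group!r}: protocol must be tcp or udp")
        items = ports.split(",")
        if not proto and (len(items) > 1 or ":" in ports):
            raise ValueError(f"{group!r}: a list or range needs /tcp or /udp")
        for item in items:
            m = PORT_RE.match(item)
            lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (0, 0)
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"{group!r}: bad port {item!r}")
            rules.extend((lo, hi, p) for p in ([proto] if proto else ["tcp", "udp"]))
    return rules

def load_profiles(text):
    """Parse profile text into {name: rules}; each section needs all three keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    out = {}
    for name in cp.sections():
        if any(k not in cp[name] for k in ("title", "description", "ports")):
            raise ValueError(f"[{name}] needs title, description and ports")
        out[name] = parse_ports(cp[name]["ports"])
    return out
```

Running load_profiles over the real directory (one file at a time) before ufw app list makes a malformed ports= line show up as a ValueError naming the offending group rather than as a silently missing profile.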
  • I grabbed the configuration files for openssh-server and samba (ecelicense only) from their Ubuntu lucid packages
  • ufw app list and ufw app info FlexLM-ANSYS allow you to make sure your files are being parsed properly
  • allow openssh from everywhere for admin purposes: ufw allow OpenSSH
  • allow flexlm services only from PUC subnets: ufw allow from 205.215.64.0/18 to any app FlexLM-ANSYS && ufw allow from 69.51.160.0/19 to any app FlexLM-ANSYS
  • repeat last step for all services, including Samba (ecelicense only) and other non-flexlm license servers
  • if you change the ports in a file under /etc/ufw/applications.d, existing rules don't seem to pick up the change automatically. Instead, you have to delete the rule and recreate it, e.g. ufw delete allow from 205.215.64.0/18 to any app FlexLM-Maple && ufw delete allow from 69.51.160.0/19 to any app FlexLM-Maple && ufw allow from 205.215.64.0/18 to any app FlexLM-Maple && ufw allow from 69.51.160.0/19 to any app FlexLM-Maple
  • on emslicense (a.k.a. emsghost), we receive some strange requests from ANSYS clients on TCP port 7723. These fill up the logs and may cause the clients to pause waiting on a response. Let's explicitly close the ports instead of leaving them stealthed. – ufw reject proto tcp from 205.215.64.0/18 to any port 7723 && ufw reject proto tcp from 69.51.160.0/19 to any port 7723
  • On ecelicense, we keep receiving queries on the default flexlm ports (on which we aren't running servers). These are coming from all over the place, so it's probably badly-designed software. Let's explicitly close those ports too. – ufw reject proto tcp from 205.215.64.0/18 to any port 27003:27009 && ufw reject proto tcp from 69.51.160.0/19 to any port 27003:27009
  • We get scanned occasionally on emsghost too… closing ports there too – ufw reject proto tcp from 205.215.64.0/18 to any port 27002:27009 && ufw reject proto tcp from 69.51.160.0/19 to any port 27002:27009
  • ufw enable turns this thing on and sets it up to start on boot
  • The rules you define seem to end up in /lib/ufw/user.rules – this seems like a weird place to me, but whatever
  • ufw status verbose will allow you to verify that everything is running properly – make sure that the default incoming policy is deny and the default outgoing policy is allow
  • ufw show raw seems to be the only parameter for the show command… I even checked the source. I guess that's designed that way for future expansion or something. Anyway, that gives you the iptables summary of what's going on… including handy pkts/bytes data on rule usage.
computer/ufw_firewall_on_debian.txt · Last modified: 2011/02/09 00:35 by tdobes