{"id":15731,"date":"2023-09-21T17:12:16","date_gmt":"2023-09-21T23:12:16","guid":{"rendered":"https:\/\/sada.services\/?p=15731"},"modified":"2023-11-07T18:36:56","modified_gmt":"2023-11-08T00:36:56","slug":"linux-instalacion-y-configuracion-de-firewall-ufw","status":"publish","type":"post","link":"https:\/\/sada.services\/?p=15731","title":{"rendered":"LINUX: Installation and Configuration of the UFW Firewall"},"content":{"rendered":"\n<ul class=\"wp-block-list\">\n<li>Guide: <a href=\"https:\/\/www.cyberciti.biz\/faq\/set-up-a-firewall-with-ufw-on-debian-12-linux\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.cyberciti.biz\/faq\/set-up-a-firewall-with-ufw-on-debian-12-linux\/<\/a><\/li>\n\n\n\n<li>Update the package lists and upgrade<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>apt update\napt upgrade<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Install<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install ufw -y\n\n# Verify\nufw version\n\n# Result\nufw 0.36.2\nCopyright 2008-2023 Canonical Ltd.<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Now we must enable the service<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Enable\nufw enable\n\n# Disable\nufw disable<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Response: a message is shown that we must confirm<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Command may disrupt existing ssh connections. Proceed with operation (y|n)? y\nFirewall is active and enabled on system startup<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Now we can check the status, restart the service, and so on<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#***************************\n# Check status\n#***************************\nsystemctl status ufw.service\n\n#***************************\n# Stop the service\n#***************************\nufw disable\n\n\n#***************************\n# List rules\n#***************************\nufw status\n\n#---------------------------\n# Response\n#---------------------------\n\n\n#***************************\n# verbose: list rules with details\n#***************************\nufw status verbose\n\n#---------------------------\n# Response\n#---------------------------\nStatus: active\nLogging: on (low)\nDefault: deny (incoming), allow (outgoing), disabled (routed)\nNew profiles: skip\n\n#***************************\n# numbered: list rules with their numbers\n#***************************\nsudo ufw status numbered\n\n#---------------------------\n# Response\n#---------------------------\nStatus: active<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Now we apply the necessary rules<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Rule Examples<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">SSH<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Allow SSH on the default port<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow ssh<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Allow it if it listens on a different port<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow 44\/tcp<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">HTTP \/ HTTPS 80\/443<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Allow the default ports<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow http\nufw allow https<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Other<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>From one network to another on a specific port<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow proto tcp from 103.1.2.3 to 139.144.1.2 port 22\n\nufw allow from 192.168.100.52 proto tcp to any port [port]<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Commands<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Query rules<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Query the rules that have been added<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw show added<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Result<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Query policies<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Run<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>grep -i '^default_' \/etc\/default\/ufw<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Result<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>DEFAULT_INPUT_POLICY=\"DROP\"\nDEFAULT_OUTPUT_POLICY=\"ACCEPT\"\nDEFAULT_FORWARD_POLICY=\"DROP\"\nDEFAULT_APPLICATION_POLICY=\"SKIP\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Change policies<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You can use<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw default allow|deny|reject [incoming|outgoing|routed]<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Examples<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw default deny incoming\nufw default allow outgoing<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Explanation of the policies<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"663\" height=\"273\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2023\/09\/Seleccion_695.png\" alt=\"\" class=\"wp-image-15738\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2023\/09\/Seleccion_695.png 663w, https:\/\/sada.services\/wp-content\/uploads\/2023\/09\/Seleccion_695-300x124.png 300w\" sizes=\"(max-width: 663px) 100vw, 663px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Allow an IP or network to everything<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># IP\nufw allow from 1.2.3.4\n\n# Network\nufw allow from 192.168.2.0\/24<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">IP to HTTP \/ HTTPS<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow from 1.2.3.4 to any port 80\nufw allow from 1.2.3.4 to any port 443<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Multiple ports<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow proto tcp from 1.2.3.4 to any port 22,80,443\n\nufw allow from 192.168.100.52 proto tcp to any port 80,443<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Port range<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow 3000:4000\/tcp\nufw allow 3000:4000\/udp<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Block an attacking IP, network or port<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Drop (deny: packets are silently discarded)<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw deny from 1.2.3.4\nufw deny from 192.168.5.0\/24\nufw deny 23\/tcp<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reject (the sender receives an explicit rejection instead of silence)<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw reject from 1.2.3.4\nufw reject from 192.168.5.0\/24\nufw reject 23\/tcp<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Block a port<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Whole port\nufw deny 25\n\n# Only from a network (port 25 is the destination port)\nufw deny proto tcp from 192.168.1.0\/24 to any port 25<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Block everything<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw deny all<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Protect against brute force<\/h3>\n\n\n\n<p>ufw supports connection rate limiting, which is useful for protecting against brute-force login attacks. When a limit rule is used, ufw will normally allow the connection but will deny connections if an IP address attempts to initiate 6 or more connections within 30 seconds. Typical usage is:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw limit ssh\/tcp<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Delete a rule<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>List the rules<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw status numbered<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Give the number of the rule to delete<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw delete [number]<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Verify<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw status numbered<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Set the order in which the rules are applied<\/h2>\n\n\n\n<p>It\u2019s crucial to understand the sequence of ufw rules in the system table, which includes PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING. The order of these rules determines which rule will be executed first when a packet matches. Therefore, it\u2019s possible to add a rule at a specific location using ufw to ensure it\u2019s applied correctly. The syntax is:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ufw insert [position] [rule]<\/code><\/pre>\n\n\n\n<p>Here the position is the position of the rule in the chain. The position can be a number, such as 1. The rule is the rule that you want to insert or delete. The rule can be a simple rule, such as allow ssh, or a more complex rule as per your needs.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw insert 1 allow 25\/tcp<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We can also create the rule so that it is inserted first<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw prepend deny from 1.2.3.4<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Enable an application: NFS for mounting disks<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>List applications<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw app list<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable NFS<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Show the ports the profile opens\nufw app info NFS\n\n# Allow the profile\nufw allow NFS<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Disable<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw delete allow NFS<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Show listening ports<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw show listening<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Rule Examples SSH HTTP \/ HTTPS 80\/443 Other Commands Query rules Query policies Change policies Allow an IP or network to everything IP to HTTP \/ HTTPS Multiple ports Port range Block an attacking IP, network or port Block a port Block everything Protect against brute force ufw supports connection rate limiting, which is 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[227,567],"tags":[168,569,568],"class_list":["post-15731","post","type-post","status-publish","format-standard","hentry","category-linux","category-ufw","tag-firewall","tag-gufw","tag-ufw"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[],"version":6}},"_links":{"self":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/15731","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15731"}],"version-history":[{"count":16,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/15731\/revisions"}],"predecessor-version":[{"id":16016,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/15731\/revisions\/16016"}],"wp:attachment":[{"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15731"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15731"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15731"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}