Firewall – How to Create an App Profile for UFW


Ufw has a command that lists out profiles to which you can further explore their profile definitions

$ ufw app list

And

$ ufw app PROFILE {app profile title}

I was wondering how you can create a profile for an undefined program, like VirtualBox, and have that profile run the same definitions I have given iptables for my Ubuntu distro.


Not only am I trying to use Ubuntu's firewall to service my virtual machine. I am also sincerely curious as to how to create a profile for an application that doesn't come with one.

Best Answer

To answer the real question, about how to create your own application file, you only need to know that it is using the Windows INI file format (yuck).

[appname]
title=1-liner here
description=a longer line here
ports=1,2,3,4,5,6,7,8,9,10,30/tcp|50/udp|53

The ports line can specify multiple ports, with /udp or /tcp, to limit the protocol, otherwise it defaults to both. You have to split the protocol sections up with |.

So, for a real-life set of examples I made:

[puppet]
title=puppet configuration manager
description=Puppet Open Source from http://www.puppetlabs.com/
ports=80,443,8140/tcp

[AMANDA]
title=AMANDA Backup
description=AMANDA the Advanced Maryland Automatic Network Disk Archiver
ports=10080

You can list multiple versions of the app in a single file, like this one from apache:

===start of apache2.2-common file===
[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp

===end of file===

Once you have defined your application file, put it in /etc/ufw/applications.d, then tell ufw to reload the application definitions with

ufw app update appname
ufw app info appname

Use it with something like:

ufw allow from 192.168.1.10 to any app amanda
ufw allow amanda

assuming 192.168.1.10 is the IP of your amanda server.
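As an added example (not part of the answer above and not ufw's own code), here is a small Python checker that applies the profile rules the answer describes: one [appname] section per profile, the title/description/ports keys, and a ports line whose protocol groups are separated by "|", each group being a comma-separated port list with an optional /tcp or /udp suffix (no suffix means both). Running it over a file before copying it into /etc/ufw/applications.d catches typos such as "/tpc" or a missing key. The low:high range syntax, the error strings and the sample profiles are this example's own assumptions, not something the answer states.

```python
import configparser
import re

# Keys ufw requires in every [appname] section (from the answer's template).
REQUIRED_KEYS = ("title", "description", "ports")
# A single port, or a low:high range. Ranges are an assumption of this
# example: the answer only shows single ports.
PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")


def parse_port_group(group):
    """Expand one '|'-separated group into (low, high, proto) tuples.

    A group is a comma-separated port list with an optional /tcp or /udp
    suffix; with no suffix the group applies to both protocols ("any").
    """
    proto = "any"
    if "/" in group:
        group, proto = group.rsplit("/", 1)
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol suffix '/{proto}'")
    entries = []
    for item in group.split(","):
        item = item.strip()
        m = PORT_RE.match(item)
        if not m:
            raise ValueError(f"bad port or range '{item}'")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port out of range '{item}'")
        entries.append((low, high, proto))
    return entries


def parse_profile(text):
    """Parse a profile file into {appname: {"title", "description", "ports"}}.

    Raises ValueError on the mistakes that make a file unusable: duplicate
    sections, missing keys, malformed ports lines.
    """
    # "=" only, so a ":" inside a port range is never taken as a delimiter.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        raise ValueError(str(exc)) from exc
    profiles = {}
    for section in cp.sections():
        keys = cp[section]
        missing = [k for k in REQUIRED_KEYS if k not in keys]
        if missing:
            raise ValueError(f"[{section}] missing key(s): {', '.join(missing)}")
        ports = []
        for group in keys["ports"].split("|"):
            group = group.strip()
            if not group:
                raise ValueError(f"[{section}] empty protocol group in ports line")
            ports.extend(parse_port_group(group))
        profiles[section] = {
            "title": keys["title"],
            "description": keys["description"],
            "ports": ports,
        }
    return profiles


def check_profile(text):
    """Return a list of problems found; an empty list means the file parses."""
    try:
        parse_profile(text)
    except ValueError as exc:
        return [str(exc)]
    return []


# Constructed sample: the answer's AMANDA profile plus its template ports line.
SAMPLE_OK = """\
[AMANDA]
title=AMANDA Backup
description=AMANDA the Advanced Maryland Automatic Network Disk Archiver
ports=10080

[demo]
title=1-liner here
description=a longer line here
ports=1,2,3,4,5,6,7,8,9,10,30/tcp|50/udp|53
"""

# Constructed sample with a misspelled protocol suffix ("/tpc").
SAMPLE_BAD = """\
[broken]
title=bad suffix
description=protocol suffix is misspelled
ports=8140/tpc
"""

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        problems = check_profile(text)
        print(name, "OK" if not problems else problems)
```

Pass the contents of your new profile file to check_profile() and only copy it into /etc/ufw/applications.d when the returned list is empty; then run `ufw app update appname` and `ufw app info appname` as the answer describes to confirm ufw sees the same ports.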
