How do you create an app profile for ufw?
Ufw has a command that lists the profiles, whose definitions you can then explore further:
$ ufw app list
And
$ ufw app info {app profile title}
I was wondering how you can create a profile for an undefined program, like VirtualBox, and have that profile run the same definitions I have given iptables for my Ubuntu distro.
Not only am I trying to use Ubuntu's firewall to service my virtual machine, I am also sincerely curious as to how to create a profile for an application that doesn't come with one.
To answer the real question, about how to create your own application file, you only need to know that it uses the Windows INI file format (yuck).
[appname]
title=1-liner here
description=a longer line here
ports=1,2,3,4,5,6,7,8,9,10,30/tcp|50/udp|53
The ports line can specify multiple ports, with /udp or /tcp to limit the protocol; otherwise it defaults to both. You have to separate the protocol sections with |.
So, for a real-life set of examples I made:
[puppet]
title=puppet configuration manager
description=Puppet Open Source from http://www.puppetlabs.com/
ports=80,443,8140/tcp
[AMANDA]
title=AMANDA Backup
description=AMANDA the Advanced Maryland Automatic Network Disk Archiver
ports=10080
You can list multiple versions of the app in a single file, like this one from Apache:
===start of apache2.2-common file===
[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp
[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp
[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp
===end of file===
Once you have defined your application file, put it in /etc/ufw/applications.d, then tell ufw to reload the application definitions with
ufw app update appname
ufw app info appname
Use it with something like:
ufw allow from 192.168.1.10 to any app amanda
ufw allow amanda
assuming 192.168.1.10 is the IP of your amanda server.
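As an added example (my own code, not ufw's and not part of the answer above), here is a small Python checker that reads a profile file the same way the format implies, as INI with Python's configparser, and applies the ports rules just described: comma-separated ports, an optional /tcp or /udp per |-separated section, both protocols when none is given, and port ranges written with a colon as in man ufw. It expands each profile into the (port, protocol) pairs the rule will cover, so you can see what a ports line means before dropping the file into /etc/ufw/applications.d. The sample profiles are constructed from the answer's own examples; the 15-entry limit per section is the iptables multiport constraint, and ufw applies its own checks when it loads the file, so `ufw app info` stays the authoritative test.

```python
"""Validate a ufw application profile and expand its ports line.

Added example, not ufw's own code. It mirrors the rules given in the
answer above (INI sections with title/description/ports; ports as a
comma-separated list; optional /tcp or /udp per '|'-separated section;
both protocols when none is given) plus colon port ranges from man ufw.
"""
import configparser
import re

REQUIRED_KEYS = ("title", "description", "ports")
PROTOCOLS = ("tcp", "udp")
# iptables multiport takes at most 15 entries per match; a range counts as two.
MAX_MULTIPORT = 15

# Constructed sample (assumption for this example): the AMANDA and
# "Apache Full" profiles from the answer, plus a mixed ports line.
SAMPLE_PROFILE = """\
[AMANDA]
title=AMANDA Backup
description=AMANDA the Advanced Maryland Automatic Network Disk Archiver
ports=10080

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp

[Mixed]
title=Mixed example
description=Several protocol sections in one ports line
ports=8140/tcp|137,138/udp|6000:6007/tcp|53
"""

_PORT_RE = re.compile(r"^(\d+)(?::(\d+))?$")


def _check_port(spec):
    """Return spec unchanged if it is a port (1-65535) or an ascending lo:hi range."""
    m = _PORT_RE.match(spec)
    if not m:
        raise ValueError(f"bad port or range: {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"port out of range: {spec!r}")
    return spec


def expand_ports(ports_line):
    """Turn 'p,p/proto|p/proto|p' into [(port_or_range, proto), ...].

    A section with no /proto applies to both tcp and udp, so every port in
    it expands to two tuples, one per protocol.
    """
    result = []
    for section in ports_line.split("|"):
        section = section.strip()
        if not section:
            raise ValueError("empty section in ports line")
        port_part, sep, proto = section.partition("/")
        if sep and proto not in PROTOCOLS:
            raise ValueError(f"unknown protocol: {proto!r} (use tcp or udp)")
        protos = (proto,) if sep else PROTOCOLS
        ports = [_check_port(p.strip()) for p in port_part.split(",")]
        if sum(2 if ":" in p else 1 for p in ports) > MAX_MULTIPORT:
            raise ValueError(f"more than {MAX_MULTIPORT} multiport entries in one section")
        for pr in protos:
            for p in ports:
                result.append((p, pr))
    return result


def is_valid_ports(ports_line):
    """True if the ports line parses under the rules above."""
    try:
        expand_ports(ports_line)
        return True
    except ValueError:
        return False


def load_profiles(text):
    """Parse profile text as INI and validate every section.

    Returns {name: {"title": str, "description": str, "ports": [(port, proto), ...]}}.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        missing = [k for k in REQUIRED_KEYS if not cp.has_option(name, k)]
        if missing:
            raise ValueError(f"[{name}] is missing {', '.join(missing)}")
        profiles[name] = {
            "title": cp.get(name, "title"),
            "description": cp.get(name, "description"),
            "ports": expand_ports(cp.get(name, "ports")),
        }
    return profiles


if __name__ == "__main__":
    for name, prof in load_profiles(SAMPLE_PROFILE).items():
        print(f"[{name}] {prof['title']}")
        for port, proto in prof["ports"]:
            print(f"  {port}/{proto}")
```

To check a real file, pass its contents to load_profiles (for example the text of /etc/ufw/applications.d/amanda), fix anything it rejects, then run `ufw app update` and `ufw app info` as described above.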
It's actually all there in the manpage under the "Application Integration" section.
The basic syntax is:
ufw allow <app_name>
Or you can use the extended syntax to be more specific:
ufw allow from <some_address> to any app <app_name>
The manpage specifically says not to specify a port number:
You should not specify the protocol with either syntax, and with the extended syntax, use app in place of the port clause.
This probably means it will let <app_name> use whatever port it wants to.
Other useful commands:
ufw app info <app_name>
Which lists the information on <app_name>'s profile.
ufw app update <app_name>
Which updates <app_name>'s profile. You can use all to update all application profiles.
You can use the
ufw app update --add-new <app_name>
command to add a new profile for <app_name> and update it, following the rules you set out with ufw app default <policy>.
App profiles are stored in /etc/ufw/applications.d and sometimes /etc/services.
For more information see man ufw.