Linux - UFWファイアウォールの設定 (ufw) (Linux - UFW Firewall Setup (ufw))

字幕表動画を再生する

please go to the line the computer guy dot com, in order to view schematics, code and Maur for the projects that you are learning about.
Welcome back.
So in today's video, I'm going to show you how to use U F W in order to try to help secure your Atlantic server so you have W stands for uncomplicated firewall on.
So this is the firewall software that is built in a standard to Ruben to now, and you can also install it on other distributions of Lennox if you like.
As with all things in the Lenox world, there are a hell of a lot of firewall options out there.
I'm going to show you you have W because it's quote unquote, uncomplicated is relatively easy to use.
It's built into a bun, too.
You can run it on most distributions of Lennox, and therefore it's a good default standard to show you how to use.
But again, there's other firewalls off we're out there.
That may be better for whatever application that you're trying to accomplish.
Now, when you're talking about firewall software again in the security world, it's important to understand is that different types of software do different types of things in order to provide security for your server.
So anti virus software that looks for things like viruses it's important.
Understand all that firewall software does, is it simply allows or denies access to particular networking ports on your server?
Eso.
Different networking protocols require different ports.
Eso HTTP requires port 80 FTP Republican requires port 21 or possibly 20.
Sshh requires Port 22.
So, basically, by allowing or denying access to those particular ports, you either allow or deny access from the outside world to your system.
On those ports.
Doing blanket blocks generally isn't the greatest policy in the world.
Like doing a blanket block of sssh.
Doing a blanket block of ah of Port 22 may not really making a lot of sense in the security.
The world of security, basically, with the ideas.
If you're going to do a blanket block of a service, well, then why not simply remove that service from your server?
If you're going to a blanket block of sssh for everybody in the entire world coming over through the network, then the question is, Well, why don't you just disable that s s a service or simply uninstalled the SS service where the firewall really becomes powerful is because you can go in and you can specify things such as certain I P addresses are able to have access to serve imports or even certain entire sub nets can have access to certain ports.
So let's say you need to use sshh in order to remotely and minister your server.
Now you don't want to do a blanket block of sshh because if you have to remotely administer your server and you block all I P addresses from being able to remote remotely administer your server, that means you'll de facto not be able to connect it, sir.
So that's not good.
But you don't necessarily want S H to be open to the entire world because the people in China, Norway and who's Becca Stan will try to be trying to hack into your system.
So one of things that you can deal with U of W.
Is you can say I want my specific I P address to be able to access SS eight on the server, but literally nobody else.
So this may be valuable, especially in a business environment suit.
Let's say you have a server room.
You know, a few Lennox Potts is running that server room and you want to be able to sshh end to those legs boxes again just to do basic administration.
Take a look at basic log files.
Well, what you can dio is you can allow access for your specific I p address to use s s sake to those Lennox boxes.
So that allows you to be a bit remotely administer those systems even within the within the building.
But again, people from the outside world or other I p addresses in the building that literally will not be able to access the S s exports.
So these are the kinds of things you need to be thinking about when you're dealing with security and you're when you're dealing with fire walls again is the best, most appropriate way to go about security.
If you're going to blanket block a port on a server, then one of questions you should ask yourself is Then why is that service even installed on the server in the first place?
Maybe instead of worrying about the blanket block, maybe simply uninstalling that service would be the better way to go.
So what I'm going to show you how to do today is I'm going to show you how to enable you have w on a bond to again you have w comes with your bond to you so you don't even have to install it.
I'm going to show you how to look at the status of U F.
W.
I'm going to show you how to add rules too.
You have w delete rules from U F W and basically give you the over of view of how to use this in the real world.
Now one of the corpse that I'm gonna tell you again.
We talked about uncomplicated fire off again.
When you get the networking world, when you start layering technologies onto it on top of each other, uncomplicated again becomes the eye of the beholder.
Now, one of the things that I had to do in order to make the eyepiece specific rules actually work on the virtual machine that I'm showing you is I actually had to use a hardwired connection.
So again, I use ah Mac operating system.
I have virtual box installed on that Mac operating system.
And then I have you been to within a virtual machine within virtual box now something that was very interesting with us.
And again.
One of those weird quirks in the networking world is if I allowed everybody in the world toe have access to a certain port when I was on my WiFi connection.
So basically I used WiFi, and I simply use the brake adapter within virtual box to use WiFi.
So when I use my WiFi networking card within my Mac book Pro, um, and I allowed everybody access to certain import 22 21.
Whatever else that worked throughout my network, my Mac pro who connected the virtual machine, the Mac Book Pro could connect to the virtual machine.
Everybody could connect to the virtual machine.
The weird part Waas is that if I specified a specific I P addresses.
So I said, I only want this I P address to be able to connect to the Lenox server for this particular pork, and I was using the WiFi network hard in the Mac book Pro that literally did not work.
It failed completely.
My eye Mac Pro could not connect to it the Mac book Pro the host machine itself could not.
To the virtual machine, it did not work at all What I found.
I honestly I'm not sure why, But when I use a thunderbolt, a wired network connection and I start using that as the network card for that bridged adapter in the virtual machine, then all of us, when I typed in the specific I p address then that actually did work.
So this is just something to realize If you're using U F W on its own boxes, you have your own physical server.
You install loop onto onto that physical server and then you start playing around with U F.
W and networking.
You should have no issues at all.
I will tell you if you're doing these demonstrations.
If you're doing these labs in a virtualized environment, especially once you start dealing with the firewalls and specific rules and firewalls, you may have to do some additional troubleshooting to try to figure out what the hell is going on.
Literally took me about 30 minutes to figure out the solution for this, actually make the lab work.
And so I just realized you're using virtual box.
We're being more effusion or parallels or anything like that.
If you're using that bridge network connection literally.
What adapter you're using from your physical computer may cause you issues with how the firewall works.
So that's that's just one of those warnings is just one of the warnings again, once we start getting a little deeper in with these classes, that is simply the fact of the matter is, is your particular environment.
You may run into specific quirks, and you may have to trouble shoot those courts.
And I can't necessarily tell you what all the answers, maybe because I'm sitting here talking into again.
So anyways, with that, let's go over to the computer and we'll go with this demonstration and I'll show you how you F W works on a bun.
So here we are at my Mac book pro again, as I thought about before, I have virtual box installed.
I just want to go over to the settings for a second show.
You click here on settings for the virtual machine.
We go over to the network.
We can now see that I still have the bridge did after, So this is still the bridge did after setting that I've been using for these last few demonstrations.
But if we go down here to the name, we have a thunderbolt, eh?
Fernet versus the WiFi.
So again, for me to be able to do the demonstrations that I'm showing you today, I needed a hardwire network connection If I tried to use the WiFi and after for the Bridget adapter, it just it just failed out.
I really honestly can't tell you why.
So this might be something you have to go in trouble.
Shoot.
So if you're having issues, try to do use a wired network connection under braking adapter and see if that works for you, eh?
So with that, let's go over to the U Bahn to serving.
Running about to 18.4 point three.
Lt s of basically any amount to that you use.
This should work for you.
It's worked for about 10 years and should work for 10 more again.
If you're using Scent OS or another Lennox distribution, you can literally just you can install you f w and then everything else that I show you should work.
Let me log in.
We're gonna go to Bob.
And 123456 on.
We're going to hit, Enter and we're here.
So let me clear the screen.
And there we go.
So here we are at the standard command line.
Now, one of things that I want to do is I just want to bring up files illa here.
So just to kind of show you from from a networking standpoint to show you how this works.
Eso Currently I can put in 10 014 That is the I.
P.
Address of the soup on the server.
I can put in the name Bob.
I put in a password.
123456 And so this is the whole FTP set up.
But I did a different demonstration.
I can You quick connect is gonna ask me.
It's not secure.
I'm just going to say OK, this is a lab environment.
Okay, so now we can see that I was able to connect to the to the FTP server.
No big deal, No problem.
So there is no firewall at this point.
I can connect s.
So then what we're gonna do now is we're gonna do sudo so super user do and then I just want to check the status of U F W so used put in U F W.
And then we can ask what the status of U F.
W is put in the password on 23456 And we can see that the status for U.
F.
W is currently inactive.
So right at this point, I have no firewall running.
So sssh works perfectly.
FTP worst perfect play.
Any other network service that I would put on the suit bone to box would function.
I wouldn't have to do any further configurations, but we're worried about security here, so let's actually enable you f w So what we're gonna do is gonna do super User D'oh!
Do you have a W?
And then it's simply a again.
We do not have to install you f w at all.
It's already built in Thio to 18.4.
Then we're gonna hit enter.
And so now firewall is active and enabled on the system.
If we go back here and if you're quick connect again, we can see is trying to connect up here and basically it is now failing out because you f W is now running Ugo and use a different user name.
What's a Tim?
123456 way Quick Connect is now trying to connect, and it is failing.
It is unable to connect because U F W is now running.
So that's one of the first things to remember whenever you enable you have w is you have w by default denies all incoming connections.
So if we use the command so weaken d'oh dio su do you f w And then we could do something called status and then verbose.
So when we're dealing with status and u F W, there's a couple of different statuses questions.
Basically, you can ask commands so we simply just plug in.
Status itself is going to tell you whether it's active or inactive.
We do status verbose.
What that's going to do is is going to give us a bunch more information about what's going on with the status of you have done.
So we're going to click on this, and so we're going to see Okay, so the status is active.
Logging is on just low, so it does do some long.
We're not gonna worry about that today.
Uh, default.
So the default when you turn on a u f w is deny all incoming.
So this is very inboard right of you.
If you have a web server and you enable you have w know what, he's going to be able to get to that web server until you start allowing poor 80 to actually have access to the web site.
So this is one of the ways that you can screw yourself up Really bad is you decide to secure your Lennox box, you enable you have W.
And then basically all networking service is, unless you've actually allowed them, will no longer works.
If you have S S h and ftp an SMTP and http, all those networking protocols you have to go in and you actually have to specifically allow those so that people can have access from the outside world.
So just remember that by default, all incoming connections will be blocked.
All outgoing connection.
So this is updates getting to the Internet.
That's everything.
So anything going out will work.
Then there's ah routed so you can actually route I p traffic through your Lennox box you can actually use your Lennox boxes a router that is disabled by default.
And that is not something that we're going to be worried about.
Today s So basically we're sitting here, we can say, OK, so all incoming connections are denied, so that's not really gonna work for us.
So we just want to allow.
So let's say I want to be alone.
I want to be a bit allow FTP connections.
So for that, all I do is I do sue do so.
Super user dio u f w And then I can simply do allow so allow and then 21 so soon?
Oh, you have.
Have you allow port 21?
I can hit inner That rule has been added.
We go back to sue, do you f w status verbose.
We can now see that deny all incoming but for port 21 allow in from anywhere.
So again, this is important thing to think about From a security standpoint, this literally means anybody that has a network connection that can actually get to your server over the network.
We will be able to access port 21.
So come over here again.
We put in Bob again.
We put in 123456 Again we enter and there we go.
Now we're able to get into the FTP connection.
No big deal.
But let's say if we want to go over into sshh So let's say bring up terminal.
So this is the cool thing.
So I could do a s s es as I showed you before that I knew Bob at 10.
101.4.
So this is the user account name that we along into you with us.
Shh.
This is the I P.
Address.
And then I hit inner and you can see basically now it's failing out.
This should be This should be instantaneous.
As soon as I do.
S s a kind of hit inner eye should be connected.
It's going to fail out.
The reason is, is because we have open port 21.
So we're allowing port 21 toe have access.
But that's it.
We have an open port 20 to import 22 is four ss age.
So what we can dio is we can also do something such as allow from a specific I p address.
So Let's go and take a look at the I P address for our particular machine here so we could go to system preferences.
We could go to network, and then we can see our i p address.
So 10.0 dot 1.19.
So I want to allow traffic to port 22 for 10 not zero, not 1 19 So what I do here is a new super user do again?
Sue u f w Right.
And then we're gonna say is allow from 10.0 dot one that night.
19 and then this is kind of weird.
It's to any port 22.
Um and this is kind of like Lennox Programmer wording.
So basically, this is all this.
Makes sense.
So you have w allow from this I p address and then to any port 22.
That's a little confusing, but you gotta plug all that.
So basically, what you're saying here is allow from $10.019 19 to port 22 you just gotta put that any there s so it works.
They were going hit.
Enter Rule added again, we're gonna go back to Sue do u f w status verbose.
We go back, and now we take a look at the rule.
And so to port 22 action allow in from 10 0 Not one that 19.
So I could go back here to my terminal.
So this is my host machine.
I get out of this, that I can try this again.
So sssh, Bob at $10 0 not one.
Not for I hit inner key that quick.
It asked me for my password.
I get in and now I'm actually in the machine.
Right?
So that's how you both are able to allow a specific port to be open to the entire world.
And that's also how you allow a port to be open to a specific I p address on so you can put multiple.
You can do multiple rules.
So if you want it multiple individual be computers.
To be able to connect Thio to port 22 you could simply go back here and you could simply add, you know, whatever I p addresses you want you hit, enter, it's clear the screen.
And then if we go back and we do soo, do you f W status Bos again.
We can see now Port 20 to allow in $10.0 not 1 19 and port 20 to allow in $10 0 not 1 22 So that's how you can go, like so if you have multiple machines in your environment Now, one of the questions is, Well, what about just adding an entire sub net?
So So you have something like a web service.
You have a Web server that you want people in your company toe have access to.
But you don't want people from the outside world have access to so basically, you could do more or less the same A cup a cup, man, that looks a lot the same and allow access for an entire sub net to a particular pork.
So again, let's say Port 22 again.
So we're gonna do is gonna say, Super user do Soo, do you f w you're gonna say allow And then we're gonna say from And now here we're going to give a sub net.
We're gonna give a network instead of a specific I p address.
And so we're gonna say 10 0.0 dot 1.0.
So again, so for the whole sub net.
It's gonna be zero.
You're not gonna put a specific I P address here.
Then you're going to forward slash and then you're going to give whatever the subject mask it's so if it's a Class C, it's a slash 24.
It's a Class B is a slash 16 of his class A.
It's a slash eight, and you were doing some wacky as something that, even in your environment, will be a slash however many octet you're using in order to create your subnet mask from there just to do in any port 22 just like we did before.
So, basically, this is the difference between a specific I p address and a subnet mask.
So you do 10.0 that 1.0 that represents this entire network at a slash 24 to any port 22 we hit.
Enter Rule added, we go backs, you do, uh, w status for boats and we take a look.
And okay, so now we can see again poor 20 to the specific I P addresses are able to have access on then for port 22.
You can also do for this entire sub net right now.
Beyond that, instead of putting a specific poor, you can also use the name of the service that you do have to know what the name of the service's s.
So let's say we want to allow access to FTP.
So instead of saying port 21 we simply want to say F T P s.
You could do Sue Dio Oh, you f w allow.
And then instead of saying a specific poor, we can simply put FTP here we can hit, enter The rule has been added.
We go back and we take a look at the status again, and now we can see the port 21.
So these these have been added here, So that's that's using FTP instead of using the actual port number 21 you can use that for f D.
P can use that for SS eight.
You can use that for http, I would argue, especially if you're new.
You should figure out what port numbers the actual numbers you need for any particular service and plug in those particular numbers in.
I think that will work better for you, but you can plug in again.
You can plug in the service.
They m f d p s s h whatever else.
Now the question then becomes How about deleting?
Right?
So we got all of these rules in here.
What about if we no longer want $10.0 not 1 19 to be able to have access to the server, clear the screen again.
And so then what we can do here is we're going to use a different status.
We're gonna use a difference that Sue do u F w at us and then we're going to use number as the option.
That's what this is going to do is going to show us all the rules.
But it's going to show us with a number beside.
So the first rule is one.
The second rule is too so on and so forth.
So basically, I'm looking at these rules and I want $10.
01 down 19.
I no longer want this person have access.
So what I can then do is I can use the number to delete that.
So what I do is I do sue, do you f w delete.
And then I say space too.
So whatever.
Whatever number rule that ISS.
I plugged that number in here.
I hit inner deleting.
Say yes.
And then if we go back and we take a look at the status again, we can see that 10.0, not one down 19 is no longer there s So that's the basic of how this works.
So you can open up a port for anybody in the world who has a network connection that can connect to your server.
You can open her up for a specific I P addresses.
You can open it up for a specific sub nets.
You can open up again.
You can put in multiple rules.
You can put in specific I P addresses and a couple of sub nets and do a whole bunch of other fancy things.
And so that's the basic idea of how you have w works now for here.
When I added the FTP when I said f t p versus a specific port number, it added his TCP.
So you can actually specify TCP and UDP those air those particular protocols.
I would not worry about it this point.
If you're walking this particular video, get simply allow whatever port you want to allow.
And then that's something to learn about later.
But yet, but that's basically the basic of it.
Now, at the end, let's say you go through all of this and you're like, Okay, this is fun.
I've been doing I've been doing all this stuff, but now I have a massive list of all of these different rules.
I want to get rid of them.
What you can actually do is you can simply use the reset command.
So if you use the reset command that will delete all the rules and actually disable, you have W So you soon do you f w reset, We hit.
Enter, you say yes, and now it's done.
Eso you do, sue, do you f w we go back to status, we can see the status is now inactive.
Clear the screen on, then.
If I do say sue, do u f w enable at this point, it'll now enable you do sue do you f w status for boasts.
And now we can see that all of those rules that I created during this demonstration have gone away.
And so that's how basic, basic under idea of how to use a U F W as a firewall on your Lennox server.
And it's simply away again to secure things such as the S s s S s A is an invaluable tool, but it is also a massive security hole.
Again, things like ftp ftv could be a great tool.
Could be a massive security hole.
So by adding those to your server, but then locking them down so that they can only work for specific I p addresses.
That's a way that you can gain access to your server.
You can gain functionality for your server at the same time, not compromising security to such a horrible degree.
So there you go.
There's a basic overview of how to use U F w on your Lennox server and an idea of why firewalls are important on your Lennox boxes again.
The great thing about Lennox boxes is you can create what we call a headless boxes.
So what head less boxes mean is you simply have your machine running.
You literally don't have a keyboard, you don't have a mouse, you don't have a monitor.
Plug into it.
It's just off seating and 1/4 somewhere and then use something like s S h an FTP to go.
And actually, Minister, it s Oh, that's a great That's a great thing about the Lenox world.
But if you don't lock down as a sage, ftp, whatever other protocols were using with something like a firewall, that could be an absolutely massive vulnerability for your system.
And so, by using the firewall, this is a way to give yourself remote access to the system, but then also trying to lock down the security a little bit.
So you know, hackers can't come in and cause an absolute mess.
Now I will warn you with this.
You know what I showed you with U F W If everything is working out how it's supposed to work, if your network is working how it's supposed to work, all the routing is doing what it's supposed to dio then learning you f w should be relatively simple, right?
Basically, you're just using I P addresses.
Here you have a have a basic understanding of sub net masks and, you know, figure out what the port numbers are.
But again, this is where things can start to get very complicated.
if you don't have a network that's working perfectly correctly, or if you're running into some courts again in order to show you the demonstration that I showed you today, for whatever reason, whatever reason, I had to connect my Thunderbolt Network adapter into my mouth.
But pro connected hardwired to the physical network.
And then once I did that, then the specific I P address rules would work.
But I'm telling you, before I did that when I was using my wife, I, as the brig adapter for this virtual machine again if I opened the poor completely to the entire world, if I did allow for 22 that's all I did that that worked fine.
All my computers were able to access the virtual machine as soon as I said allow from, you know, whatever the I P addresses to the specific pork whenever you had that specific I P address or specific sum that mask in there, it just simply would not work when I use the brakes adapter for my wireless card.
And so it only works if I used the hardwire connection.
So this is where we start getting into the world where The basic concept of what I'm showing you is simple, and you can explain it a couple of minutes.
But if you start having any problems that there has to be any kind of trouble shooting, that's where things can get a little bit complicated.
And that's why you have to have a broader view of technology environment.
So at this point, not only do you have to understand Lennox, but you also have to understand the basics of networking again.
Default gateways, D.
N S I.
P addresses what these things actually are.
You know what a sudden that mask is howto find these types of things because in order to go any further, you will have to be ableto know that information and be able to do your own troubleshooting to figure out why something isn't working.
But anyways, you have.
W itself is pretty simple.
There are other firewall.
There's other firewall options out there, but this is a nice, basic simple one that that you can use, especially in the beginning, when you're just trying to spend something up and play around with it.