
After googling several sites and browsing through the [man page][1], I still come up short with an exact definition of the syntax of the application profiles for ufw rules.

All examples you find on the web are really simple ones and don't reflect anything more complex than simply opening a port.

Specifically, I need to allow my ufw to accept incoming and outgoing connections on a variety of ports, tcp and udp mixed, on specific interfaces to and from specified IP addresses.

Assume the following example:

Allow incoming connections on eth0 from 1.1.1.1:12345 tcp and 2.2.2.2:54321 udp.
Allow outbound connections via eth1 to 3.3.3.3:11111 tcp and udp.

While the syntax for defining such rules on the console is really simple, I have found no example or specification of how to define such rules in an app profile.

2 Answers


Apparently, there is no way to specify IP addresses and interfaces in application profiles.

The field parsing function and the test suite for app profiles do not include any other fields apart from:

  • title
  • description
  • ports

A very likely reason is that application profiles should specify — from an app vendor's perspective — what the application requires in order to work. This can be expressed in ports and protocols. The IP addresses and interfaces, however, are client-dependent and will vary on every system on which the respective app is installed. Hence, it doesn't make sense to bake that into profiles.

slhck

As a complement to the great accepted answer: while application profiles are limited to ports (and their protocols), you can add more filters when you apply an app profile to ufw.

In your example, let's say you've created 2 app profiles in /etc/ufw/applications.d:

[First]
Title=eth0 rules
Description=Rules for eth0 interface (1.1.1.1 and 2.2.2.2)
ports=12345/tcp|54321/udp

[Second]
Title=eth1 rules
Description=Rules for eth1 interface (3.3.3.3)
ports=11111

Now instead of applying such "apps" with just:

sudo ufw allow app First
sudo ufw allow app Second

You apply them as:

sudo ufw allow in on eth0 from 1.1.1.1 to any app First
sudo ufw allow in on eth0 from 2.2.2.2 to any app First
sudo ufw allow in on eth1 from 3.3.3.3 to any app Second
MestreLion
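As an added example (not code from ufw and not from either answer), the Python below mirrors what the two answers describe: it parses applications.d text reading only the three fields ufw knows (title, description, ports), flags any other key such as interface= or from= as ignored, applies ufw's port-spec constraints (a port or a low:high range, optional /tcp or /udp, and a range must name a protocol), and then expands a profile into the interface- and address-scoped ufw commands that carry the filters a profile cannot hold. The outbound helper covers the eth1 case from the question, putting the address on the to side (to ADDRESS app NAME). The sample profile text, the deliberately broken profile and the peer addresses are constructed for the demonstration; nothing is applied to a live firewall.

```python
"""Validate ufw application profiles and expand them into scoped rules.

Added example; not part of ufw and not the answers' code.  The profile text,
the deliberately broken profile and the peer addresses are constructed.
"""
import configparser
import re

# The only fields ufw reads from a profile; any other key is silently ignored.
REQUIRED_FIELDS = ("title", "description", "ports")
# A port, or a low:high range, with an optional /tcp or /udp suffix.
PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?(?:/(tcp|udp))?$")

# Constructed sample: the two profiles from the answer above, plus one that
# tries to smuggle in interface/address keys and a bare port range.
SAMPLE_PROFILES = """\
[First]
title=eth0 rules
description=Rules for eth0 interface (1.1.1.1 and 2.2.2.2)
ports=12345/tcp|54321/udp

[Second]
title=eth1 rules
description=Rules for eth1 interface (3.3.3.3)
ports=11111

[Broken]
title=bad
description=range without a protocol, plus keys ufw does not read
ports=6000:6010
interface=eth0
from=1.1.1.1
"""


def parse_profiles(text):
    """Return {name: {"fields": {...}, "unknown": [...]}} for each [section]."""
    # RawConfigParser lower-cases keys (Title= and title= are the same key)
    # and does no %-interpolation; '=' only, so ':' inside a range is data.
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        fields = dict(cp.items(name))
        unknown = sorted(set(fields) - set(REQUIRED_FIELDS))
        profiles[name] = {"fields": fields, "unknown": unknown}
    return profiles


def validate_ports(spec):
    """Split a ports= value on '|' into (port, proto) pairs; ValueError if invalid."""
    result = []
    for item in spec.split("|"):
        m = PORT_RE.match(item)
        if not m:
            raise ValueError("bad port spec %r" % item)
        low, high, proto = m.group(1), m.group(2), m.group(3) or "any"
        if high is not None and proto == "any":
            # ufw rejects a port range that does not name tcp or udp
            raise ValueError("range %r needs /tcp or /udp" % item)
        for p in (low, high):
            if p is not None and not 1 <= int(p) <= 65535:
                raise ValueError("port %s out of range" % p)
        if high is not None and int(low) > int(high):
            raise ValueError("range %r is inverted" % item)
        result.append((low if high is None else "%s:%s" % (low, high), proto))
    return result


def validate_profile(profile):
    """Return a list of problems (empty when the profile is acceptable)."""
    problems = []
    fields = profile["fields"]
    for f in REQUIRED_FIELDS:
        if not fields.get(f):
            problems.append("missing or empty field %r" % f)
    for k in profile["unknown"]:
        problems.append("field %r is not a profile field and is ignored" % k)
    if fields.get("ports"):
        try:
            validate_ports(fields["ports"])
        except ValueError as e:
            problems.append(str(e))
    return problems


def scoped_rules(app, interface, direction, peers):
    """Bind a profile to an interface and peer addresses at rule time.

    'in' filters on the remote source, 'out' on the remote destination; the
    rule, not the profile, is where the address and interface belong.
    """
    cmds = []
    for peer in peers:
        if direction == "in":
            cmds.append("ufw allow in on %s from %s to any app %s" % (interface, peer, app))
        elif direction == "out":
            cmds.append("ufw allow out on %s to %s app %s" % (interface, peer, app))
        else:
            raise ValueError("direction must be 'in' or 'out'")
    return cmds


if __name__ == "__main__":
    profiles = parse_profiles(SAMPLE_PROFILES)
    for name, prof in profiles.items():
        print(name, validate_profile(prof) or "ok")
    for cmd in scoped_rules("First", "eth0", "in", ["1.1.1.1", "2.2.2.2"]):
        print(cmd)
    for cmd in scoped_rules("Second", "eth1", "out", ["3.3.3.3"]):
        print(cmd)
```

Running it reports First and Second as ok, lists the two ignored keys and the bare range for Broken, and prints the two inbound eth0 rules from the answer followed by the outbound eth1 rule for 3.3.3.3. After adding profiles to /etc/ufw/applications.d, `sudo ufw app info NAME` shows what ufw actually parsed, which is the quickest way to confirm that no extra key was picked up.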