Ufw has a command that lists out profiles, from which you can further explore their profile definitions:

$ ufw app list

And

$ ufw app info {app profile title}

I was wondering how you can create a profile for an undefined program, like VirtualBox, and have that profile run the same definitions I have given iptables for my Ubuntu distro.

Not only am I trying to use Ubuntu's firewall to service my virtual machine. I am also sincerely curious as to how to create a profile for an application that doesn't come with one.

Miphix

2 Answers


To answer the real question, about how to create your own application file, you only need to know that it uses the Windows INI file format.

[appname]
title=1-liner here
description=a longer line here
ports=1,2,3,4,5,6,7,8,9,10,30/tcp|50/udp|53

The ports line can specify multiple ports, with /udp or /tcp to limit the protocol; otherwise it defaults to both. You have to split the protocol sections up with |.

So, for a real-life set of examples I made:

[puppet]
title=puppet configuration manager
description=Puppet Open Source from http://www.puppetlabs.com/
ports=80,443,8140/tcp

[AMANDA]
title=AMANDA Backup
description=AMANDA the Advanced Maryland Automatic Network Disk Archiver
ports=10080

You can list multiple versions of the app in a single file, like this one from apache:

===start of apache2.2-common file===
[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp

===end of file===

Once you have defined your application file, put it in /etc/ufw/applications.d, then tell ufw to reload the application definitions with

ufw app update appname
ufw app info appname

Use it with something like:

ufw allow from 192.168.1.10 to any app amanda
ufw allow amanda

assuming 192.168.1.10 is the IP of your amanda server.

Paradoxis
  • your syntax for combining udp and tcp is wrong. It should be xx/tcp|yy/udp. In other words, the separation between protocols should be a pipe, not a comma like in your example – Hilikus Jul 07 '15 at 05:24
  • My example wasn't trying to combine them, it is a simple list of this-port-on-udp, some-other-port-on-tcp. – user207998 Aug 14 '15 at 16:51
  • I just tried using netstat to find the application name... is that right? It worked for me at least. Is it case sensitive? I'm not really sure what the relationship is between the "appname" in the application file vs. the title vs. the process name, etc. – intcreator Mar 08 '18 at 22:50
  • Netstat just lists the process name connected to a particular port. This doesn't necessarily match the name of the application. For example, the postfix application launches a variety of processes, including the 'master' process that opens port 25. I name the ufw app config file based on, say, the package name, ie 'Postfix' or 'AMANDA'. Within the config file there are one or more app definitions that represent ports opened by that package. There can be multiples, see the 'postfix' package as an example. There the app names vary based on how postfix was configured. – user207998 Mar 24 '18 at 16:52
  • For multiple TCP ports, is it as the former or the latter? xx/tcp,xy/tcp,xz/tcp or xx/tcp|xy/tcp|xz/tcp – errolflynn May 21 '19 at 16:45
  • I can confirm that the port syntax is incorrect. Ports are delimited with pipes, not just protocols: ports=1|2|3|4|5/udp|6/udp|7|8/tcp|9/tcp|10|30/tcp|50/udp|53 – Micah Henning May 14 '20 at 00:15
  • Examples of the syntax taken directly from "man ufw" and the APPLICATION INTEGRATION section:
    [SomeService]
    title=Some title
    description=Some description
    ports=12/udp|34|56,78:90/tcp
    In the above example, 'SomeService' may be used in app rules and it specifies UDP port 12, TCP and UDP on port 34 and TCP ports 56 and 78-90 inclusive. The syntax in my original answer is tested and CORRECT. – user207998 Oct 24 '22 at 19:25
  • The port specification seems to be consistent; just needs a little more verbosity. The pipes separate port lists followed by a protocol. So 1,2/tcp means port 1 and 2 are both TCP. To specify another port list with a different protocol, use the pipe. 1,2/tcp|3,4/udp. – Gerard ONeill Sep 03 '24 at 18:10
  • I wanted to enable multiple ports for both TCP and UDP and the comma didn't work. So I used the pipe and it worked as expected. – Sergey Ponomarev Oct 19 '24 at 13:34
  • Good remark from @intcreator: the doc never explains what the name is used for. Does it mean renaming an evil process OpenSSH will allow it to use port 22, or renaming it firefox will allow it to exfiltrate data using https? – etham Feb 12 '25 at 16:11
  • Ok, I think I understood: as ufw is just a frontend to iptables, per-app profiles just open the given ports, but do not imply checking which app is using these ports. – etham Feb 12 '25 at 16:24
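
To make the comma-versus-pipe semantics from the comments concrete, here is an added Python example (not code from this answer or from the ufw project) that parses a profile file and expands its ports field exactly as the man ufw excerpt quoted above describes: pipes separate sections, commas and low:high ranges list ports inside a section, and a missing suffix means both TCP and UDP. The function names parse_ports and parse_profile and the SAMPLE profile text are my own constructions; the sample reuses the man-page example.

```python
import re

# Grammar from the APPLICATION INTEGRATION section of man ufw: the ports value is a
# '|'-separated list of sections; each section is a comma-separated list of ports or
# low:high ranges, optionally followed by /tcp or /udp (no suffix means both protocols).
_PORT_RE = re.compile(r"^(\d+)(?::(\d+))?$")


def parse_ports(field):
    """Expand a ufw 'ports=' value into (low, high, proto) tuples; raise ValueError on
    malformed input so a bad profile is caught before it lands in applications.d."""
    rules = []
    for section in field.split("|"):
        body, _, proto = section.strip().partition("/")
        if proto not in ("", "tcp", "udp"):  # also rejects mixed forms like 80/tcp,443/udp
            raise ValueError("unknown protocol %r in section %r" % (proto, section))
        protos = (proto,) if proto else ("tcp", "udp")
        for item in body.split(","):
            m = _PORT_RE.match(item.strip())
            if not m:
                raise ValueError("bad port or range %r in section %r" % (item, section))
            low = int(m.group(1))
            high = int(m.group(2)) if m.group(2) else low
            if not 1 <= low <= high <= 65535:
                raise ValueError("port out of range in %r" % item)
            rules.extend((low, high, p) for p in protos)
    return rules


def parse_profile(text):
    """Parse one application profile file (INI format) into {name: fields} and attach the
    expanded 'rules' list to each section so every ports field is validated."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # skip blanks and INI comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            profiles[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            profiles[current][key.strip()] = value.strip()
    for name, fields in profiles.items():
        fields["rules"] = parse_ports(fields["ports"])
    return profiles


# Constructed sample profile: the man-page example quoted in the comments above.
SAMPLE = "[SomeService]\ntitle=Some title\ndescription=Some description\nports=12/udp|34|56,78:90/tcp\n"
```

Run parse_profile(SAMPLE) to see that SomeService expands to UDP 12, TCP and UDP 34, TCP 56 and TCP 78-90, and feed it the answer's own ports line to confirm that the comma list before /tcp is valid.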

It's actually all there in the manpage under the "Application Integration" section.

The basic syntax is:

ufw allow <app_name>

Or you can use the extended syntax to be more specific:

ufw allow from <some_address> to any app <app_name>

The manpage specifically says not to specify a port number:

You should not specify the protocol with either syntax, and with the extended syntax, use app in place of the port clause.

This probably means it will let <app_name> use whatever port it wants to.

Other useful commands:

ufw app info <app_name>

Which lists the information on <app_name>'s profile.

ufw app update <app_name>

Which updates <app_name>'s profile. You can use all to update all application profiles.

You can use the:

ufw app update --add-new <app_name>

command to add a new profile for <app_name> and update it, following the rules you set out with ufw app default <policy>.

App profiles are stored in /etc/ufw/applications.d and sometimes /etc/services.

For more information see man ufw.

MestreLion
Seth
  • Yes, you don't specify a port in the 'ufw allow' syntax because the protocol is supposedly specified, if necessary, in the app definition file itself. – user207998 Jul 17 '19 at 22:41
  • /etc/services seems to be just the list of common network services and their standard ports (as assigned by IANA), so other than being a reference it's not directly usable as a UFW application profile – MestreLion Oct 05 '22 at 17:42
  • The original question was asking how to create a custom application definition, not how to use an existing pre-defined ufw application already present. /etc/services is a unix-standard file that lists ports and what protocol they provide, not what application provides them, and usually lists a lot of services that aren't even present on the host in question. It's a standard OS resource, not a configuration file. – user207998 Oct 24 '22 at 19:32