Recent Ubuntu releases ship ufw by default, but some existing OS installs do not have it.

Here is how to install and use ufw.

[root@mydata ~]# ufw
-bash: ufw: command not found
[root@mydata ~]# uname -a
Linux mydata 3.10.0-957.12.2.el7.x86_64 #1 SMP Tue May 14 21:24:32 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[root@mydata ~]#
[root@mydata ~]#
[root@mydata ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@mydata ~]# yum install ufw
Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors
epel/x86_64/metalink                                                                                                                                                           | 5.6 kB  00:00:00
 * base: mirror.navercorp.com
 * epel: ftp.riken.jp
 * extras: mirror.navercorp.com
 * updates: mirror.navercorp.com
base                                                                                                                                                                           | 3.6 kB  00:00:00
epel                                                                                                                                                                           | 4.3 kB  00:00:00
extras                                                                                                                                                                         | 2.9 kB  00:00:00
ius                                                                                                                                                                            | 1.3 kB  00:00:00
mysql-connectors-community                                                                                                                                                     | 2.6 kB  00:00:00
mysql-tools-community                                                                                                                                                          | 2.6 kB  00:00:00
mysql56-community                                                                                                                                                              | 2.6 kB  00:00:00
updates                                                                                                                                                                        | 2.9 kB  00:00:00
(1/8): extras/7/x86_64/primary_db                                                                                                                                              | 253 kB  00:00:00
(2/8): ius/x86_64/primary                                                                                                                                                      |  40 kB  00:00:00
(3/8): mysql-connectors-community/x86_64/primary_db                                                                                                                            | 114 kB  00:00:00
(4/8): epel/x86_64/group                                                                                                                                                       | 399 kB  00:00:00
(5/8): mysql-tools-community/x86_64/primary_db                                                                                                                                 |  98 kB  00:00:00
(6/8): updates/7/x86_64/primary_db                                                                                                                                             |  27 MB  00:00:00
(7/8): epel/x86_64/updateinfo                                                                                                                                                  | 1.0 MB  00:00:01
(8/8): epel/x86_64/primary_db                                                                                                                                                  | 8.7 MB  00:00:05
ius                                                                                                                                                                                           159/159
Resolving Dependencies
--> Running transaction check
---> Package ufw.noarch 0:0.35-9.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================================================================================================================================================
 Package                                      Arch                                            Version                                             Repository                                     Size
======================================================================================================================================================================================================
Installing:
 ufw                                          noarch                                          0.35-9.el7                                          epel                                          220 k

Transaction Summary
======================================================================================================================================================================================================
Install  1 Package

Total download size: 220 k
Installed size: 905 k
Is this ok [y/d/N]: y
Downloading packages:
ufw-0.35-9.el7.noarch.rpm                                                                                                                                                      | 220 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : ufw-0.35-9.el7.noarch                                                                                                                                                              1/1
  Verifying  : ufw-0.35-9.el7.noarch                                                                                                                                                              1/1

Installed:
  ufw.noarch 0:0.35-9.el7

Complete!
[root@mydata ~]#

On Naver Cloud, the "Classic" platform version has no outbound policy setting.

(If I simply could not find it, please let me know how~)

As a workaround I tried Linux iptables, but it was too difficult because the rules are not configured bidirectionally.

So I am going to try using the ufw service instead.

[Basis for the work]

Certification criterion: ISMS certification 2.6.2 Information System Access

o Key check items

Users permitted to access information systems such as servers and network systems, the access-restriction method, secure access means, etc.
must be defined and controlled.

  - Are services unrelated to the information system's purpose of use removed?

The configuration blocks all outbound traffic and opens only the DNS port.

With the commands below, the inbound policy allows everything and the outbound policy blocks everything except DNS port 53 (ufw applies the rule to both TCP and UDP when no protocol is given).

root@mydata:~# ufw disable
root@mydata:~# ufw default deny outgoing
root@mydata:~# ufw allow out to any port 53
root@mydata:~# ufw enable

Connectivity test session

root@mydata:~# ufw status verbose
Status: active
Logging: on (low)
Default: allow (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
53                         ALLOW OUT   Anywhere

root@mydata:~#
root@mydata:~#
root@mydata:~#
root@mydata:~#
root@mydata:~#
root@mydata:~# curl www.naver.com
^C
root@mydata:~# ufw allow out to any port 80
Rule added
Rule added (v6)
root@mydata:~# ufw status verbose
Status: active
Logging: on (low)
Default: allow (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
53                         ALLOW OUT   Anywhere
80                         ALLOW OUT   Anywhere
80 (v6)                    ALLOW OUT   Anywhere (v6)

root@mydata:~# curl www.naver.com
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center> NWS </center>
</body>
</html>
root@mydata:~#
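Once the outbound default-deny is in place, it is worth being able to confirm it has not drifted. The following is an added example, not from the original post: a small POSIX shell audit that reads saved `ufw status verbose` output and checks that the default outgoing policy is deny and that the ALLOW OUT ports are exactly the expected list (53 and 80 after the session above). The sample status text is constructed from the output shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit saved "ufw status verbose"
# output against the expected outbound policy. Function names are assumed.

# Constructed sample, copied from the status shown after allowing 53 and 80 out.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: allow (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
53                         ALLOW OUT   Anywhere
80                         ALLOW OUT   Anywhere
80 (v6)                    ALLOW OUT   Anywhere (v6)'

# Constructed sample of a host whose default outgoing policy was never changed.
SAMPLE_STATUS_OPEN='Status: active
Default: allow (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
53                         ALLOW OUT   Anywhere'

# Succeed only when the "Default:" line says deny for outgoing traffic.
default_outgoing_is_deny() {
    printf '%s\n' "$1" | grep -q 'Default: .*deny (outgoing)'
}

# Print every port that has an ALLOW OUT rule, merging v4/v6 rows and
# stripping a "/tcp" or "/udp" suffix; one port per line, sorted, unique.
allowed_out_ports() {
    printf '%s\n' "$1" | awk '/ALLOW OUT/ { sub(/\/.*/, "", $1); print $1 }' | sort -un
}

# Return 0 when outgoing defaults to deny AND the ALLOW OUT ports are exactly
# the space-separated list in $2 (the ISMS 2.6.2 "only needed services" check).
check_outbound_allowlist() {
    status="$1"
    expected="$2"
    default_outgoing_is_deny "$status" || return 1
    actual=$(allowed_out_ports "$status" | tr '\n' ' ' | sed 's/ $//')
    wanted=$(printf '%s\n' $expected | sort -un | tr '\n' ' ' | sed 's/ $//')
    [ "$actual" = "$wanted" ]
}

# Stand-alone use on a live host (ufw needs root):
# check_outbound_allowlist "$(ufw status verbose)" "53" && echo OK || echo DRIFT
```

Run it from cron or a config-management check so that an extra `ufw allow out` left behind after a test (like port 80 above) is noticed rather than silently kept.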

Example commands used

[root@mydata ~]# ufw allow out to 1.1.1.1
[root@mydata ~]# ufw status numbered
[root@mydata ~]# ufw status verbose
[root@mydata ~]# ufw delete 2
[root@mydata ~]# ufw delete 2
[root@mydata ~]# ufw allow from 1.1.1.1
[root@mydata ~]# ufw allow 8080
[root@mydata ~]# ufw allow out to any port 80
[root@mydata ~]# ufw default allow incoming
[root@mydata ~]# ufw default deny outgoing
