Friday 13 November 2015

How To Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server

Introduction

One of the first lines of defense in securing your cloud server is a functioning firewall. In the past, this was often done through complicated and arcane utilities. There is a lot of functionality built into these utilities, iptables being the most popular nowadays, but they require a decent effort on behalf of the user to learn and understand them. Firewall rules are not something you want to be second-guessing.
To this end, UFW is a considerably easier-to-use alternative.

What is UFW?

UFW, or Uncomplicated Firewall, is a front-end to iptables. Its main goal is to make managing your firewall drop-dead simple and to provide an easy-to-use interface. It’s well supported and popular in the Linux community, and is even installed by default in a lot of distros. As such, it’s a great way to get started securing your server.

Before We Get Started

First, obviously, you want to make sure UFW is installed. It should be installed by default in Ubuntu, but if for some reason it’s not, you can install the package with aptitude or apt-get using one of the following commands:
sudo aptitude install ufw
or
sudo apt-get install ufw

Check the Status

You can check the status of UFW by typing:
sudo ufw status
Right now, it will probably tell you it is inactive. Whenever ufw is active, you’ll get a listing of the current rules that looks similar to this:
Status: active

To               Action      From
--               ------      ----
22               ALLOW       Anywhere

Using IPv6 with UFW

If your VPS is configured for IPv6, ensure that UFW is configured to support IPv6 so that it manages both your IPv4 and IPv6 firewall rules. To do this, open the UFW configuration with this command:
sudo vi /etc/default/ufw
Then make sure "IPV6" is set to "yes", like so:
IPV6=yes
Save and quit. Then restart your firewall with the following commands:
sudo ufw disable
sudo ufw enable
Now UFW will configure the firewall for both IPv4 and IPv6, when appropriate.

Set Up Defaults

One of the things that will make setting up any firewall easier is to define some default rules for allowing and denying connections. UFW’s defaults are to deny all incoming connections and allow all outgoing connections. This means anyone trying to reach your cloud server would not be able to connect, while any application within the server would be able to reach the outside world. To set the defaults used by UFW, you would use the following commands:
sudo ufw default deny incoming
and
sudo ufw default allow outgoing
Note: if you want to be a little bit more restrictive, you can deny all outgoing requests as well. The necessity of this is debatable, but on a public-facing cloud server it could help prevent outbound remote shell connections. It does make your firewall more cumbersome to manage, because you’ll have to set up rules for all outgoing connections as well. You can set this as the default with the following:
sudo ufw default deny outgoing

Allow Connections

The syntax is pretty simple. You change the firewall rules by issuing commands in the terminal. If we turned on our firewall now, it would deny all incoming connections. If you’re connected over SSH to your cloud server, that would be a problem because you would be locked out of your server. Let’s enable SSH connections to our server to prevent that from happening:
sudo ufw allow ssh
As you can see, the syntax for adding services is pretty simple. UFW comes with some defaults for common uses. Our SSH command above is one example. It’s basically just shorthand for:
sudo ufw allow 22/tcp
This command allows a connection on port 22 using the TCP protocol. If our SSH server is running on port 2222, we could enable connections with the following command:
sudo ufw allow 2222/tcp

Other Connections We Might Need

Now is a good time to allow some other connections we might need. If we’re securing a web server with FTP access, we might need these commands:
sudo ufw allow www
or
sudo ufw allow 80/tcp
sudo ufw allow ftp
or
sudo ufw allow 21/tcp
Your mileage will vary on what ports and services you need to open. There will probably be a bit of testing necessary. In addition, make sure you leave your SSH connection allowed.

Port Ranges

You can also specify port ranges with UFW. To allow ports 1000 through 2000, use the command:
sudo ufw allow 1000:2000/tcp
If you want UDP:
sudo ufw allow 1000:2000/udp

IP Addresses

You can also specify IP addresses. For example, if I wanted to allow connections from a specific IP address (say my work or home address), I’d use this command:
sudo ufw allow from 192.168.255.255

Denying Connections

Our default setup is to deny all incoming connections. This makes the firewall rules easier to administer, since we are only selectively allowing certain ports and IP addresses through. However, if you want to flip it and open up all of your server’s ports (not recommended), you could allow all connections and then selectively deny the ports you don’t want to expose, by replacing “allow” with “deny” in the commands above. For example:
sudo ufw allow 80/tcp
would allow access to port 80 while:
sudo ufw deny 80/tcp
would deny access to port 80.

Deleting Rules

There are two options to delete rules. The most straightforward one is to use the following syntax:
sudo ufw delete allow ssh
As you can see, we use the “delete” command followed by the rule we want to eliminate. Other examples include:
sudo ufw delete allow 80/tcp
or
sudo ufw delete allow 1000:2000/tcp
This can get tricky when you have rules that are long and complex.
A simpler, two-step alternative is to type:
sudo ufw status numbered
which will have UFW list out all the current rules in a numbered list. Then, we issue the command:
sudo ufw delete [number]
where “[number]” is the line number from the previous command.

Turn It On

After we’ve gotten UFW to where we want it, we can turn it on using this command (remember: if you’re connecting via SSH, make sure you’ve set your SSH port, commonly port 22, to be allowed to receive connections):
sudo ufw enable
You should see the command prompt again if it all went well. You can check the status of your rules now by typing:
sudo ufw status
or
sudo ufw status verbose
for the most thorough display.
To turn UFW off, use the following command:
sudo ufw disable
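Two of the steps above are easy to get wrong from a script: picking the right number for "sudo ufw delete [number]", and enabling the firewall before an SSH rule is in place. The helpers below are an added example, not part of the original tutorial: they parse the "ufw status numbered" table shown above and the "ufw show added" report (a standard ufw report the tutorial does not mention, which lists the rules you have added even while the firewall is inactive, when "ufw status" prints only "Status: inactive"). Function names and the sample output are constructed, and UFW may be overridden with another command for a dry run.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Parses the
# "ufw status numbered" table and the "ufw show added" report so a script can
# find a rule's number for "ufw delete" and refuse "ufw enable" while no SSH
# allow rule has been added. Function names and the samples are constructed.

# Constructed sample of "sudo ufw status numbered" on an active firewall.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 1000:2000/tcp              ALLOW IN    Anywhere
[ 4] Anywhere                   ALLOW IN    192.168.255.255
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Constructed sample of "sudo ufw show added" (rules queued, firewall off).
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 2222/tcp
ufw allow 80/tcp"

# ufw_rule_number STATUS_TEXT TO ACTION FROM
# Prints the [n] index of the first rule whose columns match; an empty
# argument matches any value. That index is what "sudo ufw delete n" takes.
ufw_rule_number() {
    printf '%s\n' "$1" | awk -v to="$2" -v action="$3" -v from="$4" '
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/].*/, "", num)
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            # columns are separated by 2+ spaces; values hold single spaces
            if (split(rest, f, /  +/) == 3 &&
                (to == "" || f[1] == to) &&
                (action == "" || f[2] == action) &&
                (from == "" || f[3] == from)) { print num; exit }
        }'
}

# ufw_allow_queued ADDED_TEXT PORTSPEC
# Succeeds when "ufw show added" lists "ufw allow PORTSPEC" (e.g. 22/tcp).
ufw_allow_queued() {
    printf '%s\n' "$1" | grep -q "^ufw allow $2\$"
}

# ufw_enable_guarded SSH_PORT: lockout guard for the "Turn It On" step. The
# rule list from "ufw status" is empty while inactive, so "show added" is used.
ufw_enable_guarded() {
    added="$(${UFW:-sudo ufw} show added)"
    if ! ufw_allow_queued "$added" "$1/tcp"; then
        echo "refusing to enable: no 'ufw allow $1/tcp' rule queued" >&2
        return 1
    fi
    ${UFW:-sudo ufw} enable
}
```

On a real host, "ufw_rule_number "$(sudo ufw status numbered)" 80/tcp "ALLOW IN" Anywhere" gives the number to pass to "sudo ufw delete", and "ufw_enable_guarded 22" replaces a bare "sudo ufw enable".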

Reset Everything

If, for whatever reason, you need to reset your cloud server’s rules to their default settings, you can do so with this command:
sudo ufw reset

Conclusion

You should now have a cloud server that is configured properly to restrict access to a subset of ports or IP addresses.
 
Article Submitted by: Shaun Lewis
 
Source : https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server

Wednesday 4 November 2015

XenServer 6.2: How to set up passthrough of a PCI or PCI-Express device

This is done by logging in as the root user to your XenServer system via SSH. To see the PCI devices available to your system, enter the following command:

lspci

Here is an example result:

00:00.0 Host bridge: Advanced Micro Devices, Inc. [AMD/ATI] RD890 Northbridge only dual slot (2x16) PCI-e GFX Hydra part (rev 02)
00:00.2 IOMMU: Advanced Micro Devices, Inc. [AMD/ATI] RD990 I/O Memory Management Unit (IOMMU)
00:02.0 PCI bridge: Advanced Micro Devices, Inc. [AMD/ATI] RD890 PCI to PCI bridge (PCI express gpp port B)
00:09.0 PCI bridge: Advanced Micro Devices, Inc. [AMD/ATI] RD890 PCI to PCI bridge (PCI express gpp port H)
00:0a.0 PCI bridge: Advanced Micro Devices, Inc. [AMD/ATI] RD890 PCI to PCI bridge (external gfx1 port A)
00:0b.0 PCI bridge: Advanced Micro Devices, Inc. [AMD/ATI] RD890 PCI to PCI bridge (NB-SB link)
00:0c.0 PCI bridge: Advanced Micro Devices, Inc. [AMD/ATI] RD890S PCI Express bridge for GPP2 port 1
00:11.0 SATA controller: Advanced Micro Devices, Inc. [AMD/ATI] SB7x0/SB8x0/SB9x0 SATA Controller [AHCI mode]
00:12.0 USB controller: Advanced Micro Devices, Inc. [AMD/ATI] SB7x0/SB8x0/SB9x0 USB OHCI0 Controller
00:12.1 USB controller: Advanced Micro Devices, Inc. [AMD/ATI] SB7x0 USB OHCI1 Controller
00:12.2 USB controller: Advanced Micro Devices, Inc. [AMD/ATI] SB7x0/SB8x0/SB9x0 USB EHCI Controller
00:13.0 USB controller: Advanced Micro Devices, Inc. [AMD/ATI] SB7x0/SB8x0/SB9x0 USB OHCI0 Controller
00:13.1 USB controller: Advanced Micro Devices, Inc. [AMD/ATI] SB7x0 USB OHCI1 Controller
00:13.2 USB controller: Advanced Micro Devices, Inc. [AMD/ATI] SB7x0/SB8x0/SB9x0 USB EHCI Controller
00:14.0 SMBus: Advanced Micro Devices, Inc. [AMD/ATI] SBx00 SMBus Controller (rev 3d)
00:14.1 IDE interface: Advanced Micro Devices, Inc. [AMD/ATI] SB7x0/SB8x0/SB9x0 IDE Controller
00:14.3 ISA bridge: Advanced Micro Devices, Inc. [AMD/ATI] SB7x0/SB8x0/SB9x0 LPC host controller
00:14.4 PCI bridge: Advanced Micro Devices, Inc. [AMD/ATI] SBx00 PCI to PCI Bridge
00:14.5 USB controller: Advanced Micro Devices, Inc. [AMD/ATI] SB7x0/SB8x0/SB9x0 USB OHCI2 Controller
00:18.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 0
00:18.1 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 1
00:18.2 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 2
00:18.3 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 3
00:18.4 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 4
00:18.5 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 5
00:19.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 0
00:19.1 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 1
00:19.2 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 2
00:19.3 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 3
00:19.4 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 4
00:19.5 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 5
00:1a.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 0
00:1a.1 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 1
00:1a.2 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 2
00:1a.3 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 3
00:1a.4 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 4
00:1a.5 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 5
00:1b.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 0
00:1b.1 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 1
00:1b.2 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 2
00:1b.3 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 3
00:1b.4 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 4
00:1b.5 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Function 5
01:01.0 VGA compatible controller: ASPEED Technology, Inc. ASPEED Graphics Family (rev 10)
01:03.0 Multimedia audio controller: C-Media Electronics Inc CMI8788 [Oxygen HD Audio]
02:00.0 Ethernet controller: Intel Corporation 82574L Gigabit Network Connection
03:00.0 Multimedia controller: Philips Semiconductors SAA7164 (rev 81)
04:00.0 Ethernet controller: Intel Corporation 82574L Gigabit Network Connection
05:00.0 Ethernet controller: Intel Corporation 82574L Gigabit Network Connection
06:00.0 InfiniBand: Mellanox Technologies MT26418 [ConnectX VPI PCIe 2.0 5GT/s - IB DDR / 10GigE] (rev b0)


As you might guess from some of the lines, it’s an AMD server. You’ll notice some USB controllers, likely a SATA controller and any PCI or PCI Express add-in cards (usually at the bottom). In this example we will pass through a digital TV card to a VM so we can record free-to-air TV. The controller here is the fourth-last entry:

03:00.0 Multimedia controller: Philips Semiconductors SAA7164 (rev 81)

It’s a Digital Now PCI-E card – as you can see there’s no mention of the brand in the chipset that the system can see, so you may have to make an educated guess (or do some research as to what’s actually used in the card) to determine which one you want. Making note of the above line, we now edit /boot/extlinux.conf:

vi /boot/extlinux.conf

In our example system it looks like this:

# location mbr
serial 0 115200
default xe
prompt 1
timeout 50

label xe
# XenServer
kernel mboot.c32
append /boot/xen.gz mem=1024G dom0_max_vcpus=4 dom0_mem=4096M,max:4096M watchdog_timeout=300 lowmem_emergency_pool=1M crashkernel=64M@32M cpuid_mask_xsave_eax=0 console=vga vga=mode-0x0311 --- /boot/vmlinuz-2.6-xen root=LABEL=root-ckwntldj ro xencons=hvc console=hvc0 console=tty0 quiet vga=785 splashi --- /boot/initrd-2.6-xen.img

label xe-serial
# XenServer (Serial)
kernel mboot.c32
append /boot/xen.gz com1=115200,8n1 console=com1,vga mem=1024G dom0_max_vcpus=4 dom0_mem=4096M,max:4096M watchdog_timeout=300 lowmem_emergency_pool=1M crashkernel=64M@32M cpuid_mask_xsave_eax=0 --- /boot/vmlinuz-2.6-xen root=LABEL=root-ckwntldj ro console=tty0 xencons=hvc console=hvc0 --- /boot/initrd-2.6-xen.img

label safe
# XenServer in Safe Mode
kernel mboot.c32
append /boot/xen.gz nosmp noreboot noirqbalance acpi=off noapic mem=1024G dom0_max_vcpus=4 dom0_mem=4096M,max:4096M com1=115200,8n1 console=com1,vga --- /boot/vmlinuz-2.6-xen nousb root=LABEL=root-ckwntldj ro console=tty0 xencons=hvc console=hvc0 --- /boot/initrd-2.6-xen.img

label fallback
# XenServer (Xen 4.1.5 / Linux 2.6.32.43-0.4.1.xs1.8.0.835.170778xen)
kernel mboot.c32
append /boot/xen-4.1.5.gz mem=1024G dom0_max_vcpus=4 dom0_mem=4096M,max:4096M watchdog_timeout=300 lowmem_emergency_pool=1M crashkernel=64M@32M cpuid_mask_xsave_eax=0 --- /boot/vmlinuz-2.6.32.43-0.4.1.xs1.8.0.835.170778xen root=LABEL=root-ckwntldj ro xencons=hvc console=hvc0 console=tty0 --- /boot/initrd-2.6.32.43-0.4.1.xs1.8.0.835.170778xen.img

label fallback-serial
# XenServer (Serial, Xen 4.1.5 / Linux 2.6.32.43-0.4.1.xs1.8.0.835.170778xen)
kernel mboot.c32
append /boot/xen-4.1.5.gz com1=115200,8n1 console=com1,vga mem=1024G dom0_max_vcpus=4 dom0_mem=4096M,max:4096M watchdog_timeout=300 lowmem_emergency_pool=1M crashkernel=64M@32M cpuid_mask_xsave_eax=0 --- /boot/vmlinuz-2.6.32.43-0.4.1.xs1.8.0.835.170778xen root=LABEL=root-ckwntldj ro console=tty0 xencons=hvc console=hvc0 --- /boot/initrd-2.6.32.43-0.4.1.xs1.8.0.835.170778xen.img


Rather an intimidating-looking file if you’re new to *nix config files. Fortunately, we can ignore most of this and just pay attention to the last line in the “label xe” section at the top. The line we want to edit is:

append /boot/xen.gz mem=1024G dom0_max_vcpus=4 dom0_mem=4096M,max:4096M watchdog_timeout=300 lowmem_emergency_pool=1M crashkernel=64M@32M cpuid_mask_xsave_eax=0 console=vga vga=mode-0x0311 --- /boot/vmlinuz-2.6-xen root=LABEL=root-ckwntldj ro xencons=hvc console=hvc0 console=tty0 quiet vga=785 splashi --- /boot/initrd-2.6-xen.img

Looking at the line we picked out of the lspci output above, we want the address at the front of it – in this case:

03:00.0

Add the following near the end of the config line, in between “splashi” and “---”:

pciback.hide=(03:00.0)

The line should now read:

append /boot/xen.gz mem=1024G dom0_max_vcpus=4 dom0_mem=4096M,max:4096M watchdog_timeout=300 lowmem_emergency_pool=1M crashkernel=64M@32M cpuid_mask_xsave_eax=0 console=vga vga=mode-0x0311 --- /boot/vmlinuz-2.6-xen root=LABEL=root-ckwntldj ro xencons=hvc console=hvc0 console=tty0 quiet vga=785 splashi pciback.hide=(03:00.0) --- /boot/initrd-2.6-xen.img

Note the space on either side – one between splashi and the new text and one between the hyphens and the new text. Now run:

extlinux -i /boot

Then shut down any VMs and reboot the server:

reboot
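The hand edit described above (find the address in lspci, insert pciback.hide=(…) before the last separator of the "label xe" append line, then run extlinux -i /boot and reboot) can be scripted so it cannot land in the wrong label or be applied twice. This is an added example, not code from the original article: function names, the shortened extlinux.conf and the lspci excerpt are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original article: apply the pciback.hide edit to
# the "label xe" append line of extlinux.conf exactly as described above, after
# checking that the address really is a device lspci reported. Function names,
# the shortened config and the lspci excerpt are constructed samples.

# Constructed excerpt of "lspci" output (two of the lines shown above).
SAMPLE_LSPCI='02:00.0 Ethernet controller: Intel Corporation 82574L Gigabit Network Connection
03:00.0 Multimedia controller: Philips Semiconductors SAA7164 (rev 81)'

# Constructed, shortened extlinux.conf with the same structure as the real one.
SAMPLE_CONF='# location mbr
default xe
prompt 1

label xe
# XenServer
kernel mboot.c32
append /boot/xen.gz mem=1024G dom0_mem=4096M,max:4096M console=vga --- /boot/vmlinuz-2.6-xen root=LABEL=root-ckwntldj ro quiet vga=785 splashi --- /boot/initrd-2.6-xen.img

label safe
# XenServer in Safe Mode
kernel mboot.c32
append /boot/xen.gz nosmp noreboot --- /boot/vmlinuz-2.6-xen nousb root=LABEL=root-ckwntldj ro --- /boot/initrd-2.6-xen.img'

# valid_bdf LSPCI_TEXT BDF: BDF must look like bb:dd.f and start an lspci line.
valid_bdf() {
    printf '%s\n' "$2" | grep -Eq '^[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]$' &&
        printf '%s\n' "$1" | grep -q "^$2 "
}

# add_pciback_hide CONF_TEXT BDF
# Prints CONF_TEXT with " pciback.hide=(BDF)" inserted before the last "---" of
# the "label xe" append line only (dom0 kernel parameters sit between the first
# and last separator). Other labels are untouched; a line that already carries
# pciback.hide is left alone, so the edit is safe to re-run.
add_pciback_hide() {
    printf '%s\n' "$1" | awk -v bdf="$2" '
        /^label / { in_xe = ($2 == "xe") }
        in_xe && /^append / && index($0, "pciback.hide=") == 0 {
            n = split($0, part, / +--- +/)
            if (n >= 3) {
                line = part[1]
                for (i = 2; i < n; i++) line = line " --- " part[i]
                $0 = line " pciback.hide=(" bdf ") --- " part[n]
            }
        }
        { print }'
}

# hide_device LSPCI_TEXT CONF_TEXT BDF: validate, then print the edited config.
hide_device() {
    valid_bdf "$1" "$3" || { echo "$3 is not a device listed by lspci" >&2; return 1; }
    add_pciback_hide "$2" "$3"
}
```

On the real host, "hide_device "$(lspci)" "$(cat /boot/extlinux.conf)" 03:00.0 > /tmp/extlinux.conf" produces the edited file to review and copy into place before running extlinux -i /boot as above.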

Once it is back up, we need to find the UUID of the virtual machine we want to pass the device through to. Run:

xe vm-list

This will return a result for every VM on the system – it might be quite long! If it is a long list you may wish to pipe it to the less command for easier viewing:

xe vm-list | less

If you aren’t familiar with less you can exit with the “q” key. Sort through the list until you find the VM you want to pass through to. In this example it is:

uuid ( RO)           : 6b664553-6822-b445-5a8c-c10d93c41c4c
     name-label ( RW): bacchus
    power-state ( RO): halted


Now we can add the PCI device to the config of this VM:

xe vm-param-set other-config:pci=0/0000:03:00.0 uuid=6b664553-6822-b445-5a8c-c10d93c41c4c

Breaking that down:

xe vm-param-set other-config:pci=0/0000:[PCI address for the device] uuid=[UUID of VM]

Starting the VM – in this case a Windows 7 VM – we can check for the device to see that it has appeared (in this case the drivers were already installed so it has been immediately identified):

[Screenshot: xenserver-passthrough-to-windows]

Success! In a Linux system you should be able to do:

lspci

to see the newly passed through hardware.

Source : http://www.sotechdesign.com.au/xenserver-6-2-how-to-set-up-passthrough-of-a-pci-or-pci-express-device/

How to Setup XenServer 6.x to Auto-Start Virtual Machines

Objective

In XenServer versions 6.x, the direct GUI ability to auto-start a Virtual Machine on the startup of XenServer was removed. This article describes how to set Virtual Machines to auto-start.

Requirements

XenServer version 6.x

Background

In XenServer 6.x, the auto-start functionality was removed because it interfered with High Availability (HA) and produced unexpected results during HA functions.

Instructions

Setting the XenServer to allow Auto-Start

  1. Gather the UUIDs of the pools you wish to auto-start.
  2. To get the list of the pools on your XenServer, run “xe pool-list”.
  3. Copy the UUID of the pool. If you have just one server, it will still have a pool UUID, as shown in the following screenshot:

    [Screenshot omitted]
  4. Then type the following command to set the pool or server to allow auto-start:
    xe pool-param-set uuid=UUID other-config:auto_poweron=true
    Note: Replace UUID with the UUID of the XenServer or pool.

Setting the Virtual Machines to Auto-Start

  1. Gather the UUIDs of the Virtual Machines you want to auto-start by running xe vm-list.
    Note: This generates a list of the Virtual Machines in your pool or server and their associated UUIDs.
  2. Copy the UUID of each Virtual Machine you want to auto-start, and run the following command for each one:
    xe vm-param-set uuid=UUID other-config:auto_poweron=true
    Note: Replace UUID with the UUID of the Virtual Machine to auto-start.

Source : http://support.citrix.com/article/CTX133910
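Both xe procedures on this page (the passthrough article's xe vm-param-set other-config:pci step and the auto-start steps just above) start by copying a VM UUID out of xe vm-list by hand. The following is an added example, not code from either article: it resolves a VM's UUID from the xe vm-list record format shown in the passthrough article and then issues the parameter change. Function names and the sample records are constructed, and XE may point at a stand-in command in place of the real xe for testing.

```shell
#!/bin/sh
# Added example, not from either XenServer article: parse "xe vm-list" record
# output (the format shown in the passthrough article) to find a VM's UUID by
# name-label, then issue the vm-param-set calls for the passthrough and
# auto-start steps. Function names and the sample records are constructed.

# Constructed "xe vm-list" output: one record per paragraph, blank-line separated.
SAMPLE_VM_LIST='uuid ( RO)           : 6b664553-6822-b445-5a8c-c10d93c41c4c
     name-label ( RW): bacchus
    power-state ( RO): halted


uuid ( RO)           : 11111111-2222-3333-4444-555555555555
     name-label ( RW): Control domain on host: xen01
    power-state ( RO): running'

# xe_vm_uuid_by_name LIST_TEXT NAME_LABEL
# Prints the uuid of the record whose name-label equals NAME_LABEL exactly.
# Values are taken after the first ": " so labels containing colons survive.
xe_vm_uuid_by_name() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { RS = ""; FS = "\n" }
        {
            uuid = ""; name = ""
            for (i = 1; i <= NF; i++) {
                line = $i; sub(/^ +/, "", line)
                key = line; sub(/ *\(.*/, "", key)
                val = line; sub(/^[^:]*: */, "", val)
                if (key == "uuid") uuid = val
                if (key == "name-label") name = val
            }
            if (name == want) { print uuid; exit }
        }'
}

# vm_uuid_or_fail NAME_LABEL: resolve a name against the live "xe vm-list".
vm_uuid_or_fail() {
    uuid="$(xe_vm_uuid_by_name "$(${XE:-xe} vm-list)" "$1")"
    [ -n "$uuid" ] || { echo "no VM with name-label '$1'" >&2; return 1; }
    printf '%s\n' "$uuid"
}

# passthrough_pci NAME_LABEL BDF: the other-config:pci=0/0000:<BDF> step.
passthrough_pci() {
    uuid="$(vm_uuid_or_fail "$1")" || return 1
    ${XE:-xe} vm-param-set "uuid=$uuid" "other-config:pci=0/0000:$2"
}

# autostart_vm NAME_LABEL: the other-config:auto_poweron=true step.
autostart_vm() {
    uuid="$(vm_uuid_or_fail "$1")" || return 1
    ${XE:-xe} vm-param-set "uuid=$uuid" other-config:auto_poweron=true
}
```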