ufw

Comment 4 for bug 1475676

TomvB (tomvb) wrote :

With LXD it is important to fix:

 $ cd /etc/ufw
 $ sudo sed 's/-j LOG --log-prefix/-j NFLOG --nflog-prefix/' -i.bak user.rules
 $ sudo sed 's/-j LOG --log-prefix/-j NFLOG --nflog-prefix/' -i.bak user6.rules

Please add NFLOG support.
Unprivileged containers don't have a /dev/kmsg device and access to /proc/kmsg is blocked by the kernel.

### LOGGING ###
-A ufw-after-logging-input -j NFLOG --nflog-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j NFLOG --nflog-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j NFLOG --nflog-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j NFLOG --nflog-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###

### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j NFLOG --nflog-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###

How can I replace the rules in after.rules?
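The same LOG-to-NFLOG rewrite, as an added example that is not part of the bug report or of ufw itself: a POSIX shell function that converts one rules file in place (keeping a .bak copy, reporting how many rules changed, and doing nothing on a second run), plus a driver that applies it to after.rules and after6.rules in the same way as user.rules and user6.rules. The function names and the four-file list are assumptions; only the "-j LOG --log-prefix" form shown above is rewritten.

```shell
#!/bin/sh
# Rewrite ufw's kernel-logging rules (-j LOG) as NFLOG rules so that logging
# keeps working inside an unprivileged LXD container, which cannot reach
# /dev/kmsg or /proc/kmsg. Example code, not shipped with ufw.

# Convert one rules file in place, keeping FILE.bak.
# Prints the number of rules converted (0 when nothing was left to convert).
convert_log_to_nflog() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "no such file: $file" >&2
        return 1
    fi
    # grep -c exits 1 when there are no matches; keep the "0" it prints.
    before=$(grep -c -- '-j LOG --log-prefix' "$file" || true)
    if [ "$before" -eq 0 ]; then
        echo 0
        return 0
    fi
    sed -i.bak 's/-j LOG --log-prefix/-j NFLOG --nflog-prefix/' "$file"
    after=$(grep -c -- '-j LOG --log-prefix' "$file" || true)
    echo $((before - after))
}

# Convert every rules file ufw loads from DIR (default /etc/ufw).
# Per-file progress goes to stderr; the total goes to stdout.
convert_ufw_dir() {
    dir="${1:-/etc/ufw}"
    total=0
    for name in user.rules user6.rules after.rules after6.rules; do
        [ -f "$dir/$name" ] || continue
        n=$(convert_log_to_nflog "$dir/$name")
        echo "$name: $n rule(s) converted" >&2
        total=$((total + n))
    done
    echo "$total"
}

# Run against a directory only when one is given, e.g.: sh nflog.sh /etc/ufw
if [ "$#" -gt 0 ]; then
    convert_ufw_dir "$1"
fi
```

After the rewrite run `ufw reload`; NFLOG packets are delivered over netlink rather than to the kernel log, so a userspace collector such as ulogd2 has to be listening on the nflog group or the rules will match but nothing is recorded.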