11.4. Packet filter with Univention Firewall

Univention Firewall integrates a packet filter based on iptables in Univention Corporate Server.

It permits targeted filtering of undesired services and the protection of computers during installations. Furthermore, it provides the basis for complex scenarios, such as firewall rules and application level gateways. All UCS installations include Univention Firewall as standard.

By default, UCS blocks all incoming ports. Every UCS package ships rules that open the ports the package requires. You primarily configure firewall rules through Univention Configuration Registry variables. For information about the definition of packet filter rules, see Network packet filter in Univention Developer Reference [3].

In addition, the /etc/security/packetfilter.d/ directory contains scripts with firewall rules. The names of all scripts begin with two digits, which defines the order in which they run. The scripts require the executable bit so that UCS can run them.

After changing the packet filter settings, you need to restart the univention-firewall service.

You can deactivate Univention Firewall by setting the Univention Configuration Registry Variable security/packetfilter/disabled to true.
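The following script is an added, constructed example of a rule script for /etc/security/packetfilter.d/; it is not part of UCS or of any Univention package. It follows the conventions stated above (two-digit prefix, executable bit) and opens one TCP port, optionally restricted to a source network. The file name 50_example_webapp.sh, port 8080, the helper allow_tcp_port and the IPTABLES override used for dry runs are all assumptions made for this example.

```shell
#!/bin/sh
# Constructed example: /etc/security/packetfilter.d/50_example_webapp.sh
# Opens a TCP port for a hypothetical web application. Not shipped by UCS.
#
# IPTABLES can be overridden (e.g. IPTABLES=echo) to print the rules
# instead of applying them, which is useful for reviewing a script before
# restarting univention-firewall.
IPTABLES="${IPTABLES:-iptables}"

# allow_tcp_port PORT [SOURCE_CIDR]
# Appends an ACCEPT rule for incoming TCP traffic to PORT. If SOURCE_CIDR is
# given, only that network is allowed, which keeps the opened port as narrow
# as the service actually needs. Returns 1 for an invalid port so a typo
# cannot silently open nothing (or the wrong thing).
allow_tcp_port() {
    port="$1"
    src="${2:-}"
    case "$port" in
        ''|*[!0-9]*)
            echo "allow_tcp_port: invalid port '$port'" >&2
            return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "allow_tcp_port: port out of range '$port'" >&2
        return 1
    fi
    if [ -n "$src" ]; then
        "$IPTABLES" -A INPUT -p tcp --dport "$port" -s "$src" -j ACCEPT
    else
        "$IPTABLES" -A INPUT -p tcp --dport "$port" -j ACCEPT
    fi
}

# The rules this script contributes. Restricting to the internal network
# 10.0.0.0/8 is a constructed sample value.
apply_rules() {
    allow_tcp_port 8080 10.0.0.0/8
}

# Only apply when executed as this rule script by univention-firewall;
# when the file is sourced elsewhere (for example for testing) nothing runs.
case "$0" in
    */50_example_webapp.sh) apply_rules ;;
esac
```

After placing the script, set the executable bit (`chmod +x /etc/security/packetfilter.d/50_example_webapp.sh`) and restart the univention-firewall service as described above. For a single port without a source restriction, the Univention Configuration Registry route described above is simpler than a script; the exact variable names are given in the Developer Reference referenced on this page and are not reproduced here.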

See also

netfilter/iptables project homepage - Documentation about netfilter/iptables project
    for an overview of the available documentation for iptables.

Iptables Tutorial
    a tutorial about iptables by Oscar Andreasson.

iptables(8) manpage
    for information about the configuration of firewall rules with iptables.

Packet Filtering HOWTO
    for a how-to about packet filtering with iptables.