IPsets with UFW

This is an example that lets you use UFW (https://wiki.ubuntu.com/UncomplicatedFirewall) and IPsets to dynamically whitelist IPs for a common host-based firewall.

This is achieved in only a few steps:

Install the Knocknoc Agent on the UFW host and enrol it into the Knocknoc server. Follow these steps.
Edit the IPSet names, as you will likely want others (knoc_ssh/knoc_https are created by default). Do this by editing /opt/knocknoc-agent/etc/ipset.list and then restarting with systemctl restart create-ipsets
Edit your UFW rules files to make use of the IPSets (/etc/ufw/after.rules).
You're done!

1. Install the Knocknoc Agent

Install the Knocknoc Agent, which creates basic IPSets for you along with a startup script to initiate them on boot. These IPSets are editable as noted above.

2. Integrating IPset with UFW

For integrating the ipset with UFW, you will typically use direct iptables rules. However, UFW does not directly support ipset in its regular configuration files, so you'll have to add these rules in the after.rules file for them to be applied with UFW.

Add Rules to UFW's after.rules

Edit the /etc/ufw/after.rules file to add your custom iptables rules referencing the ipset.

# At the end of /etc/ufw/after.rules

-A ufw-after-input -m set --match-set knocknoc src -p tcp --dport 22 -j ACCEPT

COMMIT

This rule will allow SSH connections on port 22 for IP addresses that are in the knocknoc IPset.

Notes and Considerations

Testing: Always test firewall and startup scripts in a controlled environment before deploying them on a production server. "Cutting your hands off" is too easy if you are not careful! Try it first with a port other than SSH, eg: 8000, and use Netcat in listen mode to verify access.
Order of Execution: The systemd script needs to execute before UFW starts, hence the Before=ufw.service directive. Ensure that the network is available before the script runs.

With this setup, your system will create and populate the ipset at startup, and UFW will utilize these sets to allow traffic as specified. This approach provides a balance between the simplicity of UFW and the power of ipset and iptables. Always ensure to test and verify your configuration in a safe environment before applying it to a live system.

Use cases (overview)

SSH

FortiOS, FortiProxy, Palo Alto, or SSL VPN

VPN and ransomware

High security subnets and JIT network access

Financial services data partner, secure web upload

Web applications (layer-7 filtering)

Remote desktop, simple small business example

Firewall Manager access (IT MSP)

Ivanti Connect Secure

Video

VOIP

AWS infrastructure

Azure Portal

Licensing Knocknoc

SaaS deployment

Server installation (on premise)

Agent installation

Knocker - a cli utility for agents

Knocknoc client (scriptable login)

Create users

Create groups

Admins

Settings

Updates and upgrades

BYO PostgreSQL

Allowlist (EDLs)

IPSet (Linux Netfilter/IPTables)

Palo Alto

Fortigate Address Groups (Fortinet)

FortiManager

Cisco (SFMC/Firepower)

Sophos (UTM)

Sophos (SFOS/XGS)

Juniper SRX

HAProxy

HAProxy + KAT

Microsoft Entra

Microsoft Azure NSG

AWS (EC2) Security Groups

AWS WAF Ipset

IPsets with UFW

IPsets with Shorewall

Mikrotik RouterOS

Nginx

Apache Webserver

Custom Script

Local Authentication (MFA included)

SAML

SAML principles and terms

SAML with EntraID (Azure AD)

SAML with OKTA

SAML with Gsuite as IDP

SAML with Jumpcloud

SAML for the Admin Interface

SAML with Keycloak

SAML with CyberArk

SAML with Authentik

Knocknoc with ADFS

LDAP

Grant and revoke process

Click to grant/revoke

Grant duration (access period override)

Auto-browse Knocs

VPNs, internal addresses and access

Additional client IP addresses

LOOTOTL - Last One Out Turn Off The Lights

User authentication

Manage user sessions

Allowlist/EDL access

Agent registration

Time for NTP

LDAP troubleshooting tips

Knocknoc server behind HAProxy

HAProxy tips and tricks

Debugging & log levels

IPsets with UFW

1. Install the Knocknoc Agent

2. Integrating IPset with UFW

Add Rules to UFW's after.rules