Firewall Usage
Firewall Support
The standard firmware released by Neardi typically does not meet the requirements for running ufw. If needed, you can enable the relevant kernel configurations using the SDK, recompile, and flash the kernel to support ufw.
The following example is based on Neardi Ubuntu 20.04; the kernel configuration part applies regardless of the OS image.
Check Kernel Configuration
cd kernel
ARCH=arm64 make menuconfig
Enable the following configurations in the kernel for network filtering and firewall support:
CONFIG_NETFILTER: This is the basic framework for network filtering and must be enabled.
CONFIG_NF_CONNTRACK: Enable network connection tracking support.
CONFIG_NETFILTER_XT_*: Enable various netfilter extensions, including mark, addrtype, conntrack, etc.
CONFIG_IP_VS_*: Enable IP Virtual Server support for load balancing.
CONFIG_IP_NF_IPTABLES: Enable iptables support.
CONFIG_IP_NF_FILTER: Enable IP packet filtering.
CONFIG_IP_NF_NAT: Enable Network Address Translation (NAT) support.
CONFIG_IP_NF_TARGET_*: Enable various iptables targets such as MASQUERADE, NETMAP, REDIRECT, etc.
CONFIG_BRIDGE: If you are using bridge networking, this option should also be enabled.
In make menuconfig, you can use the / key to search for the above configurations and follow the prompts to enable them. Ensure all related configurations are marked as <*> (built into the kernel) or
Save the kernel configuration:
ARCH=arm64 make savedefconfig
This writes a defconfig file in the current (kernel) directory.
Replace the config:
cp defconfig arch/arm64/configs/rockchip_linux_defconfig
Then return to the SDK root directory and build the kernel:
cd ..
./build.sh kernel
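Before flashing the rebuilt kernel, or before running ufw on a board whose kernel you did not build, it is worth confirming that the required options really are present. The following check script is an added example, not part of the Neardi documentation: the option list is taken from the page's own list and defconfig, the sample config it writes is constructed, and it can be pointed at the saved defconfig in the SDK or at the running kernel's /proc/config.gz (which only exists when the kernel was built with CONFIG_IKCONFIG_PROC).

```shell
#!/bin/sh
# Added example (not from the Neardi documentation): check a kernel config
# for the netfilter options listed above before flashing the kernel or
# running `ufw enable`. Works on the saved defconfig in the SDK
# (kernel/defconfig or kernel/arch/arm64/configs/rockchip_linux_defconfig)
# and on a running kernel:  zcat /proc/config.gz > /tmp/config
# (/proc/config.gz exists only when built with CONFIG_IKCONFIG_PROC).

# Options taken from the page's list and defconfig. IPv6 table options are
# deliberately absent: the page's defconfig builds IPv4 filtering only.
REQUIRED_OPTIONS="
CONFIG_NETFILTER
CONFIG_NF_CONNTRACK
CONFIG_NETFILTER_XT_MARK
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE
CONFIG_NETFILTER_XT_MATCH_CONNTRACK
CONFIG_NETFILTER_XT_MATCH_LIMIT
CONFIG_NETFILTER_XT_MATCH_MULTIPORT
CONFIG_NETFILTER_XT_TARGET_LOG
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_NAT
CONFIG_IP_NF_MANGLE
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_IP_NF_TARGET_REDIRECT
"

# list_missing_options FILE
# Prints one required option per line that is neither =y (built in) nor =m
# (module). "# CONFIG_X is not set" and absent symbols both count as missing.
list_missing_options() {
    for opt in $REQUIRED_OPTIONS; do
        grep -Eq "^${opt}=(y|m)$" "$1" || echo "$opt"
    done
}

# count_missing_options FILE: number of missing options as a bare integer
# (the `|| :` keeps the status 0 when grep -c reports 0 matches).
count_missing_options() {
    list_missing_options "$1" | { grep -c . || :; }
}

# check_kernel_config FILE: human-readable report; exit status 0 only when
# every required option is present.
check_kernel_config() {
    missing=$(list_missing_options "$1")
    if [ -n "$missing" ]; then
        printf '%s: missing netfilter options:\n%s\n' "$1" "$missing"
        return 1
    fi
    echo "$1: all required netfilter options present"
}

# Constructed sample config (not a real board's config) with most options
# missing, used to show the report format when no file is given.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
CONFIG_IP_NF_IPTABLES=y
EOF

if [ -n "${1:-}" ]; then
    check_kernel_config "$1"
else
    # Demonstration against the constructed sample; its non-zero status is
    # expected and therefore not propagated.
    check_kernel_config "$SAMPLE_CONFIG" || :
fi
```

Run it as `sh check-netfilter-config.sh kernel/defconfig` after `make savedefconfig`, or on the booted board against a decompressed /proc/config.gz; a non-zero exit status means at least one option is missing and ufw will not be able to load its rule set.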
If you are not familiar with menuconfig, you can instead edit the defconfig file directly as shown in the following diff (verified on RK3568):
+++ b/kernel/arch/arm64/configs/rockchip_linux_defconfig
@@ -99,13 +99,21 @@ CONFIG_SYN_COOKIES=y
# CONFIG_IPV6_SIT is not set
CONFIG_NETFILTER=y
+CONFIG_BRIDGE_NETFILTER=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_FTP=y
+CONFIG_NF_CONNTRACK_TFTP=y
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+CONFIG_NETFILTER_XT_MATCH_IPVS=y
+CONFIG_IP_VS=y
+CONFIG_IP_VS_PROTO_TCP=y
+CONFIG_IP_VS_PROTO_UDP=y
+CONFIG_IP_VS_RR=y
+CONFIG_IP_VS_NFCT=y
+CONFIG_NETFILTER_NETLINK_ACCT=y
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NETFILTER_NETLINK_OSF=y
CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_NETDEV=y
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_TARGET_LOG=y
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_IPVS=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_IP_VS=y
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_MANGLE=y
+CONFIG_BRIDGE=y
+CONFIG_CGROUP_NET_PRIO=y
CONFIG_CAN=y
CONFIG_CAN_ROCKCHIP=y
CONFIG_CANFD_ROCKCHIP=y
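Review bot: the hunk header `@@ -99,13 +99,21 @@` does not match the body (17 unchanged and 28 added lines are shown) and the `--- a/kernel/arch/arm64/configs/rockchip_linux_defconfig` line before `+++ b/...` is missing, so `patch` and `git apply` will reject this; regenerate it with `git diff` rather than editing the diff by hand. Several added lines also duplicate options that already appear as unchanged context a few lines further down, for example `+CONFIG_NF_CONNTRACK=y` directly above `CONFIG_NF_CONNTRACK=y`, and likewise CONFIG_NF_CONNTRACK_FTP, CONFIG_NF_CONNTRACK_TFTP, CONFIG_NETFILTER_XT_MARK, the three CONFIG_NETFILTER_XT_MATCH_* entries, CONFIG_IP_VS and its two PROTO options; drop the duplicates so the file stays readable and matches what `make savedefconfig` emits. Worth stating next to the diff: no IPv6 netfilter option is added here, so the resulting kernel filters IPv4 only, which is consistent with the IPV6=no setting in the ufw section below.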
Install UFW
sudo apt install ufw
In the /etc/default/ufw configuration file, change IPV6=yes to IPV6=no.
# /etc/default/ufw
#
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
-IPV6=yes
+IPV6=no
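Review bot: the comment kept just above the changed line says the new value only takes effect after the firewall is disabled and enabled again, so the instruction should tell the reader to run `sudo ufw disable` followed by `sudo ufw enable` (or to make this edit before the first `ufw enable`) rather than leaving the edit on its own. The same comment states that with `IPV6=no` only IPv6 on loopback is accepted, so this setting should be revisited if any service on the board must be reachable over IPv6.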
Basic Commands
Check UFW status:
sudo ufw status
Enable UFW:
sudo ufw enable
Disable UFW:
sudo ufw disable
Allow a specific port:
sudo ufw allow PORT_NUMBER
Deny a specific port:
sudo ufw deny PORT_NUMBER
Allow a specific IP address:
sudo ufw allow from IP_ADDRESS
Deny a specific IP address:
sudo ufw deny from IP_ADDRESS
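On a board that is exposed to the network, the individual commands above are usually combined into a default-deny baseline that can be reviewed before it is applied. The script below is an added example, not part of the Neardi documentation or of ufw itself; the SSH port 22, the service port 8080 and the management host 192.0.2.10 (an RFC 5737 documentation address) are assumed placeholders, and the `review` mode only prints the ufw commands it would run.

```shell
#!/bin/sh
# Added example (not from the Neardi documentation): apply a default-deny
# ufw baseline to the board as one reviewable unit rather than one rule at
# a time. Assumed placeholders, not values from the page: SSH on 22/tcp and
# a service on 8080/tcp that only the management host 192.0.2.10 may reach.
#
# Usage:  sh ufw-baseline.sh review        # print the commands, change nothing
#         sudo sh ufw-baseline.sh apply    # run them on the board

UFW=${UFW:-ufw}
ADMIN_HOST=${ADMIN_HOST:-192.0.2.10}

# run CMD...: print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ufw_baseline: deny everything inbound by default, allow outbound, keep SSH
# reachable but rate-limited, expose 8080 to the admin host only, log denied
# packets at the lowest rate, then enable without the interactive prompt.
# ufw skips rules that already exist, so rerunning this is safe.
ufw_baseline() {
    run $UFW default deny incoming
    run $UFW default allow outgoing
    # limit: a source that opens 6 or more connections within 30 s is denied
    run $UFW limit 22/tcp
    run $UFW allow from "$ADMIN_HOST" to any port 8080 proto tcp
    run $UFW logging low
    run $UFW --force enable
    run $UFW status verbose
}

# ufw_baseline_commands: the same sequence as text, for review or for
# diffing against a previously approved baseline. Runs in a subshell so the
# DRY_RUN setting does not leak into the caller.
ufw_baseline_commands() {
    ( DRY_RUN=1; ufw_baseline )
}

case "${1:-}" in
    review) ufw_baseline_commands ;;
    apply)  ufw_baseline ;;
esac
```

Keep the output of `review` mode under version control next to the board image; a later `review` run diffed against it shows at a glance whether the baseline on a deployed board has drifted from what was approved.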
For more advanced features and commands of UFW, refer to: https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands