Specsheet

ufw — Uncomplicated Firewall rules

The ufw check lists the rules defined in Uncomplicated Firewall (ufw), and asserts that rules are present or missing.

Examples

Check that the firewall has a rule allowing incoming HTTPS (TCP port 443) from anywhere:

[[ufw]]
port = 443
protocol = 'tcp'
allow = 'Anywhere'

List of parameters

parameter   structure           description
port        number, or string   The port, or range of ports, to check.
protocol    string              The protocol of the rule. This can be 'tcp' or 'udp'.
state       string              The state of the rule. This can be 'present' or 'missing'.
allow       string              Whether the rule is for allowing or denying.
ipv6        boolean             Whether to check for IPv6.

Running ufw as root

Ordinary users aren't allowed to see the table of firewall rules: ufw status only works when run as root. This causes problems for Specsheet, which runs the programs it checks as the same user that runs Specsheet itself.

You can work around this using global options. Either run ufw with sudo separately and point Specsheet at a file containing its output:

$ sudo ufw status > /tmp/ufw_status
$ specsheet spec.toml -O ufw.output=/tmp/ufw_status
$ rm /tmp/ufw_status

Only ufw runs as root here: the redirection is performed by your own shell, so the file is created and owned by your user, and Specsheet itself never needs elevated privileges. The file is a snapshot of the rules at that moment, so re-run the sudo step after changing them.

Or, if ufw is the only program whose output is being overridden (standard input can only be handed to one check), you can avoid creating a temporary file and pipe its output in directly:

$ sudo ufw status | specsheet spec.toml -O ufw.output=-
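To make concrete what the ufw check compares against the captured output, here is an added example (not Specsheet's own code) that re-implements the present/missing test for a port, protocol, action, source and IPv6 flag in plain POSIX shell and awk. It reads the status text on standard input, the same shape of input that -O ufw.output=- provides, and runs over a constructed ufw status table so that it works offline. The function names and the sample table are this example's own.

```shell
#!/bin/sh
# Added example, not Specsheet's own code: a small re-implementation of what
# the ufw check compares, run over captured `ufw status` output. It reads the
# status text on stdin, so it accepts the same input as `-O ufw.output=-`.
# The status table below is constructed for this example.

SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
53/udp                     DENY        10.0.0.0/8
22/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'

# ufw_status_active: succeed only if the first line reports an active firewall.
# An inactive firewall prints no table at all, so without this check every
# rule would simply look "missing" while traffic is in fact unfiltered.
ufw_status_active() {
    head -n 1 | grep -q '^Status: active$'
}

# ufw_rule_present PORT PROTO ACTION FROM IPV6
#   PORT and PROTO form the "To" column (443 tcp -> "443/tcp"),
#   ACTION is the action as ufw prints it (ALLOW, DENY, ...),
#   FROM is the "From" column (Anywhere, 10.0.0.0/8, ...),
#   IPV6 is true/false and selects the "(v6)" variant of the rule.
#   Returns 0 when exactly such a row exists in the table on stdin.
ufw_rule_present() {
    to="$1/$2"
    action=$3
    from=$4
    if [ "$5" = true ]; then
        to="$to (v6)"
        from="$from (v6)"
    fi
    awk -v to="$to" -v action="$action" -v from="$from" '
        /^--/ { body = 1; next }      # the dashes under the header start the rules
        !body { next }                # skip "Status:", the blank line and the header
        {
            # Columns are padded with runs of spaces, but one column may itself
            # contain a single space ("443/tcp (v6)", "Anywhere (v6)"), so split
            # on two or more spaces rather than on any whitespace.
            n = split($0, f, /  +/)
            if (n >= 3 && f[1] == to && f[2] == action && f[3] == from) {
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# ufw_rule_missing: the state = "missing" counterpart.
ufw_rule_missing() {
    ! ufw_rule_present "$@"
}

# Stand-alone run over the constructed sample. Against a real host the input
# would be `sudo ufw status`, captured as shown on this page.
printf '%s\n' "$SAMPLE_STATUS" | ufw_status_active || { echo 'firewall inactive'; exit 1; }
printf '%s\n' "$SAMPLE_STATUS" | ufw_rule_present 443 tcp ALLOW Anywhere false \
    && echo '443/tcp ALLOW Anywhere: present'
printf '%s\n' "$SAMPLE_STATUS" | ufw_rule_missing 8080 tcp ALLOW Anywhere false \
    && echo '8080/tcp: missing, as required'
```

Two details matter when parsing this table by hand: the columns are separated by runs of spaces while a single column can contain one space in the "(v6)" suffix, so splitting on whitespace alone would break the IPv6 rows; and "Status: inactive" produces no table, which a naive "rule missing" test would happily report as success.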