mikaela.github.io/_posts/2015-06-12-ufw.md

---
layout: post
comments: true
title: "My ufw (Ubuntu/Uncomplicated Firewall) config"
category: [english]
tags: [english]
redirect_from: /ufw/
---

*This post describes my UFW config and is here so I find it from somewhere
 and with hope that I am told if someone notices something terriby insecure
 here and is able to offer suggestions.*

Having firewall is important as you aren't always in your trusted home
network and with IPv6 your devices have public IPv6 addresses.

This post first has list of commands, then explanations.

```
ufw limit 22
ufw default deny incoming
ufw default allow outgoing
systemctl enable ufw && systemctl start ufw
ufw enable
ufw allow 113
ufw allow 631
ufw allow 5060
ufw allow 5353/udp
ufw allow 17500/tcp
ufw allow 60000:61000/udp
```

* 22/ssh — Prevent more than 6 connections in 30 seconds to the SSH port
  and it's the first command as you don't want to lock yourself out of
  your host when you enable the firewall.
* Deny incoming connections unless the port has been whitelisted.
* Allow all outgoing connections, keeping list of authorized ports would be
  too much for me.
* Start ufw on boot and now (I am not sure if this step is required, but
  better safe than sorry).
* Put the firewall in force.
* 113/ident — Allow identd to be reached, probably all my hosts run it for
  IRC.
    * If some host doesn't run it use `ufw reject 113` so the IRC server
      asking for your ident is replied "Connection refused" and the
      connecting happens faster as you aren't force to wait for timeout.
        * I am not sure if this is faster than running ident, but my
          recommendation is to allow it if you run it and otherwise reject.
          Deny forces you to wait for timeout as your firewall says
          nothing.
* 631/cups — Allow access to cups for printer sharing
* 5060/sip — VoIP, in this case Linphone
* 5353/mdns/Avahi — used for `.local` addresses
* 17500/Dropbox — which I use everywhere
* 60000:61000/mosh — I feel this is the most insecure part of this setup
  and there should be something bettter instead of this.

*If some host doesn't run some of the mentioned service, it's not open in
the firewall.*
blog: ufw closes #58 2015-06-12 18:06:17 +02:00			`---`
			`layout: post`
			`comments: true`
			`title: "My ufw (Ubuntu/Uncomplicated Firewall) config"`
			`category: [english]`
			`tags: [english]`
			`redirect_from: /ufw/`
			`---`

			`*This post describes my UFW config and is here so I find it from somewhere`
			`and with hope that I am told if someone notices something terriby insecure`
			`here and is able to offer suggestions.*`

			`Having firewall is important as you aren't always in your trusted home`
			`network and with IPv6 your devices have public IPv6 addresses.`

			`This post first has list of commands, then explanations.`

			```
			`ufw limit 22`
			`ufw default deny incoming`
			`ufw default allow outgoing`
			`systemctl enable ufw && systemctl start ufw`
			`ufw enable`
			`ufw allow 113`
			`ufw allow 631`
ufw: add linphone 2015-06-28 12:27:20 +02:00			`ufw allow 5060`
blog: ufw closes #58 2015-06-12 18:06:17 +02:00			`ufw allow 5353/udp`
			`ufw allow 17500/tcp`
			`ufw allow 60000:61000/udp`
			```

			`* 22/ssh — Prevent more than 6 connections in 30 seconds to the SSH port`
			`and it's the first command as you don't want to lock yourself out of`
			`your host when you enable the firewall.`
			`* Deny incoming connections unless the port has been whitelisted.`
			`* Allow all outgoing connections, keeping list of authorized ports would be`
			`too much for me.`
			`* Start ufw on boot and now (I am not sure if this step is required, but`
			`better safe than sorry).`
			`* Put the firewall in force.`
			`* 113/ident — Allow identd to be reached, probably all my hosts run it for`
			`IRC.`
ufw: tell users who don't run identd to reject 113 2015-07-06 14:26:49 +02:00			* If some host doesn't run it use `ufw reject 113` so the IRC server
			`asking for your ident is replied "Connection refused" and the`
			`connecting happens faster as you aren't force to wait for timeout.`
			`* I am not sure if this is faster than running ident, but my`
			`recommendation is to allow it if you run it and otherwise reject.`
			`Deny forces you to wait for timeout as your firewall says`
			`nothing.`
blog: ufw closes #58 2015-06-12 18:06:17 +02:00			`* 631/cups — Allow access to cups for printer sharing`
ufw: add linphone 2015-06-28 12:27:20 +02:00			`* 5060/sip — VoIP, in this case Linphone`
blog: ufw closes #58 2015-06-12 18:06:17 +02:00			* 5353/mdns/Avahi — used for `.local` addresses
			`* 17500/Dropbox — which I use everywhere`
			`* 60000:61000/mosh — I feel this is the most insecure part of this setup`
			`and there should be something bettter instead of this.`

			`*If some host doesn't run some of the mentioned service, it's not open in`
			`the firewall.*`