2015-06-12 18:06:17 +02:00
|
|
|
---
|
|
|
|
|
layout: post
|
|
|
|
|
comments: true
|
|
|
|
|
title: "My ufw (Ubuntu/Uncomplicated Firewall) config"
|
|
|
|
|
category: [english]
|
|
|
|
|
tags: [english]
|
|
|
|
|
redirect_from: /ufw/
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
*This post describes my UFW config and is here so I find it from somewhere
|
|
|
|
|
and with hope that I am told if someone notices something terriby insecure
|
|
|
|
|
here and is able to offer suggestions.*
|
|
|
|
|
|
|
|
|
|
Having firewall is important as you aren't always in your trusted home
|
|
|
|
|
network and with IPv6 your devices have public IPv6 addresses.
|
|
|
|
|
|
2017-05-27 11:00:07 +02:00
|
|
|
*Threat model: service I am not aware of or that I accidentally make
|
|
|
|
|
listen wider than intended and with UFW I am aware of what ports are
|
|
|
|
|
allowed. I assume any host is going to move randomly and not
|
|
|
|
|
whitelisting only from certain addresses as that address can be
|
|
|
|
|
encountered anywhere.*
|
|
|
|
|
|
2015-06-12 18:06:17 +02:00
|
|
|
This post first has list of commands, then explanations.
|
|
|
|
|
|
|
|
|
|
```
|
2015-09-19 12:46:51 +02:00
|
|
|
ufw allow 22/tcp
|
2015-06-12 18:06:17 +02:00
|
|
|
ufw default deny incoming
|
|
|
|
|
ufw default allow outgoing
|
|
|
|
|
systemctl enable ufw && systemctl start ufw
|
|
|
|
|
ufw enable
|
2015-09-01 07:38:39 +02:00
|
|
|
ufw reject 113/tcp
|
2017-05-27 11:00:07 +02:00
|
|
|
ufw allow 631
|
|
|
|
|
ufw allow 5353/udp
|
2015-09-23 08:37:32 +02:00
|
|
|
ufw allow from 172.16.0.0/16 to any port 9091 proto tcp
|
2015-06-12 18:06:17 +02:00
|
|
|
ufw allow 60000:61000/udp
|
|
|
|
|
```
|
|
|
|
|
|
2017-05-27 11:00:07 +02:00
|
|
|
* 22 TCP/ssh — Allow acces to SSHd you don't want to lock yourself out.
|
2015-09-19 12:46:51 +02:00
|
|
|
* previously I used `ufw limit` but it seems to be too oversensitive,
|
|
|
|
|
just use SSHGuard.
|
2015-06-12 18:06:17 +02:00
|
|
|
* Deny incoming connections unless the port has been whitelisted.
|
2015-09-06 12:04:16 +02:00
|
|
|
* Allow all outgoing connections, keeping list of authorized ports would
|
|
|
|
|
be too much for me.
|
2015-06-12 18:06:17 +02:00
|
|
|
* Start ufw on boot and now (I am not sure if this step is required, but
|
|
|
|
|
better safe than sorry).
|
|
|
|
|
* Put the firewall in force.
|
2015-09-01 07:38:39 +02:00
|
|
|
* 113 TCP/ident — Tell "Connection refused" to whoever tries to reach port
|
|
|
|
|
113. This makes ident checking IRC servers connect faster as they don't
|
|
|
|
|
have to timeout. If you run shell server (for IRC purpouses) you should
|
2017-05-27 11:00:07 +02:00
|
|
|
allow this instead. And if you don't use IRC or don't care about having
|
|
|
|
|
to wait for the check to timeout, don't do this as you may leave
|
|
|
|
|
yourself visible to random port scanners.
|
|
|
|
|
* 631 both/cups — Allow access to cups for printer sharing.
|
|
|
|
|
* 5353 UDP/mdns/Avahi — used for `.local` addresses.
|
|
|
|
|
* 9091 TCP/transmission web interface and also example on how to allow
|
|
|
|
|
access to port only from specific addresses, only for devices that
|
|
|
|
|
aren't going anywhere and if IPv6 isn't cared about. (TODO: How to do
|
|
|
|
|
it IPv6? I have faint idea of UFW not supporting it).
|
2017-06-04 11:20:45 +02:00
|
|
|
* Transmission file transfer uses TCP and DHT UDP. Default port for
|
|
|
|
|
both is: 51413. [Source](https://trac.transmissionbt.com/ticket/2265)
|
2015-09-01 07:38:39 +02:00
|
|
|
* 60000:61000 UDP/mosh — I feel this is the most insecure part of this
|
2017-05-27 11:00:07 +02:00
|
|
|
setup and there should be something bettter instead of this. As
|
|
|
|
|
something evil could run and listen on these ports.
|
2015-06-12 18:06:17 +02:00
|
|
|
|
|
|
|
|
*If some host doesn't run some of the mentioned service, it's not open in
|
|
|
|
|
the firewall.*
|
