mikaela.github.io/blog/_posts/2015-06-12-ufw.md

---
layout: post
comments: true
title: "My ufw (Ubuntu/Uncomplicated Firewall) config"
category: [english]
tags: [english]
redirect_from:
  - /ufw/
  - /english/2015/06/12/ufw.html
robots: noai
---

_This post describes my UFW config and is here so I find it from somewhere and
with hope that I am told if someone notices something terriby insecure here and
is able to offer suggestions. This probably will never be perfect._

Having firewall is important as you aren't always in your trusted home network
(that can also be broken into especially if you have WLAN) and with IPv6 your
devices have public IPv6 addresses. Theoretically your router should include a
firewall, but at least the Huawei mobile broadband routers or MiFis don't
include one (and I might be annoyed by it enough to disable it anyway and
configure everything on host level if it was my network).

_Threat model: service I am not aware of or that I accidentally make listen
wider than intended, with UFW I am aware of what ports are allowed. I assume any
mobile host is going to move randomly and while some whitelists (especially
link-local and IPv4 LANs) will overlap and possibly allow access, it's still
better than being open to the internet and overlay networks that I have
interacted with recently._

This post first has list of commands, then explanations that won't be repeated
with IPvX ranges.

Fedora/firewalld? [n/firewalld](/n/firewalld)

```bash
ufw allow 22/tcp
ufw default deny incoming
ufw default allow outgoing
systemctl enable ufw && systemctl start ufw
ufw enable
ufw reject 113/tcp
#ufw allow from 192.168.0.0/16 to any port 123 proto udp
ufw allow from fe80::/10 to any port 123 proto udp
#ufw allow from 192.168.8.0/24 to any port 631 proto tcp
ufw allow from fe80::/10 to any port 631
#ufw allow from 192.168.8.0/24 to any port 5353 proto udp
ufw allow from fe80::/10 to any port 5353 proto udp
#ufw allow from <static:Yggdrasil:IPv6> to any port 5900
ufw allow 6771/udp
ufw allow from fe80::/10 to any port 9001 proto udp
ufw allow 60000:61000/udp
```

- 22 TCP/ssh — Allow acces to SSHd you don't want to lock yourself out.
  - previously I used `ufw limit` but it seems to be too oversensitive, just use
    SSHGuard.
- Deny incoming connections unless the port has been whitelisted.
- Allow all outgoing connections, keeping list of authorized ports would be too
  much for me.
- Start ufw on boot and now (I am not sure if this step is required, but better
  safe than sorry).
- Put the firewall in force.
- 113 TCP/ident — Tell "Connection refused" to whoever tries to reach port 113.
  This makes ident checking IRC servers connect faster as they don't have to
  timeout. If you run shell server (for IRC purpouses) you should allow this
  instead. And if you don't use IRC or don't care about having to wait for the
  check to timeout, don't do this as you may leave yourself visible to random
  port scanners.
- 123 UDP/NTP - syncing time between local hosts
- 631 both/cups — Allow access to cups for printer sharing from 192.168.8.xxx
  - fe80:://10 is link-local address existing _everywhere_ IPv6 is enabled,
    check your `ip addr` or on Windows `ipconfig /all` for fun.
- 5353 UDP/mdns/Avahi — used for `.local` addresses.
- 5900 — VNC port at least for `krfb kdrc` (KDE Remote Desktop server & client).
  I tend to only allow it from specific Yggdrasil address(es).
- 6771/udp —
  [Bittorrent Local Peer Discovery](http://bittorrent.org/beps/bep_0014.html)
- 9001/udp — [Yggdrasil](https://yggdrasil-network.github.io/) automatic peering
  port only on link-local.
- 60000:61000 UDP/mosh — I feel this is the most insecure part of this setup and
  there should be something bettter instead of this. As something evil could run
  and listen on these ports.

_If some host doesn't run some of the mentioned service, it's not open in the
firewall._

KDE Connect which seems painful enough to list separately and doesn't seem to
work IPv6-only or I am too impatient.

```bash
#ufw allow from 192.168.8.0/24 to any port 1714:1764 proto tcp
#ufw allow from 192.168.8.0/24 to any port 1714:1764 proto udp
ufw allow from fe80::/10 to any port 1714:1764 proto tcp
ufw allow from fe80::/10 to any port 1714:1764 proto udp
```

EXTRA:

If you need WLAN tethering, edit `/etc/ufw/sysctl.conf` and:

```
ufw route allow in on enp3s0 out on wlp2s0
ufw route allow in on wlp2s0 out on enp3s0
```

I am not sure if both rules are required, enp3s0 is the ethernet interface and
wlp2s0 the wireless one. I think it would make sense for only the first to be
required.

---

Last updated: 2020-10-26 |
[GitHub changelog](https://github.com/Mikaela/mikaela.github.io/commits/master/_posts/2015-06-12-ufw.md)
|
[Blesmrt Gitea changelog](https://gitea.blesmrt.net/mikaela/mikaela-info/commits/branch/master/_posts/2015-06-12-ufw.md)
blog: ufw closes #58 2015-06-12 18:06:17 +02:00			`---`
			`layout: post`
			`comments: true`
			`title: "My ufw (Ubuntu/Uncomplicated Firewall) config"`
			`category: [english]`
			`tags: [english]`
Redirect old articles to new address 2018-11-25 23:51:24 +01:00			`redirect_from:`
			`- /ufw/`
			`- /english/2015/06/12/ufw.html`
controlled allowing of letting the bots in 2024-05-31 05:29:21 +02:00			`robots: noai`
blog: ufw closes #58 2015-06-12 18:06:17 +02:00			`---`

run prettier (mainly proseWrap) 2024-06-19 07:19:44 +02:00			`_This post describes my UFW config and is here so I find it from somewhere and`
			`with hope that I am told if someone notices something terriby insecure here and`
			`is able to offer suggestions. This probably will never be perfect._`

			`Having firewall is important as you aren't always in your trusted home network`
			`(that can also be broken into especially if you have WLAN) and with IPv6 your`
			`devices have public IPv6 addresses. Theoretically your router should include a`
			`firewall, but at least the Huawei mobile broadband routers or MiFis don't`
			`include one (and I might be annoyed by it enough to disable it anyway and`
			`configure everything on host level if it was my network).`

			`_Threat model: service I am not aware of or that I accidentally make listen`
			`wider than intended, with UFW I am aware of what ports are allowed. I assume any`
			`mobile host is going to move randomly and while some whitelists (especially`
			`link-local and IPv4 LANs) will overlap and possibly allow access, it's still`
			`better than being open to the internet and overlay networks that I have`
			`interacted with recently._`

			`This post first has list of commands, then explanations that won't be repeated`
			`with IPvX ranges.`
blog: ufw closes #58 2015-06-12 18:06:17 +02:00
blog/ufw: note firewalld note 2023-09-09 09:51:00 +02:00			`Fedora/firewalld? [n/firewalld](/n/firewalld)`

ufw: add KDE Connect Closes #113 2018-11-03 12:26:04 +01:00			```bash
ufw: use sshguard for protecting sshd 2015-09-19 12:46:51 +02:00			`ufw allow 22/tcp`
blog: ufw closes #58 2015-06-12 18:06:17 +02:00			`ufw default deny incoming`
			`ufw default allow outgoing`
			`systemctl enable ufw && systemctl start ufw`
			`ufw enable`
_posts/ufw: specify protocols for ports 2015-09-01 07:38:39 +02:00			`ufw reject 113/tcp`
blog/ufw: add port 123/NTP 2020-10-26 06:31:09 +01:00			`#ufw allow from 192.168.0.0/16 to any port 123 proto udp`
			`ufw allow from fe80::/10 to any port 123 proto udp`
_posts/ufw: stricten some rules, WIP WIP as I forgot at least KDE Connect from #133 2018-11-03 11:43:08 +01:00			`#ufw allow from 192.168.8.0/24 to any port 631 proto tcp`
			`ufw allow from fe80::/10 to any port 631`
			`#ufw allow from 192.168.8.0/24 to any port 5353 proto udp`
			`ufw allow from fe80::/10 to any port 5353 proto udp`
			`#ufw allow from <static:Yggdrasil:IPv6> to any port 5900`
ufw: add bt lpd Resolves: #166 2019-09-19 14:54:29 +02:00			`ufw allow 6771/udp`
ufw: 9001 is udp port for Yggdrasil 2018-11-03 17:49:26 +01:00			`ufw allow from fe80::/10 to any port 9001 proto udp`
blog: ufw closes #58 2015-06-12 18:06:17 +02:00			`ufw allow 60000:61000/udp`
			```

prettier round one Ref: 324 2023-02-22 19:28:38 +01:00			`- 22 TCP/ssh — Allow acces to SSHd you don't want to lock yourself out.`
run prettier (mainly proseWrap) 2024-06-19 07:19:44 +02:00			- previously I used `ufw limit` but it seems to be too oversensitive, just use
			`SSHGuard.`
prettier round one Ref: 324 2023-02-22 19:28:38 +01:00			`- Deny incoming connections unless the port has been whitelisted.`
run prettier (mainly proseWrap) 2024-06-19 07:19:44 +02:00			`- Allow all outgoing connections, keeping list of authorized ports would be too`
			`much for me.`
			`- Start ufw on boot and now (I am not sure if this step is required, but better`
			`safe than sorry).`
prettier round one Ref: 324 2023-02-22 19:28:38 +01:00			`- Put the firewall in force.`
run prettier (mainly proseWrap) 2024-06-19 07:19:44 +02:00			`- 113 TCP/ident — Tell "Connection refused" to whoever tries to reach port 113.`
			`This makes ident checking IRC servers connect faster as they don't have to`
			`timeout. If you run shell server (for IRC purpouses) you should allow this`
			`instead. And if you don't use IRC or don't care about having to wait for the`
			`check to timeout, don't do this as you may leave yourself visible to random`
			`port scanners.`
prettier round one Ref: 324 2023-02-22 19:28:38 +01:00			`- 123 UDP/NTP - syncing time between local hosts`
			`- 631 both/cups — Allow access to cups for printer sharing from 192.168.8.xxx`
			`- fe80:://10 is link-local address existing _everywhere_ IPv6 is enabled,`
			check your `ip addr` or on Windows `ipconfig /all` for fun.
			- 5353 UDP/mdns/Avahi — used for `.local` addresses.
			- 5900 — VNC port at least for `krfb kdrc` (KDE Remote Desktop server & client).
_posts/ufw: stricten some rules, WIP WIP as I forgot at least KDE Connect from #133 2018-11-03 11:43:08 +01:00			`I tend to only allow it from specific Yggdrasil address(es).`
run prettier (mainly proseWrap) 2024-06-19 07:19:44 +02:00			`- 6771/udp —`
			`[Bittorrent Local Peer Discovery](http://bittorrent.org/beps/bep_0014.html)`
			`- 9001/udp — [Yggdrasil](https://yggdrasil-network.github.io/) automatic peering`
			`port only on link-local.`
			`- 60000:61000 UDP/mosh — I feel this is the most insecure part of this setup and`
			`there should be something bettter instead of this. As something evil could run`
			`and listen on these ports.`
blog: ufw closes #58 2015-06-12 18:06:17 +02:00
run prettier (mainly proseWrap) 2024-06-19 07:19:44 +02:00			`_If some host doesn't run some of the mentioned service, it's not open in the`
			`firewall._`
_posts/ufw: stricten some rules, WIP WIP as I forgot at least KDE Connect from #133 2018-11-03 11:43:08 +01:00
run prettier (mainly proseWrap) 2024-06-19 07:19:44 +02:00			`KDE Connect which seems painful enough to list separately and doesn't seem to`
			`work IPv6-only or I am too impatient.`
ufw: add KDE Connect Closes #113 2018-11-03 12:26:04 +01:00
			```bash
			`#ufw allow from 192.168.8.0/24 to any port 1714:1764 proto tcp`
			`#ufw allow from 192.168.8.0/24 to any port 1714:1764 proto udp`
			`ufw allow from fe80::/10 to any port 1714:1764 proto tcp`
			`ufw allow from fe80::/10 to any port 1714:1764 proto udp`
			```

ufw: note WLAN tethering Resolves: #164 2019-09-19 14:57:08 +02:00			`EXTRA:`

			If you need WLAN tethering, edit `/etc/ufw/sysctl.conf` and:

			```
			`ufw route allow in on enp3s0 out on wlp2s0`
			`ufw route allow in on wlp2s0 out on enp3s0`
			```

run prettier (mainly proseWrap) 2024-06-19 07:19:44 +02:00			`I am not sure if both rules are required, enp3s0 is the ethernet interface and`
			`wlp2s0 the wireless one. I think it would make sense for only the first to be`
			`required.`
ufw: add KDE Connect Closes #113 2018-11-03 12:26:04 +01:00
prettier round one Ref: 324 2023-02-22 19:28:38 +01:00			`---`
_posts/ufw: stricten some rules, WIP WIP as I forgot at least KDE Connect from #133 2018-11-03 11:43:08 +01:00
run prettier (mainly proseWrap) 2024-06-19 07:19:44 +02:00			`Last updated: 2020-10-26 \|`
			`[GitHub changelog](https://github.com/Mikaela/mikaela.github.io/commits/master/_posts/2015-06-12-ufw.md)`
			`\|`
_posts/ufw: stricten some rules, WIP WIP as I forgot at least KDE Connect from #133 2018-11-03 11:43:08 +01:00			`[Blesmrt Gitea changelog](https://gitea.blesmrt.net/mikaela/mikaela-info/commits/branch/master/_posts/2015-06-12-ufw.md)`