2015-06-12 18:06:17 +02:00
|
|
|
---
|
|
|
|
layout: post
|
|
|
|
comments: true
|
|
|
|
title: "My ufw (Ubuntu/Uncomplicated Firewall) config"
|
|
|
|
category: [english]
|
|
|
|
tags: [english]
|
2018-11-25 23:51:24 +01:00
|
|
|
redirect_from:
|
|
|
|
- /ufw/
|
|
|
|
- /english/2015/06/12/ufw.html
|
2015-06-12 18:06:17 +02:00
|
|
|
---
|
|
|
|
|
2023-02-22 19:28:38 +01:00
|
|
|
_This post describes my UFW config and is here so I find it from somewhere
|
|
|
|
and with hope that I am told if someone notices something terriby insecure
|
|
|
|
here and is able to offer suggestions. This probably will never be
|
|
|
|
perfect._
|
2015-06-12 18:06:17 +02:00
|
|
|
|
|
|
|
Having firewall is important as you aren't always in your trusted home
|
2018-11-03 11:43:08 +01:00
|
|
|
network (that can also be broken into especially if you have WLAN) and
|
|
|
|
with IPv6 your devices have public IPv6 addresses. Theoretically your
|
|
|
|
router should include a firewall, but at least the Huawei mobile broadband
|
|
|
|
routers or MiFis don't include one (and I might be annoyed by it enough
|
|
|
|
to disable it anyway and configure everything on host level if it was
|
|
|
|
my network).
|
2015-06-12 18:06:17 +02:00
|
|
|
|
2023-02-22 19:28:38 +01:00
|
|
|
_Threat model: service I am not aware of or that I accidentally make
|
|
|
|
listen wider than intended, with UFW I am aware of what ports are
|
|
|
|
allowed. I assume any mobile host is going to move randomly and while
|
|
|
|
some whitelists (especially link-local and IPv4 LANs) will overlap and
|
|
|
|
possibly allow access, it's still better than being open to the internet
|
|
|
|
and overlay networks that I have interacted with recently._
|
2017-05-27 11:00:07 +02:00
|
|
|
|
2018-11-03 11:43:08 +01:00
|
|
|
This post first has list of commands, then explanations that won't be
|
|
|
|
repeated with IPvX ranges.
|
2015-06-12 18:06:17 +02:00
|
|
|
|
2018-11-03 12:26:04 +01:00
|
|
|
```bash
|
2015-09-19 12:46:51 +02:00
|
|
|
ufw allow 22/tcp
|
2015-06-12 18:06:17 +02:00
|
|
|
ufw default deny incoming
|
|
|
|
ufw default allow outgoing
|
|
|
|
systemctl enable ufw && systemctl start ufw
|
|
|
|
ufw enable
|
2015-09-01 07:38:39 +02:00
|
|
|
ufw reject 113/tcp
|
2020-10-26 06:31:09 +01:00
|
|
|
#ufw allow from 192.168.0.0/16 to any port 123 proto udp
|
|
|
|
ufw allow from fe80::/10 to any port 123 proto udp
|
2018-11-03 11:43:08 +01:00
|
|
|
#ufw allow from 192.168.8.0/24 to any port 631 proto tcp
|
|
|
|
ufw allow from fe80::/10 to any port 631
|
|
|
|
#ufw allow from 192.168.8.0/24 to any port 5353 proto udp
|
|
|
|
ufw allow from fe80::/10 to any port 5353 proto udp
|
|
|
|
#ufw allow from <static:Yggdrasil:IPv6> to any port 5900
|
2019-09-19 14:54:29 +02:00
|
|
|
ufw allow 6771/udp
|
2018-11-03 17:49:26 +01:00
|
|
|
ufw allow from fe80::/10 to any port 9001 proto udp
|
2015-06-12 18:06:17 +02:00
|
|
|
ufw allow 60000:61000/udp
|
|
|
|
```
|
|
|
|
|
2023-02-22 19:28:38 +01:00
|
|
|
- 22 TCP/ssh — Allow acces to SSHd you don't want to lock yourself out.
|
|
|
|
- previously I used `ufw limit` but it seems to be too oversensitive,
|
|
|
|
just use SSHGuard.
|
|
|
|
- Deny incoming connections unless the port has been whitelisted.
|
|
|
|
- Allow all outgoing connections, keeping list of authorized ports would
|
2015-09-06 12:04:16 +02:00
|
|
|
be too much for me.
|
2023-02-22 19:28:38 +01:00
|
|
|
- Start ufw on boot and now (I am not sure if this step is required, but
|
2015-06-12 18:06:17 +02:00
|
|
|
better safe than sorry).
|
2023-02-22 19:28:38 +01:00
|
|
|
- Put the firewall in force.
|
|
|
|
- 113 TCP/ident — Tell "Connection refused" to whoever tries to reach port 113. This makes ident checking IRC servers connect faster as they don't
|
2015-09-01 07:38:39 +02:00
|
|
|
have to timeout. If you run shell server (for IRC purpouses) you should
|
2017-05-27 11:00:07 +02:00
|
|
|
allow this instead. And if you don't use IRC or don't care about having
|
|
|
|
to wait for the check to timeout, don't do this as you may leave
|
|
|
|
yourself visible to random port scanners.
|
2023-02-22 19:28:38 +01:00
|
|
|
- 123 UDP/NTP - syncing time between local hosts
|
|
|
|
- 631 both/cups — Allow access to cups for printer sharing from 192.168.8.xxx
|
|
|
|
- fe80:://10 is link-local address existing _everywhere_ IPv6 is enabled,
|
|
|
|
check your `ip addr` or on Windows `ipconfig /all` for fun.
|
|
|
|
- 5353 UDP/mdns/Avahi — used for `.local` addresses.
|
|
|
|
- 5900 — VNC port at least for `krfb kdrc` (KDE Remote Desktop server & client).
|
2018-11-03 11:43:08 +01:00
|
|
|
I tend to only allow it from specific Yggdrasil address(es).
|
2023-02-22 19:28:38 +01:00
|
|
|
- 6771/udp — [Bittorrent Local Peer Discovery](http://bittorrent.org/beps/bep_0014.html)
|
|
|
|
- 9001/udp — [Yggdrasil](https://yggdrasil-network.github.io/) automatic
|
2018-11-03 17:49:26 +01:00
|
|
|
peering port only on link-local.
|
2023-02-22 19:28:38 +01:00
|
|
|
- 60000:61000 UDP/mosh — I feel this is the most insecure part of this
|
2017-05-27 11:00:07 +02:00
|
|
|
setup and there should be something bettter instead of this. As
|
|
|
|
something evil could run and listen on these ports.
|
2015-06-12 18:06:17 +02:00
|
|
|
|
2023-02-22 19:28:38 +01:00
|
|
|
_If some host doesn't run some of the mentioned service, it's not open in
|
|
|
|
the firewall._
|
2018-11-03 11:43:08 +01:00
|
|
|
|
2018-11-03 12:26:04 +01:00
|
|
|
KDE Connect which seems painful enough to list separately and doesn't seem
|
|
|
|
to work IPv6-only or I am too impatient.
|
|
|
|
|
|
|
|
```bash
|
|
|
|
#ufw allow from 192.168.8.0/24 to any port 1714:1764 proto tcp
|
|
|
|
#ufw allow from 192.168.8.0/24 to any port 1714:1764 proto udp
|
|
|
|
ufw allow from fe80::/10 to any port 1714:1764 proto tcp
|
|
|
|
ufw allow from fe80::/10 to any port 1714:1764 proto udp
|
|
|
|
```
|
|
|
|
|
2019-09-19 14:57:08 +02:00
|
|
|
EXTRA:
|
|
|
|
|
|
|
|
If you need WLAN tethering, edit `/etc/ufw/sysctl.conf` and:
|
|
|
|
|
|
|
|
```
|
|
|
|
ufw route allow in on enp3s0 out on wlp2s0
|
|
|
|
ufw route allow in on wlp2s0 out on enp3s0
|
|
|
|
```
|
|
|
|
|
|
|
|
I am not sure if both rules are required, enp3s0 is the ethernet interface
|
|
|
|
and wlp2s0 the wireless one. I think it would make sense for only the first
|
|
|
|
to be required.
|
2018-11-03 12:26:04 +01:00
|
|
|
|
2023-02-22 19:28:38 +01:00
|
|
|
---
|
2018-11-03 11:43:08 +01:00
|
|
|
|
2020-10-26 18:33:56 +01:00
|
|
|
Last updated: 2020-10-26 | [GitHub changelog](https://github.com/Mikaela/mikaela.github.io/commits/master/_posts/2015-06-12-ufw.md) |
|
2018-11-03 11:43:08 +01:00
|
|
|
[Blesmrt Gitea changelog](https://gitea.blesmrt.net/mikaela/mikaela-info/commits/branch/master/_posts/2015-06-12-ufw.md)
|