2015-06-12 18:06:17 +02:00
|
|
|
---
|
|
|
|
|
layout: post
|
|
|
|
|
comments: true
|
|
|
|
|
title: "My ufw (Ubuntu/Uncomplicated Firewall) config"
|
|
|
|
|
category: [english]
|
|
|
|
|
tags: [english]
|
|
|
|
|
redirect_from: /ufw/
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
*This post describes my UFW config and is here so I find it from somewhere
|
|
|
|
|
and with hope that I am told if someone notices something terriby insecure
|
|
|
|
|
here and is able to offer suggestions.*
|
|
|
|
|
|
|
|
|
|
Having firewall is important as you aren't always in your trusted home
|
|
|
|
|
network and with IPv6 your devices have public IPv6 addresses.
|
|
|
|
|
|
|
|
|
|
This post first has list of commands, then explanations.
|
|
|
|
|
|
|
|
|
|
```
|
2015-09-19 12:46:51 +02:00
|
|
|
ufw allow 22/tcp
|
2015-06-12 18:06:17 +02:00
|
|
|
ufw default deny incoming
|
|
|
|
|
ufw default allow outgoing
|
|
|
|
|
systemctl enable ufw && systemctl start ufw
|
|
|
|
|
ufw enable
|
2015-09-01 07:38:39 +02:00
|
|
|
ufw reject 113/tcp
|
2015-08-22 11:01:20 +02:00
|
|
|
ufw allow from 172.16.0.0/16 to any port 631
|
2015-09-06 12:04:16 +02:00
|
|
|
ufw allow 3544/udp
|
2015-09-01 07:38:39 +02:00
|
|
|
ufw allow from 172.16.0.0/16 to any port 5353 proto udp
|
2015-09-23 08:37:32 +02:00
|
|
|
ufw allow from 172.16.0.0/16 to any port 9091 proto tcp
|
2015-09-01 07:10:18 +02:00
|
|
|
ufw allow from 172.16.0.0/16 to any port 17500 proto tcp
|
2015-06-12 18:06:17 +02:00
|
|
|
ufw allow 60000:61000/udp
|
|
|
|
|
```
|
|
|
|
|
|
2015-09-19 12:46:51 +02:00
|
|
|
* 22 TCP/ssh — Allow acces to SSHdm you don't want to lock yourself out.
|
|
|
|
|
* previously I used `ufw limit` but it seems to be too oversensitive,
|
|
|
|
|
just use SSHGuard.
|
2015-06-12 18:06:17 +02:00
|
|
|
* Deny incoming connections unless the port has been whitelisted.
|
2015-09-06 12:04:16 +02:00
|
|
|
* Allow all outgoing connections, keeping list of authorized ports would
|
|
|
|
|
be too much for me.
|
2015-06-12 18:06:17 +02:00
|
|
|
* Start ufw on boot and now (I am not sure if this step is required, but
|
|
|
|
|
better safe than sorry).
|
|
|
|
|
* Put the firewall in force.
|
2015-09-01 07:38:39 +02:00
|
|
|
* 113 TCP/ident — Tell "Connection refused" to whoever tries to reach port
|
|
|
|
|
113. This makes ident checking IRC servers connect faster as they don't
|
|
|
|
|
have to timeout. If you run shell server (for IRC purpouses) you should
|
|
|
|
|
allow this instead.
|
|
|
|
|
* 631 both/cups — Allow access to cups for printer sharing from local
|
|
|
|
|
network
|
2015-09-06 12:04:16 +02:00
|
|
|
* 3544 udp/miredo — Sadly native IPv6 isn't everywhere, neither is 6rd
|
|
|
|
|
with every ISP or proper tunnel.
|
|
|
|
|
* 5353 UDP/mdns/Avahi — used for `.local` addresses and probably not
|
|
|
|
|
needed outside local network
|
2015-09-01 07:38:39 +02:00
|
|
|
* 9091 TCP/transmission web interface — also something I want to access
|
2015-09-01 07:55:50 +02:00
|
|
|
from LAN. This seems risky too, but risks can be limited by only
|
|
|
|
|
using this rule with static hosts.
|
2015-09-01 07:38:39 +02:00
|
|
|
* Transmission file transfer uses TCP. Default port: 51413.
|
2015-09-01 07:13:12 +02:00
|
|
|
* 17500 TCP/Dropbox LAN sync — which I use with desktops
|
2015-09-01 07:38:39 +02:00
|
|
|
* 60000:61000 UDP/mosh — I feel this is the most insecure part of this
|
|
|
|
|
setup and there should be something bettter instead of this.
|
2015-06-12 18:06:17 +02:00
|
|
|
|
|
|
|
|
*If some host doesn't run some of the mentioned service, it's not open in
|
|
|
|
|
the firewall.*
|
