mikaela.github.io/blog/_posts/2015-06-12-ufw.md

111 lines
4.5 KiB
Markdown
Raw Normal View History

2015-06-12 18:06:17 +02:00
---
layout: post
comments: true
title: "My ufw (Ubuntu/Uncomplicated Firewall) config"
category: [english]
tags: [english]
2018-11-25 23:51:24 +01:00
redirect_from:
- /ufw/
- /english/2015/06/12/ufw.html
2015-06-12 18:06:17 +02:00
---
*This post describes my UFW config and is here so I find it from somewhere
and with hope that I am told if someone notices something terriby insecure
here and is able to offer suggestions. This probably will never be
perfect.*
2015-06-12 18:06:17 +02:00
Having firewall is important as you aren't always in your trusted home
network (that can also be broken into especially if you have WLAN) and
with IPv6 your devices have public IPv6 addresses. Theoretically your
router should include a firewall, but at least the Huawei mobile broadband
routers or MiFis don't include one (and I might be annoyed by it enough
to disable it anyway and configure everything on host level if it was
my network).
2015-06-12 18:06:17 +02:00
2017-05-27 11:00:07 +02:00
*Threat model: service I am not aware of or that I accidentally make
listen wider than intended, with UFW I am aware of what ports are
allowed. I assume any mobile host is going to move randomly and while
some whitelists (especially link-local and IPv4 LANs) will overlap and
possibly allow access, it's still better than being open to the internet
and overlay networks that I have interacted with recently.*
2017-05-27 11:00:07 +02:00
This post first has list of commands, then explanations that won't be
repeated with IPvX ranges.
2015-06-12 18:06:17 +02:00
2018-11-03 12:26:04 +01:00
```bash
2015-09-19 12:46:51 +02:00
ufw allow 22/tcp
2015-06-12 18:06:17 +02:00
ufw default deny incoming
ufw default allow outgoing
systemctl enable ufw && systemctl start ufw
ufw enable
ufw reject 113/tcp
#ufw allow from 192.168.8.0/24 to any port 631 proto tcp
ufw allow from fe80::/10 to any port 631
#ufw allow from 192.168.8.0/24 to any port 5353 proto udp
ufw allow from fe80::/10 to any port 5353 proto udp
#ufw allow from <static:Yggdrasil:IPv6> to any port 5900
2019-09-19 14:54:29 +02:00
ufw allow 6771/udp
2018-11-03 17:49:26 +01:00
ufw allow from fe80::/10 to any port 9001 proto udp
2015-06-12 18:06:17 +02:00
ufw allow 60000:61000/udp
```
2017-05-27 11:00:07 +02:00
* 22 TCP/ssh — Allow acces to SSHd you don't want to lock yourself out.
2015-09-19 12:46:51 +02:00
* previously I used `ufw limit` but it seems to be too oversensitive,
just use SSHGuard.
2015-06-12 18:06:17 +02:00
* Deny incoming connections unless the port has been whitelisted.
2015-09-06 12:04:16 +02:00
* Allow all outgoing connections, keeping list of authorized ports would
be too much for me.
2015-06-12 18:06:17 +02:00
* Start ufw on boot and now (I am not sure if this step is required, but
better safe than sorry).
* Put the firewall in force.
* 113 TCP/ident — Tell "Connection refused" to whoever tries to reach port
113. This makes ident checking IRC servers connect faster as they don't
have to timeout. If you run shell server (for IRC purpouses) you should
2017-05-27 11:00:07 +02:00
allow this instead. And if you don't use IRC or don't care about having
to wait for the check to timeout, don't do this as you may leave
yourself visible to random port scanners.
* 631 both/cups — Allow access to cups for printer sharing from 192.168.8.xxx
* fe80:://10 is link-local address existing _everywhere_ IPv6 is enabled,
check your `ip addr` or on Windows `ipconfig /all` for fun.
2017-05-27 11:00:07 +02:00
* 5353 UDP/mdns/Avahi — used for `.local` addresses.
* 5900 — VNC port at least for `krfb kdrc` (KDE Remote Desktop server & client).
I tend to only allow it from specific Yggdrasil address(es).
2019-09-19 14:54:29 +02:00
* 6771/udp — [Bittorrent Local Peer Discovery](http://bittorrent.org/beps/bep_0014.html)
2018-11-03 17:49:26 +01:00
* 9001/udp — [Yggdrasil](https://yggdrasil-network.github.io/) automatic
peering port only on link-local.
* 60000:61000 UDP/mosh — I feel this is the most insecure part of this
2017-05-27 11:00:07 +02:00
setup and there should be something bettter instead of this. As
something evil could run and listen on these ports.
2015-06-12 18:06:17 +02:00
*If some host doesn't run some of the mentioned service, it's not open in
the firewall.*
2018-11-03 12:26:04 +01:00
KDE Connect which seems painful enough to list separately and doesn't seem
to work IPv6-only or I am too impatient.
```bash
#ufw allow from 192.168.8.0/24 to any port 1714:1764 proto tcp
#ufw allow from 192.168.8.0/24 to any port 1714:1764 proto udp
ufw allow from fe80::/10 to any port 1714:1764 proto tcp
ufw allow from fe80::/10 to any port 1714:1764 proto udp
```
EXTRA:
If you need WLAN tethering, edit `/etc/ufw/sysctl.conf` and:
```
ufw route allow in on enp3s0 out on wlp2s0
ufw route allow in on wlp2s0 out on enp3s0
```
I am not sure if both rules are required, enp3s0 is the ethernet interface
and wlp2s0 the wireless one. I think it would make sense for only the first
to be required.
2018-11-03 12:26:04 +01:00
* * * * *
2018-11-03 12:26:04 +01:00
Last updated: 2018-11-03T13:25+0200 | [GitHub changelog](https://github.com/Mikaela/mikaela.github.io/commits/master/_posts/2015-06-12-ufw.md) |
[Blesmrt Gitea changelog](https://gitea.blesmrt.net/mikaela/mikaela-info/commits/branch/master/_posts/2015-06-12-ufw.md)