mirror of
https://github.com/mikaela/mikaela.github.io/
synced 2024-12-27 05:32:41 +01:00
51 lines
1.7 KiB
Markdown
51 lines
1.7 KiB
Markdown
|
---
|
||
|
layout: post
|
||
|
comments: true
|
||
|
title: "My ufw (Ubuntu/Uncomplicated Firewall) config"
|
||
|
category: [english]
|
||
|
tags: [english]
|
||
|
redirect_from: /ufw/
|
||
|
---
|
||
|
|
||
|
*This post describes my UFW config and is here so I find it from somewhere
|
||
|
and with hope that I am told if someone notices something terriby insecure
|
||
|
here and is able to offer suggestions.*
|
||
|
|
||
|
Having firewall is important as you aren't always in your trusted home
|
||
|
network and with IPv6 your devices have public IPv6 addresses.
|
||
|
|
||
|
This post first has list of commands, then explanations.
|
||
|
|
||
|
```
|
||
|
ufw limit 22
|
||
|
ufw default deny incoming
|
||
|
ufw default allow outgoing
|
||
|
systemctl enable ufw && systemctl start ufw
|
||
|
ufw enable
|
||
|
ufw allow 113
|
||
|
ufw allow 631
|
||
|
ufw allow 5353/udp
|
||
|
ufw allow 17500/tcp
|
||
|
ufw allow 60000:61000/udp
|
||
|
```
|
||
|
|
||
|
* 22/ssh — Prevent more than 6 connections in 30 seconds to the SSH port
|
||
|
and it's the first command as you don't want to lock yourself out of
|
||
|
your host when you enable the firewall.
|
||
|
* Deny incoming connections unless the port has been whitelisted.
|
||
|
* Allow all outgoing connections, keeping list of authorized ports would be
|
||
|
too much for me.
|
||
|
* Start ufw on boot and now (I am not sure if this step is required, but
|
||
|
better safe than sorry).
|
||
|
* Put the firewall in force.
|
||
|
* 113/ident — Allow identd to be reached, probably all my hosts run it for
|
||
|
IRC.
|
||
|
* 631/cups — Allow access to cups for printer sharing
|
||
|
* 5353/mdns/Avahi — used for `.local` addresses
|
||
|
* 17500/Dropbox — which I use everywhere
|
||
|
* 60000:61000/mosh — I feel this is the most insecure part of this setup
|
||
|
and there should be something bettter instead of this.
|
||
|
|
||
|
*If some host doesn't run some of the mentioned service, it's not open in
|
||
|
the firewall.*
|