2015-06-12 18:06:17 +02:00
|
|
|
---
|
|
|
|
layout: post
|
|
|
|
comments: true
|
|
|
|
title: "My ufw (Ubuntu/Uncomplicated Firewall) config"
|
|
|
|
category: [english]
|
|
|
|
tags: [english]
|
|
|
|
redirect_from: /ufw/
|
|
|
|
---
|
|
|
|
|
|
|
|
*This post describes my UFW config and is here so I find it from somewhere
|
|
|
|
and with hope that I am told if someone notices something terriby insecure
|
|
|
|
here and is able to offer suggestions.*
|
|
|
|
|
|
|
|
Having firewall is important as you aren't always in your trusted home
|
|
|
|
network and with IPv6 your devices have public IPv6 addresses.
|
|
|
|
|
|
|
|
This post first has list of commands, then explanations.
|
|
|
|
|
|
|
|
```
|
|
|
|
ufw limit 22
|
|
|
|
ufw default deny incoming
|
|
|
|
ufw default allow outgoing
|
|
|
|
systemctl enable ufw && systemctl start ufw
|
|
|
|
ufw enable
|
|
|
|
ufw allow 113
|
|
|
|
ufw allow 631
|
2015-06-28 12:27:20 +02:00
|
|
|
ufw allow 5060
|
2015-06-12 18:06:17 +02:00
|
|
|
ufw allow 5353/udp
|
|
|
|
ufw allow 17500/tcp
|
|
|
|
ufw allow 60000:61000/udp
|
|
|
|
```
|
|
|
|
|
|
|
|
* 22/ssh — Prevent more than 6 connections in 30 seconds to the SSH port
|
|
|
|
and it's the first command as you don't want to lock yourself out of
|
|
|
|
your host when you enable the firewall.
|
|
|
|
* Deny incoming connections unless the port has been whitelisted.
|
|
|
|
* Allow all outgoing connections, keeping list of authorized ports would be
|
|
|
|
too much for me.
|
|
|
|
* Start ufw on boot and now (I am not sure if this step is required, but
|
|
|
|
better safe than sorry).
|
|
|
|
* Put the firewall in force.
|
|
|
|
* 113/ident — Allow identd to be reached, probably all my hosts run it for
|
|
|
|
IRC.
|
|
|
|
* 631/cups — Allow access to cups for printer sharing
|
2015-06-28 12:27:20 +02:00
|
|
|
* 5060/sip — VoIP, in this case Linphone
|
2015-06-12 18:06:17 +02:00
|
|
|
* 5353/mdns/Avahi — used for `.local` addresses
|
|
|
|
* 17500/Dropbox — which I use everywhere
|
|
|
|
* 60000:61000/mosh — I feel this is the most insecure part of this setup
|
|
|
|
and there should be something bettter instead of this.
|
|
|
|
|
|
|
|
*If some host doesn't run some of the mentioned service, it's not open in
|
|
|
|
the firewall.*
|