blog: ufw

closes #58

_posts/2015-06-12-ufw.md

@@ -0,0 +1,50 @@
+---
+layout: post
+comments: true
+title: "My ufw (Ubuntu/Uncomplicated Firewall) config"
+category: [english]
+tags: [english]
+redirect_from: /ufw/
+---
+
+*This post describes my UFW config and is here so I find it from somewhere
+ and with hope that I am told if someone notices something terriby insecure
+ here and is able to offer suggestions.*
+
+Having firewall is important as you aren't always in your trusted home
+network and with IPv6 your devices have public IPv6 addresses.
+
+This post first has list of commands, then explanations.
+
+```
+ufw limit 22
+ufw default deny incoming
+ufw default allow outgoing
+systemctl enable ufw && systemctl start ufw
+ufw enable
+ufw allow 113
+ufw allow 631
+ufw allow 5353/udp
+ufw allow 17500/tcp
+ufw allow 60000:61000/udp
+```
+
+* 22/ssh — Prevent more than 6 connections in 30 seconds to the SSH port
+  and it's the first command as you don't want to lock yourself out of
+  your host when you enable the firewall.
+* Deny incoming connections unless the port has been whitelisted.
+* Allow all outgoing connections, keeping list of authorized ports would be
+  too much for me.
+* Start ufw on boot and now (I am not sure if this step is required, but
+  better safe than sorry).
+* Put the firewall in force.
+* 113/ident — Allow identd to be reached, probably all my hosts run it for
+  IRC.
+* 631/cups — Allow access to cups for printer sharing
+* 5353/mdns/Avahi — used for `.local` addresses
+* 17500/Dropbox — which I use everywhere
+* 60000:61000/mosh — I feel this is the most insecure part of this setup
+  and there should be something bettter instead of this.
+
+*If some host doesn't run some of the mentioned service, it's not open in
+the firewall.*