From 0d4b200f1ccdafab3b0a42af1dcbfbe76a0cd9ad Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Fri, 12 Jun 2015 19:06:17 +0300 Subject: [PATCH] blog: ufw closes #58 --- _posts/2015-06-12-ufw.md | 50 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 _posts/2015-06-12-ufw.md diff --git a/_posts/2015-06-12-ufw.md b/_posts/2015-06-12-ufw.md new file mode 100644 index 0000000..80789c9 --- /dev/null +++ b/_posts/2015-06-12-ufw.md @@ -0,0 +1,50 @@ +--- +layout: post +comments: true +title: "My ufw (Ubuntu/Uncomplicated Firewall) config" +category: [english] +tags: [english] +redirect_from: /ufw/ +--- + +*This post describes my UFW config and is here so I find it from somewhere + and with hope that I am told if someone notices something terriby insecure + here and is able to offer suggestions.* + +Having firewall is important as you aren't always in your trusted home +network and with IPv6 your devices have public IPv6 addresses. + +This post first has list of commands, then explanations. + +``` +ufw limit 22 +ufw default deny incoming +ufw default allow outgoing +systemctl enable ufw && systemctl start ufw +ufw enable +ufw allow 113 +ufw allow 631 +ufw allow 5353/udp +ufw allow 17500/tcp +ufw allow 60000:61000/udp +``` + +* 22/ssh — Prevent more than 6 connections in 30 seconds to the SSH port + and it's the first command as you don't want to lock yourself out of + your host when you enable the firewall. +* Deny incoming connections unless the port has been whitelisted. +* Allow all outgoing connections, keeping list of authorized ports would be + too much for me. +* Start ufw on boot and now (I am not sure if this step is required, but + better safe than sorry). +* Put the firewall in force. +* 113/ident — Allow identd to be reached, probably all my hosts run it for + IRC. +* 631/cups — Allow access to cups for printer sharing +* 5353/mdns/Avahi — used for `.local` addresses +* 17500/Dropbox — which I use everywhere +* 60000:61000/mosh — I feel this is the most insecure part of this setup + and there should be something bettter instead of this. + +*If some host doesn't run some of the mentioned service, it's not open in +the firewall.*