_posts: update 2015-06-12-ufw.md

Aminda Suomalainen 2017-05-27 12:00:07 +03:00
parent 5988c19571
commit 6520c44eed
No known key found for this signature in database
GPG Key ID: 0C207F07B2F32B67


@ -14,6 +14,12 @@ redirect_from: /ufw/
Having firewall is important as you aren't always in your trusted home Having firewall is important as you aren't always in your trusted home
network and with IPv6 your devices have public IPv6 addresses. network and with IPv6 your devices have public IPv6 addresses.
*Threat model: service I am not aware of or that I accidentally make
listen wider than intended and with UFW I am aware of what ports are
allowed. I assume any host is going to move randomly and not
whitelisting only from certain addresses as that address can be
encountered anywhere.*
This post first has list of commands, then explanations. This post first has list of commands, then explanations.
``` ```
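Review bot: the new threat-model paragraph states that no address-based whitelisting is used because hosts move, yet the rule list that follows still keeps `ufw allow from 172.16.0.0/16 to any port 9091 proto tcp`; name that exception here (static hosts only, as the 9091 bullet further down explains) so the stated model and the rules agree. Minor: "service I am not aware of or that I accidentally make listen wider than intended" reads better as "a service I am not aware of, or one that I accidentally make listen wider than intended", and make sure a blank line precedes the `*Threat model:` line, otherwise kramdown folds the italic paragraph into the one before it.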
@ -23,15 +29,13 @@ ufw default allow outgoing
systemctl enable ufw && systemctl start ufw systemctl enable ufw && systemctl start ufw
ufw enable ufw enable
ufw reject 113/tcp ufw reject 113/tcp
ufw allow from 172.16.0.0/16 to any port 631 ufw allow 631
ufw allow 3544/udp ufw allow 5353/udp
ufw allow from 172.16.0.0/16 to any port 5353 proto udp
ufw allow from 172.16.0.0/16 to any port 9091 proto tcp ufw allow from 172.16.0.0/16 to any port 9091 proto tcp
ufw allow from 172.16.0.0/16 to any port 17500 proto tcp
ufw allow 60000:61000/udp ufw allow 60000:61000/udp
``` ```
* 22 TCP/ssh — Allow acces to SSHdm you don't want to lock yourself out. * 22 TCP/ssh — Allow acces to SSHd you don't want to lock yourself out.
* previously I used `ufw limit` but it seems to be too oversensitive, * previously I used `ufw limit` but it seems to be too oversensitive,
just use SSHGuard. just use SSHGuard.
* Deny incoming connections unless the port has been whitelisted. * Deny incoming connections unless the port has been whitelisted.
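Review bot: the two rules that change from `from 172.16.0.0/16` to an unrestricted allow (`ufw allow 631` and `ufw allow 5353/udp`) are the one part of this commit that widens exposure: with the public IPv6 addresses the post itself mentions, CUPS and mDNS become reachable from any source rather than only from the LAN. If the motivation is that hosts roam and the LAN prefix changes, restricting by interface instead of by address (`ufw allow in on <iface> to any port 631`, placeholder interface) keeps the "hosts move" rationale without exposing the print service to the open internet; at minimum the 631 rule belongs only on hosts that actually share a printer. Dropping `ufw allow 3544/udp` and the 17500 rule matches the explanation changes below. Typo left on the edited SSH line: "acces".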
@ -43,20 +47,19 @@ ufw allow 60000:61000/udp
* 113 TCP/ident — Tell "Connection refused" to whoever tries to reach port * 113 TCP/ident — Tell "Connection refused" to whoever tries to reach port
113. This makes ident checking IRC servers connect faster as they don't 113. This makes ident checking IRC servers connect faster as they don't
have to timeout. If you run shell server (for IRC purpouses) you should have to timeout. If you run shell server (for IRC purpouses) you should
allow this instead. allow this instead. And if you don't use IRC or don't care about having
* 631 both/cups — Allow access to cups for printer sharing from local to wait for the check to timeout, don't do this as you may leave
network yourself visible to random port scanners.
* 3544 udp/miredo — Sadly native IPv6 isn't everywhere, neither is 6rd * 631 both/cups — Allow access to cups for printer sharing.
with every ISP or proper tunnel. * 5353 UDP/mdns/Avahi — used for `.local` addresses.
* 5353 UDP/mdns/Avahi — used for `.local` addresses and probably not * 9091 TCP/transmission web interface and also example on how to allow
needed outside local network access to port only from specific addresses, only for devices that
* 9091 TCP/transmission web interface — also something I want to access aren't going anywhere and if IPv6 isn't cared about. (TODO: How to do
from LAN. This seems risky too, but risks can be limited by only it IPv6? I have faint idea of UFW not supporting it).
using this rule with static hosts.
* Transmission file transfer uses TCP. Default port: 51413. * Transmission file transfer uses TCP. Default port: 51413.
* 17500 TCP/Dropbox LAN sync — which I use with desktops
* 60000:61000 UDP/mosh — I feel this is the most insecure part of this * 60000:61000 UDP/mosh — I feel this is the most insecure part of this
setup and there should be something bettter instead of this. setup and there should be something bettter instead of this. As
something evil could run and listen on these ports.
*If some host doesn't run some of the mentioned service, it's not open in *If some host doesn't run some of the mentioned service, it's not open in
the firewall.* the firewall.*
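Review bot: the TODO in the 9091 bullet can be resolved instead of published: ufw does handle IPv6 when `IPV6=yes` is set in /etc/default/ufw, and `from` accepts an IPv6 prefix, so the equivalent rule is `ufw allow from <lan-ipv6-prefix>/64 to any port 9091 proto tcp` (placeholder prefix); the practical difficulty is that SLAAC privacy addresses change, which is a reason to match on the prefix rather than on a single host. The added sentence on 113 is correct: `reject` answers with a RST/ICMP error where the default policy silently drops, so it does confirm a live host to a scanner. The new sentence on the mosh range ("something evil could run and listen on these ports") is consistent with the closing italic note that a port is only open if a service listens; an allow rule alone exposes nothing. Typos on the edited mosh line and the 113 paragraph: "bettter", "purpouses".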