mirror of
https://github.com/mikaela/mikaela.github.io/
synced 2024-11-26 14:29:24 +01:00
_posts: update 2015-06-12-ufw.md
This commit is contained in:
parent
5988c19571
commit
6520c44eed
@ -14,6 +14,12 @@ redirect_from: /ufw/
|
|||||||
Having firewall is important as you aren't always in your trusted home
|
Having firewall is important as you aren't always in your trusted home
|
||||||
network and with IPv6 your devices have public IPv6 addresses.
|
network and with IPv6 your devices have public IPv6 addresses.
|
||||||
|
|
||||||
|
*Threat model: service I am not aware of or that I accidentally make
|
||||||
|
listen wider than intended and with UFW I am aware of what ports are
|
||||||
|
allowed. I assume any host is going to move randomly and not
|
||||||
|
whitelisting only from certain addresses as that address can be
|
||||||
|
encountered anywhere.*
|
||||||
|
|
||||||
This post first has list of commands, then explanations.
|
This post first has list of commands, then explanations.
|
||||||
|
|
||||||
```
|
```
|
||||||
@ -23,15 +29,13 @@ ufw default allow outgoing
|
|||||||
systemctl enable ufw && systemctl start ufw
|
systemctl enable ufw && systemctl start ufw
|
||||||
ufw enable
|
ufw enable
|
||||||
ufw reject 113/tcp
|
ufw reject 113/tcp
|
||||||
ufw allow from 172.16.0.0/16 to any port 631
|
ufw allow 631
|
||||||
ufw allow 3544/udp
|
ufw allow 5353/udp
|
||||||
ufw allow from 172.16.0.0/16 to any port 5353 proto udp
|
|
||||||
ufw allow from 172.16.0.0/16 to any port 9091 proto tcp
|
ufw allow from 172.16.0.0/16 to any port 9091 proto tcp
|
||||||
ufw allow from 172.16.0.0/16 to any port 17500 proto tcp
|
|
||||||
ufw allow 60000:61000/udp
|
ufw allow 60000:61000/udp
|
||||||
```
|
```
|
||||||
|
|
||||||
* 22 TCP/ssh — Allow acces to SSHdm you don't want to lock yourself out.
|
* 22 TCP/ssh — Allow acces to SSHd you don't want to lock yourself out.
|
||||||
* previously I used `ufw limit` but it seems to be too oversensitive,
|
* previously I used `ufw limit` but it seems to be too oversensitive,
|
||||||
just use SSHGuard.
|
just use SSHGuard.
|
||||||
* Deny incoming connections unless the port has been whitelisted.
|
* Deny incoming connections unless the port has been whitelisted.
|
||||||
@ -43,20 +47,19 @@ ufw allow 60000:61000/udp
|
|||||||
* 113 TCP/ident — Tell "Connection refused" to whoever tries to reach port
|
* 113 TCP/ident — Tell "Connection refused" to whoever tries to reach port
|
||||||
113. This makes ident checking IRC servers connect faster as they don't
|
113. This makes ident checking IRC servers connect faster as they don't
|
||||||
have to timeout. If you run shell server (for IRC purpouses) you should
|
have to timeout. If you run shell server (for IRC purpouses) you should
|
||||||
allow this instead.
|
allow this instead. And if you don't use IRC or don't care about having
|
||||||
* 631 both/cups — Allow access to cups for printer sharing from local
|
to wait for the check to timeout, don't do this as you may leave
|
||||||
network
|
yourself visible to random port scanners.
|
||||||
* 3544 udp/miredo — Sadly native IPv6 isn't everywhere, neither is 6rd
|
* 631 both/cups — Allow access to cups for printer sharing.
|
||||||
with every ISP or proper tunnel.
|
* 5353 UDP/mdns/Avahi — used for `.local` addresses.
|
||||||
* 5353 UDP/mdns/Avahi — used for `.local` addresses and probably not
|
* 9091 TCP/transmission web interface and also example on how to allow
|
||||||
needed outside local network
|
access to port only from specific addresses, only for devices that
|
||||||
* 9091 TCP/transmission web interface — also something I want to access
|
aren't going anywhere and if IPv6 isn't cared about. (TODO: How to do
|
||||||
from LAN. This seems risky too, but risks can be limited by only
|
it IPv6? I have faint idea of UFW not supporting it).
|
||||||
using this rule with static hosts.
|
|
||||||
* Transmission file transfer uses TCP. Default port: 51413.
|
* Transmission file transfer uses TCP. Default port: 51413.
|
||||||
* 17500 TCP/Dropbox LAN sync — which I use with desktops
|
|
||||||
* 60000:61000 UDP/mosh — I feel this is the most insecure part of this
|
* 60000:61000 UDP/mosh — I feel this is the most insecure part of this
|
||||||
setup and there should be something bettter instead of this.
|
setup and there should be something bettter instead of this. As
|
||||||
|
something evil could run and listen on these ports.
|
||||||
|
|
||||||
*If some host doesn't run some of the mentioned service, it's not open in
|
*If some host doesn't run some of the mentioned service, it's not open in
|
||||||
the firewall.*
|
the firewall.*
|
||||||
|
Loading…
Reference in New Issue
Block a user