mirror of
https://github.com/mikaela/mikaela.github.io/
synced 2024-11-26 14:29:24 +01:00
_posts: update 2015-06-12-ufw.md
This commit is contained in:
parent
5988c19571
commit
6520c44eed
@ -14,6 +14,12 @@ redirect_from: /ufw/
|
||||
Having firewall is important as you aren't always in your trusted home
|
||||
network and with IPv6 your devices have public IPv6 addresses.
|
||||
|
||||
*Threat model: service I am not aware of or that I accidentally make
|
||||
listen wider than intended and with UFW I am aware of what ports are
|
||||
allowed. I assume any host is going to move randomly and not
|
||||
whitelisting only from certain addresses as that address can be
|
||||
encountered anywhere.*
|
||||
|
||||
This post first has list of commands, then explanations.
|
||||
|
||||
```
|
||||
@ -23,15 +29,13 @@ ufw default allow outgoing
|
||||
systemctl enable ufw && systemctl start ufw
|
||||
ufw enable
|
||||
ufw reject 113/tcp
|
||||
ufw allow from 172.16.0.0/16 to any port 631
|
||||
ufw allow 3544/udp
|
||||
ufw allow from 172.16.0.0/16 to any port 5353 proto udp
|
||||
ufw allow 631
|
||||
ufw allow 5353/udp
|
||||
ufw allow from 172.16.0.0/16 to any port 9091 proto tcp
|
||||
ufw allow from 172.16.0.0/16 to any port 17500 proto tcp
|
||||
ufw allow 60000:61000/udp
|
||||
```
|
||||
|
||||
* 22 TCP/ssh — Allow acces to SSHdm you don't want to lock yourself out.
|
||||
* 22 TCP/ssh — Allow acces to SSHd you don't want to lock yourself out.
|
||||
* previously I used `ufw limit` but it seems to be too oversensitive,
|
||||
just use SSHGuard.
|
||||
* Deny incoming connections unless the port has been whitelisted.
|
||||
@ -43,20 +47,19 @@ ufw allow 60000:61000/udp
|
||||
* 113 TCP/ident — Tell "Connection refused" to whoever tries to reach port
|
||||
113. This makes ident checking IRC servers connect faster as they don't
|
||||
have to timeout. If you run shell server (for IRC purpouses) you should
|
||||
allow this instead.
|
||||
* 631 both/cups — Allow access to cups for printer sharing from local
|
||||
network
|
||||
* 3544 udp/miredo — Sadly native IPv6 isn't everywhere, neither is 6rd
|
||||
with every ISP or proper tunnel.
|
||||
* 5353 UDP/mdns/Avahi — used for `.local` addresses and probably not
|
||||
needed outside local network
|
||||
* 9091 TCP/transmission web interface — also something I want to access
|
||||
from LAN. This seems risky too, but risks can be limited by only
|
||||
using this rule with static hosts.
|
||||
allow this instead. And if you don't use IRC or don't care about having
|
||||
to wait for the check to timeout, don't do this as you may leave
|
||||
yourself visible to random port scanners.
|
||||
* 631 both/cups — Allow access to cups for printer sharing.
|
||||
* 5353 UDP/mdns/Avahi — used for `.local` addresses.
|
||||
* 9091 TCP/transmission web interface and also example on how to allow
|
||||
access to port only from specific addresses, only for devices that
|
||||
aren't going anywhere and if IPv6 isn't cared about. (TODO: How to do
|
||||
it IPv6? I have faint idea of UFW not supporting it).
|
||||
* Transmission file transfer uses TCP. Default port: 51413.
|
||||
* 17500 TCP/Dropbox LAN sync — which I use with desktops
|
||||
* 60000:61000 UDP/mosh — I feel this is the most insecure part of this
|
||||
setup and there should be something bettter instead of this.
|
||||
setup and there should be something bettter instead of this. As
|
||||
something evil could run and listen on these ports.
|
||||
|
||||
*If some host doesn't run some of the mentioned service, it's not open in
|
||||
the firewall.*
|
||||
|
Loading…
Reference in New Issue
Block a user