blog/ufw: limit access to cups & mdnsd to LAN

2015-08-22 12:01:20 +03:00 · 2015-08-22 12:01:20 +03:00 · 6a6ca79253
parent af8001edd9
commit 6a6ca79253
1 changed files with 5 additions and 4 deletions
--- a/_posts/2015-06-12-ufw.md
+++ b/_posts/2015-06-12-ufw.md
@ -23,8 +23,8 @@ ufw default allow outgoing
 systemctl enable ufw && systemctl start ufw
 ufw enable
 ufw reject 113
-ufw allow 631
-ufw allow 5353/udp
+ufw allow from 172.16.0.0/16 to any port 631
+ufw allow from 172.16.0.0/16 to any port 5353
 ufw allow 17500/tcp
 ufw allow 60000:61000/udp
 ```
@ -42,8 +42,9 @@ ufw allow 60000:61000/udp
  This makes ident checking IRC servers connect faster as they don't have
  to timeout. If you run shell server (for IRC purpouses) you should allow
  this instead.
-* 631/cups — Allow access to cups for printer sharing
-* 5353/mdns/Avahi — used for `.local` addresses
+* 631/cups — Allow access to cups for printer sharing from local network
+* 5353/mdns/Avahi — used for `.local` addresses and probably not needed
+  outside local network
 * 17500/Dropbox — which I use everywhere
 * 60000:61000/mosh — I feel this is the most insecure part of this setup
  and there should be something bettter instead of this.