From 6a6ca792535c5f73a32fa681dd38bfd89b6620bc Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen
Date: Sat, 22 Aug 2015 12:01:20 +0300
Subject: [PATCH] blog/ufw: limit access to cups & mdnsd to LAN

---
 _posts/2015-06-12-ufw.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/_posts/2015-06-12-ufw.md b/_posts/2015-06-12-ufw.md
index 21e3d8b..055fa11 100644
--- a/_posts/2015-06-12-ufw.md
+++ b/_posts/2015-06-12-ufw.md
@@ -23,8 +23,8 @@ ufw default allow outgoing
 systemctl enable ufw && systemctl start ufw
 ufw enable
 ufw reject 113
-ufw allow 631
-ufw allow 5353/udp
+ufw allow from 172.16.0.0/16 to any port 631
+ufw allow from 172.16.0.0/16 to any port 5353
 ufw allow 17500/tcp
 ufw allow 60000:61000/udp
 ```
@@ -42,8 +42,9 @@ ufw allow 60000:61000/udp
 This makes ident checking IRC servers connect faster as they don't have to timeout. If you run shell server (for IRC purpouses) you should allow this instead.
-* 631/cups — Allow access to cups for printer sharing
-* 5353/mdns/Avahi — used for `.local` addresses
+* 631/cups — Allow access to cups for printer sharing from local network
+* 5353/mdns/Avahi — used for `.local` addresses and probably not needed
+ outside local network
 * 17500/Dropbox — which I use everywhere
 * 60000:61000/mosh — I feel this is the most insecure part of this setup and there should be something bettter instead of this.
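Review bot: The new 5353 rule in the first hunk drops the protocol restriction the old `ufw allow 5353/udp` line carried, so the rewritten rule now also opens TCP 5353 from the LAN; it should read `ufw allow from 172.16.0.0/16 to any port 5353 proto udp` (the 631 rule was already protocol-agnostic, so that one is a faithful translation). Restricting by source address should still work for mDNS, since the multicast queries to 224.0.0.251 arrive with the peer's unicast LAN address as source, but that is worth confirming on the host. One caveat for the post: a `from 172.16.0.0/16` match never matches IPv6, so if ufw has IPv6 enabled, Avahi's link-local IPv6 (fe80::/10) traffic is now rejected and `.local` resolution over IPv6 will silently stop working; a second rule with `from fe80::/10` covers that. Note also that 172.16.0.0/16 is narrower than the RFC 1918 172.16.0.0/12 block, which is fine if it is the author's actual LAN but readers copying the snippet may need to adjust it.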