Mikaela/mikaela.github.io
1
0
Fork 0
mirror of https://github.com/mikaela/mikaela.github.io/ synced 2025-01-11 13:32:36 +01:00
Code Issues Projects Releases Wiki Activity

_posts/ufw: stricten some rules, WIP

Browse Source 
WIP as I forgot at least KDE Connect from #133
This commit is contained in:
Aminda Suomalainen 2018-11-03 12:43:08 +02:00
parent 6d38e6b1f6
commit a2743adad0
No known key found for this signature in database
GPG Key ID: 0C207F07B2F32B67
1 changed files with 33 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
_posts/2015-06-12-ufw.md
View File

@ -9,18 +9,26 @@ redirect_from: /ufw/
*This post describes my UFW config and is here so I find it from somewhere
and with hope that I am told if someone notices something terriby insecure
here and is able to offer suggestions.*
here and is able to offer suggestions. This probably will never be
perfect.*
Having firewall is important as you aren't always in your trusted home
network and with IPv6 your devices have public IPv6 addresses.
network (that can also be broken into especially if you have WLAN) and
with IPv6 your devices have public IPv6 addresses. Theoretically your
router should include a firewall, but at least the Huawei mobile broadband
routers or MiFis don't include one (and I might be annoyed by it enough
to disable it anyway and configure everything on host level if it was
my network).
*Threat model: service I am not aware of or that I accidentally make
listen wider than intended and with UFW I am aware of what ports are
allowed. I assume any host is going to move randomly and not
whitelisting only from certain addresses as that address can be
encountered anywhere.*
listen wider than intended, with UFW I am aware of what ports are
allowed. I assume any mobile host is going to move randomly and while
some whitelists (especially link-local and IPv4 LANs) will overlap and
possibly allow access, it's still better than being open to the internet
and overlay networks that I have interacted with recently.*
This post first has list of commands, then explanations.
This post first has list of commands, then explanations that won't be
repeated with IPvX ranges.
```
ufw allow 22/tcp
@ -29,9 +37,12 @@ ufw default allow outgoing
systemctl enable ufw && systemctl start ufw
ufw enable
ufw reject 113/tcp
ufw allow 631
ufw allow 5353/udp
ufw allow from 172.16.0.0/16 to any port 9091 proto tcp
#ufw allow from 192.168.8.0/24 to any port 631 proto tcp
ufw allow from fe80::/10 to any port 631
#ufw allow from 192.168.8.0/24 to any port 5353 proto udp
ufw allow from fe80::/10 to any port 5353 proto udp
#ufw allow from <static:Yggdrasil:IPv6> to any port 5900
ufw allow from fe80::/10 to any port 9001
ufw allow 60000:61000/udp
```
@ -50,17 +61,22 @@ ufw allow 60000:61000/udp
allow this instead. And if you don't use IRC or don't care about having
to wait for the check to timeout, don't do this as you may leave
yourself visible to random port scanners.
* 631 both/cups — Allow access to cups for printer sharing.
* 631 both/cups — Allow access to cups for printer sharing from 192.168.8.xxx
* fe80:://10 is link-local address existing _everywhere_ IPv6 is enabled,
check your `ip addr` or on Windows `ipconfig /all` for fun.
* 5353 UDP/mdns/Avahi — used for `.local` addresses.
* 9091 TCP/transmission web interface and also example on how to allow
access to port only from specific addresses, only for devices that
aren't going anywhere and if IPv6 isn't cared about. (TODO: How to do
it IPv6? I have faint idea of UFW not supporting it).
* Transmission file transfer uses TCP and DHT UDP. Default port for
both is: 51413. [Source](https://trac.transmissionbt.com/ticket/2265)
* 5900 — VNC port at least for `krfb kdrc` (KDE Remote Desktop server & client).
I tend to only allow it from specific Yggdrasil address(es).
* 9001 — [Yggdrasil](https://yggdrasil-network.github.io/) automatic peering
port only on link-local.
* 60000:61000 UDP/mosh — I feel this is the most insecure part of this
setup and there should be something bettter instead of this. As
something evil could run and listen on these ports.
*If some host doesn't run some of the mentioned service, it's not open in
the firewall.*
* * * * *
Last updated: 2018-11-03T12:40 | [GitHub changelog](https://github.com/Mikaela/mikaela.github.io/commits/master/_posts/2015-06-12-ufw.md) |
[Blesmrt Gitea changelog](https://gitea.blesmrt.net/mikaela/mikaela-info/commits/branch/master/_posts/2015-06-12-ufw.md)