mirror of
https://github.com/mikaela/mikaela.github.io/
synced 2024-12-25 12:42:34 +01:00
_posts/ufw: specify protocols for ports
This commit is contained in:
parent
d273ec2408
commit
d96880c1c0
@ -17,40 +17,42 @@ network and with IPv6 your devices have public IPv6 addresses.
|
||||
This post first has list of commands, then explanations.
|
||||
|
||||
```
|
||||
ufw limit 22
|
||||
ufw limit 22/tcp
|
||||
ufw default deny incoming
|
||||
ufw default allow outgoing
|
||||
systemctl enable ufw && systemctl start ufw
|
||||
ufw enable
|
||||
ufw reject 113
|
||||
ufw reject 113/tcp
|
||||
ufw allow from 172.16.0.0/16 to any port 631
|
||||
ufw allow from 172.16.0.0/16 to any port 5353
|
||||
ufw allow from 172.16.0.0/16 to any port 9091
|
||||
ufw allow from 172.16.0.0/16 to any port 5353 proto udp
|
||||
ufw allow from 173.16.0.0/16 to any port 9091 proto tcp
|
||||
ufw allow from 172.16.0.0/16 to any port 17500 proto tcp
|
||||
ufw allow 60000:61000/udp
|
||||
```
|
||||
|
||||
* 22/ssh — Prevent more than 6 connections in 30 seconds to the SSH port
|
||||
* 22 TCP/ssh — Prevent more than 6 connections in 30 seconds to the SSH
|
||||
port and it's the first command as you don't want to lock yourself out of
|
||||
and it's the first command as you don't want to lock yourself out of
|
||||
your host when you enable the firewall.
|
||||
* Deny incoming connections unless the port has been whitelisted.
|
||||
* Allow all outgoing connections, keeping list of authorized ports would be
|
||||
too much for me.
|
||||
* Start ufw on boot and now (I am not sure if this step is required, but
|
||||
better safe than sorry).
|
||||
* Put the firewall in force.
|
||||
* 113/ident — Tell "Connection refused" to whoever tries to reach port 113.
|
||||
This makes ident checking IRC servers connect faster as they don't have
|
||||
to timeout. If you run shell server (for IRC purpouses) you should allow
|
||||
this instead.
|
||||
* 631/cups — Allow access to cups for printer sharing from local network
|
||||
* 5353/mdns/Avahi — used for `.local` addresses and probably not needed
|
||||
* 113 TCP/ident — Tell "Connection refused" to whoever tries to reach port
|
||||
113. This makes ident checking IRC servers connect faster as they don't
|
||||
have to timeout. If you run shell server (for IRC purpouses) you should
|
||||
allow this instead.
|
||||
* 631 both/cups — Allow access to cups for printer sharing from local
|
||||
network
|
||||
* 5353 UDP/mdns/Avahi — used for `.local` addresses and probably not needed
|
||||
outside local network
|
||||
* 9091/transmission web interface — also something I want to access from
|
||||
LAN.
|
||||
* 9091 TCP/transmission web interface — also something I want to access
|
||||
from LAN. This seems risky too.
|
||||
* Transmission file transfer uses TCP. Default port: 51413.
|
||||
* 17500 TCP/Dropbox LAN sync — which I use with desktops
|
||||
* 60000:61000/mosh — I feel this is the most insecure part of this setup
|
||||
and there should be something bettter instead of this.
|
||||
* 60000:61000 UDP/mosh — I feel this is the most insecure part of this
|
||||
setup and there should be something bettter instead of this.
|
||||
|
||||
*If some host doesn't run some of the mentioned service, it's not open in
|
||||
the firewall.*
|
||||
|
Loading…
Reference in New Issue
Block a user