mirror of
https://github.com/mikaela/mikaela.github.io/
synced 2024-12-25 20:52:34 +01:00
_posts/ufw: specify protocols for ports
This commit is contained in:
parent
d273ec2408
commit
d96880c1c0
@ -17,40 +17,42 @@ network and with IPv6 your devices have public IPv6 addresses.
|
|||||||
This post first has list of commands, then explanations.
|
This post first has list of commands, then explanations.
|
||||||
|
|
||||||
```
|
```
|
||||||
ufw limit 22
|
ufw limit 22/tcp
|
||||||
ufw default deny incoming
|
ufw default deny incoming
|
||||||
ufw default allow outgoing
|
ufw default allow outgoing
|
||||||
systemctl enable ufw && systemctl start ufw
|
systemctl enable ufw && systemctl start ufw
|
||||||
ufw enable
|
ufw enable
|
||||||
ufw reject 113
|
ufw reject 113/tcp
|
||||||
ufw allow from 172.16.0.0/16 to any port 631
|
ufw allow from 172.16.0.0/16 to any port 631
|
||||||
ufw allow from 172.16.0.0/16 to any port 5353
|
ufw allow from 172.16.0.0/16 to any port 5353 proto udp
|
||||||
ufw allow from 172.16.0.0/16 to any port 9091
|
ufw allow from 173.16.0.0/16 to any port 9091 proto tcp
|
||||||
ufw allow from 172.16.0.0/16 to any port 17500 proto tcp
|
ufw allow from 172.16.0.0/16 to any port 17500 proto tcp
|
||||||
ufw allow 60000:61000/udp
|
ufw allow 60000:61000/udp
|
||||||
```
|
```
|
||||||
|
|
||||||
* 22/ssh — Prevent more than 6 connections in 30 seconds to the SSH port
|
* 22 TCP/ssh — Prevent more than 6 connections in 30 seconds to the SSH
|
||||||
|
port and it's the first command as you don't want to lock yourself out of
|
||||||
and it's the first command as you don't want to lock yourself out of
|
and it's the first command as you don't want to lock yourself out of
|
||||||
your host when you enable the firewall.
|
|
||||||
* Deny incoming connections unless the port has been whitelisted.
|
* Deny incoming connections unless the port has been whitelisted.
|
||||||
* Allow all outgoing connections, keeping list of authorized ports would be
|
* Allow all outgoing connections, keeping list of authorized ports would be
|
||||||
too much for me.
|
too much for me.
|
||||||
* Start ufw on boot and now (I am not sure if this step is required, but
|
* Start ufw on boot and now (I am not sure if this step is required, but
|
||||||
better safe than sorry).
|
better safe than sorry).
|
||||||
* Put the firewall in force.
|
* Put the firewall in force.
|
||||||
* 113/ident — Tell "Connection refused" to whoever tries to reach port 113.
|
* 113 TCP/ident — Tell "Connection refused" to whoever tries to reach port
|
||||||
This makes ident checking IRC servers connect faster as they don't have
|
113. This makes ident checking IRC servers connect faster as they don't
|
||||||
to timeout. If you run shell server (for IRC purpouses) you should allow
|
have to timeout. If you run shell server (for IRC purpouses) you should
|
||||||
this instead.
|
allow this instead.
|
||||||
* 631/cups — Allow access to cups for printer sharing from local network
|
* 631 both/cups — Allow access to cups for printer sharing from local
|
||||||
* 5353/mdns/Avahi — used for `.local` addresses and probably not needed
|
network
|
||||||
|
* 5353 UDP/mdns/Avahi — used for `.local` addresses and probably not needed
|
||||||
outside local network
|
outside local network
|
||||||
* 9091/transmission web interface — also something I want to access from
|
* 9091 TCP/transmission web interface — also something I want to access
|
||||||
LAN.
|
from LAN. This seems risky too.
|
||||||
|
* Transmission file transfer uses TCP. Default port: 51413.
|
||||||
* 17500 TCP/Dropbox LAN sync — which I use with desktops
|
* 17500 TCP/Dropbox LAN sync — which I use with desktops
|
||||||
* 60000:61000/mosh — I feel this is the most insecure part of this setup
|
* 60000:61000 UDP/mosh — I feel this is the most insecure part of this
|
||||||
and there should be something bettter instead of this.
|
setup and there should be something bettter instead of this.
|
||||||
|
|
||||||
*If some host doesn't run some of the mentioned service, it's not open in
|
*If some host doesn't run some of the mentioned service, it's not open in
|
||||||
the firewall.*
|
the firewall.*
|
||||||
|
Loading…
Reference in New Issue
Block a user