_posts/ufw: specify protocols for ports

Aminda Suomalainen 2015-09-01 08:38:39 +03:00
parent d273ec2408
commit d96880c1c0


@ -17,40 +17,42 @@ network and with IPv6 your devices have public IPv6 addresses.
This post first has list of commands, then explanations. This post first has list of commands, then explanations.
``` ```
ufw limit 22 ufw limit 22/tcp
ufw default deny incoming ufw default deny incoming
ufw default allow outgoing ufw default allow outgoing
systemctl enable ufw && systemctl start ufw systemctl enable ufw && systemctl start ufw
ufw enable ufw enable
ufw reject 113 ufw reject 113/tcp
ufw allow from 172.16.0.0/16 to any port 631 ufw allow from 172.16.0.0/16 to any port 631
ufw allow from 172.16.0.0/16 to any port 5353 ufw allow from 172.16.0.0/16 to any port 5353 proto udp
ufw allow from 172.16.0.0/16 to any port 9091 ufw allow from 173.16.0.0/16 to any port 9091 proto tcp
ufw allow from 172.16.0.0/16 to any port 17500 proto tcp ufw allow from 172.16.0.0/16 to any port 17500 proto tcp
ufw allow 60000:61000/udp ufw allow 60000:61000/udp
``` ```
* 22/ssh — Prevent more than 6 connections in 30 seconds to the SSH port * 22 TCP/ssh — Prevent more than 6 connections in 30 seconds to the SSH
port and it's the first command as you don't want to lock yourself out of
and it's the first command as you don't want to lock yourself out of and it's the first command as you don't want to lock yourself out of
your host when you enable the firewall.
* Deny incoming connections unless the port has been whitelisted. * Deny incoming connections unless the port has been whitelisted.
* Allow all outgoing connections, keeping list of authorized ports would be * Allow all outgoing connections, keeping list of authorized ports would be
too much for me. too much for me.
* Start ufw on boot and now (I am not sure if this step is required, but * Start ufw on boot and now (I am not sure if this step is required, but
better safe than sorry). better safe than sorry).
* Put the firewall in force. * Put the firewall in force.
* 113/ident — Tell "Connection refused" to whoever tries to reach port 113. * 113 TCP/ident — Tell "Connection refused" to whoever tries to reach port
This makes ident checking IRC servers connect faster as they don't have 113. This makes ident checking IRC servers connect faster as they don't
to timeout. If you run shell server (for IRC purpouses) you should allow have to timeout. If you run shell server (for IRC purpouses) you should
this instead. allow this instead.
* 631/cups — Allow access to cups for printer sharing from local network * 631 both/cups — Allow access to cups for printer sharing from local
* 5353/mdns/Avahi — used for `.local` addresses and probably not needed network
* 5353 UDP/mdns/Avahi — used for `.local` addresses and probably not needed
outside local network outside local network
* 9091/transmission web interface — also something I want to access from * 9091 TCP/transmission web interface — also something I want to access
LAN. from LAN. This seems risky too.
* Transmission file transfer uses TCP. Default port: 51413.
* 17500 TCP/Dropbox LAN sync — which I use with desktops * 17500 TCP/Dropbox LAN sync — which I use with desktops
* 60000:61000/mosh — I feel this is the most insecure part of this setup * 60000:61000 UDP/mosh — I feel this is the most insecure part of this
and there should be something bettter instead of this. setup and there should be something bettter instead of this.
*If some host doesn't run some of the mentioned service, it's not open in *If some host doesn't run some of the mentioned service, it's not open in
the firewall.* the firewall.*
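Review bot: the updated rule for port 9091 changes the source network from 172.16.0.0/16 to 173.16.0.0/16, which is not an RFC 1918 private range and does not match the 172.16.0.0/16 used by every other LAN rule in the block, so it would allow a publicly routable /16 to reach the Transmission web interface while silently dropping LAN access; the explanation line still says this port is accessed "from LAN", so this looks like a typo, and the line should read `ufw allow from 172.16.0.0/16 to any port 9091 proto tcp`. Minor: "purpouses" and "bettter" in the explanations are misspelled, and the new sentence about Transmission's default port 51413 mentions a port that no rule in the command list opens, which may be worth stating explicitly.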