---
layout: post
comments: true
title: "My ufw (Ubuntu/Uncomplicated Firewall) config"
category: [english]
tags: [english]
redirect_from: /ufw/
---

*This post describes my UFW config and is here so I find it from somewhere
 and with hope that I am told if someone notices something terriby insecure
 here and is able to offer suggestions.*

Having firewall is important as you aren't always in your trusted home
network and with IPv6 your devices have public IPv6 addresses.

This post first has list of commands, then explanations.

```
ufw allow 22/tcp
ufw default deny incoming
ufw default allow outgoing
systemctl enable ufw && systemctl start ufw
ufw enable
ufw reject 113/tcp
ufw allow from 172.16.0.0/16 to any port 631
ufw allow 3544/udp
ufw allow from 172.16.0.0/16 to any port 5353 proto udp
ufw allow from 172.16.0.0/16 to any port 9091 proto tcp
ufw allow from 172.16.0.0/16 to any port 17500 proto tcp
ufw allow 60000:61000/udp
```

* 22 TCP/ssh — Allow acces to SSHdm you don't want to lock yourself out.
    * previously I used `ufw limit` but it seems to be too oversensitive,
      just use SSHGuard.
* Deny incoming connections unless the port has been whitelisted.
* Allow all outgoing connections, keeping list of authorized ports would
  be too much for me.
* Start ufw on boot and now (I am not sure if this step is required, but
  better safe than sorry).
* Put the firewall in force.
* 113 TCP/ident — Tell "Connection refused" to whoever tries to reach port
  113. This makes ident checking IRC servers connect faster as they don't
  have to timeout. If you run shell server (for IRC purpouses) you should
  allow this instead.
* 631 both/cups — Allow access to cups for printer sharing from local
  network
* 3544 udp/miredo — Sadly native IPv6 isn't everywhere, neither is 6rd
  with every ISP or proper tunnel.
* 5353 UDP/mdns/Avahi — used for `.local` addresses and probably not
  needed outside local network
* 9091 TCP/transmission web interface — also something I want to access
  from LAN. This seems risky too, but risks can be limited by only
  using this rule with static hosts.
    * Transmission file transfer uses TCP. Default port: 51413.
* 17500 TCP/Dropbox LAN sync — which I use with desktops
* 60000:61000 UDP/mosh — I feel this is the most insecure part of this
  setup and there should be something bettter instead of this.

*If some host doesn't run some of the mentioned service, it's not open in
the firewall.*