--- layout: post comments: true title: "My ufw (Ubuntu/Uncomplicated Firewall) config" category: [english] tags: [english] redirect_from: /ufw/ --- *This post describes my UFW config and is here so I find it from somewhere and with hope that I am told if someone notices something terriby insecure here and is able to offer suggestions.* Having firewall is important as you aren't always in your trusted home network and with IPv6 your devices have public IPv6 addresses. This post first has list of commands, then explanations. ``` ufw limit 22 ufw default deny incoming ufw default allow outgoing systemctl enable ufw && systemctl start ufw ufw enable ufw reject 113 ufw allow from 172.16.0.0/16 to any port 631 ufw allow from 172.16.0.0/16 to any port 5353 ufw allow from 172.16.0.0/16 to any port 9091 ufw allow from 172.16.0.0/16 to any port 17500 proto tcp ufw allow 60000:61000/udp ``` * 22/ssh — Prevent more than 6 connections in 30 seconds to the SSH port and it's the first command as you don't want to lock yourself out of your host when you enable the firewall. * Deny incoming connections unless the port has been whitelisted. * Allow all outgoing connections, keeping list of authorized ports would be too much for me. * Start ufw on boot and now (I am not sure if this step is required, but better safe than sorry). * Put the firewall in force. * 113/ident — Tell "Connection refused" to whoever tries to reach port 113. This makes ident checking IRC servers connect faster as they don't have to timeout. If you run shell server (for IRC purpouses) you should allow this instead. * 631/cups — Allow access to cups for printer sharing from local network * 5353/mdns/Avahi — used for `.local` addresses and probably not needed outside local network * 9091/transmission web interface — also something I want to access from LAN. * 17500 TCP/Dropbox LAN sync — which I use with desktops * 60000:61000/mosh — I feel this is the most insecure part of this setup and there should be something bettter instead of this. *If some host doesn't run some of the mentioned service, it's not open in the firewall.*