mikaela.github.io/_posts/2015-06-12-ufw.md
Mikaela Suomalainen ae8076330c ufw: remove 5060/sip
I didn't ever do what I wanted to do with linphone and WebRTC suits my
purpouses better, as it's just sharing Firefox Hello or appear.in link
it's a lot easier to get people to use it when needed.
2015-07-09 16:01:05 +03:00

53 lines
1.8 KiB
Markdown

---
layout: post
comments: true
title: "My ufw (Ubuntu/Uncomplicated Firewall) config"
category: [english]
tags: [english]
redirect_from: /ufw/
---
*This post describes my UFW config and is here so I find it from somewhere
and with hope that I am told if someone notices something terriby insecure
here and is able to offer suggestions.*
Having firewall is important as you aren't always in your trusted home
network and with IPv6 your devices have public IPv6 addresses.
This post first has list of commands, then explanations.
```
ufw limit 22
ufw default deny incoming
ufw default allow outgoing
systemctl enable ufw && systemctl start ufw
ufw enable
ufw reject 113
ufw allow 631
ufw allow 5353/udp
ufw allow 17500/tcp
ufw allow 60000:61000/udp
```
* 22/ssh — Prevent more than 6 connections in 30 seconds to the SSH port
and it's the first command as you don't want to lock yourself out of
your host when you enable the firewall.
* Deny incoming connections unless the port has been whitelisted.
* Allow all outgoing connections, keeping list of authorized ports would be
too much for me.
* Start ufw on boot and now (I am not sure if this step is required, but
better safe than sorry).
* Put the firewall in force.
* 113/ident — Tell "Connection refused" to whoever tries to reach port 113.
This makes ident checking IRC servers connect faster as they don't have
to timeout. If you run shell server (for IRC purpouses) you should allow
this instead.
* 631/cups — Allow access to cups for printer sharing
* 5353/mdns/Avahi — used for `.local` addresses
* 17500/Dropbox — which I use everywhere
* 60000:61000/mosh — I feel this is the most insecure part of this setup
and there should be something bettter instead of this.
*If some host doesn't run some of the mentioned service, it's not open in
the firewall.*