mirror of
https://github.com/mikaela/mikaela.github.io/
synced 2024-11-16 17:09:28 +01:00
Mikaela Suomalainen
ae8076330c
I didn't ever do what I wanted to do with linphone and WebRTC suits my purpouses better, as it's just sharing Firefox Hello or appear.in link it's a lot easier to get people to use it when needed.
53 lines
1.8 KiB
Markdown
53 lines
1.8 KiB
Markdown
---
|
|
layout: post
|
|
comments: true
|
|
title: "My ufw (Ubuntu/Uncomplicated Firewall) config"
|
|
category: [english]
|
|
tags: [english]
|
|
redirect_from: /ufw/
|
|
---
|
|
|
|
*This post describes my UFW config and is here so I find it from somewhere
|
|
and with hope that I am told if someone notices something terriby insecure
|
|
here and is able to offer suggestions.*
|
|
|
|
Having firewall is important as you aren't always in your trusted home
|
|
network and with IPv6 your devices have public IPv6 addresses.
|
|
|
|
This post first has list of commands, then explanations.
|
|
|
|
```
|
|
ufw limit 22
|
|
ufw default deny incoming
|
|
ufw default allow outgoing
|
|
systemctl enable ufw && systemctl start ufw
|
|
ufw enable
|
|
ufw reject 113
|
|
ufw allow 631
|
|
ufw allow 5353/udp
|
|
ufw allow 17500/tcp
|
|
ufw allow 60000:61000/udp
|
|
```
|
|
|
|
* 22/ssh — Prevent more than 6 connections in 30 seconds to the SSH port
|
|
and it's the first command as you don't want to lock yourself out of
|
|
your host when you enable the firewall.
|
|
* Deny incoming connections unless the port has been whitelisted.
|
|
* Allow all outgoing connections, keeping list of authorized ports would be
|
|
too much for me.
|
|
* Start ufw on boot and now (I am not sure if this step is required, but
|
|
better safe than sorry).
|
|
* Put the firewall in force.
|
|
* 113/ident — Tell "Connection refused" to whoever tries to reach port 113.
|
|
This makes ident checking IRC servers connect faster as they don't have
|
|
to timeout. If you run shell server (for IRC purpouses) you should allow
|
|
this instead.
|
|
* 631/cups — Allow access to cups for printer sharing
|
|
* 5353/mdns/Avahi — used for `.local` addresses
|
|
* 17500/Dropbox — which I use everywhere
|
|
* 60000:61000/mosh — I feel this is the most insecure part of this setup
|
|
and there should be something bettter instead of this.
|
|
|
|
*If some host doesn't run some of the mentioned service, it's not open in
|
|
the firewall.*
|