Mikaela/mikaela.github.io
1
0
Fork 0
mirror of https://github.com/mikaela/mikaela.github.io/ synced 2024-11-13 23:49:26 +01:00
Code Issues Projects Releases Wiki Activity
bc8b5dfd96
mikaela.github.io/_posts/2015-06-12-ufw.md
Mikaela Suomalainen 7952fcf0cc
ufw: transmission uses UDP for DHT 
Both are the same port number and this would be nice to be documented
somewhere.
2017-06-04 12:20:45 +03:00

2.7 KiB
Raw Blame History

This post describes my UFW config and is here so I find it from somewhere and with hope that I am told if someone notices something terriby insecure here and is able to offer suggestions.

Having firewall is important as you arent always in your trusted home network and with IPv6 your devices have public IPv6 addresses.

Threat model: service I am not aware of or that I accidentally make listen wider than intended and with UFW I am aware of what ports are allowed. I assume any host is going to move randomly and not whitelisting only from certain addresses as that address can be encountered anywhere.

This post first has list of commands, then explanations.

ufw allow 22/tcp
ufw default deny incoming
ufw default allow outgoing
systemctl enable ufw && systemctl start ufw
ufw enable
ufw reject 113/tcp
ufw allow 631
ufw allow 5353/udp
ufw allow from 172.16.0.0/16 to any port 9091 proto tcp
ufw allow 60000:61000/udp
  • 22 TCP/ssh — Allow acces to SSHd you dont want to lock yourself out.
    • previously I used ufw limit but it seems to be too oversensitive, just use SSHGuard.
  • Deny incoming connections unless the port has been whitelisted.
  • Allow all outgoing connections, keeping list of authorized ports would be too much for me.
  • Start ufw on boot and now (I am not sure if this step is required, but better safe than sorry).
  • Put the firewall in force.
  • 113 TCP/ident — Tell “Connection refused” to whoever tries to reach port
    1. This makes ident checking IRC servers connect faster as they dont have to timeout. If you run shell server (for IRC purpouses) you should allow this instead. And if you dont use IRC or dont care about having to wait for the check to timeout, dont do this as you may leave yourself visible to random port scanners.
  • 631 both/cups — Allow access to cups for printer sharing.
  • 5353 UDP/mdns/Avahi — used for .local addresses.
  • 9091 TCP/transmission web interface and also example on how to allow access to port only from specific addresses, only for devices that arent going anywhere and if IPv6 isnt cared about. (TODO: How to do it IPv6? I have faint idea of UFW not supporting it).
    • Transmission file transfer uses TCP and DHT UDP. Default port for both is: 51413. Source
  • 60000:61000 UDP/mosh — I feel this is the most insecure part of this setup and there should be something bettter instead of this. As something evil could run and listen on these ports.

If some host doesnt run some of the mentioned service, its not open in the firewall.