Firewall setup

From Smith family

I used to do firewall setup manually for the server, but ufw has now improved to the point where I use that. See historic versions of this page from before December 2016 for details.

Set up ufw

Add rules for the services the server machine will provide, then enable ufw. Allow SSH before enabling: ufw's default policy denies incoming traffic, so enabling it over an SSH session before the SSH rule exists drops that session. Rules given by service name (ssh, http, ...) take their port and protocol from /etc/services; the database rules are limited to the LAN, since nothing outside 192.168.1.0/24 should reach them:

root@server:~# ufw allow ssh
root@server:~# ufw allow http
root@server:~# ufw allow https
root@server:~# ufw allow domain
root@server:~# ufw allow ipp
root@server:~# ufw allow imap
root@server:~# ufw allow smtp
root@server:~# ufw allow submission
root@server:~# ufw allow from 192.168.1.0/24 to any port mysql
root@server:~# ufw allow from 192.168.1.0/24 to any port postgresql
root@server:~# ufw allow git
root@server:~# ufw allow in proto tcp from 192.168.1.0/24 to any port 27017:27019 # Mongo
root@server:~# ufw allow in proto tcp from 192.168.1.0/24 to any port 28017 # Mongo web interface
root@server:~# ufw enable

Likewise for the desktop machine: add the rules for the services it will provide, with the SSH rule first, and enable ufw last:

root@desktop:~# ufw allow ssh
root@desktop:~# ufw allow http
root@desktop:~# ufw allow https
root@desktop:~# ufw allow domain
root@desktop:~# ufw allow ipp
root@desktop:~# ufw allow netbios-ns
root@desktop:~# ufw allow netbios-dgm
root@desktop:~# ufw allow netbios-ssn
root@desktop:~# ufw allow microsoft-ds
root@desktop:~# ufw allow in proto udp from 192.168.1.0/24 to any port 1714:1764
root@desktop:~# ufw allow in proto tcp from 192.168.1.0/24 to any port 1714:1764
root@desktop:~# ufw allow in proto tcp from 192.168.1.0/24 to any port 8484
root@desktop:~# ufw allow in proto tcp from 192.168.1.0/24 to any port 3551
root@desktop:~# ufw enable

(The 1714:1764 udp and tcp rules are for KDE Connect, 8484 is for amaroKontrol, and 3551 is for the APC UPS daemon; all four are limited to the LAN.)

Check ufw's status

A rule listed without a /tcp or /udp suffix, as for the services added above by name, applies to both protocols; ufw allow 22/tcp is the tighter form for SSH. Note also that the Samba (137-139, 445) and CUPS (631) rules on the desktop are open to Anywhere; if the desktop ever joins an untrusted network, restrict them to the LAN the way the KDE Connect rules are.

root@desktop:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
53                         ALLOW IN    Anywhere
631                        ALLOW IN    Anywhere
137                        ALLOW IN    Anywhere
138                        ALLOW IN    Anywhere
139                        ALLOW IN    Anywhere
445                        ALLOW IN    Anywhere
1714:1764/tcp              ALLOW IN    192.168.1.0/24
8484/tcp                   ALLOW IN    192.168.1.0/24
22 (v6)                    ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
53 (v6)                    ALLOW IN    Anywhere (v6)
631 (v6)                   ALLOW IN    Anywhere (v6)
137 (v6)                   ALLOW IN    Anywhere (v6)
138 (v6)                   ALLOW IN    Anywhere (v6)
139 (v6)                   ALLOW IN    Anywhere (v6)
445 (v6)                   ALLOW IN    Anywhere (v6)
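
A scripted version of the setup above together with a check for the status listing, as an added example and not the page's own commands: the intended ruleset lives in one place, the script emits the ufw commands in a lockout-safe order (SSH allowed before ufw enable) and audits real ufw status output against the plan, flagging extra, missing and protocol-unrestricted rules. Only the 192.168.1.0/24 LAN comes from the page; the PLAN contents, the SAMPLE_STATUS capture and the function names plan_commands, audit_rules and check_drift are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page.  Declare the intended ufw
# ruleset once, generate the commands that apply it in a lockout-safe
# order, and audit live "ufw status" output against it.
# PLAN and SAMPLE_STATUS are constructed; only the 192.168.1.0/24 LAN is
# taken from the page.  Rule format: "<port[:port]>/<tcp|udp> <src|any>".

PLAN='22/tcp any
80/tcp any
443/tcp any
3306/tcp 192.168.1.0/24
5432/tcp 192.168.1.0/24
27017:27019/tcp 192.168.1.0/24'

# Turn one plan line into a ufw command (full syntax, as on the page).
emit_rule() {
    port=${1%/*}; proto=${1#*/}
    if [ "$2" = any ]; then
        echo "ufw allow in proto $proto to any port $port"
    else
        echo "ufw allow in proto $proto from $2 to any port $port"
    fi
}

# Print the commands that realise the plan.  Order matters: default policy
# first, the SSH rule before every other rule, "enable" last, so enabling
# over an SSH session can never cut that session off.  Pipe the output
# into sh as root to apply it, or just read it as a dry run.
plan_commands() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    printf '%s\n' "$1" | awk 'NF == 2 && $1 ~ /^22\//' |
        while read -r d s; do emit_rule "$d" "$s"; done
    printf '%s\n' "$1" | awk 'NF == 2 && $1 !~ /^22\//' |
        while read -r d s; do emit_rule "$d" "$s"; done
    echo "ufw --force enable"          # --force skips the confirmation prompt
}

# Compare "ufw status" output (IPv4 "ALLOW IN" rules only) with the plan
# and print one line per finding:
#   NOPROTO  live rule without /tcp or /udp, i.e. open for both protocols
#            (what adding a rule by service name can produce)
#   EXTRA    live rule that is not in the plan (added by hand, or broader)
#   MISSING  planned rule that is not live
audit_rules() {
    plan=$(printf '%s\n' "$1" | awk 'NF == 2 { split($1, p, "/"); print p[1], p[2], $2 }')
    live=$(printf '%s\n' "$2" | awk '$2 == "ALLOW" && $3 == "IN" {
        n = split($1, p, "/"); src = ($4 == "Anywhere") ? "any" : $4
        print p[1], (n > 1 ? p[2] : "-"), src }')
    printf '%s\n' "$live" | while read -r port proto src; do
        [ -n "$port" ] || continue
        shown=$port; [ "$proto" = - ] || shown=$port/$proto
        [ "$proto" = - ] && echo "NOPROTO $port from $src"
        hit=$(printf '%s\n' "$plan" | awk -v P="$port" -v R="$proto" -v S="$src" \
            '$1 == P && $3 == S && (R == "-" || $2 == R) { c++ } END { print c + 0 }')
        [ "$hit" -gt 0 ] || echo "EXTRA $shown from $src"
    done
    printf '%s\n' "$plan" | while read -r port proto src; do
        [ -n "$port" ] || continue
        hit=$(printf '%s\n' "$live" | awk -v P="$port" -v R="$proto" -v S="$src" \
            '$1 == P && $3 == S && ($2 == "-" || $2 == R) { c++ } END { print c + 0 }')
        [ "$hit" -gt 0 ] || echo "MISSING $port/$proto from $src"
    done
}

# Returns 0 when the live ruleset matches the plan; otherwise prints the
# findings and returns 1 (usable from cron or a config-management check).
check_drift() {
    findings=$(audit_rules "$1" "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed "ufw status" capture in the format shown on the page: port 22
# opened by name (both protocols), an 8080 rule nobody planned, and two
# planned LAN rules absent.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    192.168.1.0/24
8080/tcp                   ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)'

plan_commands "$PLAN"                       # dry run of the setup
check_drift "$PLAN" "$SAMPLE_STATUS" || echo "ruleset drifted from plan"
# Against a real machine (as root):  check_drift "$PLAN" "$(ufw status)"
```

Running it prints the nine setup commands and then the four findings for the constructed capture: NOPROTO for port 22, EXTRA for 8080/tcp, and MISSING for the two LAN rules. The plan keeps the proto on every rule on purpose, so that a rule added by service name shows up as NOPROTO rather than silently passing.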