Firewall setup

From Smith family

I used to do the firewall setup manually for the server, but ufw has now improved to the point where I use that instead. See the historical versions of this page from before December 2016 for the manual iptables details.

For the port names that can be used in rules, see /etc/services and the list printed by ufw app list.

Set up ufw

Enable ufw and add rules for the services the server machine will provide. The default incoming policy is deny, so if you are doing this over SSH, make sure the ufw allow ssh rule is in place before enabling the firewall, otherwise new SSH connections will be refused:

root@server:~# ufw enable
root@server:~# ufw allow ssh
root@server:~# ufw allow http
root@server:~# ufw allow https
root@server:~# ufw allow imap
root@server:~# ufw allow smtp
root@server:~# ufw allow submission
root@server:~# ufw allow from 192.168.1.0/24 to any port mysql
root@server:~# ufw allow from 192.168.1.0/24 to any port postgresql
root@server:~# ufw allow from 192.168.1.0/24 to any port 27017:27019 proto tcp # Mongo
root@server:~# ufw allow from 192.168.1.0/24 to any port 28017 proto tcp # Mongo web interface
root@server:~# ufw allow from 192.168.1.0/24 to any port mdns
root@server:~# ufw allow from 192.168.1.0/24 to any port ipp
root@server:~# ufw allow from 192.168.1.0/24 to any port netbios-ns
root@server:~# ufw allow from 192.168.1.0/24 to any port netbios-dgm
root@server:~# ufw allow from 192.168.1.0/24 to any port netbios-ssn
root@server:~# ufw allow from 192.168.1.0/24 to any port microsoft-ds
root@server:~# ufw allow from 192.168.1.0/24 to any port 3551 # apcupsd
root@server:~# ufw allow git
root@server:~# ufw allow from 192.168.1.0/24 to any port 4949 # Munin
root@server:~# ufw allow from 192.168.1.0/24 to any port domain
root@server:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port mysql proto tcp
root@server:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port postgresql proto tcp
root@server:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 27017:27019 proto tcp # Mongo
root@server:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 28017 proto tcp # Mongo web interface
root@server:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 3551 # apcupsd
root@server:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 4949 # munin
root@server:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port domain
root@server:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port ipp proto tcp

Enable ufw and add rules for the services the desktop machine will provide:

root@desktop:~# ufw enable
root@desktop:~# ufw allow ssh
root@desktop:~# ufw allow http
root@desktop:~# ufw allow https
root@desktop:~# ufw allow from 192.168.1.0/24 to any port domain
root@desktop:~# ufw allow from 192.168.1.0/24 to any port ipp
root@desktop:~# ufw allow from 192.168.1.0/24 to any port netbios-ns
root@desktop:~# ufw allow from 192.168.1.0/24 to any port netbios-dgm
root@desktop:~# ufw allow from 192.168.1.0/24 to any port netbios-ssn
root@desktop:~# ufw allow from 192.168.1.0/24 to any port microsoft-ds
root@desktop:~# ufw allow from 192.168.1.0/24 to any port 1714:1764 proto udp # KDE Connect
root@desktop:~# ufw allow from 192.168.1.0/24 to any port 1714:1764 proto tcp # KDE Connect
root@desktop:~# ufw allow from 192.168.1.0/24 to any port 3551 # apcupsd
root@desktop:~# ufw allow from 192.168.1.0/24 to any port 8080 # Calibre server
root@desktop:~# ufw allow from 192.168.1.0/24 to any port 8200 # MiniDLNA
root@desktop:~# ufw allow from 192.168.1.0/24 to any port 1900 # SSDP / UPnP
root@desktop:~# ufw allow from 192.168.1.0/24 to any port 4949 # Munin
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port domain
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port ipp
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port netbios-ns
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port netbios-dgm
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port netbios-ssn
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port microsoft-ds
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 1714:1764 proto udp # KDE Connect
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 1714:1764 proto tcp # KDE Connect
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 8080 # Calibre server
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 3551 # apcupsd
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 1900 # SSDP / UPnP
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 8200 # MiniDLNA
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 4949 # Munin

(The numeric ports have no name in /etc/services, so they are annotated in the comments above: KDE Connect, apcupsd for the APC UPS, the Calibre ebook server, MiniDLNA, SSDP/UPnP and Munin.)
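The lists above repeat every LAN-only rule once per subnet, and the IPv4 and IPv6 copies can easily drift apart (the server's IPv6 list, for instance, has no mdns or netbios rules). As an added example that is not part of this wiki page, the following script generates the server's rule set from a single table of services and allowed source networks, prints the rules for review, and only enables ufw after the ssh rule. The subnets are the placeholders used on this page, the port list is taken from the server rules above, and apply_rules assumes ufw is installed and the script is run as root.

```shell
#!/bin/sh
# Added example (not the wiki author's own script): generate the ufw rule set
# from one table so the IPv4 and IPv6 LAN rules cannot drift apart.
# Subnets are the placeholders used on this page, not real addresses.
LAN_NETS="192.168.1.0/24 1234:abcd:4321:dcba::/64"

# Services reachable from everywhere (names from /etc/services or ufw app list)
PUBLIC_PORTS="ssh http https imap smtp submission git"

# Services reachable only from the LAN.  A port range needs a protocol
# (ufw rejects "27017:27019" without "proto tcp" or "proto udp"), so
# append /tcp or /udp where needed.
LAN_PORTS="mysql postgresql 27017:27019/tcp 28017/tcp mdns ipp
netbios-ns netbios-dgm netbios-ssn microsoft-ds 3551 4949 domain"

# Print the ufw commands, one per line; nothing is executed here.
gen_rules() {
    for p in $PUBLIC_PORTS; do
        echo "ufw allow $p"
    done
    for spec in $LAN_PORTS; do
        port=${spec%%/*}
        case $spec in
            */*) proto=" proto ${spec#*/}" ;;
            *)   proto="" ;;
        esac
        for net in $LAN_NETS; do
            echo "ufw allow from $net to any port $port$proto"
        done
    done
    # Enable last, after the ssh rule exists, so a remote session is not locked out.
    echo "ufw enable"
}

# Run the generated commands (needs root and ufw); stop at the first failure.
apply_rules() {
    gen_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1
    done
}

# Dry run by default: review the printed rules, then run apply_rules as root.
gen_rules
```

Adding a service means adding one token to PUBLIC_PORTS or LAN_PORTS; the script emits the matching rule for every network in LAN_NETS, so a new subnet or a renumbered one is a single edit rather than a dozen.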

Check ufw's status

These commands show the current status of the firewall and the rules that have been added, in the form of the ufw commands that created them.

root@desktop:~# ufw status verbose
root@desktop:~# ufw show added
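Reading ufw status by eye is how mistakes like a database port opened to Anywhere instead of to the LAN go unnoticed. As an added check that is not part of this page, the script below reads ufw status output on stdin and reports any LAN-only port that is allowed from Anywhere. The LAN-only port list is an assumption drawn from the rules on this page, and the status text is a constructed sample so the script runs without ufw; on a real host pipe ufw status into find_exposed.

```shell
#!/bin/sh
# Added example (not from the wiki): flag LAN-only ports that `ufw status`
# shows as allowed from Anywhere, i.e. a rule typed without "from <LAN>".

# Ports that should only ever be reachable from the LAN (assumed list, taken
# from this page's rules: mysql, postgresql, Mongo, apcupsd, Munin, MiniDLNA).
LAN_ONLY="3306 5432 27017:27019 28017 3551 4949 8200"

# Constructed sample in the layout of `ufw status`; not captured from a real host.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
3306                       ALLOW       192.168.1.0/24
5432                       ALLOW       Anywhere
8200                       ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Read status text on stdin; print each offending rule and exit 1 if any.
find_exposed() {
    awk -v lanonly="$LAN_ONLY" '
        BEGIN { n = split(lanonly, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        { gsub(/ \(v6\)/, "") }               # the "(v6)" suffix would shift the columns
        $2 == "ALLOW" && $3 == "Anywhere" {
            port = $1; sub(/\/.*/, "", port)  # drop /tcp or /udp
            if (port in want) { print; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# Audit the constructed sample; on a real host use:  ufw status | find_exposed
audit_sample() {
    printf '%s\n' "$SAMPLE_STATUS" | find_exposed
}

audit_sample || echo "WARNING: LAN-only services are exposed to Anywhere"
```

The non-zero exit status makes the check usable from cron or a Munin-style monitor: a silent run means every LAN-only port still carries a source restriction.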

Restrict Established TCP connections

The firewall's connection tracker keeps state for "established" TCP connections for a long time: by default 432000 seconds, or 5 days. The current value can be read here:

root@desktop:~# cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established

I reduce that to 10 minutes (600 seconds) with this:

root@desktop:~# echo 600 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established

Writing to /proc only lasts until the next reboot; to make the change permanent, put net.netfilter.nf_conntrack_tcp_timeout_established = 600 in a file under /etc/sysctl.d/ and load it with sysctl -p.