
UFW Firewall : looking for additional rules to add


3 replies to this topic

#1 Agent_Orange


Posted 26 August 2017 - 09:40 PM

Hi all, I have enabled the UFW Firewall with its default settings but would like to add some rules that will help tighten the overall security of my OS.

The problem that I have is that I don't know of any rules that I could add that would assist with doing so.

 

I was messing about with the rules to see how you would add them when I came across FTP and a message that states that "FTP is an unsecure connection, think about using SFTP". 

I went ahead and added a rule to block all traffic (in & out) for FTP.

Some examples of how other people have set up their UFW Firewall would be really helpful, as would any suggestions as to what (if any) other policies I should add or programs that I should block (I was thinking that I have no need for Kali to be accessing the internet or accessing my computer so have blocked that too).

Thanks for any help and information that can be provided.


 




 


#2 Gary R


Posted 27 August 2017 - 03:11 AM

The easiest way to add rules to UFW is by using GUFW ... https://help.ubuntu.com/community/Gufw ... which is a graphic user interface for UFW

 

As far as basic security goes, see .... https://wiki.ubuntu.com/BasicSecurity/Firewall

 

Personally I have never needed to use anything more restrictive with Linux.



#3 mremski


Posted 27 August 2017 - 03:38 AM

If you really want to do firewalls right, start with default deny on any interface but loopback. Deny in all, deny out all, then selectively turn things on. Most firewalls on Linux are stateful, meaning that traffic you send out creates a state that will allow responses to that back in without you needing to do anything (look up flow for protocols like http if you want more understanding). Most day-to-day use doesn't need that many ports open; I've not had problems opening up just:

TCP:

domain, http, https, imaps, pop3s, smtps, imap, smtp

 

UDP:

domain, ntp, https, imaps

 

You just have to be willing to accept that some things may not work, figure out what else needs to be opened and update the rules.

If you are looking at firewall rules, you should also look at what ports are open for listening (netstat -aln), what they are for and what address they are bound to (things bound to 127.0.0.1 are typically looking for local connections from your machine, so something like CUPS listening on a 127.0.0.1 port is not a big deal) but listeners bound to INET_ADDR_ANY (0.0.0.0) are potential ingress points.

 

My opinions only; others disagree and say you should allow everything and then turn off what you don't need. But how do you know to turn it off if you don't need it?


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer
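
Added example, not part of mremski's post: one way to apply the `netstat -aln` advice above is to sort listeners by bind address so the non-loopback ones stand out. The function names and the sample output are constructed for illustration; the sketch assumes the Linux net-tools `netstat` column layout.

```shell
#!/bin/sh
# Constructed sample of `netstat -aln` output (not taken from a real host).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:445        0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:51234      203.0.113.5:443         ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.53:53           0.0.0.0:*
unix  2      [ ACC ]     STREAM     LISTENING     12345    /run/cups/cups.sock
EOF
}

# Reads netstat output on stdin, prints "scope proto address port" per listener.
# scope: loopback (local only), wildcard (every interface), specific (one address).
classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        proto = $1; local = $4; foreign = $5; state = $6
        # TCP listeners carry the LISTEN state; established flows are skipped.
        if (proto ~ /^tcp/ && state != "LISTEN") next
        # UDP has no LISTEN state: an unconnected socket shows a ":*" peer.
        if (proto ~ /^udp/ && foreign !~ /:[*]$/) next
        port = local; sub(/.*:/, "", port)       # text after the last colon
        addr = local; sub(/:[^:]*$/, "", addr)   # text before the last colon
        if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "::") scope = "wildcard"
        else scope = "specific"
        print scope, proto, addr, port
    }'
}

# Only the listeners reachable from other machines: the potential ingress points.
exposed_listeners() {
    classify_listeners | awk '$1 != "loopback"'
}

sample_netstat | exposed_listeners
```

On a live machine, `netstat -aln | exposed_listeners` gives the list of ports to account for before deciding what the firewall should allow in.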


#4 here2serveu


Posted 28 August 2017 - 03:54 PM

Are you running server services on this? FTP/SFTP? 1. If the answer is yes, do a server install and skip the GUI. Deny all is correct. Then allow as needed. If making this on the public net, look at fail2ban; it will help.





