Question

secure configuration of the firewall

  • Posted September 30, 2014

Hallo,

I have installed the Firewall by following this guide: https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server

If I run this command (sudo ufw default deny incoming) from the guide asked this site is no longer accessible from the browser.

  • Please this is a good and safe configuration?
root@myclouds:~# sudo ufw status verbose
Status: active
Logging: on (low)
Default: allow (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
****/tcp                   ALLOW IN    Anywhere        (port that I use for SSH) 
****/tcp (v6)              ALLOW IN    Anywhere (v6)   (port that I use for SSH) 

Thank you very much!

Regards, Gabriel

Subscribe
Share

Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

That does not look right to me. You want something more like:

# sudo ufw status verbose
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere

Note the differences in the defaults. You are allowing all incoming connections. One of the main points in enabling firewalling is to block unwanted incoming connections. So by default, you want to deny all of them and then specific exceptions for the service that you want to be available to the outside. In a common web server setup, that would be HTTP on port 80, HTTPS on port 443, and 22 for SSH. Though many change the SSH port to a non-default one. Let’s run through that set up.

First, let’s temporarily disable the firewall in order to make sure we don’t accidently lock ourselves out:

sudo ufw disable

Now we will set up default rules allowing outgoing connections and denying incoming ones:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Then open the ports which we want to have available:

sudo ufw allow 80/tcp # http
sudo ufw allow 443/tcp # https
sudo ufw allow 22/tcp # ssh, change if you're using a different port

Finally, after we have opened the needed ports we can re-enable the firewall:

sudo ufw enable