By: gabriele

secure configuration of the firewall

September 30, 2014

Hallo,

I have installed the Firewall by following this guide: https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server

If I run this command (sudo ufw default deny incoming) as the guide asks, this site is no longer accessible from the browser.

Is this a good and safe configuration?
root@myclouds:~# sudo ufw status verbose
Status: active
Logging: on (low)
Default: allow (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
****/tcp                   ALLOW IN    Anywhere        (port that I use for SSH) 
****/tcp (v6)              ALLOW IN    Anywhere (v6)   (port that I use for SSH) 

Thank you very much!

Regards,
Gabriel

1 Answer

That does not look right to me. You want something more like:

# sudo ufw status verbose
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere

Note the differences in the defaults. You are allowing all incoming connections. One of the main points in enabling firewalling is to block unwanted incoming connections. So by default, you want to deny all of them and then add specific exceptions for the services that you want to be available to the outside. In a common web server setup, that would be HTTP on port 80, HTTPS on port 443, and 22 for SSH, though many change the SSH port to a non-default one. Let's run through that setup.

First, let's temporarily disable the firewall in order to make sure we don't accidentally lock ourselves out:

sudo ufw disable

Now we will set up default rules allowing outgoing connections and denying incoming ones:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Then open the ports which we want to have available:

sudo ufw allow 80/tcp # http
sudo ufw allow 443/tcp # https
sudo ufw allow 22/tcp # ssh, change if you're using a different port

Finally, after we have opened the needed ports we can re-enable the firewall:

sudo ufw enable
  • Thank you so much, I followed your valuable advice. But now I also have (v6) rules; is that negative or positive?

    Logging: on (low)
    Default: deny (incoming), allow (outgoing), disabled (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    ssh/tcp                    ALLOW IN    Anywhere
    80/tcp                     ALLOW IN    Anywhere
    443/tcp                    ALLOW IN    Anywhere
    ssh/tcp (v6)               ALLOW IN    Anywhere (v6)
    80/tcp (v6)                ALLOW IN    Anywhere (v6)
    443/tcp (v6)               ALLOW IN    Anywhere (v6)

    Thanks!
    Gabriel

  • That's fine. It means that those ports are also available via IPv6.
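The thread above turns on two things: the default policy line in `ufw status verbose` (deny incoming / allow outgoing is the sane pair) and, in the follow-up, whether the IPv6 rules mirror the IPv4 ones. The script below is an added example, not code from this thread or from ufw itself; it audits a saved `sudo ufw status verbose` dump for both points and prints the corrective command sequence the answer walks through. It is plain POSIX sh, runs offline on the two constructed samples embedded in it (port 2222 stands in for the masked SSH port), and never touches a live firewall. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread or from the ufw project):
# audit a saved `sudo ufw status verbose` dump and print the fix sequence.

# Constructed sample 1: the original poster's output, with 2222 as a
# placeholder for the masked SSH port.
STATUS_BAD='Status: active
Logging: on (low)
Default: allow (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW IN    Anywhere
2222/tcp (v6)              ALLOW IN    Anywhere (v6)'

# Constructed sample 2: the corrected output from the follow-up comment.
STATUS_GOOD='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
ssh/tcp                    ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
ssh/tcp (v6)               ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# check_defaults STATUS -> exit 0 when the policy is deny-in / allow-out,
# 1 otherwise. One finding per line.
check_defaults() {
    defaults=$(printf '%s\n' "$1" | grep '^Default:' || :)
    rc=0
    case "$defaults" in
        *'deny (incoming)'*) echo "OK   incoming default is deny" ;;
        *) echo "FAIL incoming default is not deny: every listening service is exposed"; rc=1 ;;
    esac
    case "$defaults" in
        *'allow (outgoing)'*) echo "OK   outgoing default is allow" ;;
        *) echo "FAIL outgoing default is not allow: DNS, updates and package installs will break"; rc=1 ;;
    esac
    return $rc
}

# allowed_ports STATUS FAMILY -> space-separated, sorted list of the "To"
# column of every ALLOW IN rule; FAMILY is v4 or v6.
allowed_ports() {
    rules=$(printf '%s\n' "$1" | grep 'ALLOW IN' || :)
    case "$2" in
        v6) rules=$(printf '%s\n' "$rules" | grep '(v6)' || :) ;;
        *)  rules=$(printf '%s\n' "$rules" | grep -v '(v6)' || :) ;;
    esac
    printf '%s\n' "$rules" | awk 'NF {print $1}' | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# check_v6_parity STATUS -> exit 0 when IPv6 rules mirror IPv4 rules, 1 otherwise.
# The question in the follow-up comment: the (v6) lines are expected to match.
check_v6_parity() {
    v4=$(allowed_ports "$1" v4)
    v6=$(allowed_ports "$1" v6)
    if [ "$v4" = "$v6" ]; then
        echo "OK   IPv6 rules mirror IPv4 rules: $v4"
    else
        echo "WARN IPv4 allows [$v4] but IPv6 allows [$v6]"
        return 1
    fi
}

# plan_fix [SSH_PORT] -> the command sequence from the answer, printed rather
# than executed so it can be reviewed first (SSH_PORT defaults to 22).
plan_fix() {
    ssh_port=${1:-22}
    cat <<EOF
sudo ufw disable
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow ${ssh_port}/tcp
sudo ufw enable
EOF
}

# Demo over both constructed samples; exit codes are ignored so every finding prints.
echo "== original configuration =="
check_defaults "$STATUS_BAD" || :
check_v6_parity "$STATUS_BAD" || :
echo "== corrected configuration =="
check_defaults "$STATUS_GOOD" || :
check_v6_parity "$STATUS_GOOD" || :
echo "== corrective sequence for SSH on port 2222 =="
plan_fix 2222
```

To audit a real server, save the output with `sudo ufw status verbose > status.txt` and pass `"$(cat status.txt)"` to `check_defaults` and `check_v6_parity`; `plan_fix` only prints, so the sequence still has to be run by hand, with the SSH port set to the one actually in use before `ufw enable`.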
