This question is based on settings learned from this tutorial, thanks to the author ! https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server#
I’m trying to secure my Raspberry Pi using UFW on Raspbian, a distro of Debian. However I’m not sure it’s working properly, here is what I’ve done so far.
I configured my firewall in this order.
Then I couldn’t browse the net anymore, nor do apt-get update or apt-get upgrade for example.
What I did to try to fix/troubleshoot:
I hope anyone can help me figure this out. Because I’m thinking now, even if I switch default for outgoing to allow again, a part from allowing a lot of ports to communicate to the outside, I’ll also be left wondering about how the rules work and if they do really work in UFW.
Also this makes me wonder about something: if I default for outgoing to allow but create a rule to block from the Raspberry to my other device (for example my main computer), then how can I know the rule will be respected since it seems that allowing outbound connections for ports 80 and 443 with default set to deny all outbound doesn’t work?
Is there a higher priority given to the default settings ? That wouldn’t make sense in my opinion. I also installer GUFW (the UFW gui) but it doesn’t let me add rules. Could this have a link ? In the end I configured everything using the terminal and your commands or variants of it found on the Debian forums etc. Checked every time if the firewall was running or not as well as detailed status using “sudo ufw status numbered” and the verbose variant.
I hope someone can help me figure this out. Thanks !
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Here ya go. Dont run it on a weak machine. 1024+Ram 2+ cores. This will take a very long time due to the recent addition of botnet addresses. https://github.com/diveyez/ufw-dnsbl-rules-set/blob/master/dofw.sh
@hansen
Alrighty then ! Thanks again for your help ! I guess I’ll go with your recommendation of allowing all-outgoing after this mini firewall-nightmare.
This comment has been deleted
Thanks but I already tried those commands. Moreover, I don’t want to use SSH or Telnet so I would like to lock them incoming and outgoing as I connect directly to my system with a keyboard and monitor. If I have for defaults allow outgoing but deny incoming, do I have to still allow ports 80 and 443 as you suggested to be able to browse the net for example ?
At the moment I have defaults for outgoing and incoming both to deny but I created allow rules for outgoing of ports 80 and 443, though browsing doesn’t work, which makes me question why the rules I set aren’t respected.
@Method
When it comes to
ufw
, if you want to start fresh, you’ll want to useufw reset
. That gives you a clean slate to work with, though first I would runufw disable
.With
ufw
disabled and reset, I would recommend setting up defaults that deny incoming, but allow outgoing as your server needs to communicate out to runapt-get
and similar commands. If you do not allow outgoing connections, your server can’t communicate outside.So I would start with (while
ufw
is disabled):Now, at this stage, we need to allow ports in, otherwise nothing can connect to the Droplet, so the first thing to allow is SSH.
From there, you need to allow whichever ports through that you wish to allow connections on. For example, if we wanted to open web ports, commonly 80 and 443 (for HTTP and HTTPS), we’d use: