Firewall setup
I used to do firewall setup manually for the server, but ufw has now improved to the point where I use that. See historic versions of this page from before December 2016 for details.
For port names, see /etc/services and the list returned from calling ufw app list.
Set up ufw
Enable ufw and add rules for the services the server machine will provide:
root@server:~# ufw enable
root@server:~# ufw allow ssh
root@server:~# ufw allow http
root@server:~# ufw allow https
root@server:~# ufw allow imap
root@server:~# ufw allow smtp
root@server:~# ufw allow submission
root@server:~# ufw allow from 192.168.1.0/24 to any port mysql
root@server:~# ufw allow from 192.168.1.0/24 to any port postgresql
root@server:~# ufw allow from 192.168.1.0/24 to any port 27017:27019 proto tcp # Mongo
root@server:~# ufw allow from 192.168.1.0/24 to any port 28017 proto tcp # Mongo web interface
root@server:~# ufw allow from 192.168.1.0/24 to any port mdns
root@server:~# ufw allow from 192.168.1.0/24 to any port ipp
root@server:~# ufw allow from 192.168.1.0/24 to any port netbios-ns
root@server:~# ufw allow from 192.168.1.0/24 to any port netbios-dgm
root@server:~# ufw allow from 192.168.1.0/24 to any port netbios-ssn
root@server:~# ufw allow from 192.168.1.0/24 to any port microsoft-ds
root@server:~# ufw allow from 192.168.1.0/24 to any port 3551 # apcupsd
root@server:~# ufw allow git
root@server:~# ufw allow from 192.168.1.0/24 to any port 4949 # Munin
root@server:~# ufw allow from 192.168.1.0/24 to any port domain
root@server:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port mysql proto tcp
root@server:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port postgresql proto tcp
root@server:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 27017:27019 proto tcp # Mongo
root@server:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 28017 proto tcp # Mongo web interface
root@server:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 3551 # apcupsd
root@server:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 4949 # munin
root@server:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port domain
root@server:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port ipp proto tcp
Enable ufw and add rules for the services the desktop machine will provide:
root@desktop:~# ufw enable
root@desktop:~# ufw allow ssh
root@desktop:~# ufw allow http
root@desktop:~# ufw allow https
root@desktop:~# ufw allow from 192.168.1.0/24 to any port domain
root@desktop:~# ufw allow from 192.168.1.0/24 to any port ipp
root@desktop:~# ufw allow from 192.168.1.0/24 to any port netbios-ns
root@desktop:~# ufw allow from 192.168.1.0/24 to any port netbios-dgm
root@desktop:~# ufw allow from 192.168.1.0/24 to any port netbios-ssn
root@desktop:~# ufw allow from 192.168.1.0/24 to any port microsoft-ds
root@desktop:~# ufw allow from 192.168.1.0/24 to any port 1714:1764 proto udp # KDE connect
root@desktop:~# ufw allow from 192.168.1.0/24 to any port 1714:1764 proto tcp # KDE connect
root@desktop:~# ufw allow from 192.168.1.0/24 to any port 3551 # apcupsd
root@desktop:~# ufw allow from 192.168.1.0/24 to any port 8080 # Calibre server
root@desktop:~# ufw allow from 192.168.1.0/24 to any port 8200 # MiniDLNA
root@desktop:~# ufw allow from 192.168.1.0/24 to any port 1900 # SSDP / UPnP
root@desktop:~# ufw allow from 192.168.1.0/24 to any port 4949 # Munin
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port domain
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port ipp
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port netbios-ns
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port netbios-dgm
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port netbios-ssn
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port microsoft-ds
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 1714:1764 proto udp
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 1714:1764 proto tcp
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 8080 # Calibre server
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 3551 # apcupsd
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 1900 # SSDP / UPnP
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 8200 # MiniDLNA
root@desktop:~# ufw allow from 1234:abcd:4321:dcba::/64 to any port 4949 # Munin
(The commented rules cover KDE Connect, the APC UPS daemon (apcupsd), the Calibre ebook server, MiniDLNA, SSDP/UPnP and Munin.)
Check ufw's status
These commands show the status of the firewall, and the commands used to set it up.
root@desktop:~# ufw status verbose
root@desktop:~# ufw show added
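The same status table is what you would audit to confirm that nothing the lists above restrict to the LAN has been opened to everyone, for example by a later "ufw allow mysql" typed without a "from". The script below is an added example, not part of the original page. It assumes the plain "ufw status" table layout (To, Action and From columns, with a "(v6)" suffix on IPv6 rules) and takes its LAN-only port list from the rules above (service names resolved through /etc/services); the status output it processes is a constructed sample, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original page): audit "ufw status" output for
# services this page only ever opens to the LAN but that some rule exposes to
# "Anywhere". Assumes the plain "ufw status" table layout; LAN_ONLY is an
# assumption taken from the rules on this page.

# Ports/ranges that should never be allowed from Anywhere: mysql, postgresql,
# mongo, mongo web, mdns, ipp, netbios-ns/dgm/ssn, microsoft-ds, apcupsd,
# munin, domain, calibre, minidlna, ssdp/upnp, kde connect.
LAN_ONLY="3306 5432 27017:27019 28017 5353 631 137 138 139 445 3551 4949 53 8080 8200 1900 1714:1764"

# Read "ufw status" on stdin and print every ALLOW/LIMIT rule whose From column
# is Anywhere and whose To port is in LAN_ONLY. DENY rules expose nothing and
# are ignored. Always exits 0; use exposed_count for a number.
audit_ufw_status() {
    awk -v lanonly="$LAN_ONLY" '
        BEGIN { n = split(lanonly, a); for (i = 1; i <= n; i++) lan[a[i]] = 1 }
        / ALLOW | LIMIT / {
            to = $1
            sub(/\/(tcp|udp)$/, "", to)               # "3306/tcp" -> "3306"
            from = ($NF == "(v6)") ? $(NF - 1) : $NF  # From column, "(v6)" suffix ignored
            if (from == "Anywhere" && (to in lan)) print
        }'
}

# Number of exposed LAN-only rules read from stdin (0 means the policy holds).
exposed_count() {
    audit_ufw_status | awk 'END { print NR }'
}

# Constructed sample of "ufw status" output (not from a real host). Three rules
# violate the policy: mysql (3306/tcp) and munin (4949, v4 and v6) are open to
# Anywhere; the other LAN-only rules are correctly limited to 192.168.1.0/24.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3306                       ALLOW       192.168.1.0/24
3306/tcp                   ALLOW       Anywhere
4949                       ALLOW       Anywhere
27017:27019/tcp            ALLOW       192.168.1.0/24
22/tcp (v6)                ALLOW       Anywhere (v6)
4949 (v6)                  ALLOW       Anywhere (v6)'

# Demo against the sample; on a real host:  ufw status | audit_ufw_status
printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_status
```

Run it as "ufw status | audit_ufw_status" after each change to the rule set, or from a cron job that mails any non-empty output; an exposed_count other than 0 means a LAN-only service is reachable from outside the subnet.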
Modify network parameters
The network stack needs a few parameters (mainly timeouts) to be adjusted, so that the firewall's connection-tracking table does not fill up with stale entries and the server keeps running under excessive loads, such as when an AI bot crawls a site.
Create a file /etc/sysctl.d/60-conntrack-timeouts.conf
# Updated values for conntrack, to prevent too many connections being held in the firewall
# net.netfilter.nf_conntrack_generic_timeout=60
net.netfilter.nf_conntrack_icmp_timeout=10
#net.netfilter.nf_conntrack_tcp_timeout_close=10
net.netfilter.nf_conntrack_tcp_timeout_close_wait=20
net.netfilter.nf_conntrack_tcp_timeout_established=300
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=30
#net.netfilter.nf_conntrack_tcp_timeout_last_ack=20
#net.netfilter.nf_conntrack_tcp_timeout_max_retrans=300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv=20
net.netfilter.nf_conntrack_tcp_timeout_syn_sent=20
net.netfilter.nf_conntrack_tcp_timeout_time_wait=60
#net.netfilter.nf_conntrack_tcp_timeout_unacknowledged=300
#net.netfilter.nf_conntrack_udp_timeout=30
net.netfilter.nf_conntrack_udp_timeout_stream=60
net.ipv4.tcp_fin_timeout=10
net.ipv4.tcp_keepalive_time=120
You can load the settings with
root@desktop:~# sysctl -p /etc/sysctl.d/60-conntrack-timeouts.conf
The settings will be reloaded automatically next time the system boots.
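A drop-in like this fails quietly: a mistyped key is reported once by sysctl -p and then forgotten, and the nf_conntrack keys only exist once the conntrack module is loaded, so a value that did not apply at boot looks fine in the file. The script below is an added example, not part of the original page. It parses a sysctl.d file the way sysctl does (comments, blank lines and spaces around "=" ignored) and compares each key against the running kernel; it assumes "sysctl -n KEY" is available on the host, and the sample file and the fake "live" reader are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original page): verify that every setting in a
# sysctl.d drop-in is actually in effect, so a typo in the file or a later
# override is noticed. Assumes "sysctl -n KEY" exists on the host; the sample
# file and fake reader below are constructed for the demo.

# Print "key=value" for each active setting in FILE. Comments ("#" or ";"),
# blank lines and whitespace around "=" are dropped, so a commented-out key
# such as "#net.netfilter.nf_conntrack_udp_timeout=30" is not reported.
parse_sysctl_conf() {
    awk -F= '
        { sub(/[#;].*/, "") }
        NF >= 2 {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print key "=" val
        }' "$1"
}

# Default reader: the live kernel value, or "" when the key does not exist
# (e.g. nf_conntrack keys before the conntrack module is loaded).
live_value() { sysctl -n "$1" 2>/dev/null || true; }

# Usage: check_sysctl_drift FILE [READER]
# Prints "key file=X live=Y" for every key whose live value differs, then the
# number of drifted keys on the last line (0 means the file is fully applied).
check_sysctl_drift() {
    file="$1"; reader="${2:-live_value}"; drift=0
    while IFS= read -r kv; do
        [ -n "$kv" ] || continue
        key="${kv%%=*}"; want="${kv#*=}"
        have=$("$reader" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key file=$want live=${have:-<unset>}"
            drift=$((drift + 1))
        fi
    done <<EOF
$(parse_sysctl_conf "$file")
EOF
    echo "$drift"
}

# Constructed sample drop-in (a subset of the page's file; one line has spaces
# around "=" to exercise the parser).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample
net.netfilter.nf_conntrack_tcp_timeout_established=300
#net.netfilter.nf_conntrack_tcp_timeout_last_ack=20
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time=120
EOF

# Constructed "kernel state" standing in for sysctl -n: the conntrack value is
# applied, tcp_fin_timeout still has its default 60, keepalive_time is unknown.
fake_live() {
    case "$1" in
        net.netfilter.nf_conntrack_tcp_timeout_established) echo 300 ;;
        net.ipv4.tcp_fin_timeout) echo 60 ;;
        *) echo "" ;;
    esac
}

# Demo run; on a real host: check_sysctl_drift /etc/sysctl.d/60-conntrack-timeouts.conf
check_sysctl_drift "$SAMPLE_CONF" fake_live
```

On the real file the reader defaults to sysctl -n, so "check_sysctl_drift /etc/sysctl.d/60-conntrack-timeouts.conf" run after a reboot shows whether the conntrack timeouts were applied or whether the module loaded too late for them.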