|
Size: 1006
Comment:
|
Size: 1491
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| ## page was renamed from UFWSetup | |
| Line 3: | Line 4: |
| '''Uncomplicated Firewall''' ('''UFW''') is a simple-to-use but powerful firewall management software. It is a wrapper around '''iptables''', automatically writing rules for it. | '''Uncomplicated Firewall''' ('''UFW''') is a simple-to-use but powerful firewall management software. It is a wrapper around `iptables`, automatically writing rules for it. UFW is accessed through the `ufw` executable, which on many distributions is installed to `/usr/sbin`--only the root user will have this program on their path. The associated `systemd` service file is `ufw.service`. ---- |
| Line 11: | Line 17: |
| ufw allow outgoing all ufw deny incoming all |
ufw default deny incoming ufw default allow outgoing |
| Line 20: | Line 26: |
| ---- |
|
| Line 23: | Line 32: |
| Regardless of `httpd` flavor (Apache, NGINX, lighttpd, etc), this basic configuration should suffice. | Regardless of `httpd` flavor (Apache, NGINX, lighttpd, etc), this basic configuration should suffice. First the unencrypted port, then the encrypted port. |
| Line 34: | Line 43: |
| ---- |
|
| Line 37: | Line 49: |
| There are standard unencrypted FTP ports: | First the unencrypted port, then the encrypted (FTPS, '''not''' SFTP) port. |
| Line 42: | Line 54: |
| ufw allow 989/tcp ufw allow 990/tcp |
|
| Line 44: | Line 58: |
| For security, encrypted FTP uses a pool of ports. This is the recommended setup for `vsftpd`: | Passive configuration also utilizes a pool of ports. This is an example--'''''not''''' recommended--configuration for `vsftpd`. |
| Line 47: | Line 61: |
| ufw allow 990/tcp | |
| Line 50: | Line 63: |
Recommended to use custom ports, so adjust as needed. |
UFW
Uncomplicated Firewall (UFW) is a simple-to-use but powerful firewall management software. It is a wrapper around iptables, automatically writing rules for it.
UFW is accessed through the ufw executable, which on many distributions is installed to /usr/sbin--only the root user will have this program on their path. The associated systemd service file is ufw.service.
Basic Setup
This is more than sufficient for servers that are not meant to be web-facing.
ufw default deny incoming ufw default allow outgoing ufw allow ssh ufw allow 22
If using custom ports, adjust as needed. This would be set in /etc/ssh/sshd_config.
HTTP
Regardless of httpd flavor (Apache, NGINX, lighttpd, etc), this basic configuration should suffice. First the unencrypted port, then the encrypted port.
ufw allow http ufw allow 80 ufw allow https ufw allow 443
If using custom ports, adjust as needed.
FTP
First the unencrypted port, then the encrypted (FTPS, not SFTP) port.
ufw allow 20/tcp ufw allow 21/tcp ufw allow 989/tcp ufw allow 990/tcp
Passive configuration also utilizes a pool of ports. This is an example--not recommended--configuration for vsftpd.
ufw allow 40000:42000/tcp
Recommended to use custom ports, so adjust as needed.