UFW
Uncomplicated Firewall (UFW) is a simple-to-use but powerful firewall management software. It is a wrapper around iptables, automatically writing rules for it.
UFW is driven by the ufw executable, which on many distributions is installed to /usr/sbin. Non-root users usually do not have that directory on their PATH, so run it as root or through sudo (or call /usr/sbin/ufw by its full path). The associated systemd service file is ufw.service, and the rules it loads are kept under /etc/ufw/.
Basic Setup
This is sufficient for servers that expose nothing but SSH: refuse all inbound connections by default, allow everything outbound, then allow SSH.
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow 22
ufw allow ssh and ufw allow 22 produce the same rule (the service name is looked up in /etc/services), so one of them is enough. ufw allow 22 opens both TCP and UDP; ufw allow 22/tcp is the tighter choice. The rules only take effect after ufw enable, so on a remote host add the SSH rule before enabling, or new SSH sessions will be refused. If sshd listens on a custom port, adjust accordingly: the port is set by the Port directive in /etc/ssh/sshd_config.
HTTP
Regardless of httpd flavor (Apache, NGINX, lighttpd, etc), this basic configuration should suffice. First the unencrypted port, then the encrypted port.
ufw allow http
ufw allow 80
ufw allow https
ufw allow 443
As with ssh, the service name and the port number produce the same rule, so one command from each pair is enough; ufw allow 80/tcp and ufw allow 443/tcp restrict the rules to TCP, which is all a web server needs. If the server listens on custom ports (Listen in Apache, listen in NGINX), adjust as needed.
FTP
First the unencrypted ports, then the encrypted (FTPS, not SFTP) ports: 21 is the FTP control port and 20 the active-mode data port; 990 is the control port for implicit FTPS and 989 its data port. SFTP runs over the SSH port and needs none of these rules.
ufw allow 20/tcp
ufw allow 21/tcp
ufw allow 989/tcp
ufw allow 990/tcp
In active mode the server itself opens the data connection, from port 20 to the client, so ufw default allow outgoing already covers it and the inbound 20/tcp rule is harmless but unused.
Passive mode instead uses a server-side pool of ports that the client connects to, so that pool must be opened inbound. The range below is only an example, not a recommendation: choose your own range, keep it as narrow as the expected number of concurrent transfers allows, and set the same bounds as pasv_min_port and pasv_max_port in vsftpd's configuration, otherwise passive transfers fail after the control connection succeeds. ufw only accepts a port range when the protocol is given.
ufw allow 40000:42000/tcp
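The custom-port advice above applies to the SSH, HTTP and FTP sections alike: the firewall rule is only right while it matches the port the service is actually configured on. As an added example (not code from the original page, and not part of ufw or vsftpd), the POSIX sh functions below read the Port directive(s) from an sshd_config and the listen_port / pasv_min_port / pasv_max_port options from a vsftpd.conf and emit the matching ufw commands, refusing to produce a passive rule when vsftpd has no fixed passive range. The file paths and the sample configurations used to try it are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original page: derive the ufw rules for sshd
# and vsftpd from the services' own config files, so the firewall tracks the
# ports actually configured instead of values copied by hand. File paths and
# sample configs are assumptions for illustration.

# Print every uncommented "Port N" directive in an sshd_config (OpenSSH allows
# several); fall back to OpenSSH's default of 22 when none is set.
ssh_ports() {
    ports=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1")
    if [ -n "$ports" ]; then
        printf '%s\n' $ports
    else
        echo 22
    fi
}

# Print the numeric value of a vsftpd.conf "key=value" option, or a default.
# $1=file $2=key $3=default; the last occurrence in the file wins.
vsftpd_opt() {
    v=$(sed -n "s/^[[:space:]]*$2=\([0-9]\{1,\}\).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Emit the ufw commands for a host running sshd and vsftpd: default policies,
# the SSH port(s), the FTP control port and the passive data-port range.
# Active-mode data connections leave the server from port 20, so they are
# covered by "default allow outgoing" and need no inbound rule.
# Returns 1 when vsftpd has no fixed passive range: without one there is no
# bounded port range to open, and passive mode would need every port allowed.
ufw_rules() {
    sshd_conf=$1
    vsftpd_conf=$2
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for p in $(ssh_ports "$sshd_conf"); do
        echo "ufw allow $p/tcp"
    done
    ctl=$(vsftpd_opt "$vsftpd_conf" listen_port 21)
    echo "ufw allow $ctl/tcp"
    lo=$(vsftpd_opt "$vsftpd_conf" pasv_min_port 0)
    hi=$(vsftpd_opt "$vsftpd_conf" pasv_max_port 0)
    if [ "$lo" -eq 0 ] || [ "$hi" -lt "$lo" ]; then
        echo "error: set pasv_min_port and pasv_max_port in $vsftpd_conf to a fixed range" >&2
        return 1
    fi
    # ufw accepts a port range only with an explicit protocol (low:high/tcp).
    echo "ufw allow $lo:$hi/tcp"
}
```

Run ufw_rules /etc/ssh/sshd_config /etc/vsftpd.conf (the vsftpd path varies by distribution) to review the commands; once they look right, pipe the output through sudo sh -e to apply them, then sudo ufw enable and sudo ufw status verbose to confirm the loaded ruleset. The script deliberately prints rather than executes, so a wrong parse is caught before it touches the firewall.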