UFW Firewall Rules

Posted: Mon Jun 08, 2020 1:29 pm
by jr_g33k
I have been suffering with UFW and IPTables for some time now. I'm struggling to get it to work how I would like and/or feel safe in the knowledge it's working as I might expect.

Ultimately, I want to use my Pi with the camera module and likely sensor module to detect someone, then record a clip.
- the basic principle of this: https://projects.raspberrypi.org/en/pro ... t-detector

But with one slight tweak, I’d like to view the camera remotely too. So, it’s important that the firewall is configured well to avoid unsolicited access.

Below is my current configuration. The idea being:
INBOUND – HTTP/S Allow, SSH on LAN Allow, all other deny.
OUTBOUND – I did want the same, but I'm struggling with getting this set up.

When I use something like:
sudo ufw default deny outgoing

It blocks everything despite adding rules to allow HTTP/S. I thought the above with a specific rule to allow HTTP/S would do the trick but apparently not.

Essentially all this boils down to: can you review the following rules and confirm they're serving a purpose and not just undermining themselves?
Secondly, can you suggest how I can have a more desirable configuration (desirable in the sense of more secure)? Have I left any gaps/weaknesses? With the consideration of an IP camera down the line.
Thirdly, after hearing my intentions, can you help me establish a good outgoing rule (or rules)?
To                         Action      From
--                         ------      ----
443                        ALLOW       Anywhere
80                         ALLOW       Anywhere
1:21/tcp                   DENY        Anywhere
1:21/udp                   DENY        Anywhere
23:79/tcp                  DENY        Anywhere
23:79/udp                  DENY        Anywhere
81:442/udp                 DENY        Anywhere
81:442/tcp                 DENY        Anywhere
444:65535/tcp              DENY        Anywhere
444:65535/udp              DENY        Anywhere
22                         ALLOW       192.168.0.0/16
443 (v6)                   ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
1:21/tcp (v6)              DENY        Anywhere (v6)
1:21/udp (v6)              DENY        Anywhere (v6)
23:79/tcp (v6)             DENY        Anywhere (v6)
23:79/udp (v6)             DENY        Anywhere (v6)
81:442/udp (v6)            DENY        Anywhere (v6)
81:442/tcp (v6)            DENY        Anywhere (v6)
444:65535/tcp (v6)         DENY        Anywhere (v6)
444:65535/udp (v6)         DENY        Anywhere (v6)

Re: UFW Firewall Rules

Posted: Mon Jun 08, 2020 3:13 pm
by knute
The simple solution to this is don't block all outgoing; it's just going to make your life difficult and not make your computer any more secure. View your camera through an SSH tunnel.

Re: UFW Firewall Rules

Posted: Tue Jun 09, 2020 12:58 pm
by jr_g33k
knute wrote:
Mon Jun 08, 2020 3:13 pm
The simple solution to this is don't block all outgoing; it's just going to make your life difficult and not make your computer any more secure. View your camera through an SSH tunnel.
Thank you for your reply.

Do my existing firewall rules look OK then?

Re: UFW Firewall Rules

Posted: Tue Jun 09, 2020 3:48 pm
by knute
Not really. The default for UFW is to block inbound so you don't need any deny in rules, just allow rules. Just allow the ports for services that are running on your Pi. If you can restrict where they are coming from you should do that too. Do you have a router between your Pi and the internet or does your Pi have a wild address?
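To make the point in this reply concrete (this is an added example, not code from the thread or from ufw itself): the script below parses `ufw status verbose`-style output, using the poster's own IPv4 rules as a constructed sample, flags every DENY-from-Anywhere rule as redundant once the incoming default is already deny, and emits the minimal command list that keeps only the ALLOW rules. It assumes ufw's stock defaults (deny incoming, allow outgoing), which is what `ufw status verbose` prints on the Default line.

```python
import re

# Constructed sample: the poster's IPv4 rules, prefixed with the Status and
# Default lines that `ufw status verbose` prints on a stock install.
SAMPLE_STATUS = """\
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
443                        ALLOW       Anywhere
80                         ALLOW       Anywhere
1:21/tcp                   DENY        Anywhere
1:21/udp                   DENY        Anywhere
23:79/tcp                  DENY        Anywhere
23:79/udp                  DENY        Anywhere
81:442/udp                 DENY        Anywhere
81:442/tcp                 DENY        Anywhere
444:65535/tcp              DENY        Anywhere
444:65535/udp              DENY        Anywhere
22                         ALLOW       192.168.0.0/16
"""

# One rule line: "<to> [(v6)]  ACTION [IN|OUT]  <from>"
RULE_RE = re.compile(r"^(\S+(?: \(v6\))?)\s+(ALLOW|DENY|REJECT|LIMIT)(?: IN| OUT)?\s+(.+?)\s*$")

def parse_status(text):
    """Return (default_incoming, rules); rules is a list of (to, action, from)."""
    default_in, rules = None, []
    for line in text.splitlines():
        m = re.match(r"Default: (\w+) \(incoming\)", line)
        if m:
            default_in = m.group(1)
            continue
        if not line.strip() or line.startswith(("Status", "To ", "--")):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groups())
    return default_in, rules

def redundant_rules(default_in, rules):
    """DENY/REJECT-from-Anywhere rules add nothing when the default already denies inbound."""
    if default_in != "deny":
        return []
    return [r for r in rules if r[1] in ("DENY", "REJECT") and r[2].startswith("Anywhere")]

def minimal_commands(rules):
    """Equivalent policy with the redundant denies dropped: only the ALLOW rules survive."""
    cmds = ["ufw default deny incoming", "ufw default allow outgoing"]
    for to, action, frm in rules:
        if action != "ALLOW" or "(v6)" in to:   # v6 rules mirror the v4 ones in ufw
            continue
        cmds.append(f"ufw allow {to}" if frm.startswith("Anywhere")
                    else f"ufw allow from {frm} to any port {to}")
    return cmds
```

Feed it the real output of `sudo ufw status verbose` on the Pi to check a live rule set the same way.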

Re: UFW Firewall Rules

Posted: Thu Jun 11, 2020 9:20 pm
by jr_g33k
knute wrote:
Tue Jun 09, 2020 3:48 pm
Not really. The default for UFW is to block inbound so you don't need any deny in rules, just allow rules. Just allow the ports for services that are running on your Pi. If you can restrict where they are coming from you should do that too. Do you have a router between your Pi and the internet or does your Pi have a wild address?
Thank you. I do have a router, provided by ISP, between the Pi and the WWW.

Should I remove the INBOUND rules, or are they OK in situ, just serving no purpose?

Re: UFW Firewall Rules

Posted: Fri Jun 12, 2020 2:38 am
by knute
You don't need the deny in rules. If you have a router you can connect from the outside to your network with a VPN. From there you can ssh into your Pi and restrict it to local addresses. You need to decide if you need to get to your webserver from the wild or if you can VPN to your network first. All depends on what you want to do with it. I wouldn't hesitate to run apache open to the internet as I think it is pretty secure. You can do that by port forwarding from your router and using the router address as the wild address. I used to have wild IP addresses and had apache and ssh running, but I set the ssh up for public key; a good password is probably safe too.

Re: UFW Firewall Rules

Posted: Sat Jun 13, 2020 3:42 pm
by jr_g33k
knute wrote:
Fri Jun 12, 2020 2:38 am
You don't need the deny in rules. If you have a router you can connect from the outside to your network with a VPN. From there you can ssh into your Pi and restrict it to local addresses. You need to decide if you need to get to your webserver from the wild or if you can VPN to your network first. All depends on what you want to do with it. I wouldn't hesitate to run apache open to the internet as I think it is pretty secure. You can do that by port forwarding from your router and using the router address as the wild address. I used to have wild IP addresses and had apache and ssh running, but I set the ssh up for public key; a good password is probably safe too.
Thank you. You've confirmed I can remove the explicit inbound rules and it is safe enough; that'll work for me. ;)