LinuxQuestions.org
Old 07-30-2019, 09:29 AM   #1
zpimp
Member
 
Registered: Oct 2014
Posts: 72

configure ufw


I want to block all ports using ufw except http/https, basically just to browse the web.

I used this:

Code:
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw status verbose
sudo ufw enable
sudo ufw logging on
 
sudo ufw allow out http
sudo ufw allow out https
This is my output:

Code:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
 
To                         Action      From
--                         ------      ----
80                         ALLOW OUT   Anywhere                  
443                        ALLOW OUT   Anywhere                                   
80 (v6)                    ALLOW OUT   Anywhere (v6)            
443 (v6)                   ALLOW OUT   Anywhere (v6)
Anything else I could do, maybe deny outgoing by default?
Is it ok to eliminate v6? I assume that's IPv6.
Is ALLOW OUT ok? As I understand it, this means a connection that my PC starts to another IP.


edit:
It seems my browser doesn't work if I set default deny (outgoing).
After running 'lsof -i' it seems Firefox has connections from local ports 56389 44274 22400 127612 to the websites' https (443).

But if I let any local port connect to remote https, with something like this
sudo ufw allow out to any port 80
that leaves room for other programs (like possibly malware) to communicate.

Last edited by zpimp; 07-30-2019 at 10:16 AM.
 
Old 07-30-2019, 11:04 AM   #2
teckk
Senior Member
 
Registered: Oct 2004
Distribution: FreeBSD Arch
Posts: 2,264

Start with the docs.
https://wiki.ubuntu.com/UncomplicatedFirewall
http://manpages.ubuntu.com/manpages/...an8/ufw.8.html

https://www.booleanworld.com/depth-g...inux-firewall/

Then allow through/block what you wish.
 
Old 07-30-2019, 11:12 AM   #3
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,646

Your desktop doesn't use port 80 (or port 443) to connect from your browser. Those ports are used by the remote web servers...those are the ports they listen on and respond from.

As you saw, your 'puter is using very high port numbers to connect outbound to remote servers. Yes, those ports (the high ones) need to be open to outbound traffic in order for you to be able to surf the web.

I don't use ufw, so can't help you with specifics...I just wanted to clarify that, unless you are running a web server, ports 80 and 443 on your machine are not used at all.
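
Added example (not code from the thread or from the ufw project): a small Python model of how ufw applies its default policies and ALLOW OUT / ALLOW IN rules, with a parser for the `ufw status verbose` text pasted in post #1. It models only what the thread discusses (default in/out policy, rules keyed on the destination port, optional protocol); the `Rule`, `Policy`, `parse_status`, `decide` and `browsing_report` names are this example's own, and the status text is the poster's output embedded as a constructed sample. The point it makes: the "To" column of an ALLOW OUT rule is the remote destination port, so the browser's high local source ports are never what the rule checks, and once outgoing defaults to deny, plain web browsing also needs DNS (UDP 53) to be allowed out.

```python
"""Added example, not from the thread: a small model of how ufw applies
default policies and ALLOW OUT / ALLOW IN rules, plus a parser for the
`ufw status verbose` text pasted above.  Only the features the thread
talks about are modelled (default in/out policy, rules keyed on the
destination port, optional protocol).  Real ufw does much more."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str        # "in" or "out"
    action: str           # "allow", "deny" or "reject"
    port: int             # destination port the rule matches ("To" column)
    proto: str = "any"    # "tcp", "udp" or "any"


@dataclass(frozen=True)
class Policy:
    default_in: str       # "allow", "deny" or "reject"
    default_out: str
    rules: tuple = ()     # evaluated in order, first match wins


# Constructed sample: the status output the original poster pasted.
STATUS_OUTPUT = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80                         ALLOW OUT   Anywhere
443                        ALLOW OUT   Anywhere
80 (v6)                    ALLOW OUT   Anywhere (v6)
443 (v6)                   ALLOW OUT   Anywhere (v6)
"""

DEFAULT_RE = re.compile(
    r"^Default: (allow|deny|reject) \(incoming\), (allow|deny|reject) \(outgoing\)")
RULE_RE = re.compile(
    r"^(\d+)(?:/(tcp|udp))?(?: \(v6\))?\s+(ALLOW|DENY|REJECT) (IN|OUT)\s+\S")


def parse_status(text):
    """Build a Policy from `ufw status verbose` output.  The IPv6 copy of
    each rule is folded into the IPv4 one, since the model has no addresses."""
    default_in = default_out = None
    rules = []
    for line in text.splitlines():
        m = DEFAULT_RE.match(line)
        if m:
            default_in, default_out = m.groups()
            continue
        m = RULE_RE.match(line)
        if m:
            port, proto, action, direction = m.groups()
            rule = Rule(direction.lower(), action.lower(), int(port), proto or "any")
            if rule not in rules:
                rules.append(rule)
    if default_in is None:
        raise ValueError("no 'Default:' line in status output")
    return Policy(default_in, default_out, tuple(rules))


def decide(policy, direction, dst_port, proto):
    """First matching rule wins; otherwise the default policy for that
    direction applies.  The local source port (the high numbers lsof showed)
    is never consulted: a rule's 'To' port is the remote destination port."""
    for r in policy.rules:
        if r.direction == direction and r.port == dst_port and r.proto in ("any", proto):
            return r.action
    return policy.default_in if direction == "in" else policy.default_out


def browsing_report(policy):
    """Outbound verdicts for what plain web browsing needs (TCP 80/443 and
    DNS over UDP 53) and for one unrelated port (SSH, 22) as a control."""
    return {
        "https": decide(policy, "out", 443, "tcp"),
        "http": decide(policy, "out", 80, "tcp"),
        "dns": decide(policy, "out", 53, "udp"),
        "ssh": decide(policy, "out", 22, "tcp"),
    }


def with_default_deny_out(policy, extra_rules=()):
    """The policy the thread moves toward: deny outbound by default, keep the
    existing rules, and append any extras (for example an outbound DNS rule)."""
    return Policy(policy.default_in, "deny", policy.rules + tuple(extra_rules))


if __name__ == "__main__":
    posted = parse_status(STATUS_OUTPUT)
    print("as posted:        ", browsing_report(posted))   # everything allowed by default
    locked = with_default_deny_out(posted)
    print("default deny out: ", browsing_report(locked))   # dns denied -> browsing breaks
    fixed = with_default_deny_out(posted, [Rule("out", "allow", 53, "udp")])
    print("plus dns rule:    ", browsing_report(fixed))    # web + dns allowed, ssh denied
```

Run as posted, the two ALLOW OUT rules permit nothing that the `allow (outgoing)` default did not already permit. With outgoing set to deny, the model still allows TCP to 443 from any local port, so the rules themselves are not what broke the browser; what the policy now lacks is outbound DNS, which has to be allowed explicitly. The poster's last worry stands, and the model shows why: these rules select on destination port only, so any local program can use the same ports, and restricting egress to a particular program needs a per-process mechanism that the ufw command line does not provide (for example the iptables owner match on the process's uid).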