Thread: HowTo: UFW - Block Outgoing Ports Except Those Needed + More
Contents:
Part 1: (. novice .) - block outgoing ports except those needed
allow: 20-21, 53, 80, 123, 443 outgoing only
Part 2: (. moderate .) - sysctl: configure kernel parameters at runtime
Part 3: (. moderate .) - configuring before*.rules
Part 4: (. advanced .) - blocking private networks
################################################## #
Part 1: (. novice .) - block outgoing ports except those needed
allow: 20-21, 53, 80, 123, 443 outgoing
I have tested this at the command line, and it works. Here are instructions on how to block outgoing ports except those you specify, using ufw at the command line. This guide assumes you have modified /etc/ufw/ufw.conf to enable auto-launching on system startup, and that ufw is running.
This configuration will allow the following outbound ports: 20-21, 53, 80, 123, 443, which are required by many users. The outbound port mapping may be customized to your setup if it's your desire to allow other applications using different ports. This guide does not cover the configuration of apps that reside in /etc/ufw/applications.d.
1. Open a terminal window.
2. With ufw started and configured for system startup with default inbound deny, begin:
sudo ufw deny out 1:19/tcp
sudo ufw deny out 1:19/udp
sudo ufw deny out 22:52/tcp
sudo ufw deny out 22:52/udp
sudo ufw deny out 54:79/tcp
sudo ufw deny out 54:79/udp
sudo ufw deny out 81:122/tcp
sudo ufw deny out 81:122/udp
sudo ufw deny out 124:442/tcp
sudo ufw deny out 124:442/udp
sudo ufw deny out 444:65535/tcp
sudo ufw deny out 444:65535/udp
3. Check your work in 1 of 2 ways:
sudo ufw status verbose
sudo ufw status numbered
Configuration complete. To test the configuration you may start applications that require the use of a port, such as a torrent application, and when it fails to function, your leak test is a success. If you prefer retaining the above configuration, you may customize applications to allow them to use ports 80 or 443 to function. Or, you may prefer to redo the above differently with your own port range, allowing the ports you need open.
I wrote this post because I couldn't find information on-line on blocking outbound, or the information I found was in error for the current version of Ubuntu 11.10. Or, there were posts from users who *wanted* this functionality and people posted unhelpful information in different ways, including but not limited to, "you don't need this." Yes, I want the functionality, otherwise I wouldn't have asked for information!
When you've finished using the sudo command in the terminal, close out with:
sudo -k
followed by:
exit
If you're continuing to use sudo for other operations at the command line, don't type sudo -k until you've finished.
1 example of an application that may be customized to this setup is Vidalia/Tor:
- Open Vidalia's control panel and click on Settings.
- Click on the Network icon.
- Next, click the box that says, "My firewall only lets me connect to certain ports - Firewall settings"; from here it should show 80,443 by default, and you're done here, click OK.
When you reload Vidalia/Tor, it will have written the port settings to the Tor configuration file and will launch using the above 2 ports only.
This is useful when running Tor if you want an outbound blocking policy in ufw, because Tor by default connects to several different ports and it's impossible to configure them all, as they change per Tor node(s).
################################################## #
Part 2: (. moderate .) - sysctl: configure kernel parameters at runtime
Interestingly, in Ubuntu 11.10, sysctl is found/referenced in 3 different locations:
/etc/sysctl.conf
/etc/sysctl.d/ (contains a few files)
/etc/ufw/sysctl.conf
Within /etc/ufw/sysctl.conf it reads:
"Please note these settings override /etc/sysctl.conf and /etc/sysctl.d. If you prefer to use /etc/sysctl.conf, please adjust IPT_SYSCTL in /etc/default/ufw."
Let's start by modifying /etc/default/ufw, using 1 of 2 options: nano if you're comfortable using nano, or gedit if you'd rather use a graphical editor:
nano copy/paste: sudo nano /etc/default/ufw
gedit copy/paste: gksudo gedit /etc/default/ufw
Modify the following section to match this value (the variable name is upper-case in the file):
# IPT backend
# enable if using iptables backend
IPT_SYSCTL=/etc/sysctl.conf
Save the document and exit.
We've changed the default setting to specify the use of /etc/sysctl.conf here.
Now modify the /etc/sysctl.conf file. Start the editor you wish to use, nano or gedit:
sudo nano /etc/sysctl.conf
or: gksudo gedit /etc/sysctl.conf
* Uncomment (remove the '#' before each line) the following sections (these are recommended settings). If you prefer, copy/paste these lines into /etc/sysctl.conf rather than hunting down each section and uncommenting; it's faster:
kernel.printk = 3 4 1 3
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
* Copy/paste the following into /etc/sysctl.conf:
#from /etc/sysctl.d
kernel.kptr_restrict = 1
kernel.yama.ptrace_scope = 1
vm.mmap_min_addr = 65536
* Copy/paste the following into /etc/sysctl.conf:
#from /etc/ufw/ directory
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.icmp_echo_ignore_all=0
Save the document and exit, then copy/paste at the command line:
sudo sysctl -p
and you're done with the sysctl configuration! If you know what you're doing, you may alter the configuration above, but know what you're doing before you add further to, or subtract from, the recommended settings.
References:
- https://en.wikipedia.org/wiki/sysctl
After completion:
sudo ufw disable
sudo ufw enable
When you've finished using the sudo command in the terminal, close out with:
sudo -k
followed by:
exit
If you're continuing to use sudo for other operations at the command line, don't type sudo -k until you've finished.
################################################## #
Part 3: (. moderate .) - configuring before*.rules
I won't elaborate on the purpose of this section; it should become obvious should you read the files. The following are my recommendations:
sudo nano /etc/ufw/before.rules
or: gksudo gedit /etc/ufw/before.rules
Under "# ok icmp codes" comment out the entries in this section by adding a # mark at the beginning of each line. There's no reason my computer should allow ICMP. I don't care what anyone else says or why, it's my preference, so ignore me here if your preferences are different.
Under "# allow dhcp client to work" comment out the line if your system is set up for static IP use; if your system needs DHCP networking, do not comment out this section, leave it as-is.
Under "# allow MULTICAST mDNS for service discovery" comment out the line.
Under "# allow MULTICAST UPnP for service discovery" comment out the line.
Save the file and exit.
Repeat the above configuration modifications for the file before6.rules, loading it in nano or gedit, then save and exit.
After completion:
sudo ufw disable
sudo ufw enable
When you've finished using the sudo command in the terminal, close out with:
sudo -k
followed by:
exit
If you're continuing to use sudo for other operations at the command line, don't type sudo -k until you've finished.
################################################## #
Part 4: (. advanced .) - blocking private networks
I assume you know what you're doing in this portion of the guide. If not, please skip this section.
Blocking private networks (including pesky multicast if you don't need it) works, but 192.168.0.0/16 may be your local private network and shouldn't be blocked.
Subsection 2(1): blocking private networks: [1]
sudo ufw deny out 10.0.0.0/8
sudo ufw deny out 172.16.0.0/12
sudo ufw deny out 192.168.0.0/16
2(1),[1] references:
- https://en.wikipedia.org/wiki/privat...address_spaces
- https://tools.ietf.org/html/rfc1918
Subsection 2(2): blocking multicast: [2] [2/i]
sudo ufw deny out 239.0.0.0/10 (or 239.0.0.0/8)
sudo ufw deny out 224.0.0.0/4
2(2),[2] references:
- https://en.wikipedia.org/wiki/multicast_address
- https://www.ietf.org/rfc/rfc2365.txt
2(2), [2/i] information: Google multicast and you'll find many users on the web experiencing flooding of their routers with messages in the log from these addresses, frustrating them. You may ignore these messages if you see them in your logs by backtracking to Part 2 in the guide above and modifying the line within /etc/sysctl.conf to: net.ipv4.conf.all.log_martians = 0 instead of the value = 1. Personally, I like seeing martians logged; you may not, for reasons of sanity when combing log files, and disk space.
When you've finished using the sudo command in the terminal, close out with:
sudo -k
followed by:
exit
If you're continuing to use sudo for other operations at the command line, don't type sudo -k until you've finished.
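As an added example (not from the original post), here is a small POSIX sh script that derives the Part 1 deny ranges from any allow list, so the gaps between allowed ports do not have to be worked out by hand. The function and file names are mine; with no arguments it reproduces the 12 rules Part 1 types out for 20,21,53,80,123,443, and it only prints the commands, so review them before pasting into a root shell.

```shell
#!/bin/sh
# Added example (not from the original post): generate the "ufw deny out"
# range rules for every port NOT in an allow list. Needs only POSIX sh + sort.

# Print "sudo ufw deny out <range>/<proto>" for both tcp and udp.
emit_range() {
    if [ "$1" -eq "$2" ]; then spec=$1; else spec="$1:$2"; fi
    for proto in tcp udp; do
        printf 'sudo ufw deny out %s/%s\n' "$spec" "$proto"
    done
}

# gen_deny_rules "20 21 53 80 123 443" -> rules for 1:19, 22:52, ... 444:65535
gen_deny_rules() {
    # sort numerically and drop duplicates so the ranges come out in order
    allowed=$(printf '%s\n' $1 | sort -n -u)
    start=1
    for p in $allowed; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
        # gap between the last allowed port and this one becomes a deny range
        if [ "$p" -gt "$start" ]; then
            emit_range "$start" "$((p - 1))"
        fi
        start=$((p + 1))
    done
    # everything above the highest allowed port
    if [ "$start" -le 65535 ]; then
        emit_range "$start" 65535
    fi
}

# With no arguments, show the rule set that Part 1 types out by hand:
#   sh gen_deny.sh            or            sh gen_deny.sh 22 53 443
if [ "$#" -gt 0 ]; then
    gen_deny_rules "$*"
else
    gen_deny_rules "20 21 53 80 123 443"
fi
```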
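Added example, not from the original post: after `sudo sysctl -p`, this POSIX sh script compares each key in a sysctl-style file with what the kernel actually reports, which is the quick way to confirm the IPT_SYSCTL change in Part 2 took effect and /etc/ufw/sysctl.conf is no longer overriding /etc/sysctl.conf. Function names are mine; the value reader defaults to `sysctl -n` and can be swapped for another command.

```shell
#!/bin/sh
# Added example (not from the original post): report every setting in a
# sysctl-style file that differs from the running kernel's value.

# Collapse whitespace runs to one space and trim, so "3 4 1 3" in the file
# compares equal to the tab-separated value that `sysctl -n kernel.printk` prints.
norm() {
    printf '%s\n' "$1" | sed -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//'
}

# sysctl_mismatches FILE [READER]
# Prints one "key expected=X actual=Y" line per mismatch and returns the
# number of mismatches (0 = every setting in FILE is live). READER is the
# command used to fetch a live value; default "sysctl -n".
sysctl_mismatches() {
    file=$1
    reader=${2:-"sysctl -n"}
    bad=0
    # comments and blank lines are stripped first; each line splits at the first '='
    while IFS='=' read -r key value; do
        key=$(norm "$key")
        want=$(norm "$value")
        # a key the kernel does not have yields an empty "actual" and counts as a mismatch
        have=$(norm "$($reader "$key" 2>/dev/null)")
        if [ "$want" != "$have" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "$have"
            bad=$((bad + 1))
        fi
    done <<EOF
$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file")
EOF
    return "$bad"
}

# Usage: sh check_sysctl.sh /etc/sysctl.conf
if [ "$#" -ge 1 ]; then
    sysctl_mismatches "$1" || echo "$? setting(s) not in effect" >&2
fi
```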
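Added example, not from the original post: this POSIX sh/awk helper comments out the rule lines under a named section header in before.rules or before6.rules, the edit Part 3 describes for the icmp, dhcp, mDNS and UPnP sections. Function and file names are mine; it writes to stdout so the result can be diffed against the original before the file is replaced.

```shell
#!/bin/sh
# Added example (not from the original post): comment out the iptables rules
# that follow a section header comment in a ufw before*.rules file.

# comment_section FILE 'header text'
# A block starts at a comment line containing the header text (case-insensitive)
# and ends at the next blank line; every "-A ..." rule inside it gets a leading '#'.
comment_section() {
    awk -v hdr="$2" '
        BEGIN { inblk = 0; want = tolower(hdr) }
        /^#/ { if (index(tolower($0), want) > 0) inblk = 1 }  # header comment opens a block
        /^[ \t]*$/ { inblk = 0 }                                # blank line closes it
        inblk && /^-A / { print "#" $0; next }                  # disable the rule line
        { print }
    ' "$1"
}

# With two arguments: sh comment_rules.sh /etc/ufw/before.rules 'ok icmp codes'
# With none: demo on a constructed fragment shaped like the stock before.rules.
if [ "$#" -ge 2 ]; then
    comment_section "$1" "$2"
else
    sample=$(mktemp)
    printf '%s\n' \
        '# ok icmp codes for INPUT' \
        '-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT' \
        '-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT' \
        '' \
        '# allow dhcp client to work' \
        '-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT' \
        > "$sample"
    comment_section "$sample" 'ok icmp codes'
    rm -f "$sample"
fi
```

Keep in mind that the same icmp section also accepts destination-unreachable, which path MTU discovery relies on, so check connectivity after disabling it.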
Is there a reason you don't do:
sudo ufw deny out any
and do:
sudo ufw allow out 20,21,53,80,123,443/tcp
sudo ufw allow out 20,21,53,80,123,443/udp
That would give the same result, and make ufw status more readable (i.e. you see the ports that are open, instead of those closed).
My ufw status verbose looks like:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
53/udp                     ALLOW OUT   Anywhere
20,21,80,443,8001/tcp      ALLOW OUT   Anywhere
1863/tcp                   ALLOW OUT   Anywhere
465                        ALLOW OUT   Anywhere
993                        ALLOW OUT   Anywhere
51413                      ALLOW OUT   Anywhere
23399                      ALLOW OUT   Anywhere
Anywhere                   DENY OUT    Anywhere
Or is there something I missed?
Forum: The Ubuntu Forum Community > Ubuntu Specialised Support > Security (thread marked [SOLVED])