For high security, block everything coming in and everything going out. Then open outbound ports in the firewall that are needed for the specific things you do.
For example, do you want to connect to a mail server for reading and replying to email? That's usually port 465/tcp (SMTPS) and 993/tcp (IMAPS).
Do you want to access remote websites? Those use port 80/tcp and 443/tcp, typically. Streaming videos may hop to a different port and may use UDP instead of TCP.
You'll likely want DNS to be allowed. Depending on which type of DNS you use, that can be on port 53/udp or 53/tcp or if you use DNS-over-HTTPS, that would use 443/tcp.
Want to print to a network printer? CUPS is usually on port 631/tcp.
The major ports used for different network services are listed in the /etc/services file. May want to review that.
CIFS, NFS, and ssh are a few other things commonly used.
What most people do is to block all incoming connections, then allow all outbound connections on their workstations. Then they would add specific rules for the inbound network services only if needed. You can allow those for any systems on the same subnet or for specific IPs on the subnet. If you do specific IPs, then you'll need to have a well-managed network.
For one of my LAN servers, here are all the inbound firewall rules
Code:
$ sudo ufw status
Status: active
To Action From
-- ------ ----
4949/tcp ALLOW 172.22.22.4
111 ALLOW 172.22.22.0/24
2049 ALLOW 172.22.22.0/24
22/tcp ALLOW 172.22.22.0/24
8096 ALLOW 172.22.22.0/24
13025 ALLOW 172.22.22.0/24
5353 ALLOW 172.22.22.0/24
3142 ALLOW 172.22.22.0/24 # apt-cacher-ng
1900 ALLOW 172.22.22.0/24 # DLNA
6600 ALLOW 172.22.22.0/24
123/udp ALLOW 172.22.22.0/24
7359/udp ALLOW 172.22.22.0/24 # Jellyfin Discovery UDP
8000 ALLOW 172.22.22.0/24 # Jellyfin TV Icons
8181 ALLOW 172.22.22.0/24
Each was carefully selected for specific reasons. Another server has these rules:
Code:
$ sudo ufw status
Status: active
To Action From
-- ------ ----
631 ALLOW 172.22.22.0/24 # Printing
22 ALLOW 172.22.22.0/24 # ssh
4949/tcp ALLOW 172.22.22.4
5353/udp ALLOW Anywhere # zeroconf/avahi/mdns
2049 ALLOW 172.22.22.0/24 # NFS
13025 ALLOW 172.22.22.0/24 # NFS
111 ALLOW 172.22.22.0/24 # ident
My desktop has these rules:
Code:
$ sudo ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
4949/tcp ALLOW 172.22.22.4
I figured seeing real examples would be helpful. These are only the rules controlled by UFW. I have some other rules that get added dynamically when using VPN software. My VPN server has a bunch of rules to allow connections between different subnets.
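The posture described at the top of the post (deny both directions by default, then open only the named outbound services and a few subnet-scoped inbound ones) written out as a ufw script. This is an added example, not the poster's own configuration; it reuses the 172.22.22.0/24 subnet and the 4949/tcp-from-172.22.22.4 rule from the poster's output, but the post does not name the service behind 4949, so that rule is just labelled 'monitoring'.

```shell
#!/bin/sh
# Added example: default-deny in both directions with ufw, then allow only
# what is needed. Run without arguments to print the commands for review;
# run as `sudo sh firewall.sh apply` to execute them.
LAN="172.22.22.0/24"          # LAN subnet taken from the post's rules
MONITOR_HOST="172.22.22.4"    # host allowed to reach 4949/tcp in the post

# Outbound services this host may reach: "port/proto comment"
# (the ports the post walks through: mail, web, DNS, printing, plus NTP)
OUTBOUND_ALLOW="
53/udp DNS
53/tcp DNS-over-TCP
80/tcp HTTP
443/tcp HTTPS-and-DoH
465/tcp SMTPS
993/tcp IMAPS
631/tcp CUPS-printing
123/udp NTP
"

# Emit the ufw commands instead of running them, so the resulting policy
# can be read (or diffed against `ufw status`) before it is applied.
generate_rules() {
    echo "ufw --force reset"               # start from a clean, disabled state
    echo "ufw default deny incoming"
    echo "ufw default deny outgoing"
    echo "$OUTBOUND_ALLOW" | while read -r spec comment; do
        [ -n "$spec" ] || continue
        port=${spec%/*}
        proto=${spec#*/}
        echo "ufw allow out proto $proto to any port $port comment '$comment'"
    done
    # Inbound: ssh only from the LAN, port 4949 only from the monitoring host
    echo "ufw allow in proto tcp from $LAN to any port 22 comment 'ssh'"
    echo "ufw allow in proto tcp from $MONITOR_HOST to any port 4949 comment 'monitoring'"
    echo "ufw --force enable"
}

# Execute each generated command, echoing it first; stops on the first failure.
apply_rules() {
    generate_rules | while read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1
    done
}

# Number of explicit allow rules in the generated policy (8 outbound + 2 inbound).
rule_count() { generate_rules | grep -c '^ufw allow'; }

if [ "${1:-}" = "apply" ]; then apply_rules; fi
```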