- HowTo: UFW - Block Outgoing Ports Except Those Needed + More in Ubuntu 11.10
- Contents -
- Part 1: (. Novice .) - Block Outgoing Ports Except Those Needed
- allow: 20-21, 53, 80, 123, 443 outgoing only
- Part 2: (. Moderate .) - Sysctl: configure kernel parameters at runtime
- Part 3: (. Moderate .) - Configuring before*.rules
- Part 4: (. Advanced .) - Blocking Private Networks
- ###################################################
- Part 1: (. Novice .) - Block Outgoing Ports Except Those Needed
- allow: 20-21, 53, 80, 123, 443 outgoing
- I have tested this at the command line and it works. Here
- are the instructions on how to block outgoing ports except
- those specified using ufw at the command line. This guide
- assumes you have previously modified /etc/ufw/ufw.conf
- to enable auto-launching on system startup and ufw is
- running.
- This configuration allows the following outbound ports:
- 20-21, 53, 80, 123, 443, which is all that many users
- require. You may customize the outbound port list for
- your own setup if you want to allow other applications
- that use different ports. This guide does not cover
- configuration of the application profiles which reside
- in /etc/ufw/applications.d
- 1. Open a Terminal window
- 2. With ufw started and configured for system startup
- with the default inbound deny, begin:
- sudo ufw deny out 1:19/tcp
- sudo ufw deny out 1:19/udp
- sudo ufw deny out 22:52/tcp
- sudo ufw deny out 22:52/udp
- (the next range starts at 54, not 53, so DNS on port 53 stays allowed)
- sudo ufw deny out 54:79/tcp
- sudo ufw deny out 54:79/udp
- sudo ufw deny out 81:122/tcp
- sudo ufw deny out 81:122/udp
- sudo ufw deny out 124:442/tcp
- sudo ufw deny out 124:442/udp
- sudo ufw deny out 444:65535/tcp
- sudo ufw deny out 444:65535/udp
- 3. Check your work in one or two ways:
- sudo ufw status verbose
- sudo ufw status numbered
- Configuration is complete. To test it, start an application
- that needs a port outside this list, such as a torrent
- client; when it fails to function, your leak test has
- succeeded. If you prefer to keep the configuration above,
- you may set applications that allow it to use ports 80
- or 443 instead. Or, you may redo the steps above with your
- own port ranges to allow the ports you need open.
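The twelve rules above are the complement of the allow-list, worked out by hand. The script below is an added example (not part of the original post) that computes those gaps for any allow-list, so a different set of ports does not have to be split into ranges manually, and prints the matching tcp/udp "deny out" commands for review rather than running them. It assumes, as the guide does, that ufw's default outgoing policy is still allow (confirm with "sudo ufw status verbose"); with a default-deny outgoing policy you would write allow rules instead.

```sh
#!/bin/sh
# Added example, not from the original post: generate the "deny out" rules that
# cover every port NOT in an allow-list. ALLOWED is a space-separated list of
# ports or ranges; "20-21 53 80 123 443" reproduces the list used in Part 1.
# Assumes ufw's default outgoing policy is "allow" (the ufw default), which is
# why deny rules rather than allow rules are emitted.

# Print the complement of the allow-list as lo:hi ranges, one per line.
deny_ranges() {
    printf '%s\n' $1 | awk '
        BEGIN { FS = "-" }
        $1 != "" {
            lo = $1 + 0; hi = (NF > 1) ? $2 + 0 : lo
            n++; L[n] = lo; H[n] = hi
        }
        END {
            # insertion sort by low port; the list is tiny
            for (i = 2; i <= n; i++) {
                l = L[i]; h = H[i]; j = i - 1
                while (j > 0 && L[j] > l) { L[j + 1] = L[j]; H[j + 1] = H[j]; j-- }
                L[j + 1] = l; H[j + 1] = h
            }
            # walk the sorted allow-list and emit every gap between entries
            next_port = 1
            for (i = 1; i <= n; i++) {
                if (L[i] > next_port) print next_port ":" (L[i] - 1)
                if (H[i] + 1 > next_port) next_port = H[i] + 1
            }
            if (next_port <= 65535) print next_port ":65535"
        }'
}

# Turn each range into the two ufw commands (tcp and udp) used in Part 1.
# The commands are printed, not executed: review them, then pipe them to sh.
ufw_deny_out_rules() {
    deny_ranges "$1" | while read -r range; do
        printf 'sudo ufw deny out %s/tcp\n' "$range"
        printf 'sudo ufw deny out %s/udp\n' "$range"
    done
}

# Usage: sh deny_out_rules.sh "20-21 53 80 123 443"
ufw_deny_out_rules "${1:-20-21 53 80 123 443}"
```

Overlapping or unsorted entries are fine: the list is sorted first and a range that falls inside an earlier one produces no gap.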
- I wrote this post because I couldn't find the information
- on-line on blocking outbound, or the information found was
- in error for the current version of Ubuntu 11.10. Or, there
- were posts where users *wanted* this functionality but
- people would post back unhelpful information in different
- ways, including but not limited to, "You don't need to
- do this." Yes, some would like this functionality, otherwise
- they wouldn't have asked for the information!
- When you've finished using the sudo command in your
- Terminal, close it out with:
- sudo -K
- followed by:
- exit
- If you're continuing to use sudo for other operations
- at the command line, don't type sudo -K until you've
- finished.
- One example of an application which may be customized for
- this setup is Vidalia/Tor:
- - Open Vidalia's Control Panel and click on Settings.
- - Now click on the Network Icon.
- - Next, click the box which says, "My firewall only lets
- me connect to certain ports - Firewall Settings", from
- here it should say 80,443 by default, you're done here,
- click OK.
- When you reload Vidalia/Tor, it will have
- written those port settings to the Tor configuration
- file and it will launch using the above two ports only.
- This is very useful when running Tor if you want an
- outbound blocking policy in ufw, as Tor by default
- connects to several different ports and it would be
- impossible to configure them all, as they change
- per Tor node(s).
- ###################################################
- Part 2: (. Moderate .) - Sysctl: configure kernel parameters at runtime
- This is interesting in Ubuntu 11.10, as Sysctl is
- found/referenced in three different locations:
- /etc/sysctl.conf
- /etc/sysctl.d/ (contains a few files)
- /etc/ufw/sysctl.conf
- Within /etc/ufw/sysctl.conf it reads:
- "Please note these settings override /etc/sysctl.conf and
- /etc/sysctl.d. If you prefer to use /etc/sysctl.conf,
- please adjust IPT_SYSCTL in /etc/default/ufw."
- Let's start by modifying /etc/default/ufw, use one
- of the two options, nano if you're comfortable
- with using nano, or gedit if you'd rather use a graphical
- editor:
- For nano copy/paste: sudo nano /etc/default/ufw
- For gedit copy/paste: gksudo gedit /etc/default/ufw
- Modify the following section to match this value:
- # IPT backend
- # only enable if using iptables backend
- IPT_SYSCTL=/etc/sysctl.conf
- Save document and exit.
- We've changed the default setting to specify
- the use of /etc/sysctl.conf here.
- Now we modify the /etc/sysctl.conf file. Start
- the editor you wish to use, nano or gedit:
- sudo nano /etc/sysctl.conf
- gksudo gedit /etc/sysctl.conf
- * Uncomment (remove the '#' before each line) the
- following sections: (these are my recommended settings)
- If you prefer, you could simply copy/paste these
- lines into /etc/sysctl.conf rather than hunting down
- each section for uncommenting, it's faster:
- kernel.printk = 3 4 1 3
- net.ipv4.conf.default.rp_filter=1
- net.ipv4.conf.all.rp_filter=1
- net.ipv4.tcp_syncookies=1
- net.ipv4.conf.all.accept_redirects = 0
- net.ipv6.conf.all.accept_redirects = 0
- net.ipv4.conf.all.send_redirects = 0
- net.ipv4.conf.all.accept_source_route = 0
- net.ipv6.conf.all.accept_source_route = 0
- net.ipv4.conf.all.log_martians = 1
- * Copy/paste the following into /etc/sysctl.conf:
- #from /etc/sysctl.d
- kernel.kptr_restrict = 1
- kernel.yama.ptrace_scope = 1
- vm.mmap_min_addr = 65536
- * Copy/paste the following into /etc/sysctl.conf:
- #from /etc/ufw/ directory
- net.ipv4.icmp_echo_ignore_broadcasts=1
- net.ipv4.icmp_ignore_bogus_error_responses=1
- net.ipv4.icmp_echo_ignore_all=0
- Save the document and exit, now copy/paste at
- the command line:
- sudo sysctl -p
- and you're done with the sysctl configuration!
- If you know what you're doing, you may alter
- the configuration above, but know what you're
- doing before you add anything further, or
- subtract from my recommended settings.
- References:
- - https://en.wikipedia.org/wiki/Sysctl
- After completion:
- sudo ufw disable
- sudo ufw enable
- When you've finished using the sudo command in your
- Terminal, close it out with:
- sudo -K
- followed by:
- exit
- If you're continuing to use sudo for other operations
- at the command line, don't type sudo -K until you've
- finished.
- ###################################################
- Part 3: (. Moderate .) - Configuring before*.rules
- I won't elaborate on the purpose of this section,
- it should become obvious should you read the files.
- The following are my recommendations:
- sudo nano /etc/ufw/before.rules
- or: gksudo gedit /etc/ufw/before.rules
- under #ok icmp codes
- comment all entries in this section by adding
- a # mark at the beginning of each line. There's
- no reason for my computer to allow icmp. I don't
- care what someone else says or why, this is my
- preference, ignore me here if your preferences
- are different.
- under #allow dhcp to work
- comment out the line if your system is setup
- for static ip use, if your system needs dhcp
- for networking, do not comment this section,
- leave it as-is.
- under #allow MULTICAST mDNS for service discovery
- comment out the line
- under #allow MULTICAST UPnP for service discovery
- comment out the line
- Save file and exit
- Repeat the above configuration modifications to
- the file before6.rules, loading it with nano
- or gedit, save and exit.
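The edits above are done by hand in an editor. As an added example (not from the original post), the script below makes the same change mechanically: it comments out every active rule under one section header of a before.rules-style file and counts what is still active, so you can check the result before reloading ufw. It assumes the section is the run of non-comment, non-blank lines that follows the header comment, as in the file's layout, and that the header text is passed exactly (e.g. "ok icmp codes" for the "# ok icmp codes" line). The sample file in the test is constructed for the example, not copied from a system.

```sh
#!/bin/sh
# Added example, not from the original post: comment out the active rules under
# one section header of a ufw before.rules-style file and count what remains.
# Running comment_section twice on the same file changes nothing.

# comment_section FILE HEADER: prefix every active line of the section with "#".
# The file is rewritten in place through "cat >" so its mode and owner survive.
comment_section() {
    file=$1
    awk -v hdr="$2" '
        in_sec && (/^[ \t]*$/ || /^[ \t]*#/) { in_sec = 0 }
        in_sec { print "#" $0; next }
        /^[ \t]*#/ { h = $0; sub(/^[ \t]*#[ \t]*/, "", h); if (h == hdr) in_sec = 1 }
        { print }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# active_rules_under FILE HEADER: print how many uncommented lines the section has.
active_rules_under() {
    awk -v hdr="$2" '
        in_sec && (/^[ \t]*$/ || /^[ \t]*#/) { in_sec = 0 }
        in_sec { n++ }
        /^[ \t]*#/ { h = $0; sub(/^[ \t]*#[ \t]*/, "", h); if (h == hdr) in_sec = 1 }
        END { print n + 0 }
    ' "$1"
}

# Usage (edit a copy first, then compare):
#   cp /etc/ufw/before.rules /tmp/before.rules
#   sh comment_section.sh /tmp/before.rules "ok icmp codes"
if [ $# -eq 2 ]; then
    comment_section "$1" "$2"
    printf '%s active line(s) left under "%s"\n' "$(active_rules_under "$1" "$2")" "$2"
fi
```

Work on a copy and diff it against the original before copying it back over /etc/ufw/before.rules; the same call with "allow dhcp to work", "allow MULTICAST mDNS for service discovery" and "allow MULTICAST UPnP for service discovery" covers the other sections named above, and before6.rules is handled the same way.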
- After completion:
- sudo ufw disable
- sudo ufw enable
- When you've finished using the sudo command in your
- Terminal, close it out with:
- sudo -K
- followed by:
- exit
- If you're continuing to use sudo for other operations
- at the command line, don't type sudo -K until you've
- finished.
- ###################################################
- Part 4: (. Advanced .) - Blocking Private Networks
- I assume you know what you're doing in this portion
- of the guide. If you do not, please skip this section.
- To block private networks (including the pesky multicast
- if you don't need it) this works, but look out for the
- 192.168.0.0/16 which may be your local private network
- and shouldn't be blocked.
- Subsection 2(1): Blocking Private Networks: [1]
- sudo ufw deny out to 10.0.0.0/8
- sudo ufw deny out to 172.16.0.0/12
- sudo ufw deny out to 192.168.0.0/16
- 2(1),[1] References:
- - https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
- - https://tools.ietf.org/html/rfc1918
- Subsection 2(2): Blocking MULTICAST: [2] [2/I]
- sudo ufw deny out to 239.0.0.0/10 (or 239.0.0.0/8)
- sudo ufw deny out to 224.0.0.0/4
- 2(2),[2] References:
- - https://en.wikipedia.org/wiki/Multicast_address
- - https://www.ietf.org/rfc/rfc2365.txt
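The warning at the start of this part, that 192.168.0.0/16 may be your own LAN, is easy to check before typing the rules. The script below is an added example (not from the original post): a pure POSIX-awk CIDR membership test plus a check that lists which of the deny targets above would also cut off a given local address, such as your gateway or DNS server. The DENIED_OUT list repeats the targets from this part (using the 239.0.0.0/8 variant); the addresses in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: find out whether the "deny out"
# targets of Part 4 would also block your own local network before applying them.

# cidr_contains CIDR IP: exit 0 if the IPv4 address lies inside the CIDR block.
# Uses integer division by 2^hostbits instead of bit operations, which POSIX awk lacks.
cidr_contains() {
    awk -v cidr="$1" -v ip="$2" '
        function ip2int(a,   o) {
            split(a, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN {
            split(cidr, c, "/")
            if (c[2] == "") c[2] = 32        # a bare address means /32
            blk = 2 ^ (32 - c[2])            # size of the block in addresses
            if (int(ip2int(c[1]) / blk) == int(ip2int(ip) / blk)) exit 0
            exit 1
        }'
}

# Targets denied outbound in Part 4 (private networks and multicast).
DENIED_OUT='10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 239.0.0.0/8 224.0.0.0/4'

# deny_conflicts LOCAL_IP: print every deny target that also covers LOCAL_IP.
# Returns 1 when a conflict exists so a script can stop before applying rules.
deny_conflicts() {
    local_ip=$1; hit=0
    for net in $DENIED_OUT; do
        if cidr_contains "$net" "$local_ip"; then
            printf 'CONFLICT: "ufw deny out to %s" also blocks %s\n' "$net" "$local_ip"
            hit=1
        fi
    done
    return $hit
}

# Usage: sh deny_conflicts.sh 192.168.1.1   (your gateway or DNS server address)
if [ $# -gt 0 ]; then deny_conflicts "$1"; fi
```

If the check reports a conflict, either drop that rule or narrow it so your own subnet stays reachable (for a /24 LAN inside 192.168.0.0/16, an explicit "ufw allow out to" rule for that /24 inserted before the deny would do; ufw evaluates rules in order).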
- 2(2),[2/I] Information: search the web for MULTICAST and you
- will find many users frustrated by their routers flooding
- their logs with messages from these addresses. If you see
- these messages in your logs, you may silence them by going
- back to Part 2 of this guide and changing the line in
- /etc/sysctl.conf to: net.ipv4.conf.all.log_martians = 0
- instead of the value = 1. Personally, I like
- seeing martians logged; you may not, for the sake of
- sanity when combing log files, and of disk space.
- When you've finished using the sudo command in your
- Terminal, close it out with:
- sudo -K
- followed by:
- exit
- If you're continuing to use sudo for other operations
- at the command line, don't type sudo -K until you've
- finished.
Posted by Anonymous on Sun 11th Dec 2011 10:43