HowTo: UFW ) Block Outgoing Ports Except Those Needed + More

Postby minuetriker » 2011-12-11 13:09

Notice: This guide was written for Ubuntu but certain parts are useful for Debian, too, especially the ufw configuration.

Contents -

Part 1: (. Novice .) - Block Outgoing Ports Except Those Needed
allow: 20-21, 53, 80, 123, 443 outgoing only
Part 2: (. Moderate .) - Sysctl: configure kernel parameters at runtime
Part 3: (. Moderate .) - Configuring before*.rules
Part 4: (. Advanced .) - Blocking Private Networks
###################################################

Part 1: (. Novice .) - Block Outgoing Ports Except Those Needed
allow: 20-21, 53, 80, 123, 443 outgoing

I have tested this at the command line and it works. Here
are the instructions on how to block outgoing ports except
those specified, using ufw at the command line. This guide
assumes you have previously modified /etc/ufw/ufw.conf
to enable launching at system startup and that ufw is
running.

This configuration will allow the following outbound ports:
20-21, 53, 80, 123 and 443, which is all that many users
require. You may customize the allowed outbound ports for
your own setup if other applications need different ports.
This guide does not cover configuration of the application
profiles which reside in /etc/ufw/applications.d.

1. Open a Terminal window
2. With ufw started and configured for system startup
with the default inbound deny, begin:

sudo ufw deny out 1:19/tcp
sudo ufw deny out 1:19/udp
sudo ufw deny out 22:52/tcp
sudo ufw deny out 22:52/udp
sudo ufw deny out 54:79/tcp
sudo ufw deny out 54:79/udp
sudo ufw deny out 81:122/tcp
sudo ufw deny out 81:122/udp
sudo ufw deny out 124:442/tcp
sudo ufw deny out 124:442/udp
sudo ufw deny out 444:65535/tcp
sudo ufw deny out 444:65535/udp

3. Check your work in one of two ways:

sudo ufw status verbose
sudo ufw status numbered

Configuration is complete. To test this configuration
you may start an application requiring the use of another
port, such as a torrent application; when it fails
to function, your leak test is a success. If you prefer
to retain the above configuration, you may configure
applications which allow it to use ports 80 or 443 to
function. Or, you may prefer to redo the above
with your own port ranges to allow the ports you need
open.
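As an added example (not part of the original post), a small POSIX sh script that derives the deny ranges from any allow list, so the rule set above can be rebuilt when the ports you need differ; it only prints the commands so you can review them before pasting.

```shell
# Added example (not from the original post): generate the "deny out"
# ranges for an allow list, so the rule set above can be rebuilt for a
# different choice of permitted outbound ports. Commands are printed,
# not executed; review them, then paste the ones you want.
gap_ranges() {
    # $1 = space-separated list of allowed ports. Walks the sorted list
    # and emits every gap between consecutive allowed ports as lo:hi.
    prev=0
    for p in $(printf '%s\n' $1 | sort -n | uniq); do
        lo=$((prev + 1))
        hi=$((p - 1))
        if [ "$lo" -le "$hi" ]; then
            printf '%d:%d\n' "$lo" "$hi"
        fi
        prev=$p
    done
    # Trailing gap from the highest allowed port up to 65535.
    if [ "$prev" -lt 65535 ]; then
        printf '%d:%d\n' $((prev + 1)) 65535
    fi
}

# One deny rule per range for both TCP and UDP, matching the post's form.
deny_commands() {
    gap_ranges "$1" | while read -r range; do
        printf 'sudo ufw deny out %s/tcp\n' "$range"
        printf 'sudo ufw deny out %s/udp\n' "$range"
    done
}

# The allow list used in Part 1 reproduces the twelve rules above.
deny_commands "20 21 53 80 123 443"
```

ufw also accepts `sudo ufw default deny outgoing` followed by explicit `allow out` rules, which expresses the same policy with fewer rules.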

I wrote this post because I couldn't find the information
on-line on blocking outbound, or the information found was
in error for the current version of Ubuntu 11.10. Or, there
were posts where users *wanted* this functionality but
people would post back unhelpful information in different
ways, including but not limited to, "You don't need to
do this." Yes, some would like this functionality, otherwise
they wouldn't have asked for the information!

When you've finished using the sudo command in your
Terminal, close it out with:

sudo -K

followed by:

exit

If you're continuing to use sudo for other operations
at the command line, don't type sudo -K until you've
finished.

One example of an application which may be customized for
this setup is Vidalia/Tor:

- Open Vidalia's Control Panel and click on Settings.
- Now click on the Network Icon.
- Next, tick the box which says, "My firewall only lets
me connect to certain ports - Firewall Settings". It
should list 80,443 by default; you're done here,
click OK.

When you reload Vidalia/Tor, it will have
written those port settings to the Tor configuration
file and it will launch using the above two ports only.

This is very useful when running Tor if you want an
outbound blocking policy in ufw, as Tor by default
connects to several different ports and it would be
impossible to write rules for them all, as they vary
from one Tor node to another.

###################################################

Part 2: (. Moderate .) - Sysctl: configure kernel parameters at runtime

This is interesting in Ubuntu 11.10, as sysctl settings
are found or referenced in three different locations:

/etc/sysctl.conf
/etc/sysctl.d/ (contains a few files)
/etc/ufw/sysctl.conf

Within /etc/ufw/sysctl.conf it reads:

"Please note these settings override /etc/sysctl.conf and
/etc/sysctl.d. If you prefer to use /etc/sysctl.conf,
please adjust IPT_SYSCTL in /etc/default/ufw."

Let's start by modifying /etc/default/ufw. Use one
of the two options: nano if you're comfortable
with it, or gedit if you'd rather use a graphical
editor:

For nano copy/paste: sudo nano /etc/default/ufw
For gedit copy/paste: gksudo gedit /etc/default/ufw

Modify the following section to match this value:

# IPT backend
# only enable if using iptables backend
IPT_SYSCTL=/etc/sysctl.conf

Save the document and exit.

We've changed the default setting to specify
the use of /etc/sysctl.conf here.

Now we modify the /etc/sysctl.conf file. Start
the editor you wish to use, nano or gedit:

sudo nano /etc/sysctl.conf
gksudo gedit /etc/sysctl.conf

* Uncomment (remove the '#' before each line) the
following sections (these are my recommended settings).
If you prefer, you could simply copy/paste these
lines into /etc/sysctl.conf rather than hunting down
each section to uncomment; it's faster:

kernel.printk = 3 4 1 3
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1

* Copy/paste the following into /etc/sysctl.conf:

#from /etc/sysctl.d
kernel.kptr_restrict = 1
kernel.yama.ptrace_scope = 1
vm.mmap_min_addr = 65536

* Copy/paste the following into /etc/sysctl.conf:

#from /etc/ufw/ directory
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.icmp_echo_ignore_all=0

Save the document and exit, then copy/paste at
the command line:

sudo sysctl -p

and you're done with the sysctl configuration!
If you know what you're doing, you may alter
the configuration above, but know what you're
doing before you add anything further, or
subtract from my recommended settings.

References:

- https://en.wikipedia.org/wiki/Sysctl

After completion:

sudo ufw disable
sudo ufw enable

When you've finished using the sudo command in your
Terminal, close it out with:

sudo -K

followed by:

exit

If you're continuing to use sudo for other operations
at the command line, don't type sudo -K until you've
finished.

###################################################

Part 3: (. Moderate .) - Configuring before*.rules

I won't elaborate on the purpose of this section; it
should become obvious once you read the files.
The following are my recommendations:

sudo nano /etc/ufw/before.rules
or: gksudo gedit /etc/ufw/before.rules

under #ok icmp codes
comment all entries in this section by adding
a # mark at the beginning of each line. There's
no reason for my computer to allow icmp. I don't
care what someone else says or why, this is my
preference, ignore me here if your preferences
are different.

under #allow dhcp to work
comment out the line if your system is set up
for static IP use. If your system needs DHCP
for networking, do not comment out this section;
leave it as-is.

under #allow MULTICAST mDNS for service discovery
comment out the line

under #allow MULTICAST UPnP for service discovery
comment out the line

Save the file and exit.

Repeat the above configuration modifications to
the file before6.rules, loading it with nano
or gedit, save and exit.
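As an added example (not part of the original post), a POSIX sh helper that comments out every rule line in one section of a before.rules-style file, matching the section header by case-insensitive substring so the spacing after the # does not matter; it writes to stdout for review rather than touching the real file, and the rules file it runs on is constructed here.

```shell
# Added example (not from the original post): comment out every rule in
# one section of before.rules, where a section runs from its "#" header
# to the next blank line. Output goes to stdout so you can review it before
# replacing the real file; the sample below is constructed.
comment_section() {
    # $1 = file, $2 = header text to match (case-insensitive substring)
    awk -v hdr="$2" '
        BEGIN { insec = 0; hdr = tolower(hdr) }
        /^#/ && index(tolower($0), hdr) { insec = 1; print; next }
        insec && /^[[:space:]]*$/      { insec = 0 }
        insec && !/^#/                 { print "#" $0; next }
        { print }
    ' "$1"
}

# Count rules that are still active (not commented) in a rules file.
count_active_rules() {
    grep -c '^-A ' "$1" || true
}

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
EOF
comment_section "$SAMPLE" "ok icmp codes"
rm -f "$SAMPLE"
```

Redirect the output to a scratch file, diff it against the original, and only then copy it over /etc/ufw/before.rules (and repeat for before6.rules).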

After completion:

sudo ufw disable
sudo ufw enable

When you've finished using the sudo command in your
Terminal, close it out with:

sudo -K

followed by:

exit

If you're continuing to use sudo for other operations
at the command line, don't type sudo -K until you've
finished.

###################################################

Part 4: (. Advanced .) - Blocking Private Networks

I assume you know what you're doing in this portion
of the guide. If you do not, please skip this section.

To block private networks (including the pesky multicast
if you don't need it) this works, but watch out for
192.168.0.0/16, which may be your local private network
and shouldn't be blocked.

Subsection 2(1): Blocking Private Networks: [1]

sudo ufw deny out to 10.0.0.0/8
sudo ufw deny out to 172.16.0.0/12
sudo ufw deny out to 192.168.0.0/16

2(1),[1] References:
- https://en.wikipedia.org/wiki/Private_n ... ess_spaces
- https://tools.ietf.org/html/rfc1918

Subsection 2(2): Blocking MULTICAST: [2] [2/I]

sudo ufw deny out to 239.0.0.0/10 (or 239.0.0.0/8)
sudo ufw deny out to 224.0.0.0/4

2(2),[2] References:
- https://en.wikipedia.org/wiki/Multicast_address
- https://www.ietf.org/rfc/rfc2365.txt

2(2),[2/I] Information: search the web for MULTICAST and
you'll find many users experiencing flooding of
their logs by their routers with messages from
these addresses, to their frustration. You may ignore
these messages if you see them in your logs by
backtracking to Part 2 in this guide above
and modifying the line within /etc/sysctl.conf
to: net.ipv4.conf.all.log_martians = 0
instead of the value 1. Personally, I like
seeing martians logged; you may not, for
reasons of sanity when combing log files
and disk space.
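As an added example (not part of the original post), a POSIX sh check that tells you which of the deny rules in this part would match a given address, so you can confirm that your own LAN is not caught by 192.168.0.0/16 (or any other block) before adding the rule; the addresses it tests are constructed.

```shell
# Added example (not from the original post): check which of the deny
# rules above would match a given address, so you can confirm that your
# own LAN (the 192.168.0.0/16 caveat) is not caught before adding a rule.
ip_to_int() {
    # Dotted quad to 32-bit integer, shell arithmetic only.
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_cidr() {
    # $1 = address, $2 = network/prefix. Succeeds when $1 lies in $2.
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Succeeds when the whole block $1 lies inside block $2, e.g. to see that
# 224.0.0.0/4 already covers 239.0.0.0/8, so the narrower rule adds nothing.
cidr_within() {
    [ "${1#*/}" -ge "${2#*/}" ] && in_cidr "${1%/*}" "$2"
}

# Constructed addresses; the last one matches no rule and prints nothing.
for addr in 192.168.1.10 10.5.5.5 239.1.2.3 203.0.113.7; do
    for block in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4; do
        if in_cidr "$addr" "$block"; then
            printf '%s would be denied by the rule for %s\n' "$addr" "$block"
        fi
    done
done
```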

When you've finished using the sudo command in your
Terminal, close it out with:

sudo -K

followed by:

exit

If you're continuing to use sudo for other operations
at the command line, don't type sudo -K until you've
finished.