
Let me show you what I just wasted 2 hours doing:

To                         Action      From
--                         ------      ----
22                         REJECT      Anywhere
23/tcp                     REJECT      Anywhere
79/tcp                     REJECT      Anywhere
25/tcp                     REJECT      Anywhere
43/tcp                     REJECT      Anywhere
49                         REJECT      Anywhere
21/tcp                     REJECT      Anywhere
110                        REJECT      Anywhere
115/tcp                    REJECT      Anywhere
39/udp                     REJECT      Anywhere
143                        REJECT      Anywhere
161                        REJECT      Anywhere
199                        REJECT      Anywhere
209                        REJECT      Anywhere
213                        REJECT      Anywhere
530/tcp                    REJECT      Anywhere
389                        REJECT      Anywhere
444                        REJECT      Anywhere
465/tcp                    REJECT      Anywhere
512/udp                    REJECT      Anywhere
513/udp                    REJECT      Anywhere
514/tcp                    REJECT      Anywhere
514/udp                    REJECT      Anywhere
540/tcp                    REJECT      Anywhere
554                        REJECT      Anywhere
556/tcp                    REJECT      Anywhere
623/udp                    REJECT      Anywhere
706                        REJECT      Anywhere
88                         REJECT      Anywhere
990/tcp                    REJECT      Anywhere
994                        REJECT      Anywhere
995                        REJECT      Anywhere
993                        REJECT      Anywhere
130/tcp                    REJECT      Anywhere
130/udp                    REJECT      Anywhere
131/udp                    REJECT      Anywhere
132/udp                    REJECT      Anywhere
133/udp                    REJECT      Anywhere
134/udp                    REJECT      Anywhere
135/udp                    REJECT      Anywhere
136/udp                    REJECT      Anywhere
137/udp                    REJECT      Anywhere
138/udp                    REJECT      Anywhere
139/udp                    REJECT      Anywhere
139/tcp                    REJECT      Anywhere
138/tcp                    REJECT      Anywhere
137/tcp                    REJECT      Anywhere
136/tcp                    REJECT      Anywhere
135/tcp                    REJECT      Anywhere
134/tcp                    REJECT      Anywhere
133/tcp                    REJECT      Anywhere
132/tcp                    REJECT      Anywhere
131/tcp                    REJECT      Anywhere
22 (v6)                    REJECT      Anywhere (v6)
23/tcp (v6)                REJECT      Anywhere (v6)
79/tcp (v6)                REJECT      Anywhere (v6)
25/tcp (v6)                REJECT      Anywhere (v6)
43/tcp (v6)                REJECT      Anywhere (v6)
49 (v6)                    REJECT      Anywhere (v6)
21/tcp (v6)                REJECT      Anywhere (v6)
110 (v6)                   REJECT      Anywhere (v6)
115/tcp (v6)               REJECT      Anywhere (v6)
39/udp (v6)                REJECT      Anywhere (v6)
143 (v6)                   REJECT      Anywhere (v6)
161 (v6)                   REJECT      Anywhere (v6)
199 (v6)                   REJECT      Anywhere (v6)
209 (v6)                   REJECT      Anywhere (v6)
213 (v6)                   REJECT      Anywhere (v6)
530/tcp (v6)               REJECT      Anywhere (v6)
389 (v6)                   REJECT      Anywhere (v6)
444 (v6)                   REJECT      Anywhere (v6)
465/tcp (v6)               REJECT      Anywhere (v6)
512/udp (v6)               REJECT      Anywhere (v6)
513/udp (v6)               REJECT      Anywhere (v6)
514/tcp (v6)               REJECT      Anywhere (v6)
514/udp (v6)               REJECT      Anywhere (v6)
540/tcp (v6)               REJECT      Anywhere (v6)
554 (v6)                   REJECT      Anywhere (v6)
556/tcp (v6)               REJECT      Anywhere (v6)
623/udp (v6)               REJECT      Anywhere (v6)
706 (v6)                   REJECT      Anywhere (v6)
88 (v6)                    REJECT      Anywhere (v6)
990/tcp (v6)               REJECT      Anywhere (v6)
994 (v6)                   REJECT      Anywhere (v6)
995 (v6)                   REJECT      Anywhere (v6)
993 (v6)                   REJECT      Anywhere (v6)
130/tcp (v6)               REJECT      Anywhere (v6)
130/udp (v6)               REJECT      Anywhere (v6)
131/udp (v6)               REJECT      Anywhere (v6)
132/udp (v6)               REJECT      Anywhere (v6)
133/udp (v6)               REJECT      Anywhere (v6)
134/udp (v6)               REJECT      Anywhere (v6)
135/udp (v6)               REJECT      Anywhere (v6)
136/udp (v6)               REJECT      Anywhere (v6)
137/udp (v6)               REJECT      Anywhere (v6)
138/udp (v6)               REJECT      Anywhere (v6)
139/udp (v6)               REJECT      Anywhere (v6)
139/tcp (v6)               REJECT      Anywhere (v6)
138/tcp (v6)               REJECT      Anywhere (v6)
137/tcp (v6)               REJECT      Anywhere (v6)
136/tcp (v6)               REJECT      Anywhere (v6)
135/tcp (v6)               REJECT      Anywhere (v6)
134/tcp (v6)               REJECT      Anywhere (v6)
133/tcp (v6)               REJECT      Anywhere (v6)
132/tcp (v6)               REJECT      Anywhere (v6)
131/tcp (v6)               REJECT      Anywhere (v6)

Followed by installing fail2ban. I did this all manually from the wiki ports page list, typing every single reject command!

I still probably missed another 60000

1 Answer

Almost every access list ends by default with deny all all.

When you enable ufw with any rules to allow some traffic, all other traffic is in the deny state.

Status: active

To                         Action      From
--                         ------      ----
69                         ALLOW       Anywhere
53                         ALLOW       Anywhere
22                         ALLOW       213.xxx.xxx.xxx
80/tcp                     ALLOW       194.247.xxx.xxx
21/tcp                     ALLOW       194.247.xxx.xxx
69 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)

These rules accept anything on port 69, anything on port 53, SSH from 213.xxx.xxx.xxx, 80 and 21 from 194.247.xxx.xxx ... and deny any other inbound traffic.

Edit 1

When you enable ufw without any allow rule, everything is denied.

The complete command for a rule in ufw is

sudo ufw [--dry-run] [delete] [insert NUM]  allow|deny|reject|limit  [in|out on INTERFACE] [log|log-all] [proto protocol] [from ADDRESS [port PORT]][to ADDRESS [port PORT]]

Based on this rule template you can allow traffic from xxx.xxx.xxx.xxx on port 80 with this rule

for a specific host

sudo ufw allow proto tcp from xxx.xxx.xxx.xxx to any port 80

if you want to allow anyone to access your web server

sudo ufw allow proto tcp from any to any port 80

if you wish to allow access from a specific network

sudo ufw allow proto tcp from xxx.xxx.xxx.xxx/yy to any port 80

where

xxx.xxx.xxx.xxx - represents the network IP

yy - represents the network mask

If you have a DNS service on the server, make rules for port 53 with proto tcp and proto udp.

sudo ufw allow proto tcp from xxx.xxx.xxx.xxx/yy to any port 53
sudo ufw allow proto udp from xxx.xxx.xxx.xxx/yy to any port 53
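The redundant rules in the question can be spotted mechanically. As an added example (not from the original post), here is a small Python auditor over a constructed `ufw status verbose` dump: it reads the default incoming policy, flags every REJECT/DENY-from-Anywhere rule as redundant when that policy is already deny, and lists what is actually allowed in. The addresses in the sample are constructed.

```python
"""Audit a `ufw status verbose` dump for rules made redundant by default-deny."""
import re

# Constructed sample, modelled on the tables in the question and answer.
SAMPLE_STATUS = """Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22                         REJECT      Anywhere
139/tcp                    REJECT      Anywhere
22                         ALLOW       203.0.113.5
80/tcp                     ALLOW       198.51.100.0/24
53                         ALLOW       Anywhere
22 (v6)                    REJECT      Anywhere (v6)
"""

# "Default: deny (incoming), ..." is only printed by `ufw status verbose`.
DEFAULT_RE = re.compile(r"^Default:\s*(\w+) \(incoming\)")
# One rule row: To column (optionally "(v6)"), Action (optionally "IN"/"OUT"), From column.
RULE_RE = re.compile(
    r"^(?P<to>\S+(?: \(v6\))?)\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?: (?:IN|OUT))?\s+"
    r"(?P<from>.+?)\s*$"
)


def parse_status(text):
    """Return (default incoming policy or None, list of rule dicts)."""
    policy, rules = None, []
    for line in text.splitlines():
        m = DEFAULT_RE.match(line)
        if m:
            policy = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return policy, rules


def audit(text):
    """Flag REJECT/DENY-from-Anywhere rules that add nothing under a deny/reject default."""
    policy, rules = parse_status(text)
    blocking_default = policy in ("deny", "reject")
    redundant = [r for r in rules if blocking_default
                 and r["action"] in ("REJECT", "DENY") and r["from"].startswith("Anywhere")]
    allowed = [r for r in rules if r["action"] in ("ALLOW", "LIMIT")]
    return {"default_incoming": policy, "redundant": redundant, "allowed": allowed}


if __name__ == "__main__":
    result = audit(SAMPLE_STATUS)
    print("default incoming:", result["default_incoming"] or "unknown (run `ufw status verbose`)")
    print("redundant rules:", [(r["to"], r["from"]) for r in result["redundant"]])
    print("allowed in:", [(r["to"], r["from"]) for r in result["allowed"]])
```

A dump without the `Default:` line (plain `ufw status`, as in the question) reports the policy as unknown and flags nothing, so run the verbose form before trusting the verdict.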