18

I did the following: ufw default deny outgoing, sudo ufw allow out 80 which I thought would let me use the Internet but didn't can y'all help?

Also are there any other ports used by Ubuntu for which I should allow outgoing traffic for? I hear these 20, 21, 53, 123, 443 are some what do you all think?

Thanks

user250155
  • 361
  • 1
  • 3
  • 8

4 Answers4

34

This is my setup

sudo ufw default deny outgoing
sudo ufw default deny incoming
sudo ufw allow 993
sudo ufw allow 6969
sudo ufw allow out 53
sudo ufw allow out http
sudo ufw allow out https
sudo ufw allow out 465
sudo ufw allow out 587
sudo ufw allow out 993
sudo ufw allow out 6969

This works well with Ubuntu 16.04: Everything works properly

sudo ufw status numbered (the reasoning)

[ 1] 993 ALLOW IN Anywhere (thunderbird)
[ 2] 6969 ALLOW IN Anywhere (qbittorrent)
[ 3] 53 ALLOW OUT Anywhere (dns)
[ 4] 80 ALLOW OUT Anywhere (http)
[ 5] 443 ALLOW OUT Anywhere (https)
[ 6] 465 ALLOW OUT Anywhere (thunderbird gmail) (*send)
[ 7] 587 ALLOW OUT Anywhere (thunderbird hotmail) (*send)
[ 8] 993 ALLOW OUT Anywhere (thunderbird)

*check thunderbird edit> account settings> outgoing server
I would suggest to allow qtorrent only when using it. Peerguadian will be working overtime!
They say there is no spyware on linux. It's just a barrage :)

Dan
  • 724
  • The world needs more people like you. – php_nub_qq Jan 03 '19 at 22:36
  • This will deny some important ICMP rules from remote connections being allowed back in, such as "Host Unreachable" responses which are indicative of connections being unable to complete, and sometimes those're issued from your router back down to you. – Thomas Ward Jan 16 '20 at 18:30
  • @ThomasWard can you elaborate? Is there just something that needs to be added, or this entire strategy wrong? I found https://askubuntu.com/q/6995/347888 but it seems like the defaults should be OK. – shadowtalker Jan 03 '22 at 06:59
  • deny outgoing isnt a default. thats why i commented on this post. defaults of ufw would otherwise be sufficient. @shadowtalker – Thomas Ward Jan 03 '22 at 14:08
  • @ThomasWard so would this default deny outgoing end up overriding those special cases that are in place by default for ICMP? Would it be possible to re-add exceptions for those rules, or impose similar restrictions on the system without overriding those specific rules? I don't know enough about UFW or networking to make an intelligent determination, which is why I'm asking! – shadowtalker Jan 03 '22 at 15:58
  • I'm gonna get this tattooed on my arm. – Marcel Hernandez Jan 12 '22 at 22:12
  • You can replace most of numbers with their service names (domain, submission, submissions, imaps) to aid memory. You can also define application specifications (or the program may install them itself - ufw app list) or add comments to the rules. – OrangeDog Sep 19 '23 at 14:48
5

The rule needs to be ufw allow out to any port 80. Any connection to the outside comes from a local port (but not 80!), to another computer's port 80, thus the rule must allow outbound to anywhere, on port 80. Of course, the port and destination can be changed, but that should work.

user269370
  • 1,302
  • 7
  • 7
  • 1
    The ufw command from your example can be reduced to ufw allow out 80, I've just checked the contents of /etc/ufw/user.rules and the results are the same:

    tuple ### allow any 80 0.0.0.0/0 any 0.0.0.0/0 out

    -A ufw-user-output -p tcp --dport 80 -j ACCEPT -A ufw-user-output -p udp --dport 80 -j ACCEPT

     – ioCron May 24 '22 at 11:43
3

I found a site that has a useful list. I suspect you were missing a few (like 8080, which is commonly used). You can use a tool like netstat to see which ports you are using at any given time. I think 

netstat -u
netstat -t

may do it, but there is probably something better out there! Be careful what options you pass to netstat because it also lists internal sockets. Above, the -u is for udp and the -t is for tcp ports.

You may also try searching to see if someone has created a ufw application profile and set ufw to allow the specified profile using sudo ufw allow Name

Finally, if something breaks, you can check your ufw logs to see what you need to add to make it work. Just keep in mind that other programs may need other ports. If you use an email client for example, you will have to allow things like pop3, imap and smtp.

Bruno
  • 51
  • 3
0

I have tried our configuration of UFW on a fresh Ubuntu 18.04.3 x86_64 and after that, I've made a NMAP test to see what port could be visible from the outside.

Guess what, you shouldn't use this configuration anymore...

Many ports are open, so I've tried a new firewall with many feature instead of UFW:

First download the csf.tgz package

wget https://download.configserver.com/csf.tgz

Then:

tar -xpvf csf.tgz
cd csf

Then run in the terminal:

./install.sh
./install.cpanel.sh
./install.cwp.sh
./install.cyberpanel.sh
./install.directadmin.sh
./install.generic.sh
./install.interworx.sh
./install.vesta.sh

To test the module paste this:

perl /etc/csf/csftest.pl
service csf start

Edit the /etc/csf/csf.conf
Use the readme file in the CSF folder
Add or suppress ports

service csf restart

You should try it, it works quite fine out of the box just edit one file /etc/csf/csf.conf and you're good to go.

Cordially

Gryu
  • 7,559
  • 9
  • 33
  • 52
user1034882
  • 9
  • This is not an exactly answer to the question. – nobody Jan 17 '20 at 09:48
  • 1
    Do you have any information on this? What configuration were you using and which ports seemed open which were supposed to be closed? I have been using UFW for years with a relatively simple config and never noticed a port to be falsely open so your post triggers my interest =] – RemyNL Apr 20 '21 at 12:53