install ufw if missing:
sudo dnf install -y ufw
sudo apt install -y ufw
default deny:
ufw default deny outgoing
ufw default deny incoming
Inbound rules:
# allow 8080 from any
ufw allow 8080/tcp
# allow ssh from local subnet
ufw allow from 192.168.1.0/24 to any port 22 proto tcp
Limited outbound:
ufw allow out 80,443/tcp # http/s
ufw allow out 53,123/tcp # dns, ntp
ufw allow out 53,123/udp # dns, ntp
ufw allow out 67,68/udp # dhcp
# outbound mysql to DB server IP
ufw allow out from any to 192.168.2.2 port 3306 proto tcp
finish up:
ufw enable
ufw logging on
ufw status verbose
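`ufw status verbose` is worth reading by script, not just by eye. The following check is an added example, not part of these notes: it parses the status text and reports anything that deviates from the policy above (defaults not deny/deny, logging off, a page rule missing, or an inbound allow that the page never added). The rule strings in EXPECTED_RULES are an assumption about how current ufw renders these rules once whitespace is collapsed and "(v6)" tags are dropped.

```shell
# Added example (not from these notes): verify the ufw policy above is in effect
# by parsing `ufw status verbose`. Assumption: EXPECTED_RULES is how current ufw
# prints the rules added on this page after normalization (see normalize below).
EXPECTED_RULES='8080/tcp ALLOW IN Anywhere
22/tcp ALLOW IN 192.168.1.0/24
80,443/tcp ALLOW OUT Anywhere
53,123/tcp ALLOW OUT Anywhere
53,123/udp ALLOW OUT Anywhere
67,68/udp ALLOW OUT Anywhere
192.168.2.2 3306/tcp ALLOW OUT Anywhere'

# normalize STATUS_TEXT: drop "(v6)" tags, collapse runs of spaces, trim line ends
normalize() { printf '%s\n' "$1" | sed 's/ (v6)//g' | tr -s ' ' | sed 's/ *$//'; }
# check_policy STATUS_TEXT: print every deviation; return 0 only when there is none
check_policy() {
  norm=$(normalize "$1"); rc=0
  printf '%s\n' "$norm" | grep -q '^Status: active' || { echo "firewall is not active"; rc=1; }
  printf '%s\n' "$norm" | grep -q '^Default: deny (incoming), deny (outgoing)' || { echo "default policy is not deny/deny"; rc=1; }
  printf '%s\n' "$norm" | grep -q '^Logging: on' || { echo "logging is off"; rc=1; }
  # every rule from the page must be present ...
  while IFS= read -r line; do
    printf '%s\n' "$norm" | grep -Fqx "$line" || { echo "missing rule: $line"; rc=1; }
  done <<EOF
$EXPECTED_RULES
EOF
  # ... and no inbound allow may exist beyond those (inbound is what widens exposure)
  while IFS= read -r line; do
    [ -z "$line" ] || printf '%s\n' "$EXPECTED_RULES" | grep -Fqx "$line" || { echo "unexpected inbound rule: $line"; rc=1; }
  done <<EOF
$(printf '%s\n' "$norm" | grep ' ALLOW IN ')
EOF
  return "$rc"
}

# Constructed sample of `ufw status verbose` output for a host set up as above.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)

To                         Action      From
8080/tcp                   ALLOW IN    Anywhere
22/tcp                     ALLOW IN    192.168.1.0/24
80,443/tcp                 ALLOW OUT   Anywhere
53,123/tcp                 ALLOW OUT   Anywhere
53,123/udp                 ALLOW OUT   Anywhere
67,68/udp                  ALLOW OUT   Anywhere
192.168.2.2 3306/tcp       ALLOW OUT   Anywhere
8080/tcp (v6)              ALLOW IN    Anywhere (v6)'
check_policy "$SAMPLE_STATUS" && echo "policy matches"
# Live host: check_policy "$(sudo ufw status verbose)"
```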
- Code repo: https://launchpad.net/ufw
- man page: https://manpages.ubuntu.com/manpages/bionic/en/man8/ufw.8.html
- Arch wiki: https://wiki.archlinux.org/title/Uncomplicated_Firewall
not ufw:
route blackholes, these will not persist after reboot:
ip route add blackhole 10.0.0.0/8
ip route add blackhole 172.16.0.0/12
ip route add blackhole 192.168.0.0/16