How do I, with ufw, deny all outgoing ports except the ones I need?

I did the following: ufw default deny outgoing, sudo ufw allow out 80, which I thought would let me use the Internet, but it didn't. Can y'all help?

Also, are there any other ports used by Ubuntu for which I should allow outgoing traffic? I hear 20, 21, 53, 123 and 443 are some; what do you all think?

Thanks


Solution 1:

This is my setup:

sudo ufw default deny outgoing
sudo ufw default deny incoming
sudo ufw allow 993
sudo ufw allow 6969
sudo ufw allow out 53
sudo ufw allow out http
sudo ufw allow out https
sudo ufw allow out 465
sudo ufw allow out 587
sudo ufw allow out 993
sudo ufw allow out 6969

This works well with Ubuntu 16.04: everything works properly.

sudo ufw status numbered (the reasoning):

[ 1] 993 ALLOW IN Anywhere (thunderbird)
[ 2] 6969 ALLOW IN Anywhere (qbittorrent)
[ 3] 53 ALLOW OUT Anywhere (dns)
[ 4] 80 ALLOW OUT Anywhere (http)
[ 5] 443 ALLOW OUT Anywhere (https)
[ 6] 465 ALLOW OUT Anywhere (thunderbird gmail) (*send)
[ 7] 587 ALLOW OUT Anywhere (thunderbird hotmail) (*send)
[ 8] 993 ALLOW OUT Anywhere (thunderbird)

*check Thunderbird: Edit > Account Settings > Outgoing Server
I would suggest allowing qBittorrent only when using it. PeerGuardian will be working overtime!
They say there is no spyware on Linux. It's just a barrage :)

Solution 2:

The rule needs to be ufw allow out to any port 80. Any connection to the outside comes from a local port (but not 80!), to another computer's port 80, thus the rule must allow outbound to anywhere, on port 80. Of course, the port and destination can be changed, but that should work.

Solution 3:

I found a site that has a useful list. I suspect you were missing a few (like 8080, which is commonly used). You can use a tool like netstat to see which ports you are using at any given time. I think

netstat -u
netstat -t

may do it, but there is probably something better out there! Be careful what options you pass to netstat, because it also lists internal sockets. Above, -u is for UDP and -t is for TCP ports.

You may also try searching to see if someone has created a ufw application profile, and set ufw to allow the specified profile using sudo ufw allow Name.

Finally, if something breaks, you can check your ufw logs to see what you need to add to make it work. Just keep in mind that other programs may need other ports. If you use an email client, for example, you will have to allow things like POP3, IMAP and SMTP.
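As an added example (not part of any answer above, nor a ufw tool), this POSIX shell script does the log-checking step mechanically: it reads ufw's [UFW BLOCK] lines, keeps only the ones for packets leaving this host (IN= empty, OUT=iface set), counts blocked destination port/protocol pairs and prints candidate allow-out rules for a human to review. The log lines are constructed and the function names are my own; nothing here changes firewall state.

```shell
#!/bin/sh
# Added example: summarise outbound [UFW BLOCK] log lines into candidate
# "ufw allow out" rules. Assumes the default log format ufw writes to
# /var/log/ufw.log (or kern.log); in real use, feed that file on stdin.

# Constructed sample log (not real traffic). Lines 1-3 are outbound
# blocks; line 4 is an inbound block and must be ignored.
SAMPLE_LOG='Jan 10 09:00:01 box kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=41000 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 09:00:02 box kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=50000 DPT=123 LEN=56
Jan 10 09:00:03 box kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=41001 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 09:00:04 box kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=4 PROTO=TCP SPT=55555 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# blocked_out_ports: read a ufw log on stdin and print "proto dport count"
# for each blocked outbound destination, most frequent first.
blocked_out_ports() {
    awk '
        # " IN= " followed by a non-empty OUT= marks a packet leaving the host
        /\[UFW BLOCK\]/ && / IN= / && / OUT=[^ ]/ {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            if (proto != "" && dpt != "") count[proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k2,2n
}

# suggest_rules: print the ufw commands that would unblock each destination.
# Review each one (is that port really needed?) before running any of them.
suggest_rules() {
    blocked_out_ports | while read -r proto port n; do
        printf 'sudo ufw allow out to any port %s proto %s   # blocked %s times\n' \
            "$port" "$proto" "$n"
    done
}

printf '%s\n' "$SAMPLE_LOG" | suggest_rules
```

Run it as `sh script.sh < /var/log/ufw.log` to see what a default-deny outgoing policy has actually been dropping; inbound blocks are excluded so they do not get turned into egress rules by mistake.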

Solution 4:

I have tried your configuration of UFW on a fresh Ubuntu 18.04.3 x86_64 and, after that, I've made an NMAP test to see what ports could be visible from the outside.

Guess what, you shouldn't use this configuration anymore...

Many ports are open, so I've tried a new firewall with many features instead of UFW:

First, download the csf.tgz package:

wget https://download.configserver.com/csf.tgz

Then:

tar -xpvf csf.tgz
cd csf

Then run in the terminal:

./install.sh
./install.cpanel.sh
./install.cwp.sh
./install.cyberpanel.sh
./install.directadmin.sh
./install.generic.sh
./install.interworx.sh
./install.vesta.sh

To test the module paste this:

perl /etc/csf/csftest.pl
service csf start

Edit /etc/csf/csf.conf (use the readme file in the CSF folder) to add or suppress ports, then:

service csf restart

You should try it; it works quite fine out of the box. Just edit one file, /etc/csf/csf.conf, and you're good to go.

Cordially