New to Ubuntu Server and firewalls on Ubuntu server.
I spun up an Ubuntu 22.04.3 with the HWE to run Plex on. I had originally planned on not making the server accessible from the internet, but to get Plex to work the way I want I have to have it connected.
To help keep it secure I want to enable the firewall only allowing access to SSH internally, NFS internally and then the Plex port of 32400.
I have the SSH and Plex port rules figured out but was unclear about the NFS rules.
The Ubuntu server is connecting to a NFS share on a Synology on the local network. Do I need to create a specific rule to allow that or will the Ubuntu server be able to reach out connect once I enable the ufw firewall? Or will the ufw firewall also block outbound connections as well?
If the Ubuntu server is connecting to the nfs share then it is an outbound rule only. Usually outbound rules are open and not restricted.
by default when you enable the UFW firewall both directions of traffic are blocked. So before you enable it make sure you have your SSH rule set. Yes you will need to add a rule to allow the NFS share to your plex box. You can do that by the ip address of the NFS share and the port numbers.
Synology uses 111, 892, 2049 these ports for NFS shares. Port 2049 is the main NFS port.
This would be the command you would run to add it the UFW firewall.
“sudo ufw allow in from X.X.X.X to any port 2049”
Sorry, but that’s not true, at least not on Ubuntu:
sudo apt install ufw
sudo ufw allow 22/tcp comment "SSH"
sudo ufw allow 32400/tcp comment "Plex"
sudo ufw enable
You can check if the rules have been applied with:
sudo ufw status verbose
The output should look like this:
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere # SSH
32400/tcp ALLOW IN Anywhere # Plex
22/tcp (v6) ALLOW IN Anywhere (v6) # SSH
32400/tcp (v6) ALLOW IN Anywhere (v6) # Plex
If you can’t connect to the NFS share the problem most likely lies somewhere else.
In order to rule out the firewall, you can simply disable it temporarily with:
sudo ufw --force disable
Sorry you are correct on this. All incoming is blocked and outgoing is open.
For the SSH rule I would limit it to your local network and not from anywhere.
sudo ufw allow from 192.168.1.0/24 to any port 22
Good point, but as long as you don’t expose port 22 to the Internet, it doesn’t really make a difference, unless of course you restrict it even more by only allowing certain clients or specific network segments to access it.