Ubuntu Server UFW Firewall

New to Ubuntu Server and firewalls on Ubuntu server.

Background
I spun up an Ubuntu 22.04.3 with the HWE to run Plex on. I had originally planned on not making the server accessible from the internet, but to get Plex to work the way I want I have to have it connected.

To help keep it secure I want to enable the firewall only allowing access to SSH internally, NFS internally and then the Plex port of 32400.

I have the SSH and Plex port rules figured out but was unclear about the NFS rules.

Question
The Ubuntu server is connecting to an NFS share on a Synology on the local network. Do I need to create a specific rule to allow that, or will the Ubuntu server be able to reach out and connect once I enable the ufw firewall? Or will the ufw firewall block outbound connections as well?

If the Ubuntu server is connecting to the nfs share then it is an outbound rule only. Usually outbound rules are open and not restricted.

By default, when you enable the UFW firewall, both directions of traffic are blocked. So before you enable it, make sure you have your SSH rule set. Yes, you will need to add a rule to allow the NFS share to your Plex box. You can do that by the IP address of the NFS share and the port numbers.
Synology uses these ports for NFS shares: 111, 892 and 2049. Port 2049 is the main NFS port.
This would be the command you would run to add it to the UFW firewall:
sudo ufw allow in from X.X.X.X to any port 2049

Sorry, but that’s not true, at least not on Ubuntu:

https://help.ubuntu.com/community/UFW#Enable_and_Disable

sudo apt install ufw
sudo ufw allow 22/tcp comment "SSH"
sudo ufw allow 32400/tcp comment "Plex"
sudo ufw enable

You can check if the rules have been applied with:

sudo ufw status verbose

The output should look like this:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                   # SSH
32400/tcp                  ALLOW IN    Anywhere                   # Plex
22/tcp (v6)                ALLOW IN    Anywhere (v6)              # SSH
32400/tcp (v6)             ALLOW IN    Anywhere (v6)              # Plex

That’s it.

If you can’t connect to the NFS share the problem most likely lies somewhere else.

In order to rule out the firewall, you can simply disable it temporarily with:

sudo ufw --force disable

Sorry, you are correct on this. All incoming is blocked and outgoing is open.

For the SSH rule, I would limit it to your local network and not allow it from anywhere.

sudo ufw allow from 192.168.1.0/24 to any port 22


Good point, but as long as you don’t expose port 22 to the Internet, it doesn’t really make a difference, unless of course you restrict it even more by only allowing certain clients or specific network segments to access it.
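As an added example (not from any poster in this thread), a small Python check that parses the `sudo ufw status verbose` output shown above and reports the two points the thread settles on: the default incoming/outgoing policies (which decide whether the NFS client needs a rule at all) and any rule that allows SSH from Anywhere instead of a local range. The sample listing and the 192.168.1.0/24 range are constructed from what the thread shows.

```python
import re
from collections import namedtuple

# Constructed sample (not captured from the poster's server): the `sudo ufw status
# verbose` listing quoted in the thread plus the LAN-only SSH rule suggested later.
SAMPLE_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                   # SSH
32400/tcp                  ALLOW IN    Anywhere                   # Plex
22                         ALLOW IN    192.168.1.0/24
22/tcp (v6)                ALLOW IN    Anywhere (v6)              # SSH
32400/tcp (v6)             ALLOW IN    Anywhere (v6)              # Plex
"""

Rule = namedtuple("Rule", "to action direction src comment")
# One rule line: "<to>  <ACTION> <DIR>  <from>  [# comment]"; "(v6)" may follow to/from.
RULE_RE = re.compile(r"^(?P<to>\S+(?: \(v6\))?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT) "
                     r"(?P<dir>IN|OUT|FWD)\s+(?P<src>\S+(?: \(v6\))?)\s*(?:#\s*(?P<comment>.*))?$")

def parse_status(text):
    """Return ({policy-direction: policy}, [Rule, ...]) from `ufw status verbose` output."""
    defaults, rules = {}, []
    for line in text.splitlines():
        if line.startswith("Default:"):
            # "deny (incoming), allow (outgoing), ..." -> {"incoming": "deny", ...}
            defaults = {k: v for v, k in re.findall(r"(\w+) \((\w+)\)", line)}
        elif (m := RULE_RE.match(line)):
            rules.append(Rule(m["to"], m["action"], m["dir"], m["src"], m["comment"] or ""))
    return defaults, rules

def audit(text):
    """Findings a defender would raise against this ruleset (empty list = looks fine)."""
    defaults, rules = parse_status(text)
    findings = []
    if defaults.get("incoming") != "deny":
        findings.append("default incoming policy is not deny")
    if defaults.get("outgoing") != "allow":
        # Only in this case does the NFS client (outbound to 2049) need its own allow rule.
        findings.append("default outgoing policy is not allow; NFS client traffic needs a rule")
    for r in rules:
        if r.to.split()[0].split("/")[0] == "22" and r.action == "ALLOW" and r.src.startswith("Anywhere"):
            findings.append(f"SSH open from {r.src}; restrict to the LAN, e.g. 192.168.1.0/24")
    return findings
```

Pipe real output in with `sudo ufw status verbose | python3 -c 'import sys; from ufw_audit import audit; print(audit(sys.stdin.read()))'` (module name assumed to be whatever you save the block as).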