If you are opening your Raspberry Pi to the internet, then security should be a concern and part of your project design.
I'm going to install a software firewall called ufw onto my Pi.
1. Installing ufw
Installing this firewall on the Raspberry Pi is accomplished easily via the terminal and the following line:
sudo apt install ufw
The above installs the firewall. Before enabling it, though, it is recommended to think about which ports you need open to access your Raspberry Pi. I stress "your" at this point because which ports you need depends on what you are doing on your Pi.
2. Allowing Ports
Ports are very important: different services use different ports, and it is worth knowing what some of the common ones are. Popular ports include:
- Port 80 – HTTP (for serving web pages)
- Port 443 – HTTPS (for serving secure web pages)
- Port 22 – SSH (needed if you SSH to your Pi)
More information on ports can be found at:
Allowing a port is done via:
sudo ufw allow Port_Number
For example sudo ufw allow 443 allows connections to port 443 (HTTPS).
3. Denying Ports
Just as it is important to allow ports, it is also important to deny ports. Denying a port stops connections to that port, so make sure you don't deny access to a port you need (e.g. if you SSH to your Pi, do not deny port 22).
Denying a port is very similar to allowing a port:
sudo ufw deny Port_Number
For example sudo ufw deny 443 would deny connections to port 443 (HTTPS).
4. Firewall status
To view the status of your firewall (e.g. what is allowed, denied or limited) enter:
sudo ufw status
UFW will then list all the ports it is allowing/denying/limiting. Note that entries marked (v6) are the IPv6 rules for the same port. An internet connection generally uses IPv4, but at some point IPv6 should become the standard. I write "at some point" because the transition from IPv4 to IPv6 is a long process. For more information see: https://en.wikipedia.org/wiki/IPv6
5. Limiting Ports
Limiting is a great function if you want to allow a port but also want a little extra security on it. Limiting allows the port, but if multiple connections (6 or more) are attempted within a short time frame (30 seconds) then UFW denies the further connections. Note: Limiting currently only works on IPv4.
sudo ufw limit ssh/tcp
The above will limit access to ssh.
6. Log files
To enable logging (recommended) enter:
sudo ufw logging on
UFW stores the log under /var/log/ufw.log. If you're working on a project and having issues connecting, then I recommend viewing the logs to see if your project is using an unexpected port (in which case you may need to allow that port).
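As an added example (not part of the original post), here is a small shell helper that summarises which inbound destination ports ufw has been blocking, so the port a project needs stands out before you allow it. It runs on constructed sample lines in the format ufw writes to /var/log/ufw.log (hosts, addresses and timestamps are made up); point it at the real file with blocked_ports "$(cat /var/log/ufw.log)".

```shell
#!/bin/sh
# Constructed sample log lines in ufw's [UFW BLOCK] format (not a real log).
SAMPLE_LOG='Mar  1 10:00:01 pi kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  1 10:00:03 pi kernel: [ 1236.100000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51001 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  1 10:00:05 pi kernel: [ 1238.200000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.21 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40000 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  1 10:00:07 pi kernel: [ 1240.300000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4 DF PROTO=TCP SPT=33333 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 10:00:09 pi kernel: [ 1242.400000] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:11:22:33:44:55:08:00 SRC=192.168.1.22 DST=224.0.0.251 LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=5 DF PROTO=UDP SPT=5353 DPT=5353 LEN=60
Mar  1 10:00:11 pi kernel: [ 1244.500000] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=51002 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

# blocked_ports LOGTEXT
# Prints one "count PROTO/port" line per blocked inbound destination port,
# most frequently blocked first. Only [UFW BLOCK] lines are counted; ALLOW
# and AUDIT lines are ignored, so the output is exactly what ufw dropped.
blocked_ports() {
    printf '%s\n' "$1" |
    awk '/\[UFW BLOCK\]/ {
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)   # strip "PROTO="
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)   # strip "DPT="
        }
        if (dpt != "") count[proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }' |
    sort -k1,1nr -k2,2
}

# Run against the constructed sample when executed directly.
blocked_ports "$SAMPLE_LOG"
```

A port that shows up here repeatedly from your own LAN (the 8080 hits above) is usually the one your project needs allowed; a port you never use being probed from outside (the telnet hit on 23) is one to leave denied.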
7. Enabling ufw
After configuring UFW it needs turning on using the line:
sudo ufw enable
8. Extra configuration notes
After installing, configuring and running ufw, I discovered that some of the applications I run on my Pi suddenly stopped working. Below are some examples of ufw allow/limit/deny commands that may help you fix connection issues.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow in to 192.168.x.0/24
sudo ufw allow out to 192.168.x.0/24
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw limit ssh/tcp
sudo ufw allow 10000/tcp (For Webmin)
sudo ufw allow 666/tcp (For clamav)
sudo ufw allow 3389/tcp (For XRDP)
sudo ufw allow 8080/tcp (For Domoticz)
sudo ufw allow 8118/tcp (For Privoxy)
sudo ufw allow 9981/tcp (For TVheadend)
sudo ufw limit 8081/tcp (For Motion)
sudo ufw allow 5900/tcp (For VNC)
sudo ufw deny telnet
sudo ufw allow samba
sudo ufw logging on
sudo ufw default deny outgoing (For OpenVPN)
sudo ufw allow 943/tcp (For OpenVPN)
sudo ufw allow 1194/udp (For OpenVPN)
sudo ufw default allow routed (For OpenVPN; ufw names the forwarding policy "routed", it does not accept "FORWARD")
sudo ufw allow out on tun0 from any to any (For OpenVPN)
sudo ufw allow in on tun0 from any to any (For OpenVPN)
9. Installing gufw
If you prefer to use a GUI for ufw via the Raspberry Pi desktop, then you should install gufw using the following:
sudo apt-get install gufw
10. Limiting IPv6
If you need the new firewall on your Pi to filter IPv6 as well, you can make the following change to the ufw config file:
sudo nano /etc/default/ufw
Original article that helped me: