Firewall & ufw

[00:00:00]
>> We're gonna use something called a firewall. And a firewall, this is the long definition from Cisco, but it essentially applies rules and says, you're allowed, you're not allowed. You're allowed, you're not allowed. And we can open and close these ports at will based on what we need the rules we need to access them.

[00:00:20]
Fortunately for our case, we only need a few ports open and even better, we can use a really nice piece of software, which is called ufw. I made a typo there, it is the uncomplicated firewall, [LAUGH] not the complicated firewall. So, we need something called ufw, which is uncomplicated firewall.

[00:00:45]
In the old days you had to do things like IP tables, and you had to run these really long commands and they're very esoteric and didn't make a lot of sense. Ufw is a pleasure to use, it's very, very easy to use, I would say. It's something that historically used to be hard and the commands we're going to use is ufw allow, ufw deny, ufw reject.

[00:01:08]
So, it makes it really easy to manage your firewalls. And if you're like me, you're saying, what's the difference between deny and reject? Those seem like the same concepts. Well, reject it'll tell you that it's rejecting you. So if you try to connect to my ports, it's not open.

[00:01:26]
My firewall will say hey you're blocked, you're not allowed to go in there. Versus reject won't tell you anything, it'll just be silent and that's something you want. We talked in a previous section about DDOS attacks and amplification attacks things like that, well, it's possible that someone can still overload your system by forcing you to send a bunch of reject error packets.

[00:01:50]
They DDOS you hard enough cuz your system still has to respond to that. Versus, if we just say reject everything else, it'll never respond. People won't even know your server is there. And that's usually what we tend to go with, unless we're explicitly trying to tell people that the port is denied.

[00:02:07]
So, let's go ahead and use ufw, because we wanna close that port 3,000, it's doesn't need to be open on our server. So the first thing you wanna do is you wanna sudo ufw the status. And it's likely if you're using the default installation that the status is disabled, because we didn't turn it on yet.

[00:02:32]
And that's what we'll do in the last step. But the first thing we wanna do is we wanna allow ufw take over management of our firewall, because right now it's just done an IP config tables. So, we're gonna say sudo a lot, ufw allow ssh. That's obvious, we want sudo to allow http, also obvious.

[00:02:50]
And then we're gonna turn on the firewall, that's it. So go ahead and try that.
>> Why wouldn't you allow htttps instead of http?
>> Good question, the question was, why wouldn't we allow https instead of http? We haven't set up https, we will, that's the fun part.

[00:03:14]
But right now, we don't have it, it doesn't exist. We don't have certificates, it's not configured in NGINX. So, we just have a port open for no reason at this point, we will later, though. Alright let me go ahead and try this out stay clear and sudo ufw status.

[00:03:41]
Yeah, it's not running yet. So, let's allow it to let me set up the rules before I enable it. Say allow ssh updated for ipv4 and ipv6. So, I'm gonna say sudo allow, sudo ufw allow http. Oops, typo, all right, and that's kinda all we need right now.

[00:04:10]
So, we'll say sudo ufw and we're gonna enable it. All right, and hopefully you didn't skip that ssh step. Otherwise, you're in a bad time at this point. You may have locked yourself out of your server. So, I probably should have hit that a little harder. But [LAUGH] make sure you don't close off the one port you need to connect to.

[00:04:45]
But you're probably okay it's pretty, ufw is a lot easier to use than some of the other tools we used to, and I think we can say sudo ufw lists try that. Enable, denable. Wow, so I see a ufw status. Yeah, there it's showing we have port 22.

[00:05:15]
Port 80 open for ipv four, ipv 6. Easy, pease, this used to be very very difficult. I'm glossing over the benefits of technology in modern software these days. This used to be something that only experts could do, which is modify your firewall configuration. Ok, so our firewall setup that's great, what else can we do?

[00:05:41]
Well, if we ever needed to block all http connections, for instance, when we enable https. We probably want to disable http in general or not, sometimes you want it to redirect. We can talk a bit more about redirection in a few minutes. But If you want it to, you can reject all http connections.

[00:06:02]
But I'll say once I'll say it again, do not close port 22. You will be in a bad place if you do that. So that's the uncomplicated firewall, it lives up to its name it's very uncomplicated.