From 1ec992e30152ca1d5b7034025f3fd094b49bbd7a Mon Sep 17 00:00:00 2001
From: Luke Smith <luke@lukesmith.xyz>
Date: Thu, 1 Jul 2021 16:58:41 -0400
Subject: [PATCH] ufw rss

---
 rss.xml | 129 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 129 insertions(+)

diff --git a/rss.xml b/rss.xml
index 2e3d9aa..df7620a 100644
--- a/rss.xml
+++ b/rss.xml
@@ -15,6 +15,135 @@
 
 <!-- LB -->
 
+<item>
+<title>Using UFW as a Firewall</title>
+<guid>https://landchad.net/ufw.html</guid>
+<link>https://landchad.net/ufw.html</link>
+<pubDate>Thu, 01 Jul 2021 16:58:11 -0400</pubDate>
+<description><![CDATA[
+    <header><h1>Using UFW as a Firewall</h1></header>
+
+    <main>
+		<p>
+			<strong>Uncomplicated Firewall</strong> (UFW) is a front-facing program for the more involved <code>iptables</code> firewall program installed in most GNU/Linux distributions.
+			We can use <code>ufw</code> to restrict machines on the internet to only access the services (SSH, websites etc) you want them to, but it can also be used to prevent programs on the computer itself from accesing parts of the internet it shouldn't.
+		</p>
+		<h2 id="how-to-get-it">How to Get It</h2>
+		<p>Log into your server by pulling up a terminal and typing:</p>
+		<pre><code>ssh root@<strong>example.org</strong></code></pre>
+		<p>
+			This command will attempt to log into your server and run a remote shell.
+			If you leave the settings default, it should prompt you for your password, and you can just copy or type in the password from Vultr's site.
+		</p>
+		<p>
+        Some VPS providers automatically install <code>ufw</code>, but if you do not have it installed already, install it in the typical way:
+		</p>
+		<pre><code>apt install ufw</code></pre>
+		<h2 id="first-time-setup">First-Time Setup</h2>
+		<p>You can check the status of <code>ufw</code> right now by running:</p>
+		<pre><code>ufw status</code></pre>
+		<p>Without any changes, it should report back <code>Status: inactive</code>. Let's set it up so that only connections to SSH (standardized at port 22) are allowed in, and then enable the firewall:</p>
+		<aside>
+			<strong>Careful!</strong> Enabling <code>ufw</code> without allowing SSH will block you from remoting to your server.
+			Double-check that you have allowed SSH, and if you have changed the default SSH port, put in <em>that</em> number instead.
+		</aside>
+		<pre><code>ufw default deny incoming # block all incoming connections by default
+ufw allow in ssh # or: ufw allow in 22
+ufw enable</code></pre>
+		<aside>
+			<code>ufw</code> has an internal list of protocols applications, and the ports used by them.
+			In this case, it knwos SSH is on port 22.
+			We'll go more in detail how to view all protocols <code>ufw</code> knows about.
+			By default, when you allow an incoming port, it allows that port both on IPv4 and IPv6.
+		</aside>
+		<p>
+			With the firewall enabled and allowing only SSH in, all other ports are prortected from incoming requests.
+			To view all your rules, run:
+		</p>
+		<pre><code>ufw status verbose</code></pre>
+		<p>A firewall that allows to connect to SSH and their website may look like:</p>
+		<pre><code>Status: active
+Logging: on (low)
+Default: deny (incoming), allow (outgoing), deny (routed)
+New profiles: skip
+To                           Action      From
+--                           ------      ----
+22 (SSH)                     ALLOW IN    Anywhere
+80,443/tcp (WWW Full)        ALLOW IN    Anywhere
+22 (SSH (v6))                ALLOW IN    Anywhere (v6)
+80,443/tcp (WWW Full (v6))   ALLOW IN    Anywhere (v6)</code></pre>
+		<p>If you want to delete e.g. the 'WWW Full' rule, run:</p>
+		<pre><code>ufw delete allow in 'WWW Full'
+ufw reload</pre></code>
+		<h2 id="enabling-common-services">Enabling Common Services</h2>
+		<p>
+			You have blocked all incoming ports but SSH, which means no outsiders would be able to access other services, like an email server or your website.
+			You should look at the ports your services are open on and enable them individually.
+			Here is a list of a few common services:
+		</p>
+        <h3>Opening Port Numbers</h3>
+        <p>Suppose you install <a href="gemini.html">a Gemini server</a>, which must broadcast on port 1965. By default <code>ufw</code> blocks all incoming connections on all ports, so whenever you install a new service like this you will have to tell <code>ufw</code> to enable the desired port:</p>
+        <pre><code>ufw allow 1985</code></pre>
+		<h3>Websites: HTTP and HTTPS</h3>
+        <p>HTTP uses port 80 and HTTPS uses port 443. We can enable them like this:</p>
+        <pre><code>ufw allow 80
+ufw allow 443</code></pre>
+        <p>But <code>ufw</code> additionally knows the typical ports of common serives, so you can also run this:</p>
+        <pre><code>ufw allow http
+ufw allow https</code></pre>
+        <p>And that will do the same thing. There are also other abbreviations for common port lists:</p>
+		<pre><code>ufw allow in 'WWW Full'</code></pre>
+        <p>To see these other "apps" that <code>ufw</code> knows by default, run <code>ufw app list</code></p>
+		<h3>Email: IMAP, POP3, and SMTP</h3>
+		<pre><code>ufw allow in IMAPS
+ufw allow in POP3
+ufw allow in SMTP
+ufw allow in 'Postfix SMTPS'
+ufw allow in 'Mail Submission'</pre></code>
+		<h2 id="fine-tuning-rules">Fine-Tuning Rules</h2>
+		<p>Instead of denying all ports by default, you may want to deny (ignores incoming requests) or reject (explicitly tells requests they're not allowed):</p>
+		<pre><code>ufw default allow in
+ufw deny in <strong>PORT</strong>
+ufw reject in <strong>PORT</strong>
+ufw reload</code></pre>
+		<p>You can add rules to comments to remember what they are there for:</p>
+		<pre><code>ufw allow in <strong>PORT</strong> comment 'Secret SSH'
+ufw reload
+ufw status verbose</code></pre>
+		<p>Output:</p>
+		<pre><code>To                         Action      From
+--                         ------      ----
+<strong>PORT</strong>                       ALLOW IN    Anywhere                   # Secret SSH
+<strong>PORT</strong> (v6)                  ALLOW IN    Anywhere (v6)              # Secret SSH</pre></code>
+		<p>To deny outgoing ports:</p>
+		<pre><code>ufw deny out <strong>PORT</strong></code></pre>
+		<p>Ratelimiting is useful to protect against brute-force login attacks, like in SSH. Only IPv4 is supported for now. Enable it by running:</p>
+		<pre><code>ufw limit <strong>PORT</strong>/tcp</code></pre>
+		<p>To blocklist IP addresses:</p>
+		<pre><code>ufw deny from <strong>IP_ADDRESS</strong></code></pre>
+		<p>To read more what you can do with <code>ufw</code>, run:</p>
+		<pre><code>man ufw</code></pre>
+		<h2 id="recovering-from-losing-ssh">Recovering SSH</h2>
+		<p>
+			If you have accidentally firewalled yourself from logging on your computer, you can recover access by using your VPS's virtual console.
+            On Vultr, this is on your VPS's menu. To the right of the server name, It is the leftmost icon that looks like a monitor.
+		</p>
+		<a href="pix/ssh-01.png"><img src="pix/ssh-01.png" alt="View Console"></a>
+		<p>Log in through there, and disable ufw by typing:</p>
+		<pre><code>ufw disable</code></pre>
+		<h2 id="further-reading">Further Reading</h2>
+		<ul>
+			<li><a href="https://wiki.ubuntu.com/UncomplicatedFirewall">Ubuntu Wiki: UncomplicatedFirewall</a></li>
+			<li><a href="https://help.ubuntu.com/community/Gufw">Gufw (Graphical UFW)</a></li>
+			<li><code>man ufw</code></li>
+		</ul>
+		<strong>Contributor</strong> - <a href="https://shunter.xyz">shunter.xyz</a>
+    </main>
+
+]]></description>
+</item>
+
+
 <item>
 <title>Creating Your Own Chat Server With IRC</title>
 <guid>https://landchad.net/irc.html</guid>