If someone exploits a service on the machine they can then connect outside that machine on any port. Ufw would prevent this. The router firewall would also likely prevent this unless they used an open port of the router or upnp was enabled.
Comment on Do I really need a firewall for my server?
agile_squirrel@lemmy.ml 3 months ago[deleted]
Fizz@lemmy.nz 3 months ago
eldain@feddit.nl 3 months ago
I recommend fail2ban to stop the automated attacks that are the background noise of the internet. It will set your firewall to block certain ip’s for a while, especially ports 21/22 are getting hammered with dictionary login attempts. And port 80 and 8080 for example get constantly version checked to see if you are vulnerable with an old apache, old dokuwiki etc, so don’t expose more than you need to and maybe learn about ssh tunnels and close a few.
I once installed ossim in a small network with a server and it showed me it is war out there, scripts flying everywhere.
lud@lemm.ee 3 months ago
Also get rid of password authentication if you can.
agile_squirrel@lemmy.ml 3 months ago
[deleted]eldain@feddit.nl 3 months ago
Only public facing ports, maybe your openvpn login. But that means you are already firewalled up and your attack surface is tiny, good 👍
swab148@lemm.ee 3 months ago
Sounds like you could use a reverse proxy.
Jakeroxs@sh.itjust.works 3 months ago
That doesn’t count as a firewall though no? I use traefik as my reverse proxy (and like one thing on nginx that also goes through traefik ultimately) but I still put crowdsec on top
swab148@lemm.ee 3 months ago
No, but putting a bunch of those services behind a reverse proxy would lower the amount of open ports. It would also have the side effect of making firewall configuration easier, since you don’t need rules for all those ports anymore.
Jakeroxs@sh.itjust.works 3 months ago
True, I love not having to open ports anymore, game changing.