2020-02-01

Firewall on Beagle Boards

UFW - Firewall...

I was surprised to learn that Debian does not ship with a firewall enabled. If a system is going to be on the internet, you need a way to control access to it, on all levels. This will document how to set up a firewall on BeagleBone boards running Debian 9.5 and the ports that need to be open for use.

Once your board is connected to the internet, be sure to run updates and install nmap. We will use nmap to discover what ports are being used.

sudo apt install nmap

Once nmap is installed, run the following from a terminal on the Beagle to find the tcp and udp ports currently in use.

sudo nmap -sTU -O localhost

This will return something like:

Starting Nmap 7.40 ( https://nmap.org ) at 2020-01-31 22:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0010s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 1992 closed ports
PORT     STATE         SERVICE
22/tcp   open          ssh
53/tcp   open          domain
3000/tcp open          ppp
8000/tcp open          http-alt
8080/tcp open          http-proxy
53/udp   open          domain
67/udp   open|filtered dhcps
5353/udp open|filtered zeroconf
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.10
Network Distance: 0 hops

The only ports we need open for basic work are:

  • 22/tcp for ssh
  • 53/tcp and 53/udp for dns
  • 67/udp to be able to connect via usb from a PC over ssh
  • 8080/tcp for the webserver, along with http; we will also open https
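As an added example (not part of the original post), the check below applies the comparison just made to the scan: it reads a constructed copy of the nmap port table, lists what is listening, flags listeners that are not on the allow list (3000/tcp, 8000/tcp and 5353/udp, which ufw will drop once enabled), shows allowed ports with no listener yet (80/tcp, 443/tcp), and prints the allow commands. The function names and the NEEDED_PORTS list are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample: the port table from the nmap scan above (not live output).
NMAP_REPORT='PORT     STATE         SERVICE
22/tcp   open          ssh
53/tcp   open          domain
3000/tcp open          ppp
8000/tcp open          http-alt
8080/tcp open          http-proxy
53/udp   open          domain
67/udp   open|filtered dhcps
5353/udp open|filtered zeroconf
Device type: general purpose'

# The ports this guide allows through ufw (80 and 443 come from the http/https profiles).
NEEDED_PORTS="22/tcp 53/tcp 53/udp 67/udp 80/tcp 443/tcp 8080/tcp"

# Every port/proto that nmap reported as open or open|filtered, in scan order.
listening_ports() {
    printf '%s\n' "$NMAP_REPORT" |
        awk '$1 ~ "^[0-9]+/(tcp|udp)$" && $2 ~ "^open" { print $1 }'
}

# Listening ports missing from NEEDED_PORTS: ufw will drop inbound traffic to these.
unallowed_listening() {
    for p in $(listening_ports); do
        case " $NEEDED_PORTS " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Allowed ports with no listener yet: harmless today, but worth knowing about.
allowed_not_listening() {
    listening=" $(listening_ports | tr '\n' ' ')"
    for p in $NEEDED_PORTS; do
        case "$listening" in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# The ufw commands for NEEDED_PORTS (printed for review, not executed).
ufw_allow_commands() {
    for p in $NEEDED_PORTS; do
        printf 'sudo ufw allow %s\n' "$p"
    done
}
```

Run it on the board with the real scan pasted into NMAP_REPORT before enabling ufw, so nothing you rely on is cut off by surprise.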

Next we need to install ufw (Uncomplicated Firewall).

sudo apt install ufw

ufw is inactive after an install. The status of ufw can be checked with:

sudo ufw status verbose

This will return: Status: inactive

To list all application profiles available on your system type:

sudo ufw app list

Returning on a BBG for example:

Available applications:
  AIM
  Bonjour
  CIFS
  DNS
  Deluge
  IMAP
  IMAPS
  IPP
  KTorrent
  Kerberos Admin
  Kerberos Full
  Kerberos KDC
  Kerberos Password
  LDAP
  LDAPS
  LPD
  MSN
  MSN SSL
  Mail submission
  NFS
  OpenSSH
  POP3
  POP3S
  PeopleNearby
  SMTP
  SSH
  Socks
  Telnet
  Transmission
  Transparent Proxy
  VNC
  WWW
  WWW Cache
  WWW Full
  WWW Secure
  XMPP
  Yahoo
  qBittorrent
  svnserve

To find more information about a specific profile and included rules, run the following command:

sudo ufw app info Bonjour

Returning:

Profile: Bonjour
Title: Bonjour
Description: Bonjour protocol

Ports:
  5353/udp
  5298

The above shows port 5353 open only for udp traffic, while port 5298 is open for both tcp and udp. Because a profile may not cover the protocols you need, ports that need a specific type of traffic must be opened manually by port number and type, while the others can be opened by profile name.

To open the ssh port run:

sudo ufw allow 22/tcp

To open HTTP and HTTPS ports run:

sudo ufw allow http

and

sudo ufw allow https

From the above list open the remaining needed ports.

sudo ufw allow 8080/tcp
sudo ufw allow 67/udp
sudo ufw allow 53/udp
sudo ufw allow 53/tcp

Now ufw can be started.

sudo ufw enable

You will receive the warning "Command may disrupt existing ssh connections. Proceed with operation (y|n)?". If you have opened the required ports, enter "y". Your board will need to be restarted for ufw to start.

Once the board restarts you can check ufw with:

sudo ufw status verbose

This will return:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                  
80/tcp                     ALLOW IN    Anywhere                  
443/tcp                    ALLOW IN    Anywhere                  
8080/tcp                   ALLOW IN    Anywhere                  
67/udp                     ALLOW IN    Anywhere                  
53/udp                     ALLOW IN    Anywhere                  
53/tcp                     ALLOW IN    Anywhere                  
22/tcp (v6)                ALLOW IN    Anywhere (v6)             
80/tcp (v6)                ALLOW IN    Anywhere (v6)             
443/tcp (v6)               ALLOW IN    Anywhere (v6)             
8080/tcp (v6)              ALLOW IN    Anywhere (v6)             
67/udp (v6)                ALLOW IN    Anywhere (v6)             
53/udp (v6)                ALLOW IN    Anywhere (v6)             
53/tcp (v6)                ALLOW IN    Anywhere (v6) 

To see a numbered list:

sudo ufw status numbered

Returning:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 80/tcp                     ALLOW IN    Anywhere                  
[ 3] 443/tcp                    ALLOW IN    Anywhere                  
[ 4] 8080/tcp                   ALLOW IN    Anywhere                  
[ 5] 67/udp                     ALLOW IN    Anywhere                  
[ 6] 53/udp                     ALLOW IN    Anywhere                  
[ 7] 53/tcp                     ALLOW IN    Anywhere                  
[ 8] 22/tcp (v6)                ALLOW IN    Anywhere (v6)             
[ 9] 80/tcp (v6)                ALLOW IN    Anywhere (v6)             
[10] 443/tcp (v6)               ALLOW IN    Anywhere (v6)             
[11] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)             
[12] 67/udp (v6)                ALLOW IN    Anywhere (v6)             
[13] 53/udp (v6)                ALLOW IN    Anywhere (v6)             
[14] 53/tcp (v6)                ALLOW IN    Anywhere (v6) 

Now a rule can be deleted by number if needed. Running the command below deletes rule 4, the IPv4 rule for port 8080 (the IPv6 rule for 8080 is listed separately as number 11):

sudo ufw delete 4

If for some reason you need to disable the firewall:

sudo ufw disable

To start the firewall again:

sudo ufw enable

To reset the firewall and start over:

sudo ufw reset

To find out more information about ufw, here is a good source:

https://linuxize.com/post/how-to-setup-a-firewall-with-ufw-on-debian-9/