From 4424d6f24f6ec7f89c47fbc67cf0f88a7d39c18e Mon Sep 17 00:00:00 2001 From: Adrien Luxey Date: Tue, 28 Jan 2020 13:40:31 +0100 Subject: [PATCH] added easy UFW rules --- README.md | 5 +++++ security/README.md | 29 +++++++++++++++++++++++++++++ security/ufw.sh | 13 +++++++++++++ 3 files changed, 47 insertions(+) create mode 100644 security/README.md create mode 100755 security/ufw.sh diff --git a/README.md b/README.md index bf6bda6..34ecff1 100644 --- a/README.md +++ b/README.md @@ -1 +1,6 @@ * [wordpress:apache in Docker, with host MySQL config and host nginx](wordpress/) +* [securing server](security/) + +## TODO + +* review synapse nginx conf - seems incomplete diff --git a/security/README.md b/security/README.md new file mode 100644 index 0000000..65c79d2 --- /dev/null +++ b/security/README.md @@ -0,0 +1,29 @@ +## Firewall + +### Ports I need + +Incoming - DROP except: +* http/s (nginx) +* 8448 (synapse - with TLS through nginx) +* ssh +* icmp +* ftp + +Outgoing - ACCEPT all + +### Using UFW + +* Enable IPv6 in `/etc/default/ufw` if not done: + + IPV6=yes + +* Set default rules e.g.: + + ufw default deny incoming + ufw default allow outgoing + +* Configure more rules: + + ufw [allow|deny|reject|limit] [in|out] [protocol|port] + +See `ufw.sh`. diff --git a/security/ufw.sh b/security/ufw.sh new file mode 100755 index 0000000..80ede9e --- /dev/null +++ b/security/ufw.sh @@ -0,0 +1,13 @@ +#!/bin/bash + + +ufw default allow outgoing +ufw default allow routed +ufw default deny incoming +ufw allow in ftp/tcp +ufw allow in ssh/tcp +ufw allow in http/tcp +ufw allow in https/tcp +ufw allow in 8448 +ufw allow in from 172.0.0.0/8 # docker and such +
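Review bot: the README.md hunk's new TODO ("review synapse nginx conf - seems incomplete") does not say what looks incomplete, so whoever picks it up has to rediscover the problem; record the specific concern (which server block, which directive or listener is missing) in the TODO item, and consider wording the new link as "securing the server" to match the style of the existing wordpress entry.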
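Review bot: in the security/README.md hunk the "Ports I need" list puts ftp among the inbound services, which deserves a second look: FTP carries credentials and data in cleartext, and if it is really required note that the ufw service name "ftp" only opens port 21 (the control channel), so passive-mode transfers additionally need their data-port range opened or the ftp connection-tracking helper loaded; if the only need is file transfer, SFTP over the ssh rule that is already listed covers it with no extra port. Two smaller points in the same hunk: the rule syntax line "ufw [allow|deny|reject|limit] [in|out] [protocol|port]" is not how ufw takes its argument, it is a service name or "port[/protocol]" (e.g. "ufw allow in 22/tcp"), so the placeholder should read "[service|port[/protocol]]"; and icmp is listed as needed inbound but nothing in ufw.sh mentions it, so add a line saying that ufw's default /etc/ufw/before.rules already accepts the common ICMP types (echo-request, destination-unreachable, time-exceeded, parameter-problem), otherwise the next reader will look for a missing rule.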
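Review bot: in the security/ufw.sh hunk the last rule "ufw allow in from 172.0.0.0/8 # docker and such" opens every port to far more than Docker: the private range is 172.16.0.0/12 (RFC 1918), so 172.0.0.0/8 also admits public address space (172.0.0.0 to 172.15.255.255 and 172.32.0.0 to 172.255.255.255). Narrow it to "ufw allow in from 172.16.0.0/12", or better, scope it to the bridge interface with "ufw allow in on docker0" so the rule does not depend on the address plan at all; and since the comment names Docker, be aware that Docker inserts its own iptables rules for published ports ahead of ufw's chains, so this rule is not what actually governs container exposure. Other points in the same hunk: "ufw allow in 8448" has no protocol and therefore opens both tcp and udp, whereas the README says this is TLS-over-nginx traffic, so write "ufw allow in 8448/tcp"; the README mentions "limit" but the script uses "ufw allow in ssh/tcp", and "ufw limit in ssh/tcp" would rate-limit SSH brute forcing at no cost; "ufw default allow routed" enables forwarding through the host by default, which the README never asks for, so either document why it is needed (container networking) or make it "deny routed"; and the script neither ends with "ufw enable" nor sets "set -e", so a failed rule is silently skipped and the firewall is left inactive after running it, which contradicts the README pointing to ufw.sh as the complete procedure.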