Securing the System with a Firewall
This section provides guidelines on firewall rules as well as the required ports to be opened for a machine hosting UIP or Adapter Hub.
Check the official Ubuntu Uncomplicated Firewall Document for more detail on firewall commands.
If the machine is exposed to external traffic, NEC also recommends that your system be protected by a commercial-grade firewall to prevent DoS or other malicious activity. The items listed in this document should be part of an overall security plan for your IT environment.
Secure a New System
By default, after a clean install the system firewall (iptables) already contains all the rules necessary for the NEC software services to communicate. This is done behind the scenes by the Docker daemon, which manipulates the actual system firewall to provide network isolation and to publish the container ports.
However, there are no rules that forbid connections on other ports, which exposes the host's own services (SSH and anything else listening on the host) to potential malicious activity. Note that Docker inserts its own iptables rules ahead of the UFW chains, so ports published by Docker containers remain reachable regardless of the UFW rules below; the rules in this section protect the host itself and do not override what Docker publishes.
Run the following commands to secure the system:
# Install the Uncomplicated Firewall (UFW) configuration tool
sudo apt install ufw
# Allow SSH connections.
# Note: This is needed to be able to manage the system remotely via PuTTY / SCP or similar apps.
sudo ufw allow ssh
# Deny all incoming connections unless specified otherwise
sudo ufw default deny incoming
# Allow all outgoing connections unless specified otherwise
sudo ufw default allow outgoing
# We don't need to explicitly allow any specific ports (Docker does this for us)
# Enable the UFW firewall
sudo ufw enable
# Reboot the system to ensure that these rules are effectively applied
sudo reboot now
This is the minimum set of rules needed to secure the system with a firewall.
To enforce additional rules, follow the guidelines from the Modify the Firewall Rules section.
Additional Notes
- In the above rules, the open ports are allowed from all IP addresses. The "from" syntax can be used to restrict connections further by limiting which addresses can connect. For example, the following command allows SSH access (port 22 tcp) only from an IP address in the range 192.168.1.0-192.168.1.255 (the 192.168.1.0/24 network):
sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp
- External firewalls may use different rules than those specified here. If you are using an external firewall, be sure to allow the following ports in order to be able to access UIP:
- 22 for SSH administration of the Linux host system.
- 80 for HTTP access to UIP before HTTPS access is configured
- 443 for HTTPS access to UIP after HTTPS access is configured
- 9090 for the UIP installation wizard. This port can be closed after the installation process is complete.
- 65300 for WF Adapter proxy only if your UIP system needs to use the WF Adapter Proxy with external adapters.
Check Firewall Status and Rules
To check the current firewall status and rules, run this command in an SSH session or in a console terminal:
sudo ufw status verbose
The output of this command after following the Secure a New System section above will appear like the following:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
If the firewall status is not "active", the system is not protected and it may be exposed to attacks. Activate the firewall by running sudo ufw enable, then re-run the status command sudo ufw status verbose to confirm that it now reports "Status: active".
If the ports list contains anything other than the entries mentioned above, confirm whether those ports are required by other apps or services. If they are not used, remove the associated rules from the firewall so that the system is fully protected.
If the ports list does not contain the required entries, they should be added to allow essential services through the firewall. Refer to the next section to learn how to add or remove ports from the firewall.
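The checks described in this section can be automated. The following POSIX shell script is an added example, not part of the NEC documentation: it reads the output of sudo ufw status verbose (piped in live, or from a saved file), verifies that the firewall is active with a default deny incoming policy, confirms that the SSH rule exists, and reports any inbound allow rule for a port this document does not list. The expected port list (22 mandatory; 80, 443, 9090 and 65300 accepted) and the three sample outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original NEC document): audit the output of
# "sudo ufw status verbose" against the baseline described in this section.
# Live use:    sudo ufw status verbose | sh audit_ufw.sh
# Assumptions: the expected inbound ports are the ones this document lists
# (22 mandatory; 80, 443, 9090 and 65300 accepted when present). Anything
# else, including application-profile names such as "OpenSSH", is reported
# so that it can be confirmed or removed.

REQUIRED_PORTS="22"
OPTIONAL_PORTS="80 443 9090 65300"

# audit_ufw_status: reads "ufw status verbose" text on stdin, prints one
# line per finding and returns 0 only when the baseline is fully met.
audit_ufw_status() {
    awk -v required="$REQUIRED_PORTS" -v optional="$OPTIONAL_PORTS" '
    BEGIN {
        n = split(required, r, " "); for (i = 1; i <= n; i++) need[r[i]] = 1
        n = split(optional, o, " "); for (i = 1; i <= n; i++) ok[o[i]] = 1
        findings = 0; status = ""; def = ""; noted9090 = 0
    }
    /^Status:/  { status = $2 }
    /^Default:/ { def = $0 }
    # Rule lines look like "22/tcp  ALLOW IN  Anywhere" or "22/tcp (v6) ...".
    /ALLOW IN/ {
        split($1, parts, "/"); port = parts[1]
        seen[port] = 1
        if (!(port in need) && !(port in ok)) {
            printf "FINDING: unexpected inbound allow: %s\n", $0; findings++
        }
        if (port == "9090" && !noted9090) {
            noted9090 = 1
            print "NOTE: 9090 (installation wizard) should be closed once installation is complete"
        }
    }
    END {
        if (status != "active") {
            print "FINDING: firewall is not active (run: sudo ufw enable)"; findings++
        } else {
            if (def !~ /deny \(incoming\)/) {
                print "FINDING: default incoming policy is not deny"; findings++
            }
            for (rp in need) if (!(rp in seen)) {
                printf "FINDING: required port %s has no ALLOW IN rule\n", rp; findings++
            }
        }
        if (findings == 0) print "OK: firewall matches the baseline"
        exit (findings > 0)
    }'
}

# Constructed sample outputs (not captured from a real host) for an offline run.
SAMPLE_OK='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Same host after someone opened 4000/tcp to the world and changed the default policy.
SAMPLE_BAD='Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
4000/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# What "ufw status verbose" prints before "ufw enable" has been run.
SAMPLE_INACTIVE='Status: inactive'

# Demonstration on the constructed samples; replace with a live pipe on a real host.
for s in "$SAMPLE_OK" "$SAMPLE_BAD" "$SAMPLE_INACTIVE"; do
    printf '%s\n' "$s" | audit_ufw_status; echo "exit status: $?"
done
```

The script reports, it does not change anything: a non-zero exit status means at least one item in this section needs attention, and the FINDING lines say which. Because Docker-published ports never appear in ufw status, a clean result here says nothing about what containers expose; check those separately.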
Modify Firewall Rules
There may be a need to allow or deny ports through the firewall after the system is configured. The following commands show how to add and remove "allow" and "deny" rules.
Allow Ports
To allow a specific TCP port through the firewall, use this command with the port number to be allowed:
sudo ufw allow <in|out> <port_number>/tcp
For example, to allow incoming TCP connections on port 4000, the command would look like the following:
sudo ufw allow in 4000/tcp
Remove Allowed Ports
To remove a previously allowed port from the firewall, delete the associated rule. The rule must be named exactly as it was added (including any "from" restriction or protocol), otherwise ufw reports that the rule does not exist:
sudo ufw delete allow <in|out> <port_number>/tcp
For example, to remove incoming TCP connections on port 4000, the command would look like the following:
sudo ufw delete allow in 4000/tcp
Deny Ports
To deny a specific TCP port from passing through the firewall, use this command with the port number to be denied:
sudo ufw deny <in|out> <port_number>/tcp
For example, to deny the outgoing TCP connections on port 5555, the command would look like the following:
sudo ufw deny out 5555/tcp
Remove Denied Ports
To remove a previously denied port rule from the firewall, the associated rule needs to be deleted:
sudo ufw delete deny <in|out> <port_number>/tcp
For example, to remove the deny rule for outgoing access for TCP port 5555, the command would look like the following:
sudo ufw delete deny out 5555/tcp
Reset Firewall
To discard all firewall settings and return to a completely unlocked state, clear the firewall settings by running the reset command. Note that this also disables the firewall, so the system is unprotected until the steps in the Secure a New System section are run again:
sudo ufw reset