Securing your Raspberry Pi
A bit more ...

Thanks to Mark for his presentation on  Let's Encrypt - I borrowed a bunch of ideas from there.

More information here:

  • ufw opens up more than what is shown above.  From the man page:  NOTES:

           - ACCEPT certain icmp packets (INPUT and FORWARD): destination-unreachable, source-quench, time-exceeded, parameter-
                  problem, and echo-request for IPv4. destination-unreachable, packet-too-big, time-exceeded,  parameter-problem,
                  and echo-request for IPv6.
           - ACCEPT icmpv6 packets for stateless autoconfiguration (INPUT)
           - ACCEPT ping replies from IPv6 link-local (fe80::/10) addresses (INPUT)
           - ACCEPT DHCP client traffic (INPUT)
           - DROP non-local traffic (INPUT)
           - ACCEPT mDNS (zeroconf/bonjour/avahi for IPv4 and ff02::fb for IPv6) for service discovery (INPUT)
           - ACCEPT UPnP ( for IPv4 and ff02::f for IPv6) for service discovery (INPUT)

  • If you want to remove mDNS and UPnP  or others see below.  Be cautious.  Removing some of the icmp packets and DHCP packets my break your networking.
    Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services for data sharing, ...

    In computer networking, the multicast DNS (mDNS) protocol resolves hostnames to IP addresses within small networks that do not include a local name server. It is a zero-configuration service, using essentially the same programming interfaces, packet formats and operating semantics as the unicast Domain Name System (DNS). Although Stuart Cheshire designed mDNS as a stand-alone protocol, it can work in concert with standard DNS servers.[1]

    Part II

    REJECT  all  --  8gig.lan  anywhere  reject-with icmp-port-unreachable

    How To Change The ufw Defaults for mDNS and uPnP

    (Thanks Mark)

    Change directory to the /etc/ufw.

    Run a 'ufw reset' command to start from a known state.

    Make a copy of before.rules and before6.rules and give them
    a .dist extension for distribution).   This is for safe keeping of the original distribution rules as we play.

    # cp before.rules before.rules.dist
    # cp before6.rules before6.rules.dist

    Edit those two before(6).rules files and change the ACCEPT command to DROP for the rules designating mDNS and uPNP:

    Running a diff command against these two rule sets should produce.


    root@meet:/etc/ufw# diff before.rules.dist before.rules
    < -A ufw-before-input -p udp -d --dport 5353 -j ACCEPT
    > -A ufw-before-input -p udp -d --dport 5353 -j DROP
    < -A ufw-before-input -p udp -d --dport 1900 -j ACCEPT
    > -A ufw-before-input -p udp -d --dport 1900 -j DROP


    root@meet:/etc/ufw# diff before6.rules.dist before6.rules
    < -A ufw6-before-input -p udp -d ff02::fb --dport 5353 -j ACCEPT
    > -A ufw6-before-input -p udp -d ff02::fb --dport 5353 -j DROP
    < -A ufw6-before-input -p udp -d ff02::f --dport 1900 -j ACCEPT
    > -A ufw6-before-input -p udp -d ff02::f --dport 1900 -j DROP

    This shows the changes you made to the before(6).rules files

    Now make a copy of your altered files like so to preserve your changes as a ufw reset will destroy the changes:

    # cp before.rules before.rules.nomdns_or_upnp
    # cp before6.rules before6.rules.nomdns_or_upnp

    You can use these files in the future to save yourself editing time if you run 'ufw reset' again.   You just need to copy the .nomds_or_pnp files to .rules.

    To cause these new rule sets to be implemented do a ufw disable and ufw enable.