Part of the situation that I’m running on my MIAB machine is that part of the time I use it as a traffic concentrator when I’m traveling. Aka OpenVPN: I want my data to cross back into a country I trust a bit more when I’m abroad. The reason I’m even running MIAB is that there’s tons of time when this machine isn’t really being used, where I might as well be using it for something else. Turns out MIAB is a super great solution, especially since I don’t really care for the situation where I have to trust cloud providers too much. (I realise trusting a VPS provider is also technically in the same boat.)
Thing is, I use this OpenVPN for way more than just web browsing, and a lot of things like browser extensions that rely on things like Sync functions die because I don’t want to sit here and argue with firewall rules. Would it be possible to set priorities in UFW or something where the ports that Fail2Ban will be able to apply special limitations to etc… but basically allow all other traffic? I know that it was recommended to me in another thread to just run ufw default allow outgoing, which solves part of the problem but not the whole problem.
The thing is, I’ve got a firewall installed inside of my machines so that I know what traffic is going through my network cards locally. So I could effectively just write down all of the individual ports on a piece of paper and do ufw allow for every service ever, but this is going to require about 700 UFW rules.
I don’t want to do that at the very least not manually.
The simplest solution that I can think of
The easiest solution that I can imagine is to just do something like ufw default allow incoming and then just hope that MIAB will restrict access when needed.
The ruleset that came with MIAB
To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
53                         ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
587                        ALLOW       Anywhere
993                        ALLOW       Anywhere
995                        ALLOW       Anywhere
4190/tcp                   ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
53 (v6)                    ALLOW       Anywhere (v6)
25/tcp (v6)                ALLOW       Anywhere (v6)
587 (v6)                   ALLOW       Anywhere (v6)
993 (v6)                   ALLOW       Anywhere (v6)
995 (v6)                   ALLOW       Anywhere (v6)
4190/tcp (v6)              ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
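An added example, not code from the post above or from MIAB, showing how VPN traffic can be admitted by interface rather than by per-service port lists, so the incoming default can stay at deny instead of being flipped to allow; it also includes a check that flags the allow-incoming default in ufw status output. The OpenVPN port (udp/1194), tunnel interface (tun0) and public interface (eth0) are assumptions, not values from the post.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Keeps ufw's default-deny for
# inbound traffic on the public interface and admits VPN traffic by
# interface instead of enumerating every service port.
# Assumptions (not stated in the post): OpenVPN listens on udp/1194,
# the tunnel interface is tun0 and the public interface is eth0.
VPN_PORT="${VPN_PORT:-1194/udp}"
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"

# Print the ufw commands that would be run; nothing is applied here.
vpn_ufw_rules() {
  cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow in on ${WAN_IF} to any port ${VPN_PORT}
ufw allow in on ${VPN_IF}
ufw route allow in on ${VPN_IF} out on ${WAN_IF}
EOF
}

# Given the text of 'ufw status verbose', return 0 when the incoming
# default policy is 'allow' (the setting proposed in the post), else 1.
incoming_default_is_allow() {
  printf '%s\n' "$1" | grep -q '^Default: allow (incoming)'
}

# Constructed sample of what 'ufw status verbose' prints after
# 'ufw default allow incoming'; used only for the self-check.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

if [ "${1:-}" = "--apply" ]; then
  # Each emitted line is a plain ufw invocation with no quoting to preserve.
  vpn_ufw_rules | while IFS= read -r cmd; do
    sudo $cmd
  done
elif [ "${1:-}" = "--check" ]; then
  if incoming_default_is_allow "$(sudo ufw status verbose)"; then
    echo "WARNING: ufw incoming default is allow"
  else
    echo "ufw incoming default is not allow"
  fi
fi
```

Forwarded VPN traffic additionally needs IP forwarding enabled and a MASQUERADE rule for the VPN subnet, which ufw has no command for and only picks up from /etc/ufw/before.rules.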