Open standard ports on Ubuntu Server

Understanding UFW (Uncomplicated Firewall)

UFW is Ubuntu's default firewall configuration tool that provides an easy-to-use interface for managing netfilter firewall rules. It uses iptables under the hood but simplifies the process of creating and managing firewall rules.

How UFW Works

  • Default Policy: By default, UFW denies all incoming connections and allows all outgoing connections
  • Rule Evaluation: Rules are evaluated in order from first to last
  • State Tracking: UFW uses connection state tracking to allow return traffic automatically
  • IPv6 Support: UFW manages both IPv4 and IPv6 rules simultaneously
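The first-match behaviour and the default-deny policy described above can be made concrete with a small model. The following shell script is an added example, not part of the original page and not UFW's own code: it holds a constructed rule list in the order `ufw status numbered` would print it and reports which rule (or the default policy) decides a given source address and destination port. It is IPv4 only and ignores protocol and interface, both of which real UFW rules can also match on.

```shell
#!/usr/bin/env bash
# Model of UFW's first-match evaluation against a default-deny incoming policy.
# Constructed rule list (not a real host's rules), one rule per line in
# "ufw status numbered" order: "<action> <from-cidr-or-any> <dport-or-any>".
set -eu

RULES='allow any 22
allow any 80
deny 203.0.113.0/24 any
allow 192.168.1.0/24 5432'

# ip_in_cidr IP CIDR -> exit 0 when IP lies inside CIDR ("any" matches everything).
# IPv4 only; the comparison is done on the integer form shifted by the host bits,
# which avoids needing bitwise operators in awk.
ip_in_cidr() {
  [ "$2" = "any" ] && return 0
  awk -v ip="$1" -v cidr="$2" '
    function toint(a,  p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
    BEGIN {
      split(cidr, c, "/")
      bits = (c[2] == "") ? 32 : c[2]
      d = 2^(32-bits)
      exit !(int(toint(ip)/d) == int(toint(c[1])/d))
    }'
}

# evaluate SRC_IP DPORT -> prints the action of the first matching rule and its
# number, or "deny (default policy)" when no rule matches.
evaluate() {
  src=$1; port=$2; n=0
  while read -r action from dport; do
    n=$((n+1))
    if { [ "$dport" = any ] || [ "$dport" = "$port" ]; } && ip_in_cidr "$src" "$from"; then
      echo "$action (rule $n)"
      return 0
    fi
  done <<EOF
$RULES
EOF
  echo "deny (default policy)"
}

# Constructed probes: the first one shows the ordering trap, the deny in rule 3
# never sees port-22 traffic from 203.0.113.0/24 because rule 1 already matched.
for probe in "203.0.113.5 22" "203.0.113.5 443" "192.168.1.20 5432" "192.168.2.20 5432"; do
  set -- $probe
  echo "src=$1 dport=$2 -> $(evaluate "$1" "$2")"
done
```

The output shows why rule order matters: a `deny from 203.0.113.0/24` that sits after `allow 22` does not block SSH from that network. To make a deny rule take precedence, place it first with `sudo ufw insert 1 deny from 203.0.113.0/24` and confirm the order with `sudo ufw status numbered`.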

Essential System Ports

bash
# Allow SSH before enabling the firewall so an existing remote session is not cut off
sudo ufw allow 22

sudo ufw enable

# HTTP and HTTPS
sudo ufw allow 80
sudo ufw allow 443
# NTP (UDP)
sudo ufw allow 123
# DNS (TCP/UDP) and mDNS
sudo ufw allow 53
sudo ufw allow 5353
# PostgreSQL
sudo ufw allow 5432
# MySQL/MariaDB
sudo ufw allow 3306

Port Explanations

  • Port 80 (HTTP): Standard unencrypted web traffic. Used by web servers such as Apache and Nginx
  • Port 443 (HTTPS): Encrypted web traffic using TLS/SSL. Required for secure websites
  • Port 22 (SSH): Secure Shell for remote server administration. Critical for remote management
  • Port 123 (NTP): Network Time Protocol (UDP). Keeps system clock synchronized
  • Port 53 (DNS): Domain Name System. Standard DNS queries (TCP/UDP)
  • Port 5353 (mDNS): Multicast DNS. Used for local network service discovery (Avahi, Bonjour)
  • Port 5432 (PostgreSQL): Default port for PostgreSQL database server
  • Port 3306 (MySQL/MariaDB): Default port for MySQL and MariaDB database servers

Allow MongoDB (port 27017)

MongoDB is a NoSQL document database. Port 27017 is the default port for MongoDB instances. The rule below opens it to every host:

bash
sudo ufw allow 27017

Security Note: Only expose MongoDB to trusted networks. Prefer the IP-restricted rules in the next section, which limit access to specific addresses instead of opening the port to anyone.

Restricting MongoDB Access to Specific IPs

bash
# Allow MongoDB access only from specific IP
sudo ufw allow from 192.168.1.100 to any port 27017

# Allow MongoDB access from a subnet
sudo ufw allow from 192.168.1.0/24 to any port 27017

Allow Email Ports

Email servers require multiple ports for different protocols:

  • Port 25 (SMTP): Simple Mail Transfer Protocol - Used for sending email between mail servers
  • Port 143 (IMAP): Internet Message Access Protocol - Unencrypted email retrieval
  • Port 993 (IMAPS): IMAP over SSL/TLS - Encrypted email retrieval
  • Port 110 (POP3): Post Office Protocol v3 - Unencrypted email download
  • Port 995 (POP3S): POP3 over SSL/TLS - Encrypted email download

bash
sudo ufw allow 25
sudo ufw allow 143
sudo ufw allow 993
sudo ufw allow 110
sudo ufw allow 995

Additional Email Server Ports

bash
# SMTP Submission (modern email submission)
sudo ufw allow 587

# SMTPS (SMTP over SSL - legacy)
sudo ufw allow 465

Advanced Email Server Configuration

For production email servers, consider restricting port 25 to prevent spam:

bash
# Allow SMTP only from localhost (for local apps sending email)
sudo ufw allow from 127.0.0.1 to any port 25

# Allow SMTP from specific trusted servers
sudo ufw allow from 203.0.113.10 to any port 25

Reload UFW

After adding or modifying firewall rules, reload UFW to apply changes:

bash
sudo ufw reload

Check UFW status to confirm rules

bash
sudo ufw status

Detailed Status View

For more verbose output showing rule numbers and details:

bash
# Show numbered rules (useful for deleting specific rules)
sudo ufw status numbered

# Show verbose status with more details
sudo ufw status verbose

Example Output

plaintext
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
5432/tcp                   ALLOW       Anywhere

Enable Logging for Monitoring

UFW logging helps track connection attempts and troubleshoot firewall issues:

bash
sudo ufw logging on

Logging Levels

bash
# Set logging to low (minimal logging)
sudo ufw logging low

# Set logging to medium (moderate detail)
sudo ufw logging medium

# Set logging to high (maximum detail)
sudo ufw logging high

# Set logging to full (logs all packets)
sudo ufw logging full

View UFW Logs

bash
# View recent UFW log entries
sudo tail -f /var/log/ufw.log

# Search for blocked connections
sudo grep -i "block" /var/log/ufw.log

# Count blocked connection attempts
sudo grep -c "BLOCK" /var/log/ufw.log
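The grep commands above answer "how many" but not "from where" or "at which port". The following shell script is an added example, not part of the original page: it parses the `[UFW BLOCK]` kernel lines in the format rsyslog writes to /var/log/ufw.log and reports the busiest blocked sources and the most-targeted destination ports. The log lines embedded in it are constructed samples using RFC 5737 documentation addresses and a hypothetical host name; to use the functions on a real host, pass /var/log/ufw.log as the file argument.

```shell
#!/usr/bin/env bash
# Summarise UFW block events: top blocked source addresses and destination ports.
set -eu

# Constructed sample of /var/log/ufw.log (hypothetical host "srv", RFC 5737 addresses).
# Real lines carry more fields (MAC=, LEN=, TTL=, ...); the parsers below only look
# at the KEY=VALUE fields they need, so extra fields do not matter.
SAMPLE_LOG=$(cat <<'EOF'
Mar 10 12:00:01 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.51 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=22 SYN
Mar 10 12:00:02 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.51 DST=192.0.2.10 PROTO=TCP SPT=44322 DPT=22 SYN
Mar 10 12:00:03 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.51 DST=192.0.2.10 PROTO=TCP SPT=44323 DPT=3306 SYN
Mar 10 12:00:04 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=22 SYN
Mar 10 12:00:05 srv kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.1.100 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=443 SYN
Mar 10 12:00:06 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
EOF
)

# Number of [UFW BLOCK] lines in the log file $1 (grep -c exits 1 on zero matches,
# so the count of 0 is kept with || true).
count_blocks() {
  grep -c '\[UFW BLOCK\]' "$1" || true
}

# "count ip" per blocked source address in log file $1, busiest first.
top_blocked_sources() {
  grep '\[UFW BLOCK\]' "$1" | grep -o 'SRC=[^ ]*' | cut -d= -f2 \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# "count port/proto" per blocked destination port in log file $1, busiest first.
# PROTO= and DPT= are collected independently so their order on the line is irrelevant.
top_blocked_ports() {
  grep '\[UFW BLOCK\]' "$1" | awk '{
    proto = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "PROTO") proto = tolower(kv[2])
      if (kv[1] == "DPT") dpt = kv[2]
    }
    if (dpt != "") print dpt "/" proto
  }' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Source addresses with more than $2 blocked attempts in log file $1: a crude
# indicator of scanning or brute forcing worth checking against the limit rule.
noisy_sources() {
  top_blocked_sources "$1" | awk -v t="$2" '$1 > t {print $2}'
}

LOG_FILE=$(mktemp)   # stand-in for /var/log/ufw.log
printf '%s\n' "$SAMPLE_LOG" > "$LOG_FILE"

echo "Blocked events: $(count_blocks "$LOG_FILE")"
echo "Top blocked sources (count ip):"; top_blocked_sources "$LOG_FILE"
echo "Top blocked ports (count port/proto):"; top_blocked_ports "$LOG_FILE"
echo "Sources with more than 2 blocked attempts:"; noisy_sources "$LOG_FILE" 2
```

On a host with `sudo ufw logging medium` or higher, blocked SYNs to closed ports dominate the file; the "noisy sources" list is the part worth feeding into alerting, while a single blocked packet is usually background noise.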

UniFi Network Server ports

UniFi Controller is Ubiquiti's network management software. It requires multiple ports for different services:

Port Categories:

  • Controller Management: Web interface and device communication
  • Device Discovery: L2 and L3 network discovery protocols
  • Streaming Services: Camera feeds and real-time video
  • VoIP Services: UniFi Talk voice communications
  • Database: MongoDB for storing configuration and statistics

bash
# Allow UniFi Controller HTTP and HTTPS ports
sudo ufw allow 8080 # Device communication (inform)
sudo ufw allow 8443 # UniFi controller management interface (HTTPS)

# Allow UniFi Discovery
sudo ufw allow 10001 # Device discovery on the network

# Allow MongoDB (UniFi Database)
sudo ufw allow 27017 # Default MongoDB port for UniFi services

# Allow UniFi Video / Protect ports
sudo ufw allow 7443 # Web interface for UniFi Protect
sudo ufw allow 554 # Camera streaming (RTSP)
sudo ufw allow 8000 # Camera streaming
sudo ufw allow 7444 # Camera streaming

# Allow SNMP (for monitoring purposes)
sudo ufw allow 161 # SNMP monitoring

# Allow UniFi Talk (VoIP - SIP and RTP)
sudo ufw allow 5060 # SIP (Session Initiation Protocol) for voice
sudo ufw allow 5061 # Secure SIP (SIP over TLS)
sudo ufw allow 16384:32767/udp # RTP (Real-time Transport Protocol) media streams

# Remaining controller services (see the port table below)
sudo ufw allow 3478 # STUN
sudo ufw allow 5514 # Remote syslog from managed devices
sudo ufw allow 6789 # UniFi mobile speed test
sudo ufw allow 27117 # Controller's local MongoDB instance
sudo ufw allow 5656:5699/udp # AP-EDU broadcast
sudo ufw allow 1900 # SSDP
sudo ufw allow 7550 # UniFi Video / Protect
sudo ufw allow 7442 # UniFi Video / Protect

UniFi Port Details

Port   Protocol  Service           Description
8080   TCP       Device Inform     Device communication with controller
8443   TCP       HTTPS             Controller web interface (admin)
8880   TCP       HTTP              Portal HTTP redirect
8843   TCP       HTTPS             Portal HTTPS redirect
6789   TCP       Speed Test        UniFi mobile speed test
3478   UDP       STUN              Session traversal for NAT
10001  UDP       Device Discovery  AP discovery
1900   UDP       SSDP              Simple Service Discovery Protocol
5514   UDP       Syslog            Remote logging

Security Recommendations for UniFi

bash
# Restrict controller access to local network only
sudo ufw allow from 192.168.1.0/24 to any port 8443

# Allow device inform from managed network only
sudo ufw allow from 10.0.0.0/8 to any port 8080

# Restrict MongoDB to localhost (if DB is on same server)
sudo ufw delete allow 27017
sudo ufw allow from 127.0.0.1 to any port 27017

Advanced UFW Management

Allowing Specific IP Addresses

bash
# Allow all traffic from specific IP
sudo ufw allow from 192.168.1.50

# Allow specific port from specific IP
sudo ufw allow from 192.168.1.50 to any port 22

# Allow from IP range (CIDR notation)
sudo ufw allow from 192.168.1.0/24

Denying Connections

bash
# Deny specific port
sudo ufw deny 23

# Deny from specific IP
sudo ufw deny from 203.0.113.51

# Deny to specific port from IP
sudo ufw deny from 203.0.113.51 to any port 22

Deleting Rules

bash
# Delete by rule specification
sudo ufw delete allow 8080

# Delete by rule number (use 'ufw status numbered' first)
sudo ufw delete 5

# Delete rule for specific IP
sudo ufw delete allow from 192.168.1.100

Application Profiles

UFW includes predefined application profiles in /etc/ufw/applications.d/:

bash
# List available application profiles
sudo ufw app list

# Show application profile info
sudo ufw app info 'Nginx Full'

# Allow application profile
sudo ufw allow 'Nginx Full'
sudo ufw allow 'OpenSSH'
sudo ufw allow 'Apache Full'
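A custom profile lets you reuse a named port set instead of repeating port numbers in every rule. The following shell script is an added example, not a profile shipped with UFW or UniFi and not code from the original page: it writes a profile in the format UFW reads from /etc/ufw/applications.d/ into a temporary directory (so it runs without root) and parses it back the way `ufw app info` lists an application's ports. The application names are invented for the example; the port numbers come from the UniFi port table on this page.

```shell
#!/usr/bin/env bash
# Write a custom UFW application profile and read it back.
set -eu

PROFILE_DIR=$(mktemp -d)   # stand-in for /etc/ufw/applications.d (assumption: temp dir)
PROFILE_FILE="$PROFILE_DIR/unifi-controller"

# UFW profile format: one [Application] section per name, with title, description
# and a ports= list separated by '|'. Each entry is a port or a low:high range with
# /tcp or /udp. The two applications below are constructed for this example.
cat > "$PROFILE_FILE" <<'EOF'
[UniFi Controller]
title=UniFi Network controller
description=Device inform, admin UI, STUN and discovery for the UniFi controller
ports=8080/tcp|8443/tcp|3478/udp|10001/udp

[UniFi Portal]
title=UniFi guest portal
description=Captive portal HTTP and HTTPS redirect
ports=8880/tcp|8843/tcp
EOF

# Application names defined in profile file $1, one per line.
profile_apps() {
  sed -n 's/^\[\(.*\)\]$/\1/p' "$1"
}

# Ports of application $2 in profile file $1, one per line (like `ufw app info`).
profile_ports() {
  awk -v app="$2" '
    /^\[/ { section = substr($0, 2, length($0) - 2); next }
    section == app && /^ports=/ {
      n = split(substr($0, 7), p, "|")
      for (i = 1; i <= n; i++) print p[i]
    }' "$1"
}

# Validate the port entries of application $2 in profile file $1: each must be
# "port/proto" or "low:high/proto" with every number in 1..65535. This covers the
# form used on this page; UFW also accepts comma-separated lists, which it does not.
profile_valid() {
  profile_ports "$1" "$2" | awk '
    {
      ok = ($0 ~ /^[0-9]+(:[0-9]+)?\/(tcp|udp)$/)
      if (ok) {
        split($0, a, "/")
        n = split(a[1], r, ":")
        for (i = 1; i <= n; i++) if (r[i] < 1 || r[i] > 65535) ok = 0
      }
      if (!ok) { bad = 1; print "invalid port entry: " $0 > "/dev/stderr" }
    }
    END { exit bad ? 1 : 0 }'
}

echo "Applications in $PROFILE_FILE:"
profile_apps "$PROFILE_FILE"
echo "Ports for 'UniFi Controller':"
profile_ports "$PROFILE_FILE" 'UniFi Controller'
profile_valid "$PROFILE_FILE" 'UniFi Controller' && echo "profile entries look valid"
```

To use such a profile, copy the file into /etc/ufw/applications.d/, check that `sudo ufw app list` shows the new names, then reference the profile in a rule, for example `sudo ufw allow from 192.168.1.0/24 to any app 'UniFi Controller'`. Combining a profile with a `from` restriction keeps the port set in one place while still limiting who can reach it.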

Port Ranges

bash
# Allow TCP port range
sudo ufw allow 6000:6007/tcp

# Allow UDP port range
sudo ufw allow 6000:6007/udp

# Allow port range from specific IP
sudo ufw allow from 192.168.1.100 to any port 6000:6007 proto tcp

Interface-Specific Rules

bash
# Allow on specific network interface
sudo ufw allow in on eth0 to any port 80

# Allow from specific interface to specific port
sudo ufw allow in on eth1 to any port 3306

# Deny on specific interface
sudo ufw deny in on eth0 from 203.0.113.0/24

Common Web Application Ports

bash
# Development servers are meant for the developer's own machine; on a shared host
# prefer 'sudo ufw allow from <trusted-ip> to any port <port>' over opening them to all

# Node.js development
sudo ufw allow 3000

# React development
sudo ufw allow 3001

# Vue.js/Vite development
sudo ufw allow 5173

# Next.js development
sudo ufw allow 3000

# Django development
sudo ufw allow 8000

# Flask development
sudo ufw allow 5000

# Ruby on Rails
sudo ufw allow 3000

# Tomcat
sudo ufw allow 8080
sudo ufw allow 8009

# Jenkins
sudo ufw allow 8080

# Grafana
sudo ufw allow 3000

# Prometheus
sudo ufw allow 9090

# Elasticsearch
sudo ufw allow 9200
sudo ufw allow 9300

# Redis
sudo ufw allow 6379

# RabbitMQ
sudo ufw allow 5672
sudo ufw allow 15672

# Kafka
sudo ufw allow 9092

# MinIO (S3 compatible)
sudo ufw allow 9000
sudo ufw allow 9001

Container and Orchestration Ports

bash
# Docker
sudo ufw allow 2375 # Docker daemon API (unencrypted; restrict to trusted hosts with a 'from' rule)
sudo ufw allow 2376 # Docker daemon API (TLS)
sudo ufw allow 2377 # Docker Swarm cluster management

# Kubernetes
sudo ufw allow 6443 # Kubernetes API server
sudo ufw allow 2379:2380/tcp # etcd client (2379) and peer (2380) API; port ranges need a protocol
sudo ufw allow 10250 # Kubelet API
sudo ufw allow 10251 # kube-scheduler
sudo ufw allow 10252 # kube-controller-manager
sudo ufw allow 10255 # Read-only Kubelet API

# Kubernetes NodePort range
sudo ufw allow 30000:32767/tcp

# Portainer
sudo ufw allow 9443 # Portainer HTTPS
sudo ufw allow 9000 # Portainer HTTP
sudo ufw allow 8000 # Portainer Edge Agent

Troubleshooting

Check if UFW is Running

bash
sudo ufw status verbose
sudo systemctl status ufw

Reset UFW to Default

bash
# WARNING: This removes all rules
sudo ufw --force reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable

Test Connection to Port

bash
# Test if port is open from another machine
nc -zv server_ip 80
telnet server_ip 80

# Check listening ports on server
sudo ss -tlnp
sudo netstat -tlnp # requires the net-tools package
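Listing listening ports and firewall rules separately leaves the comparison to the reader. The following shell script is an added example, not code from the original page: it parses `ss -tlnp` output for services bound to non-loopback addresses and `ufw status` output for ALLOW rules, then reports listeners open to everyone, listeners reachable only from a restricted range, listeners with no rule at all (blocked by the default policy, but worth confirming that is intended), and ALLOW rules with nothing listening behind them. Both command outputs are constructed samples embedded in the script; on a live host, pipe the real commands into the two parsing functions as the comments show.

```shell
#!/usr/bin/env bash
# Cross-check listening services against the UFW rule set.
set -eu

# Constructed sample of `sudo ss -tlnp` (hypothetical processes and PIDs).
SS_SAMPLE=$(cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=901,fd=6))
LISTEN  0       244     127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1001,fd=5))
LISTEN  0       70      0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=1100,fd=21))
LISTEN  0       4096    0.0.0.0:27017       0.0.0.0:*         users:(("mongod",pid=1200,fd=11))
LISTEN  0       128     [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
EOF
)

# Constructed sample of `sudo ufw status` for the same host.
UFW_SAMPLE=$(cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
27017                      ALLOW       192.168.1.0/24
22/tcp (v6)                ALLOW       Anywhere (v6)
EOF
)

# "port process" for each port with a listener on a non-loopback address.
# Live use: sudo ss -tlnp | exposed_listeners
exposed_listeners() {
  awk '$1 == "LISTEN" {
    n = split($4, a, ":"); port = a[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (addr == "127.0.0.1" || addr == "[::1]") next
    proc = "?"
    if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
    if (!(port in seen)) { seen[port] = 1; print port, proc }
  }'
}

# "port from" for each ALLOW rule ("any" for Anywhere). Handles both the plain
# "ALLOW" column of `ufw status` and "ALLOW IN" of `ufw status verbose`.
# Live use: sudo ufw status | allowed_ports
allowed_ports() {
  awk '$2 == "ALLOW" {
    port = $1; sub(/\/.*/, "", port)
    from = ($3 == "IN" || $3 == "OUT") ? $4 : $3
    if (from == "Anywhere") from = "any"
    if (!(port in seen)) { seen[port] = 1; print port, from }
  }'
}

# Audit report from the two command outputs given as $1 (ss) and $2 (ufw status).
audit() {
  listeners=$(printf '%s\n' "$1" | exposed_listeners)
  allowed=$(printf '%s\n' "$2" | allowed_ports)
  printf '%s\n' "$listeners" | while read -r port proc; do
    [ -n "$port" ] || continue
    from=$(printf '%s\n' "$allowed" | awk -v p="$port" '$1 == p {print $2}')
    if [ -z "$from" ]; then
      echo "NOT-ALLOWED $port ($proc): blocked by the default policy; confirm this is intended"
    elif [ "$from" = "any" ]; then
      echo "OPEN-TO-ALL $port ($proc)"
    else
      echo "RESTRICTED $port ($proc) from $from"
    fi
  done
  printf '%s\n' "$allowed" | while read -r port from; do
    [ -n "$port" ] || continue
    if ! printf '%s\n' "$listeners" | awk -v p="$port" '$1 == p {f = 1} END {exit !f}'; then
      echo "UNUSED-RULE $port: allowed but nothing is listening"
    fi
  done
}

audit "$SS_SAMPLE" "$UFW_SAMPLE"
```

In the sample, MySQL on 3306 is bound to all interfaces but has no rule, so only the default deny policy protects it; port 443 is allowed although nothing listens there, which is the kind of stale rule a periodic audit should remove with `sudo ufw delete allow 443`.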

Common Issues

Issue: Can't connect after enabling UFW

bash
# Check if SSH is allowed before enabling UFW
sudo ufw allow 22
sudo ufw enable

Issue: Rules not working

bash
# Reload UFW
sudo ufw reload

# Check rule order (first match wins)
sudo ufw status numbered

Issue: IPv6 connections not working

bash
# Verify IPv6 is enabled in UFW config
sudo nano /etc/default/ufw
# Set IPV6=yes
sudo ufw reload

Best Practices

  1. Principle of Least Privilege: Only open ports that are absolutely necessary
  2. SSH Security: Change default SSH port and use key-based authentication
  3. Use IP Restrictions: Limit administrative ports to known IP addresses
  4. Regular Audits: Periodically review open ports with sudo ufw status numbered
  5. Enable Logging: Monitor suspicious activity with sudo ufw logging medium
  6. Rate Limiting: Protect against brute force attacks
  7. Document Changes: Keep track of why each port is opened

Rate Limiting SSH

bash
# Limit SSH connections to prevent brute force
sudo ufw limit 22/tcp

# Denies a source address that has initiated 6 or more connections in the last 30 seconds

Backup and Restore UFW Rules

bash
# Backup UFW rules
sudo cp /etc/ufw/user.rules /etc/ufw/user.rules.backup
sudo cp /etc/ufw/user6.rules /etc/ufw/user6.rules.backup

# Restore UFW rules
sudo cp /etc/ufw/user.rules.backup /etc/ufw/user.rules
sudo cp /etc/ufw/user6.rules.backup /etc/ufw/user6.rules
sudo ufw reload

Quick Reference

bash
# Enable/Disable UFW
sudo ufw enable
sudo ufw disable

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw default reject routed

# Allow/Deny
sudo ufw allow <port>
sudo ufw deny <port>
sudo ufw reject <port>

# Delete rules
sudo ufw delete allow <port>
sudo ufw status numbered
sudo ufw delete <number>

# Reset all rules
sudo ufw reset

# Status and logging
sudo ufw status
sudo ufw status verbose
sudo ufw status numbered
sudo ufw logging on
sudo ufw logging off
