How to set up your firewall on Ubuntu

This howto assumes you already have ssh access to your server which is otherwise outside of the scope of this discussion.

When you set up your first Vircadia server in Ubuntu there are no firewall rules enacted. Security is up to you. This is necessary to protect your Vircadia server from agents who have ill intentions toward your environment. I will explain to you how to quickly set up your firewall rules in Ubuntu. The ports required by Vircadia are described in the documentation.

Namely you have the following ports:

  • 40100 (+0): (tcp) administrative http connection
  • 40101 (+1): (tcp) administrative https (encrypted) connection
  • 40102 (+2): (udp) main connection from clients
  • 40103 (+3): (udp) main connection from clients (encrypted)

I am adding port 80 (html) and 443 (secure html) so that you will be able to reach out and in through standard internet protocols. Those ports are optional. We will also add port 22 to allow ssh to continue working.

EDIT: I am adding the ephemeral ports 32768-60999 for all the additional servers and mixers. You can read about this in the comments below. Thank you @madders for pointing this out.

The most basic firewall which comes standard on Ubuntu 18.04 is UFW (Uncomplicated Firewall). If you are using a standard Ubuntu installation then it is already installed and running. It however has NO rules enabled. This basically means your server is wide open for attacks of various kinds. Let’s remedy this security hole right now.

SSH into your Vircadia server and type the following:

     sudo ufw status numbered

When you use the ‘numbered’ tag it will list all rules set up by number… if however you have no rules it will look something like this.

First, there are no numbered rules (the first hint it isn’t configured) and second, you can tell it is running and enabled. Let’s set up our rules.

From your ssh prompt type in and enter the following lines, one by one.

     sudo ufw disable
     sudo ufw default deny incoming
     sudo ufw default allow outgoing
     sudo ufw allow 22/tcp
     sudo ufw allow 40100/tcp
     sudo ufw allow 40101/tcp
     sudo ufw allow 40102/udp
     sudo ufw allow 40103/udp
     sudo ufw allow 32768:60999/tcp
     sudo ufw allow 32768:60999/udp
     sudo ufw allow 80/tcp
     sudo ufw allow 443/tcp
     sudo ufw enable

The first command ensures that UFW is disabled while you set up the rules, otherwise you will get locked out before you set up port 22 for ssh access.

The next two lines do the heavy lifting of protecting your system. They basically deny everything except outgoing requests so you will have to tell it what ports are safe by enabling them.

The remaining lines up to the last one will open access to the ports we want open to visitors and ourselves.

The last command enables and activates UFW and ensures your ports are open as desired. You can choose to use different ports but that is outside the scope of this howto… please feel free to ask questions. Run the following command to see your configuration:

     sudo ufw status numbered

Your output should look something like this:

(screenshot: output of sudo ufw status numbered showing the numbered rules)
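As an added example (not code from the original post or from the Vircadia project), here is a small bash script that renders the allow-list above as ufw commands and audits a ‘sudo ufw status numbered’ listing against it, reporting rules that are missing and rules that nobody planned to open. The expected port list is the one from this thread (80 and 443 are left out since the thread concludes they are optional); the status output it checks is a constructed sample, not a real capture, and the script never invokes ufw itself, so it can be reviewed and run anywhere.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: render the UFW allow-list from a
# port table and audit a `ufw status numbered` listing against it. Nothing here
# calls ufw itself, so it is safe to run on a machine without it.

# Expected inbound rules, one "port/proto" per line (ports named in the thread;
# 80/tcp and 443/tcp are left out as the thread concludes they are optional).
EXPECTED_RULES="22/tcp
40100/tcp
40101/tcp
40102/udp
40103/udp
32768:60999/tcp
32768:60999/udp"

# Print the commands to apply, in the order the post uses: disable first so a
# half-applied policy cannot lock out SSH, default-deny, allow-list, enable.
render_ufw_commands() {
    echo "sudo ufw disable"
    echo "sudo ufw default deny incoming"
    echo "sudo ufw default allow outgoing"
    printf '%s\n' "$EXPECTED_RULES" | while IFS= read -r rule; do
        [ -n "$rule" ] && echo "sudo ufw allow $rule"
    done
    echo "sudo ufw enable"
}

# Constructed sample of `sudo ufw status numbered` output (not a real capture).
# It is deliberately wrong in two ways: 40103/udp is missing and 3306/tcp has
# been opened, which is exactly what an audit should surface.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 40100/tcp                  ALLOW IN    Anywhere
[ 3] 40101/tcp                  ALLOW IN    Anywhere
[ 4] 40102/udp                  ALLOW IN    Anywhere
[ 5] 32768:60999/tcp            ALLOW IN    Anywhere
[ 6] 32768:60999/udp            ALLOW IN    Anywhere
[ 7] 3306/tcp                   ALLOW IN    Anywhere
[ 8] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Pull the "port/proto" column out of the IPv4 ALLOW IN lines; the (v6)
# duplicates are dropped so each rule is counted once.
allowed_from_status() {
    printf '%s\n' "$1" |
        awk '/ALLOW IN/ && $0 !~ /\(v6\)/ { sub(/^\[ *[0-9]+\] */, ""); print $1 }'
}

# Compare a listing with EXPECTED_RULES. Prints one line per difference
# and returns 1 if there is any drift, 0 if the firewall matches the plan.
audit_rules() {
    local actual drift=0 want have
    actual=$(allowed_from_status "$1")
    for want in $EXPECTED_RULES; do
        printf '%s\n' "$actual" | grep -qxF "$want" || { echo "MISSING: $want"; drift=1; }
    done
    for have in $actual; do
        printf '%s\n' "$EXPECTED_RULES" | grep -qxF "$have" || { echo "UNEXPECTED: $have"; drift=1; }
    done
    return "$drift"
}

# Stand-alone run: show the plan, then audit the constructed sample.
render_ufw_commands
audit_rules "$SAMPLE_STATUS" || echo "firewall drift detected"
```

On a real server you would feed the audit the live listing, e.g. audit_rules "$(sudo ufw status numbered)", and run it from cron or a config-management check so that a rule added by hand (the 3306/tcp in the sample) or one that went missing after a reinstall shows up instead of silently widening or breaking the policy.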


I will retry these on my Ubuntu 18.04 box. When I tried to open only the 4010x ports it didn’t work correctly.
I am curious on why you suggest to open 80 and 443 port, are they being used by vircadia as well? Or you just suggested them because it is “normal” to have services on those ports, but Vircadia does not use them explicitly?

One thing that took me was that there is NO content in the Ubuntu server. The documentation fails to tell us that. So, it appears that you are just floating around. Try creating a few boxes and leave the server. Then come back; if you have boxes you are good to go. I suggest port 80 and 443 just in case because I am not aware of how the web page widget works. It doesn’t hurt anything…

I can confirm that 80 and 443 are not required.

Additionally you need to ensure the ports for the mixers are opened. You can see the ports in use on the nodes tab of the web admin page.


Other than 80 and 443 the rest are the ports in the documentation… What other ports would be necessary? I can attest that the audio mixer is working but haven’t thoroughly tested anything else. Edit: I do see the ports for the mixers… that is confusing… why do they work when UFW does not allow them… because they are local…

I think you will only need to worry about the mixer/servers if you are running them on a different server.

My server didn’t work correctly for external access until I opened the ephemeral port range as mentioned in the documentation. I opened the entire range so I didn’t have to worry about the mixers potentially switching ports. I believe it’s also possible to set which ports the mixers run on to make it easier to set up firewalls (Tivoli has them fixed by default), but I am not sure how to do that for Vircadia.


Well… I can tell that the audio mixer doesn’t have an open port but audio works for my guests and me… I will have to look into the ephemeral ports to see if we have to manually set them but for now everything works fine. I’ll post that information here when I track it down. Everyone should be aware this is a concern especially if you are running mixers on a different server.

“My server didn’t work correctly for external access until I opened the ephemeral port range as mentioned in the documentation.”

The documentation does not actually list an ephemeral port range but points to Wikipedia which provides examples which are all over the place… Which port range did you actually use?

I think it was actually quite lazy for the writer not to include the actual range in the docs.


I opened 32768-60999 which fixed various connections problems I was having.


Thank you @madders ! I didn’t want to open the wider range suggested in the Wiki. Doing so would create a much wider attack surface. I will add those ports to the instructions.


If the standard http(s) ports are open, is it possible to use a port proxy (e.g. apache, nginx, haproxy etc.) for the main ports 40100:40103 for easier accessibility? For instance, redirecting access to standard and admin interface via subdomain without stating the port with the following nginx configuration:

     server {
         listen      443 ssl http2;
         listen [::]:443 ssl http2;
         server_name admin.myvircadia.edu;

         location / {
             proxy_set_header        Host $host;
             proxy_set_header        X-Real-IP $remote_addr;
             proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_pass              http://127.0.0.1:40101;
             proxy_redirect          http://$host https://$host;
         }
     }

Does anybody use this setting and does it work?

Sounds like you are attempting port forwarding which should be possible with Nginx, Haproxy or Squid… I don’t know about Apache however… You may have to do that in the htaccess file in Apache but I have never done that… my experience is with Squid, which I have accomplished port forwarding with in a couple of situations. I tried with Nginx once but grew impatient with it.

I recommend using Squid… It has been around for decades and there are a lot of examples on the web to figure it out. IMHO