Securing IPFS with UFW Firewall on Debian 10

  Firewall, IPFS

First lets install UFW

$ sudo apt-get install ufw

Check the Status

$ sudo ufw status verbose

By default, UFW is disabled so you should see something like this:

$ Status: inactive

Let’s set your UFW rules back to the defaults so we can be sure that you’ll be able to follow along with this tutorial. To set the defaults used by UFW, use these commands:

$ sudo ufw default deny incoming

Output:
Default incoming policy changed to ‘deny’
(be sure to update your rules accordingly)

$ sudo ufw default allow outgoing

Output:
Default outgoing policy changed to ‘allow’
(be sure to update your rules accordingly)

Allow SSH Connections

To configure your server to allow incoming SSH connections, you can use this UFW command:

$ sudo ufw allow ssh

Output:
Rules updated
Rules updated (v6)
this command works the same as the one above:

$ sudo ufw allow 22

Or if ssh is on a different port

$ sudo ufw allow 2222

Now that your firewall is configured to allow incoming SSH connections, we can enable it

$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Now lets add the port access for IPFS
4001 – default libp2p swarm port – should be open to public for all nodes if possible
5001 – API port – provides write/admin access to the node – should be locked down or only to your IP.
8080 – Gateway

$ sudo ufw allow 4001
$ sudo ufw allow 5001
$ sudo ufw allow 8080/tcp

Reload

$ sudo ufw reload

Remove a Port

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 4001                       ALLOW IN    Anywhere
[ 3] 5001                       ALLOW IN    Anywhere
[ 4] 8080/tcp                   ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 4001 (v6)                  ALLOW IN    Anywhere (v6)
[ 7] 5001 (v6)                  ALLOW IN    Anywhere (v6)
[ 8] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)

$ sudo ufw delete 2

Delete all firewall rules

$ sudo ufw reset

To Allow connections for the Webui on a specific IP:

$ sudo ufw allow from 1.2.3.4 to any port 5001
sudo ufw reload