vertices
Enthusiast
Posts: 96
Liked: 13 times
Joined: Oct 05, 2010 3:27 pm
Full Name: Rob Miller

Hardened Ubuntu Repo: ufw firewall

Post by vertices »

The first one of these I set up, I didn't have the Ubuntu firewall enabled when I added it to Veeam. I enabled it later, and added only the following rules:


Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     [omitted]
[ 2] Anywhere                   DENY IN     [omitted]
[ 3] 22/tcp                     ALLOW IN    Anywhere
[ 4] 6162                       ALLOW IN    Anywhere
[ 5] 2501                       ALLOW IN    Anywhere
[ 6] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 6162 (v6)                  ALLOW IN    Anywhere (v6)
[ 8] 2501 (v6)                  ALLOW IN    Anywhere (v6)

It works great with only those ports open. Good speed, all the jobs are running great.

So then I made my second repo, and I had my act together a little better this time and properly did everything according to my notes. This time I had the firewall enabled beforehand and Veeam is adding all kinds of stuff to it, which, I had read in a guide, is how it's supposed to be.


Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 6162/tcp                   ALLOW IN    Anywhere                   # Veeam transport rule
[ 3] 6162/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam transport rule
[ 4] 2501/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[ 5] 2501/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[ 6] 2507/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[ 7] 2507/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[ 8] 2524/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[ 9] 2524/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[10] 2500/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[11] 2500/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[12] 2509/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[13] 2509/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[14] 2502/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[15] 2502/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[16] 2505/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[17] 2505/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[18] 2510/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[19] 2510/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[20] 2511/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[21] 2511/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[22] 2515/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[23] 2515/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[24] 2522/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[25] 2522/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[26] 2512/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[27] 2512/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[28] 2525/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[29] 2525/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[30] 2526/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[31] 2526/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[32] 2504/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[33] 2504/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[34] 2503/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[35] 2503/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[36] 2534/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[37] 2534/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[38] 2535/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[39] 2535/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[40] 2538/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[41] 2538/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[42] 2540/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[43] 2540/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[44] 2520/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[45] 2520/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[46] 2541/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[47] 2541/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[48] 2539/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[49] 2539/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[50] 2542/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[51] 2542/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[52] 2543/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[53] 2543/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[54] 2519/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[55] 2519/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[56] 2514/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[57] 2514/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[58] 2521/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[59] 2521/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[60] 2537/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[61] 2537/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[62] 2506/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[63] 2506/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[64] 2513/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[65] 2513/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[66] 2516/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[67] 2516/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[68] 2518/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[69] 2518/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[70] 2536/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[71] 2536/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[72] 2544/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[73] 2544/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[74] 2545/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[75] 2545/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[76] 2529/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[77] 2529/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[78] 2546/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[79] 2546/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[80] 2549/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[81] 2549/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[82] 2533/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[83] 2533/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[84] 2551/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[85] 2551/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[86] 2523/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[87] 2523/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[88] 2552/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[89] 2552/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[90] 2508/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[91] 2508/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[92] 2531/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[93] 2531/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[94] 2532/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[95] 2532/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[96] 2528/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[97] 2528/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[98] 2550/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[99] 2550/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[100] 2554/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[101] 2554/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[102] 2553/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[103] 2553/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[104] 2555/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[105] 2555/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[106] 2517/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[107] 2517/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[108] 2527/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[109] 2527/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[110] 2548/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[111] 2548/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[112] 2530/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[113] 2530/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[114] 2558/tcp                   ALLOW IN    Anywhere                   # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[115] 2558/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule bb7b0283-124f-421b-8db3-87c098ab3171
[116] 22/tcp (v6)                ALLOW IN    Anywhere (v6)             

I had read in a guide not to really worry about the firewall as Veeam handled it, but it seems Veeam doesn't turn it on, and only handles it if it was turned on when adding to Veeam.

To my question, is it possible to easily rectify this so the first one has the same firewall rules from Veeam? Does it even matter? Are the ones I have in the first example good enough and I don't even need to worry about it? Thanks!
HannesK
Product Manager
Posts: 14836
Liked: 3084 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: Hardened Ubuntu Repo: ufw firewall

Post by HannesK »

Hello,
as you said, everything works as designed.

I would take the last of your options: don't worry. Just let the software do it :-) The 2500-3300 ports are for data transmission. You will see different rules during job runs and "idle times".

Best regards,
Hannes

Re: Hardened Ubuntu Repo: ufw firewall

Post by vertices »

I'd love to! But Veeam isn't actually doing anything to the first one. Those are two different servers. The first one Veeam didn't add any rules. The second one, it did. Veeam isn't touching the rules on the first one.

Re: Hardened Ubuntu Repo: ufw firewall

Post by vertices »

To be very clear, the first set of rules above is from repo1. The second is from repo2. Even while jobs are running, repo1 looks like that, and it shouldn't. It never changes. Repo2 has all kinds of rules from Veeam, as it should. Something is wrong with repo1 as I didn't have the firewall enabled when I first added it. I am seeking advice on what to do to remedy this.

Re: Hardened Ubuntu Repo: ufw firewall

Post by HannesK »

Is it working, or not? If it's not working, I recommend checking with support.

I only checked the iptables rules because UFW is just a frontend for iptables.
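
An added example, not part of any post in this thread: a small parser for `ufw status numbered` output that separates rules Veeam added (those with a "Veeam" comment) from hand-added ones and flags inbound ALLOW rules worth a second look. The expected ports (22, 6162, 2500-3300) come from the thread; the sample input is constructed, and its 8080 line and `<id>` placeholder are invented for illustration.

```python
import re

# Ports named in the thread: 22 (SSH), 6162 (Veeam transport) and the
# 2500-3300 range the reply gives for data transmission.
EXPECTED_SINGLE = {22, 6162}
DATA_RANGE = range(2500, 3301)

RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>\S+)(?:\s+\(v6\))?\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)"
    r"\s+(?P<dir>IN|OUT)\s+.*?\s*(?:#\s*(?P<comment>.*))?$")

def parse_rules(status_text):
    """Turn `ufw status numbered` output into a list of rule dicts."""
    rules = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        port, _, proto = m["to"].partition("/")
        rules.append({"num": int(m["num"]), "action": m["action"], "dir": m["dir"],
                      "port": int(port) if port.isdigit() else None,
                      "proto": proto or None, "comment": m["comment"] or ""})
    return rules

def audit_inbound(rules):
    """Return (rule number, finding) pairs for inbound ALLOW rules."""
    findings = []
    for r in rules:
        if (r["action"], r["dir"]) != ("ALLOW", "IN"):
            continue
        if r["port"] is None:
            findings.append((r["num"], "target is not a single port, check by hand"))
            continue
        if r["proto"] is None:  # a ufw rule without /tcp or /udp covers both
            findings.append((r["num"], f"port {r['port']}: TCP and UDP both open"))
        if r["port"] not in EXPECTED_SINGLE and r["port"] not in DATA_RANGE:
            findings.append((r["num"], f"port {r['port']}: not named in the thread"))
    return findings

def veeam_managed_ports(rules):
    """Ports whose rule carries a Veeam comment, i.e. rules Veeam added."""
    return sorted({r["port"] for r in rules if r["comment"].startswith("Veeam")})

# Constructed sample in the format shown in the posts above.
SAMPLE = """\
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 6162                       ALLOW IN    Anywhere
[ 3] 6162/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam transport rule
[ 4] 2507/tcp                   ALLOW IN    Anywhere                   # Veeam rule <id>
[ 5] 8080/tcp                   ALLOW IN    Anywhere
[ 6] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

if __name__ == "__main__":
    print(audit_inbound(parse_rules(SAMPLE)))
```

Run against the first listing in this thread, the protocol check would flag the hand-added `6162` and `2501` rules, which unlike Veeam's own `/tcp` rules also admit UDP.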