Ufw firewall in practice => configure it for Skype

Wisermans · 30 September 2022 08:53

To illustrate how easy it can be to configure ufw firewall, here is a simple script for Skype and the links to the needed documentation.

… and a simple script illustrating it.

#! /bin/zsh

# created: 22-0928
# modified: 22-0928

echo ufw firewall configuration
echo --------------------------
echo .
echo see: https://wiki.manjaro.org/index.php/Firewalls
echo see: https://manpages.ubuntu.com/manpages/jammy/en/man8/ufw.8.html
echo .
echo to check if ufw is intalled
echo sudo ufw status
echo .
echo to innstall ufw on a Manjaro system
echo pamac install ufw
echo .
echo once ufw is intalled, restart and enable it
echo sudo ufw enable
echo sudo systemctl enable ufw.service
echo .
read -s -k $'?Press any key to continue or Ctl-C to stop.\n'
echo .

#--------------------------------------
# usual parameters
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow http comment "http"
sudo ufw allow https comment "https"

# to activate the ability to connect from outside
## sudo ufw allow ssh

#--------------------------------------
echo Set parameters for Skype
# see https://support.skype.com/en/faq/FA148/which-ports-need-to-be-open-to-use-skype-on-desktop
# to work (PS: comment out 443/tcp line if using Phoenix Firestorm / see my other post)
sudo ufw allow 443/tcp comment "Skype"
sudo ufw allow 3478:3481/udp comment "Skype"
sudo ufw allow 50000:60000/udp comment "Skype"
# for best quality
sudo ufw allow 1000:10000/tcp comment "Skype"
sudo ufw allow 50000:65000/tcp comment "Skype"
sudo ufw allow 16000:26000/tcp comment "Skype"

#--------------------------------------
# echo disable ufw logging
# sudo ufw logging off

echo enable ufw logging
sudo ufw logging on

# -------------------------------------
# display status
echo .
sudo ufw status verbose numbered

PS: Another solution would be to update the applications configurations files from within ufw firewall, but it seems to be so poor in terms of configurations initially provided that i’ll stick to scripting.

mithrial · 30 September 2022 10:54

Skype has incoming connections on port 443?

And isn’t it using UDP?

And why do you actually need a firewall if you’re manually opening tens of thousands ports anyway?

Wisermans · 30 September 2022 11:31

It was just an example apart from the point that Skype is a big “sxxx” as for opened ports, knowing too that in some secured world there are much better practices like changing ports to avoid using the predefined ones + using DMZ etc.

moson · 30 September 2022 11:44

Normally this should not be needed. It uses hole-punching to have incoming packages pass the firewall / NAT.

And I guess even if that fails it’ll fallback to use an intermediate server to forward traffic between clients.

Wisermans · 30 September 2022 11:58

Totally agree but i tried not to be too technical in my previous post Knowing too that as far as i know a simple isolated Manjaro desktop system doesn’t have hole-punching managed as usually you have it through routers and solutions like the ones implemented by certificall.net where you can also manage tokens to harden security.

mithrial · 30 September 2022 14:29

It’s Skype that does “hole-punching” not Manjaro.

Wisermans · 30 September 2022 14:58

@mithrial OK i replaced "“implemented” by “managed” not to make books about “hole punching” or what solutions like Juniper + Certifical etc. implement to secure connections. Subject too long to fit in a post and anyway not for a desktop system working alone connected to internet and far from just a simple ufw firewall demo script.

As for Skype, the “cleaner” solution is to use the web version.