anthonyrawlins 97be5c8a54 Initial commit - Security operations and hardening tools
- Added Ansible playbooks for security hardening (UFW, Fail2Ban)
- Implemented SSH key management and host synchronization tools
- Created UFW hardening scripts and network security configurations
- Added Cockpit-Traefik reverse proxy setup documentation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-27 09:35:58 +10:00


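#!/bin/bash
# harden-ufw.sh - rebuild the host firewall from scratch with UFW.
#
# Policy: deny all inbound by default, allow all outbound; expose only
# SSH/HTTP/HTTPS to the world and keep every other service restricted to
# the trusted LAN subnet (or to individually named cluster peers).
#
# Usage:  ./harden-ufw.sh            (needs sudo rights for ufw/sed)
# Env:    LAN - CIDR of the trusted LAN, default 192.168.1.0/24
#
# NOTE: `ufw --force reset` drops every existing rule and leaves the
# firewall DISABLED until `ufw enable` runs at the very end. If the script
# aborts in between, the host is running with no firewall; the ERR trap
# below makes that state visible on stderr.
set -Eeuo pipefail

# Trusted LAN subnet; override with e.g. LAN=10.0.0.0/24 ./harden-ufw.sh
readonly LAN="${LAN:-192.168.1.0/24}"

trap 'printf "harden-ufw: aborted at line %s - firewall may be DISABLED, run: sudo ufw enable\n" "$LINENO" >&2' ERR

#######################################
# Allow one port from the trusted LAN only.
# Globals:   LAN (read)
# Arguments: $1 - port number, $2 - protocol (tcp|udp), $3 - rule comment
#######################################
lan_allow() {
  local port=$1 proto=$2 note=$3
  sudo ufw allow from "$LAN" to any port "$port" proto "$proto" comment "$note"
}

#######################################
# Allow ALL ports and protocols from a single cluster peer address
# (no port/proto is given to ufw, so the rule is not service-scoped).
# Arguments: $1 - peer IP, $2 - rule comment
#######################################
peer_allow() {
  local ip=$1 note=$2
  sudo ufw allow from "$ip" comment "$note"
}

main() {
  # Reset firewall to a clean state (this also disables it until the final enable)
  sudo ufw --force reset
  # Set default policies
  sudo ufw default deny incoming
  sudo ufw default allow outgoing
  # Enable IPv6 (if used) so the public rules below also get v6 counterparts
  sudo sed -i 's/IPV6=no/IPV6=yes/' /etc/default/ufw

  # Publicly reachable services
  sudo ufw allow 22/tcp comment "SSH access"
  sudo ufw allow 80/tcp comment "HTTP web traffic"
  sudo ufw allow 443/tcp comment "HTTPS web traffic"

  # LAN-only application ports
  lan_allow 8080 tcp "Web UI (possibly internal service)"
  lan_allow 8188 tcp "LAN-only service (e.g. streaming or local API)"
  # Cockpit is listed once here (the original script added the 9090 rule twice)
  lan_allow 9090 tcp "Cockpit system management"
  lan_allow 11434 tcp "Ollama / custom local AI inference port"
  lan_allow 2377 tcp "Docker Swarm manager traffic (TCP)"
  lan_allow 4789 udp "Docker Swarm overlay networking (UDP)"
  lan_allow 7946 udp "Docker Swarm node discovery (UDP)"
  lan_allow 7946 tcp "Docker Swarm cluster communication (TCP)"
  lan_allow 24800 tcp "Barrier / Synergy keyboard/mouse sharing"
  lan_allow 3000 tcp "Web dashboard or Grafana-style service"

  # Samba (SMB) - LAN only
  lan_allow 445 tcp "SMB file sharing"
  lan_allow 139 tcp "NetBIOS Session (SMB)"
  lan_allow 137 udp "NetBIOS Name Service"
  lan_allow 138 udp "NetBIOS Datagram Service"

  # Cluster peer access (custom IPs) - every port, every protocol
  peer_allow 192.168.1.72 "ACACIA cluster peer"
  peer_allow 192.168.1.113 "IRONWOOD cluster peer"
  peer_allow 192.168.1.132 "ROSEWOOD cluster peer"
  peer_allow 192.168.1.27 "WALNUT cluster peer"

  # VNC (LAN only)
  lan_allow 5900 tcp "VNC screen sharing"
  lan_allow 5901 tcp "VNC second session"

  # mDNS (LAN only, optional)
  lan_allow 5353 udp "mDNS / Avahi for local service discovery"

  # Enable UFW (rules above are already loaded, so the SSH session survives)
  sudo ufw enable
  # Status check
  sudo ufw status verbose
}

main "$@"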