I realized that I should probably set up a firewall on t/suki’s machines.
Running nmap forum.tsuki.games from a remote machine, I can see:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-22 13:13 PDT
Nmap scan report for forum.tsuki.games (104.245.36.36)
Host is up (0.012s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
646/tcp filtered ldp
3000/tcp open ppp
Nmap done: 1 IP address (1 host up) scanned in 14.98 seconds
Looks like I have some ports open that I don't want to have open. (Note that nmap labels port 3000 as ppp only because that is the name in its services table; without -sV it doesn't probe what is actually listening there.) SSH'ing into the container, I know that I need to set up a firewall with ufw, but I've never used it before. Running ufw status shows:
Status: inactive
Well, okay. I guess the first step is to enable it, right? So, I run ufw enable:
Command may disrupt existing ssh connections. Proceed with operation (y|n)? n
Aborted
Whoops. Looks like I probably need to configure the firewall first, since I don't want my SSH connection to be terminated. But how do I see what rules are currently added? The status just says that the firewall is inactive. After a brief internet search, I find out in a StackOverflow thread that the command to run is sudo ufw show added: [^1]
Added user rules (see 'ufw status' for running firewall):
(None)
That makes sense, because I've never used ufw on this machine before. I add the ports I want to have open, and then enable the firewall:
ufw allow ssh
ufw allow http # So nginx can redirect http requests to https
ufw allow https
ufw enable
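The same procedure as a script, added here as an example and not code from the original post: it applies the rules above non-interactively and then checks a remote nmap scan against an allowlist, so the "did it work" step is a command rather than eyeballing the output. The nmap output in demo_scan is constructed from the first scan above; ufw's limit and comment keywords are used where the post used plain allow.

```sh
#!/bin/sh
# Added example, not code from the original post: apply the post's ufw rules
# non-interactively, then verify from a remote machine that nothing else answers.
set -eu

# Ports that should be reachable from the internet (from the post).
ALLOWED_PORTS="22 80 443"

# Server side. Allowing SSH before `ufw enable` is what prevents locking
# yourself out; `--force` skips the interactive "may disrupt ssh" prompt.
# `limit` instead of the post's `allow` rate-limits new SSH connections
# (ufw denies an address that opens 6 or more in 30 seconds).
lock_down() {
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw limit 22/tcp comment 'ssh, rate-limited'
    sudo ufw allow 80/tcp comment 'http, nginx redirects to https'
    sudo ufw allow 443/tcp comment 'https'
    sudo ufw --force enable
    sudo ufw status verbose
}

# Remote side. Reads nmap's greppable output on stdin and prints every port
# reported open that is not in the allowlist; exit status 1 if there were any.
# Real use:  nmap -oG - forum.tsuki.games | check_open_ports "$ALLOWED_PORTS"
check_open_ports() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Host:.*Ports:/ {
            sub(/.*Ports: /, "")                 # keep only the port list
            n = split($0, entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")        # port/state/proto/.../service
                if (f[2] == "open" && !(f[1] in ok)) { print f[1]; bad = 1 }
            }
        }
        END { if (bad) exit 1 }
    '
}

# Constructed sample modelled on the first scan in the post (nmap -oG output
# is tab-separated); used here so the check can be exercised offline.
demo_scan() {
    printf '# Nmap 7.95 scan initiated (constructed sample)\n'
    printf 'Host: 104.245.36.36 (forum.tsuki.games)\tStatus: Up\n'
    printf 'Host: 104.245.36.36 (forum.tsuki.games)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 646/filtered/tcp//ldp///, 3000/open/tcp//ppp///\tIgnored State: closed (995)\n'
}

# lock_down   # uncomment on the server itself
if demo_scan | check_open_ports "$ALLOWED_PORTS"; then
    echo "only the allowed ports are open"
else
    echo "ports listed above are open but not in the allowlist"
fi
```

Two caveats worth keeping in mind. ufw only filters packets; whatever answered on port 3000 is still listening, so if it is only meant to be reached through nginx, bind it to 127.0.0.1 as well, and the port stays closed even if the firewall is later disabled or misconfigured. And once ufw is enabled, a scan reports the blocked ports as filtered (no response) rather than closed (connection refused), which is itself a tell that a packet filter is in front of the host.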
Running nmap again, I see:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-22 13:21 PDT
Nmap scan report for forum.tsuki.games (104.245.36.36)
Host is up (0.014s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 5.15 seconds
Now only the ports I want to have open are exposed! I went ahead and did the same for git.tsuki.games.