From 86344edd01dda6eb622dad9f899c354b885298b7 Mon Sep 17 00:00:00 2001 From: darkexplosiveqwx Date: Tue, 11 Mar 2025 18:08:36 +0100 Subject: [PATCH] Add NTP and HTTPS ports to firewalls Add NTP as a used port, adds NTP and HTTPS to firewalls and adds an abbreviation for NTP. Signed-off-by: darkexplosiveqwx --- docs/abbreviations.md | 1 + docs/main/prerequisites.md | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/abbreviations.md b/docs/abbreviations.md index af4e99c..f124e8f 100644 --- a/docs/abbreviations.md +++ b/docs/abbreviations.md @@ -48,3 +48,4 @@ *[URL]: Uniform Resource Locator, commonly known as "web address" *[REST]: Representational State Transfer - a software architecture for distributed systems like the World Wide Web (WWW) *[XSS]: Cross-site scripting +*[NTP]: Network Time Protocol is used to synchronize the clocks of computers over a network diff --git a/docs/main/prerequisites.md b/docs/main/prerequisites.md index a0f1738..f39f5df 100644 --- a/docs/main/prerequisites.md +++ b/docs/main/prerequisites.md @@ -78,9 +78,11 @@ Pi-hole needs a static IP address to properly function (a DHCP reservation is ju | pihole-FTL | 547 (DHCPv6) | IPv6 UDP | The DHCP server is an optional feature that requires additional ports. | | pihole-FTL | 80 (HTTP)
443 (HTTPS) | TCP | If you have another webserver already listening on port `80`/`443`, then `pihole-FTL` will attempt to bind to `8080`/`8443` instead. If neither of these ports are available, `pihole-FTL`'s webserver will be unavailable until ports are configured manually (see configuration option `webserver.port`) | | pihole-FTL | 4711 | TCP | FTL is our API engine and uses port 4711 on the localhost interface. This port should not be accessible from any other interface.| +| pihole-FTL | 123 (NTP) | UDP | The NTP server is an optional feature that requires an additional port. | !!! info The use of pihole-FTL on ports _67_ or _547_ is optional, but required if you use the DHCP functions of Pi-hole. + The use of port _123_ is required when using pihole-FTL as NTP-Server. ### Firewalls @@ -97,12 +99,14 @@ IPTables (IPv4) ```bash iptables -I INPUT 1 -s 192.168.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT +iptables -I INPUT 1 -s 192.168.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT iptables -I INPUT 1 -s 127.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT iptables -I INPUT 1 -s 127.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT iptables -I INPUT 1 -s 192.168.0.0/16 -p tcp -m tcp --dport 53 -j ACCEPT iptables -I INPUT 1 -s 192.168.0.0/16 -p udp -m udp --dport 53 -j ACCEPT iptables -I INPUT 1 -p udp --dport 67:68 --sport 67:68 -j ACCEPT iptables -I INPUT 1 -p tcp -m tcp --dport 4711 -i lo -j ACCEPT +iptables -I INPUT 1 -p udp --dport 123 -j ACCEPT iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT ``` 
@@ -118,7 +122,7 @@ ip6tables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT Using the `--permanent` argument will ensure the firewall rules persist reboots. If only IPv4 blocking is used for the Pi-hole installation, the `dhcpv6` service can be removed from the commands below. Create a new zone for the local interface (`lo`) for the pihole-FTL ports to ensure the API is only accessible locally. Finally `--reload` to have the new firewall configuration take effect immediately. ```bash -firewall-cmd --permanent --add-service=http --add-service=dns --add-service=dhcp --add-service=dhcpv6 +firewall-cmd --permanent --add-service=http --add-service=https --add-service=dns --add-service=dhcp --add-service=dhcpv6 --add-service=ntp firewall-cmd --permanent --new-zone=ftl firewall-cmd --permanent --zone=ftl --add-interface=lo firewall-cmd --permanent --zone=ftl --add-port=4711/tcp @@ -133,10 +137,12 @@ IPv4: ```bash ufw allow 80/tcp +ufw allow 443/tcp ufw allow 53/tcp ufw allow 53/udp ufw allow 67/tcp ufw allow 67/udp +ufw allow 123/udp ``` IPv6 (include above IPv4 rules):
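Review bot: the new `*[NTP]:` entry in `docs/abbreviations.md` is phrased as a sentence and breaks the pattern of the surrounding entries, which give the expansion first and any explanation after a separator (`*[REST]: Representational State Transfer - a software architecture ...`). Suggest `*[NTP]: Network Time Protocol - used to synchronize the clocks of computers over a network`.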
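Review bot: in the ports-table hunk, the added info line `The use of port _123_ is required when using pihole-FTL as NTP-Server.` should read `NTP server` (no hyphen, lowercase), and it would read more consistently if it followed the wording of the sentence right above it, e.g. `The use of pihole-FTL on port _123_ is optional, but required if you use the NTP server function of Pi-hole.` The new `| pihole-FTL | 123 (NTP) | UDP | ...` row itself matches the DHCP rows and is fine.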
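Review bot: in the IPTables (IPv4) hunk, `iptables -I INPUT 1 -p udp --dport 123 -j ACCEPT` carries no `-s` source match, unlike the new 443 rule and the existing 80/53 rules, which are all limited to `192.168.0.0/16` (the only other unrestricted rules are the DHCP and loopback-only ones). As written, NTP is answered on every interface from any address; unless that is intended, keep the same scope as the neighbouring rules: `iptables -I INPUT 1 -s 192.168.0.0/16 -p udp --dport 123 -j ACCEPT`. Also, no hunk touches the `ip6tables` block that the `@@ -118,7 +122,7 @@ ip6tables ...` header's context shows sits between this section and the firewalld one; if it mirrors the IPv4 rules, it needs the matching 443/tcp and 123/udp additions, since unlike the ufw section this part does not tell the reader to repeat the IPv4 rules.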
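Review bot: the firewalld hunk adds `--add-service=ntp` to the `firewall-cmd --permanent` line, but the paragraph above only says that `dhcpv6` can be removed when IPv6 is unused. Since the ports table marks NTP as optional and `--add-service=ntp` opens 123/udp in the default zone for every source, extend that sentence to say `ntp` (and `https`, if the web interface is not served over TLS) can be dropped when the corresponding feature is not enabled.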
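Review bot: the ufw hunk's `ufw allow 123/udp` accepts NTP from any source, which is consistent with the other `ufw allow` rules in this block, but nothing in the section says the line is only needed when the pihole-FTL NTP server is enabled. Add a short sentence before the code block (or a `#` comment on the line) mirroring the `!!! info` box from the ports table, so readers who do not use the NTP feature know to leave the port closed.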