AdGuard Home Firewall profiles

[szhu25]

I just created some firewall client profiles for ufw and firewalld, thought I probably should share it to the community.
Why do i want to create a "profile" for AdGuard Home? Because in that sense, you'll have your firewall list cleaner (instead of a list of ports, you'll simply see "AdGuard Home xxx")

Warning: The profile does not contain port for AdGuard Home management interface
There are three profiles for each firewall:
AdGuard Home DNS-Only - service ports for regular DNS, DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC and DNSCrypt server
AdGuard Home DHCP-Only - service ports for DHCP
AdGuard Home Full - service ports for all services

Profiles:

FirewallD:

DNS-Only

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>AdGuard Home DNS-Only</short>
  <description>AdGuard Home DNS-Only contains service ports that would allow traffic for regular DNS, DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC and DNSCrypt server. This profile does not allow public access to AdGuard Home management interface or DHCP server. </description>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="53"/>
  <port protocol="tcp" port="443"/>
  <port protocol="udp" port="443"/>
  <port protocol="udp" port="784"/>
  <port protocol="tcp" port="853"/>
  <port protocol="tcp" port="5443"/>
  <port protocol="udp" port="5443"/>
</service>

DHCP-Only

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>AdGuard Home DHCP-Only</short>
  <description>AdGuard Home DHCP-Only contains service ports that would allow traffic for DHCP server only. This profile does not allow public access to AdGuard Home management interface, regular DNS, DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC or DNSCrypt server. </description>
  <port protocol="udp" port="67"/>
  <port protocol="tcp" port="68"/>
  <port protocol="udp" port="68"/>
</service>

Full

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>AdGuard Home Full</short>
  <description>AdGuard Home Full contains service ports that would allow traffic for regular DNS, DHCP, DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC and DNSCrypt server. This profile does not allow public access to AdGuard Home management interface. </description>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="53"/>
  <port protocol="udp" port="67"/>
  <port protocol="tcp" port="68"/>
  <port protocol="udp" port="68"/>
  <port protocol="tcp" port="443"/>
  <port protocol="udp" port="443"/>
  <port protocol="udp" port="784"/>
  <port protocol="tcp" port="853"/>
  <port protocol="tcp" port="5443"/>
  <port protocol="udp" port="5443"/>
</service>

ufw:

[AdGuard Home Full]
title=AdGuard Home Full
description=AdGuard Home Full contains service ports that would allow traffic for regular DNS, DHCP, DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC and DNSCrypt server. This profile does not allow public access to AdGuard Home management interface.
ports=53|67/udp|68|443|784/udp|853/tcp|5443

[AdGuard Home DHCP-Only]
title=AdGuard Home DHCP-Only
description=AdGuard Home DHCP-Only contains service ports that would allow traffic for DHCP server only. This profile does not allow public access to AdGuard Home management interface, regular DNS, DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC or DNSCrypt server. 
ports=67/udp|68

[AdGuard Home DNS-Only]
title=AdGuard Home DNS-Only
description=AdGuard Home DNS-Only contains service ports that would allow traffic for regular DNS, DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC and DNSCrypt server. This profile does not allow public access to AdGuard Home management interface or DHCP server. 
ports=53|443|784/udp|853/tcp|5443

How to use:

FirewallD:

1. Place xml file content from previous section to /etc/firewalld/services as .xml
2. sudo firewall-cmd --new-service-from-file=myservice.xml (replace myservice.xml with whatever filename you put) and other arguments such as --permanent --zone

ufw:

1. Place file content from previous section to /etc/ufw/applications.d/adguard-home.
2. Validate file is correct and available by executing sudo ufw app info 'AdGuard Home Full'.
3. sudo ufw allow 'AdGuard Home Full' or sudo ufw allow 'AdGuard Home DNS-Only' or sudo ufw allow 'AdGuard Home DHCP-Only'

[ainar-g]

Just as a tip, you can see the more-or-less current list of ports and protocols in our Dockerfile (permalink to the current version as of the 9th of July 2021).

[lobisfondati]

[lobisfondati]

Mh on status verbose i can't see the new port (8083) but when i launch "ufw app info 'AdGuard Home Full'" yes, why ?

[szhu25]

Mh on status verbose i can't see the new port (8083) but when i launch "ufw app info 'AdGuard Home Full'" yes, why ?

You need to reload the application profile for AdGuard. UFW do not dynamically pull from the profile, so you'll need to inform UFW that the profile changed.

[lobisfondati]

It is not enough "ufw reload" ?

[szhu25]

Nope

[lobisfondati]

Ok, i reload the application profile and now it works perfectly. Thank you so much for your support ! So helpful.

[AaronIsMyBrother]

I would like to ask you a question. Did you try to start AG with not 'root' user?

[bogachenko]

@szhu25 hi, which program listens to the ports exactly - 784 and 5443?

If believe this manual, then it served, draw your attention to the past tense in the article, for DoQ, but now they have abandoned this port and use 853/udp (and for DoT 853/tcp). Is port 784/udp now needed in your rules if it is no longer used?

Based on this manual, the port is 5443 for DNSCrypt, but the wiki page says that the default port is 443?

[szhu25]

Hi @bogachenko,

Port 784 used to be DoQ, however since DoQ are now sharing the port with DoT, I probably could update it but didn't yet.
For the DNSCrypt question, I do not have an answer why and just used the default port listed on AdGuard Home docker page.

The profiles are what I had as of the discussion created date. If you have better profile or suggestions, feel free to post it here and I can edit my post to direct them to use your version instead.

[bogachenko]

@szhu25

sudo ufw default deny incoming - the basic rule is to deny all incoming
sudo ufw default allow outgoing - the basic rule is to allow all outgoing
sudo ufw allow 3000/tcp - AdGuard Home setup web page
sudo ufw allow 6060/tcp - AdGuard Home debugging profiles (optional)
sudo ufw allow 67/udp - DHCP server v4
sudo ufw allow 68/udp - DHCP client v4
sudo ufw allow 546/udp - DHCP client v6
sudo ufw allow 547/udp- DHCP server v6
sudo ufw allow 853 - DoT is used for TCP port, DoQ is used for UDP port
sudo ufw allow 443 - HTTPS and DNSCrypt
sudo ufw allow 80 - HTTP
sudo ufw allow 53 - DNS
sudo ufw allow 5353 - mDNS (optional)

Here are my settings for ADGH only. I'm not insisting on editing your first post, I just asked.

Regarding DNSCrypt, for some reason I don't understand, ADG is still using the old port 5443 (I just got acquainted with these DNS servers, look at servers named adguard-[*]), it's strange, but it looks like I'll have to add it (although before adding it, is it best to ask an ADG employee?), although I don't know if I'll use DNSCrypt.