Part 2: Installing Raspbian and a firewall

January 2, 2020 - Reading time: 55 minutes

We will divide our tasks into several blog posts over the coming weeks.  However, it is important to visualise what we are trying to accomplish.  The diagram below illustrates how our Raspberry Pi cluster and Cloudflare work together to provide visitors with the best possible browsing experience.

Layers interact with each other, forming a complete stack of necessary services.  The Raspberry Pi has all the components needed to host and serve content.  Cloudflare sits in the middle between our Pi and our visitors, replacing traditional network hardware such as routers, firewalls and load balancers.  Our hardware is hidden behind Cloudflare, while our content is now accelerated, secured, and fault tolerant.

The first step in our journey is to install Raspbian as the OS on your Raspberry Pi.  There are several ways to go about this.  The easiest is to download the OS image (called NOOBS) and copy it to a blank, FAT-formatted SD card.  You can then insert the SD card into your Pi and power it on for the first time.  An installation wizard takes over, configuring the base OS, regional settings, and network/Wi-Fi connectivity.

There is an excellent step-by-step guide on installing Raspbian available here:

https://www.raspberrypi.org/documentation/installation/noobs.md 

Allow Remote Access:

Once configured, make sure to enable VNC and SSH.  This allows you to access your Pi remotely both via the command line and via remote desktop.  You can do this via the GUI by navigating to… Alternatively, you can start a terminal session and type sudo raspi-config.  Then navigate to “Interfacing Options” and enable VNC and SSH.

A detailed guide on raspi-config can be found here:

https://www.raspberrypi.org/documentation/configuration/raspi-config.md

Furthermore, here are some basic Linux commands which will help you get around using the CLI:

Copy files:  sudo cp source_file /target/path

Rename or move files: sudo mv /source/filename.ext /target/filename.ext

Remove or delete files: sudo rm filename

List files and folders: ls

Change directory: cd /directory_name/sub_directory

Move up and down directories: cd (with no path, return to your home directory) and cd .. (go up one level)

Create Directory: sudo mkdir /path

Remove or delete folders: rm -r foldername (the -r removes the folder together with all its files and sub-folders)

Open editor and create a text file: sudo nano /path/filename.txt

Start a service: sudo systemctl start servicename

Stop a service: sudo systemctl stop servicename

Enable a service on startup: sudo systemctl enable servicename

Check status of a service: sudo systemctl status servicename

Check IP address: Terminal -> hostname -I

Note: You need to prefix a command with sudo each time you want to perform an operation as the root user.  This includes copying and deleting files/folders, starting services, etc.

Installing UFW:

Now let’s secure our Pi with a firewall.  This involves installing software which will block all external attempts to communicate with your Pi unless explicitly allowed.  Your Pi communicates via ports, which can be thought of as channels.  Different channels are used for different applications.  For example, web browser traffic typically uses ports 80 (HTTP) and 443 (HTTPS).  Therefore, a firewall can be used on a web server to block all ports except 80 and 443.  This reduces the exposed surface area of your Pi, protecting it from malicious traffic on unused ports.

We can install a simple port-blocking firewall on your Pi, while allowing Cloudflare to use more sophisticated technology to provide more robust protection.  The software we will use is called ufw (a.k.a. Uncomplicated Firewall).

First, start a new terminal session.  Then install the ufw package:

sudo apt install ufw

Once done, let’s block all incoming connections regardless of port, and allow all outgoing connections.  This allows our Pi to reach out to the Internet as needed, while blocking all attempts to communicate with it.

sudo ufw default deny incoming

sudo ufw default allow outgoing

Our Pi will be hosting our website content.  This means it needs to listen for connections on ports 80 and 443.  Furthermore, we need to reach our Pi remotely via VNC (port 5900) and SSH (port 22).  Let’s allow incoming connections to these ports as follows:

sudo ufw allow 22

sudo ufw allow 5900

sudo ufw allow 80

sudo ufw allow 443

Finally, let’s enable our firewall; ufw will also start automatically whenever our Pi is powered on.  Because port 22 was allowed in the previous step, enabling the firewall from an SSH session will not lock you out.

sudo ufw enable

We can also manually start/stop our firewall, and check its status via the following commands:

sudo systemctl start ufw

sudo systemctl stop ufw

systemctl status ufw (note that you don’t need sudo here because checking the status doesn’t change any configuration)
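The ufw steps above collected into one script, as an added example that is not part of the original post: apply_policy applies the same default-deny policy in a repeatable way (tighter than the post in one respect: VNC is only allowed from your own LAN, whose subnet is a placeholder you must change), and unexpected_ports audits the output of sudo ufw status against the list of ports you meant to open.  sample_status is constructed sample output used to exercise the audit.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes Raspbian with ufw
# installed and sudo available. LAN_SUBNET is a placeholder: set it to your LAN.
LAN_SUBNET="192.168.1.0/24"
EXPECTED_PORTS="22 80 443 5900"   # the ports the post opens

# Apply the post's policy idempotently (ufw ignores rules that already exist).
apply_policy() {
  sudo ufw default deny incoming
  sudo ufw default allow outgoing
  sudo ufw allow 22/tcp
  sudo ufw allow 80/tcp
  sudo ufw allow 443/tcp
  # Stricter than the post: VNC reachable only from the LAN, not the Internet.
  sudo ufw allow from "$LAN_SUBNET" to any port 5900 proto tcp
  sudo ufw --force enable        # --force skips the interactive confirmation
}

# Read "ufw status" text on stdin and print each allowed incoming port once.
allowed_ports() {
  awk '/ ALLOW / && !/ ALLOW OUT/ {print $1}' | sed 's#/.*##' \
    | grep -E '^[0-9]+$' | sort -un
}

# Print allowed ports not in the expected list ($1); return 1 if any were found.
unexpected_ports() {
  expected="$1"; found=0
  for p in $(allowed_ports); do
    case " $expected " in
      *" $p "*) ;;
      *) echo "$p"; found=1 ;;
    esac
  done
  return $found
}

# Constructed sample of "sudo ufw status" output with one extra rule (8080)
# that the post never opened, so the audit has something to flag.
sample_status() {
  cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
5900/tcp                   ALLOW       192.168.1.0/24
8080/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

case "${1:-}" in
  apply) apply_policy ;;
  audit) sudo ufw status | unexpected_ports "$EXPECTED_PORTS" && echo "only expected ports are open" ;;
esac
```

Run it as sh firewall.sh apply to apply the policy, and sh firewall.sh audit afterwards to confirm nothing beyond the intended ports is exposed.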

Recap:

You have now installed Raspbian on your Pi, configured Wi-Fi, and enabled remote connectivity.  You’ve also learnt a few basic Linux commands to help you do things from the CLI.  Finally, you’ve secured your Pi by blocking all external connections except those used for web traffic and remote access.
