From linux-av-manager
Set up UFW (Uncomplicated Firewall) on a Linux desktop with conservative, desktop-appropriate defaults — deny incoming, allow outgoing, allow established/related, allow common LAN-only services if present (mDNS, KDE Connect, syncthing) only after asking. Does NOT impose aggressive rules that break common desktop workflows. Triggers on "set up ufw", "configure firewall", "first-time ufw".
npx claudepluginhub danielrosehill/claude-code-plugins --plugin linux-av-manager
First-time UFW configuration tuned for a desktop, not a server. The principle: a sensible default that doesn't surprise the user by killing their printer / file sharing / smart-home discovery on day one. Add narrow allows only for services the user actually runs.
command -v ufw — install with sudo apt install ufw if missing.
sudo ufw status verbose — if already active and has non-default rules, this is not a first-time setup. Surface that and route the user to ufw-maintain instead.
ss -tulnp 2>/dev/null — sockets currently listening. Only services that are actually listening are offered an allow rule.
Ask how wide the LAN allows should be: private ranges only (from 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12) or wider? Default LAN-only.
Build the rule set in this order, then activate:
sudo ufw --force reset # clean slate; destructive (drops every existing rule and disables ufw), so only after the user explicitly confirms
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw logging low # low = blocked packets (rate-limited) plus rules that carry 'log'; 'medium'/'high' is too noisy for desktops
For each opt-in service the user accepted, add a LAN-scoped allow, repeated once per LAN CIDR the user chose (the examples below use 192.168.0.0/16; a host on 10.0.0.0/8 gets nothing unless the rule is added for that range too):
# Examples — only add the ones the user picked
sudo ufw allow from 192.168.0.0/16 to any port 5353 proto udp comment 'mDNS LAN'
sudo ufw allow from 192.168.0.0/16 to any port 1714:1764 proto udp comment 'KDE Connect LAN'
sudo ufw allow from 192.168.0.0/16 to any port 1714:1764 proto tcp comment 'KDE Connect LAN'
sudo ufw allow from 192.168.0.0/16 to any port 22000 proto tcp comment 'Syncthing LAN'
sudo ufw allow from 192.168.0.0/16 to any port 22000 proto udp comment 'Syncthing LAN'
sudo ufw allow from 192.168.0.0/16 to any port 21027 proto udp comment 'Syncthing discovery LAN'
sudo ufw allow from 192.168.0.0/16 to any port 631 proto tcp comment 'CUPS LAN'
Always tag rules with comment '<purpose> <scope>' so future audits make sense.
Then enable:
sudo ufw --force enable
sudo ufw status verbose
Write the resulting ruleset to:
${CLAUDE_USER_DATA:-${XDG_DATA_HOME:-$HOME/.local/share}/claude-plugins}/linux-av-manager/ufw/baseline-<ISO-timestamp>.rules
Source: sudo ufw status numbered > <path>. This baseline is the reference ufw-maintain diffs against later.
Also write to config.json:
"ufw": {
"enabled": true,
"baseline_path": "<path>",
"lan_cidrs": ["192.168.0.0/16", "10.0.0.0/8"],
"configured_at": "<ISO-8601>"
}
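The whole procedure above (first-time check, LAN-scoped allows per chosen CIDR, the config.json fragment) as one POSIX shell helper. This is an added example, not code shipped with linux-av-manager: the function names, the service keys (mdns, kdeconnect, syncthing, cups) and the RFC 1918 guard are assumptions; the port table and the ufw commands are the ones listed on this page. It only prints commands, so the output can be reviewed before anything touches the firewall.

```shell
#!/bin/sh
# Added example (not linux-av-manager code): build the desktop UFW baseline as a
# reviewable command list instead of typing rules one by one.
# Service names and the port table follow the page; function names and the
# private-range guard are assumptions made for this example.
set -eu

# Is this a first-time setup?  Takes the text of `ufw status verbose`.
# Returns 0 when ufw is inactive or active with only default policies,
# 1 when user rules already exist (route to ufw-maintain instead).
ufw_is_first_time() {
  status="$1"
  printf '%s\n' "$status" | grep -q '^Status: active' || return 0
  # Rule lines carry an uppercase action; the "Default:" policy line is lowercase.
  if printf '%s\n' "$status" | grep -Eq '(ALLOW|DENY|REJECT|LIMIT)'; then
    return 1
  fi
  return 0
}

# Refuse to scope "LAN" allows to anything outside RFC 1918 space; the page's
# default is LAN-only, so a wider range must be a deliberate decision.
is_private_cidr() {
  case "$1" in
    10.*/*|192.168.*/*) return 0 ;;
    172.1[6-9].*/*|172.2[0-9].*/*|172.3[01].*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Port table: one "port proto label" line per rule, mirroring the page's list.
service_rules() {
  case "$1" in
    mdns)       printf '%s\n' "5353 udp mDNS" ;;
    kdeconnect) printf '%s\n' "1714:1764 udp KDE Connect" "1714:1764 tcp KDE Connect" ;;
    syncthing)  printf '%s\n' "22000 tcp Syncthing" "22000 udp Syncthing" \
                              "21027 udp Syncthing discovery" ;;
    cups)       printf '%s\n' "631 tcp CUPS" ;;
    *) echo "unknown service: $1" >&2; return 1 ;;
  esac
}

# build_ruleset "<space-separated CIDRs>" service...  -> ufw commands on stdout.
# Each allow is repeated per CIDR so a second range (10.0.0.0/8) is not
# silently left out.  Nothing is executed here.
build_ruleset() {
  cidrs="$1"; shift
  for c in $cidrs; do
    is_private_cidr "$c" || { echo "non-private CIDR $c rejected" >&2; return 1; }
  done
  for svc in "$@"; do service_rules "$svc" >/dev/null || return 1; done
  echo "sudo ufw default deny incoming"
  echo "sudo ufw default allow outgoing"
  echo "sudo ufw logging low"
  for svc in "$@"; do
    service_rules "$svc" | while read -r port proto label; do
      for c in $cidrs; do
        echo "sudo ufw allow from $c to any port $port proto $proto comment '$label LAN'"
      done
    done
  done
  echo "sudo ufw --force enable"
  echo "sudo ufw status verbose"
}

# Render the "ufw" object for config.json from the same inputs.
# Args: baseline path, ISO-8601 timestamp, CIDRs...
render_ufw_config() {
  path="$1"; ts="$2"; shift 2
  list=""
  for c in "$@"; do list="${list:+$list, }\"$c\""; done
  printf '"ufw": {\n  "enabled": true,\n  "baseline_path": "%s",\n  "lan_cidrs": [%s],\n  "configured_at": "%s"\n}\n' \
    "$path" "$list" "$ts"
}

# Dry run from the command line; review the output, then pipe it to sh to apply:
#   sh ufw-desktop-baseline.sh "192.168.0.0/16 10.0.0.0/8" mdns kdeconnect
if [ $# -ge 2 ]; then
  build_ruleset "$@"
fi
```

Feed the real status text to the first check (`ufw_is_first_time "$(sudo ufw status verbose)"`) before generating anything; if it returns 1 the host already has rules and belongs to ufw-maintain, not to this skill. The generated list deliberately omits `ufw --force reset`, so the destructive step stays a separate, explicitly confirmed command.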
Don't ufw allow ssh unless the host actually has sshd running. Most desktops don't.
Keep IPv6 filtering on (IPV6=yes in /etc/default/ufw); rules apply to both stacks.
Don't use rate limiting (ufw limit) on a desktop; it's a server pattern.
If Docker is installed, warn that it publishes container ports through its own iptables chains and bypasses UFW rules; mention the ufw-docker workaround, but don't auto-apply it.