This tutorial will be using firewalld to control access.

Install firewalld:

sudo apt install firewalld

Enable firewalld:

sudo systemctl enable firewalld

Reboot:

reboot

After rebooting, verify firewalld is running:

sudo firewall-cmd --state

First you need to identify your external interface and assign it to the correct zone; we will be using the “public” zone for our external interface, and assigning the interface and rules to this zone.

Identify interfaces:

ip addr

Add correct interface to “public” firewall zone (NOTE my interface is “ens3”, substitute your correct interface name):

firewall-cmd --zone=public --change-interface=ens3

Verify zones and interface:

firewall-cmd --get-active-zones

Access via HTTP and HTTPS has been added to the L3 ports listed on Ubiquiti’s site; we will implement port redirection to the non standard ports. If you prefer security via obscurity, and wish to use the non-standard ports, do not add the first (2) rules, and skip the port forwarding section.

Ubiquiti reference: https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used

firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --zone=public --permanent --add-port=3478/udp
firewall-cmd --zone=public --permanent --add-port=6789/tcp
firewall-cmd --zone=public --permanent --add-port=8080/tcp
firewall-cmd --zone=public --permanent --add-port=8443/tcp
firewall-cmd --zone=public --permanent --add-port=8843/tcp
firewall-cmd --zone=public --permanent --add-port=8880/tcp

Enable port forwarding of HTTP to 8080 and HTTPS to 8443:

firewall-cmd --zone=public --permanent --add-forward-port=port=80:proto=tcp:toport=8080
firewall-cmd --zone=public --permanent --add-forward-port=port=443:proto=tcp:toport=8443
firewall-cmd --reload
reboot

Reboot may be required to test and verify. You should now be able to browse to the standard https url!