A Guide to the Uncomplicated Firewall (UFW) for Linux
Firewalls are too import to be convoluted. UFW allows mere mortals to create firewall rules. In this post, I will walk you though all you need to know about using this awesome Linux security tool.Warning: If you are using a remote system be careful. It is very easy to lock yourself out of remote system. If are using SSH and the firewall blocks the SSH port, you are gonna have a bad time.
Install
UFW was made for Ubuntu, but now is available for most distributions. Check your distro’s package management system. For Ubuntu just run:
sudo apt-get install ufwReset
Before we do anything, we should know how to reset the firewall.
sudo ufw resetThis command will return UFW to its defaults. Removing any mistakes we might make.
Defaults
The default settings for UFW is to allow all outgoing connections and block all incoming connections. It should also bedisabled by default.
Status
We can check status of our newly installed firewall.
sudo ufw statusA brand new install will probably return:
Status: inactiveAn enabled system will return something much more interesting. A nice table of rules.
Status: activeTo Action From
-- ------ ----
OpenSSH DENY Anywhere
8080 ALLOW Anywhere
2020 ALLOW Anywhere
22 DENY Anywhere Verbous
We can make the status option show some extra information with:
sudo ufw status verboseThis view is a bit more detailed.
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skipTo Action From
-- ------ ----
22/tcp (OpenSSH) DENY IN Anywhere
8080 ALLOW IN Anywhere
2020 ALLOW IN Anywhere
22 DENY IN Anywhere Numbered
We can also see the rules numbered for convience:
sudo ufw status numberedThis view will be very useful later, when we are deleting rules.
Status: activeTo Action From
-- ------ ----
[ 1] OpenSSH DENY IN Anywhere
[ 2] 8080 ALLOW IN Anywhere
[ 3] 2020 ALLOW IN Anywhere
[ 4] 22 DENY IN AnywhereReload
As we add and remove rules we will need to reload the firewall.
sudo ufw reloadEnable
Enable reloads the firewall and starts it when the machine boots.
sudo ufw enableDisable
Unloads the firewall and it will not start automatically when the machine boots.
sudo ufw disableAllow/Deny
A firewall is really just a set of rules for networking. These are rules about who can connect with a machine and who the machine can connect with. Rules about how ports, protocols, and hardware be used. UFW makes it pretty easy to write these rules. The rules we create with UFW are all about what we allow and what we deny.
Ports
Let us say we want to allow connection is our SSH server. It is listening on a non-standard port of 2020.
sudo ufw allow 2020This allows TCP and UDP connections to port 2020. And if we want to block TCP and UDP connections on port 22.
sudo ufw deny 22Services
You can also create rules by name for some installed services. We can list the available services with:
sudo ufw app listOn my system at home, I get back:
Available applications:
CUPS
OpenSSHIf we want to allow OpenSSH. I run:
sudo ufw allow OpenSSHAnd of course we could also block OpenSSH with:
sudo ufw deny OpenSSHAlthough this would be a very bad idea on a remote machine.
Address
We can allow connections for specific IP addresses too.
sudo ufw allow from 192.168.1.2Or we can block specific IP addresses.
sudo ufw deny from 192.168.1.2Protocols
Earlier I mentioned UDP and TCP. We can create rules for these protocols specifically.
sudo ufw allow 80/tcpThis will only allow TCP connections on port 80. And if we want, we can explicitly block UDP connections also.
sudo ufw deny 80/udpInterface
If you have multiple network interfaces, than you will probably want different rules for them. We want want eth0 to have port 80 open.
sudo ufw allow in on eth0 to any port 80In and Out
We can allow or deny certain connections based on whether or not they are incoming or outgoing. The following will allow incoming connections on port 80.
sudo ufw allow in 80And we could also block outgoing connections on port 3389.
sudo ufw deny out 3389Combinations
We can compose complex rules by combining some elements here. Let us say that I want to only allow a specific IP to access port 22.
sudo ufw allow from 192.168.0.1 to any port 22Limit
We can rate limit connection. This will limit connection attempts to 6 within 30 seconds for the rule.
sudo ufw limit sshReject
Some times we want to explicitly reject a connection. This will let the sender know they are being rejected.
sudo ufw reject 666Delete Rule
Eventually, we will want delete a rule we created. That can be pretty simple.
sudo ufw delete allow 80Or we can delete a rule by number. Remember:
sudo ufw status numberedWe got this nice table with all the rules numbered.
Status: activeTo Action From
-- ------ ----
[ 1] OpenSSH DENY IN Anywhere
[ 2] 8080 ALLOW IN Anywhere
[ 3] 2020 ALLOW IN Anywhere
[ 4] 22 DENY IN AnywhereWe can delete a rule using its number.
sudo ufw delete 8Comment
Commenting your code is always a good idea. After the command add comment and then a string in quotes.
sudo ufw allow 22 comment 'for my SSH'Now when we run:
sudo ufw statusWe get our little comment helper.
Status: activeTo Action From
-- ------ ----
OpenSSH DENY Anywhere
8080 ALLOW Anywhere
2020 ALLOW Anywhere
22 ALLOW Anywhere # for my SSH
80 REJECT AnywhereLogs
We can also instruct our firewall to maintain logs.
sudo ufw logging onConclusion
Firewall rules can get complex pretty fast. I hope this little tutorial can make it a little easier.
Hot topic. Thanks. Almost complete. Some very important aspects I'm missing here. How to define limits/thresholds? How to enable routing? How to enable/setup NAT/IP masquerading ? To me These + firewall topic are chained together.
The Uncomplicated Firewall only takes care of the basics. You can not change the limits/thresholds. Routing, IP masquerading are little beyond the scope of this tool. While you can create custom rules for UFW to achieve this, I do not recommend it. I would recommend just sticking with other tools like, iptables.