Uncomplicated Firewall or UFW
In this article I am giving the basic knowledge anybody would need to setup a packet filtering system with the Uncomplicated Firewall or UFW. Even though there are other open source firewalls, here are the two main reasons UFW is so important in Ubuntu and Debian.
First, UFW is the default firewall in Ubuntu and Debian. It is installed, but not set-up and enabled. You only need to work on it little further to get it going.
Also, UFW is the front-end of iptables. Iptables provide an interface for managing netfilter, Linux kernel built-in packets filtering system. This makes UFW extremely suitable for host-based firewalls.
As you will see ufw lives up to its name – uncomplicated firewall. This is exactly what it is. Even newbie admins can use it without spending too much time to learn it.
Uncomplicated firewall or UFW is available by default in all Ubuntu installations after 8.04 LTS. The author has used the documentation and the manuals at the Ubuntu’s Wiki website
Lets Get Started
Before starting setting up the Uncomplicated Firewall, let us check, if it is installed. It is supposed to be installed by default in Ubuntu. If not, you can do this by typing:
$ sudo apt-get install ufw
Check the Status
Also you can check the status of the uncomplicated firewall by typing:
$ sudo ufw status verbose
On first installation the answer will be ‘Status: Inactive’. Al least we know it is there. Enable it using the command ‘enable’. It reloads the firewall and starts it when the machine boots.
$ sudo ufw enable
Enabling IPv6 at UFW
If your server is configured to work with Ipv6, you will need to enable the Uncomplicated Firewall to allow IPv6 as well. Open the main configuration file of UFW /etc/default/ufw in your favorite editor, nano or vi.
$ sudo nano /etc/default/ufw
Make sure to include the line: IPV6=yes. Save, quit the editor and restart the firewall with the command ‘reload’. After adding and removing rules we will need to reload the firewall.
$ sudo ufw reload
Setting Up the Default Policies
If you take a second look at the main configuration file of the Uncomplicated Firewall /etc/default/ufw. you will see the lines:
DEFAULT_INPUT_POLICY="DROP" DEFAULT_OUTPUT_POLICY="ACCEPT" DEFAULT_FORWARD_POLICY="DROP"
As you can see the default policies are to drop input, routing and allow output The following two commands will help you to further strengthen this default configuration. Now we are denying the outgoing connections by default. This means we will have to allow both the incoming and outgoing ports we need.
$ sudo ufw default deny incoming $ sudo ufw default deny outgoing
Allow/ Deny SSH Connections & Ports
If you a setting a new VPS server, the chances are you are going to need a SSH to access the server. First thing to consider when setting the firewall is to enable the secure shell port 22, if it is not already enabled. We don’t want to get locked out of your server. right!
$ sudo ufw allow ssh
This command above is equivalent of the following command:
$ sudo ufw allow 22/tcp
A good rule of thumb is when modifying the ssh on our server, to always keep a open connection of a separate terminal. Once ready, restart the connection on the first terminal to make sure you can login to your server. After that you can close the second terminal with the backup connection.
Additionally, don’t forget to reload the UFW.
Other Important Ports to Setup
Your mileage may vary depending on the services you have installed on the server, but let’s assume we have an web and ftp servers installed. We will need to enable ports 80 and 443 for the web (Apache in our example) server.
$ sudo ufw allow 80/tcp $ sudo ufw allow 443/tcp
Alternatively we can set rules by name for some installed services. We can list the available services with the command:
$ sudo ufw app list
Available applications: Apache Apache Full Apache Secure CUPS OpenSSH
We can allow, deny or delete any named rule. The following command will allow TCP on ports 80 and 443.
$ sudo ufw allow 'Apache Full'
$ sudo ufw status Status: active To Action From -- ------ ---- 22 ALLOW 192.168.1.1/24 Apache Full ALLOW Anywhere 443 ALLOW Anywhere 21/tcp ALLOW 192.168.1.1/24 20/tcp ALLOW 192.168.1.1/24 Apache Full (v6) ALLOW Anywhere (v6) 443 (v6) ALLOW Anywhere (v6) 21/tcp (v6) ALLOW 192.168.1.1/24 20/tcp (v6) ALLOW 192.168.1.1/24
Configuring by Port Ranges
In order to make our work easier, we can also specify port ranges with UFW. When allowing or denying port ranges with UFW, we must specify the protocol, either
udp, In our example we want to allow TCP port ranges 2000 to 2500:
$ sudo ufw allow 2000:2500/tcp
Similarly, if we want to allow only UDP ports 2000 to 2500, the command will be:
$ sudo ufw allow 2000:2500/udp
We can delete any rule by preceding it with delete. For example the command below will delete allow 2000:2500/udp
$ sudo ufw delete allow 2000:2500/udp
In conclusion, I can write that ufw is easy to learn, configure and use.