Uncomplicated Firewall or UFW

In this article I am giving the basic knowledge anybody would need to set up a packet filtering system with the Uncomplicated Firewall or UFW. Even though there are other open source firewalls, here are the two main reasons UFW is so important in Ubuntu and Debian.

First, UFW is the default firewall in Ubuntu and Debian. It is installed, but not set up and enabled. You only need to work on it a little further to get it going.

Also, UFW is a front-end for iptables. iptables provides an interface for managing netfilter, the Linux kernel's built-in packet filtering system. This makes UFW extremely suitable for host-based firewalls.

As you will see, ufw lives up to its name – uncomplicated firewall. This is exactly what it is. Even newbie admins can use it without spending too much time learning it.

Uncomplicated Firewall or UFW is available by default in all Ubuntu installations after 8.04 LTS. The author has used the documentation and the manuals on Ubuntu's wiki website.

Let's Get Started

Before we start setting up the Uncomplicated Firewall, let us check whether it is installed. It is supposed to be installed by default in Ubuntu. If not, you can install it by typing:

$ sudo apt-get install ufw

Check the Status

You can check the status of the Uncomplicated Firewall by typing:

$ sudo ufw status verbose

On first installation the answer will be ‘Status: inactive’. At least we know it is there. Enable it using the command ‘enable’. It starts the firewall and makes it start again when the machine boots.

$ sudo ufw enable

Enabling IPv6 in UFW

If your server is configured to work with IPv6, you will need to enable IPv6 in the Uncomplicated Firewall as well. Open the main configuration file of UFW, /etc/default/ufw, in your favorite editor, nano or vi.

$ sudo nano /etc/default/ufw

Make sure the file contains the line IPV6=yes. Save, quit the editor and restart the firewall with the command ‘reload’. After editing the configuration file, or adding and removing rules, we will need to reload the firewall.

$ sudo ufw reload

Setting Up the Default Policies

If you take a second look at the main configuration file of the Uncomplicated Firewall, /etc/default/ufw, you will see the lines:

DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"

As you can see, the default policies are to drop incoming and forwarded (routed) traffic and to accept outgoing traffic. The following two commands will help you further strengthen this default configuration. After running them we are also denying outgoing connections by default. This means we will have to allow both the incoming and the outgoing ports we need.

$ sudo ufw default deny incoming
$ sudo ufw default deny outgoing

Allow/Deny SSH Connections & Ports

If you are setting up a new VPS server, the chances are you are going to need SSH to access it. The first thing to consider when setting up the firewall is to allow the secure shell port 22, if it is not already allowed. We don’t want to get locked out of our server, right?

$ sudo ufw allow ssh

The command above is equivalent to the following command:

$ sudo ufw allow 22/tcp

A good rule of thumb when modifying the SSH rules on our server is to always keep an open connection in a separate terminal. Once the rules are ready, reconnect from the first terminal to make sure you can still log in to your server. After that you can close the second terminal with the backup connection.

Additionally, don’t forget to reload the UFW.

Other Important Ports to Setup

Your mileage may vary depending on the services you have installed on the server, but let’s assume we have a web server and an FTP server installed. We will need to allow ports 80 and 443 for the web server (Apache in our example).

$ sudo ufw allow 80/tcp 
$ sudo ufw allow 443/tcp

Alternatively, we can set rules by name for some installed services. We can list the available application profiles with the command:

$ sudo ufw app list
Available applications:
  Apache
  Apache Full
  Apache Secure
  CUPS
  OpenSSH

We can allow, deny or delete any named rule. The following command will allow TCP on ports 80 and 443.

$ sudo ufw allow 'Apache Full'
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       192.168.1.1/24                  
Apache Full                ALLOW       Anywhere                               
443                        ALLOW       Anywhere                                  
21/tcp                     ALLOW       192.168.1.1/24                  
20/tcp                     ALLOW       192.168.1.1/24                       
Apache Full (v6)           ALLOW       Anywhere (v6)                        
443 (v6)                   ALLOW       Anywhere (v6)                       
21/tcp (v6)                ALLOW       192.168.1.1/24             
20/tcp (v6)                ALLOW       192.168.1.1/24            
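The default policies set above and the status table just shown are what a practitioner checks after a change. The following audit script is an added example, not part of the original article: it parses `ufw status verbose` output and reports every rule open to "Anywhere" (the whole internet), confirms both default policies are "deny", and counts SSH rules that are not restricted to a source network. SAMPLE_STATUS is a constructed status table modelled on the one above, embedded so the script runs without root or a live ufw.

```shell
#!/bin/sh
# Added example (not from the article): audit `ufw status verbose` output.
# SAMPLE_STATUS is constructed for this example; in real use pipe the
# output of `sudo ufw status verbose` into the functions below instead.

SAMPLE_STATUS='Status: active
Default: deny (incoming), deny (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22                         ALLOW IN    192.168.1.1/24
Apache Full                ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
21/tcp                     ALLOW IN    192.168.1.1/24
Apache Full (v6)           ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)'

# Read status text on stdin; print the "To" column of each ALLOW rule whose
# source is Anywhere, folding the "(v6)" twin of a rule into one entry.
world_open_rules() {
  awk '
    /^--/ { in_rules = 1; next }
    in_rules && /ALLOW/ && /Anywhere/ {
      line = $0
      sub(/ +ALLOW.*$/, "", line)      # drop the Action and From columns
      sub(/ \(v6\)$/, "", line)        # "443 (v6)" -> "443"
      if (!(line in seen)) { seen[line] = 1; print line }
    }'
}

# Exit 0 only if the Default: line says deny for both incoming and outgoing.
defaults_are_deny() {
  awk '
    /^Default:/ { ok = (/deny \(incoming\)/ && /deny \(outgoing\)/) }
    END { exit ok ? 0 : 1 }'
}

# Count SSH rules (port 22 or the "ssh" service name) that accept traffic
# from Anywhere; the article restricts SSH to 192.168.1.1/24, so this is 0.
ssh_open_to_world() {
  awk '
    /^--/ { in_rules = 1; next }
    in_rules && /Anywhere/ &&
      ($1 == "22" || $1 == "ssh" || $1 ~ "^(22|ssh)/") { n++ }
    END { print n + 0 }'
}
```

Run it against a live system with `sudo ufw status verbose | world_open_rules`; the functions accept both the plain `ALLOW` and the verbose `ALLOW IN` action column.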

Configuring by Port Ranges

In order to make our work easier, we can also specify port ranges with UFW. When allowing or denying port ranges with UFW, we must specify the protocol, either tcp or udp. In our example we want to allow TCP ports 2000 to 2500:

$ sudo ufw allow 2000:2500/tcp

Similarly, if we want to allow only UDP ports 2000 to 2500, the command will be:

$ sudo ufw allow 2000:2500/udp

Deleting Rules

We can delete any rule by preceding it with delete. For example, the command below will delete the rule allow 2000:2500/udp:

$ sudo ufw delete allow 2000:2500/udp

In conclusion, I can write that ufw is easy to learn, configure and use.
