Tricks Of The Trades

Installing and Using UFW (Uncomplicated Firewall)

Pinterest LinkedIn Tumblr

UFW is a popular and convenient firewall configuration tool originating from Ubuntu distributions. It’s a more accessible way of using the iptables program. Which with some of its complexities can be more cumbersome or confusing for newcomers to learn. In reality UFW works as a wrapper for iptables, so is not a firewall in its own right but the iptables firewall in a simpler form. It serves both IPv4 and IPv6 host-based traffic.

In this post are commands containing options/arguments that contain two words and look like this: comment ssh. These extra parts add a comment to the firewall rules generated. If you are using a version of UFW priot to 0.35 you may have to remove these two extra pieces to avoid errors. Please bear this in mind when you come to using these types of commands later on should you receive errors.


1 – Install UFW

Using your systems package manager is a straight forward and easy way of obtaining UFW. Here are two examples for Arch Linux and Debian/Ubuntu.

Arch Linux

On Arch with Pacman it’s simply:

  1. $ sudo pacman -S ufw

Then enable it on boot through systemd using:

  1. $ sudo systemctl enable ufw
  2. $ sudo systemctl start ufw

Check out Arch Wiki – Uncomplicated Firewall

Debian / Ubuntu

UFW comes as part of most Ubuntu based distributions so you might already have it on your system, but to download the package on either Debian or Ubuntu use:

  1. $ sudo apt-get install ufw

To check the status of the program and confirm installation.

  1. $ sudo ufw status verbose

The output returned if installed successfully should be:

Output

  1. Status: inactive

2 – Enable Default Rules

As with several other firewall solutions, the standard practice is to block every possible incoming connection and allow any possible outgoing connections. Then open/block individual services and ports where necessary afterwards.

So deny all incoming connections.

  1. $ sudo ufw default deny incoming

And allow all outgoing connections.

  1. $ sudo ufw default allow outgoing

Remember that the firewall itself is still not active yet. All we have done so far is add these two overall base rules.


3 – Adding Rules

There are two primary styles available for adding rules – standard rule inputs and alias style inputs.

Here’s how to enable SSH connections to the server, using one of the built-in alias style inputs UFW provides.

  1. $ sudo ufw allow ssh comment ssh

This opens the default SSH TCP port – port number 22. Without this port open, SSH connections to your server would be blocked. Potentially making it inaccessible remotely.

Here’s the same rule again that opens the default SSH port, but using the standard rule input syntax.

  1. $ sudo ufw allow 22/tcp comment ssh

Anyone who does not use the default port number 22 for SSH and has altered it manually on their server, must use this standard rule syntax, and change the number in the command 22 to their chosen custom SSH port number.

Usually there is no need to restart UFW for newly added/removed rules to take effect. The effect of an action is applied immediately.

Further Methods

Specific IP addresses may be utilised in rules too. The next example (as suggested by the syntax) allows all traffic incoming access from the provided address.

  1. $ sudo ufw allow from 192.168.255.255

Port ranges are opened using a colon : and the number ranges you wish to use. The port type is given as /tcp or /udp appearing in the same manner as before.

  1. $ sudo ufw allow 3452:3478/tcp
  2. $ sudo ufw allow 3452:3478/udp

Although the default rules we applied in step two automatically block every network connection, you can still block individual items with the firewall if you wish. Such as with a different blanket rule setup.

The deny command is what blocks specific port numbers, IP addresses, or port ranges when passed.

This would block the default SSH port if in some scenarios it was required.

  1. $ sudo ufw deny ssh comment ssh

To deny FTP traffic using the standard rule input syntax you can use:

  1. $ sudo ufw deny 21/tcp comment ssh

Blocking a target IP address(s) is the same as allowing but again uses the deny option instead.

  1. $ sudo ufw deny from 192.168.254.254

Lastly blocking entire ranges with deny is just as possible:

  1. $ sudo ufw deny 3278:3282/tcp
  2. $ sudo ufw deny 3278:3282/udp

Blocking/denying entire subnets is also possible by using the IP address and mask (CIDR notation).

  1. $ sudo ufw deny 15.15.15.0/26

Lastly here, blocking via the host machines network interface/hardware is possible e.g. eth0 or whatever it is registered as. No examples for this will be shown here however. Simply note that it is possible.


4 – Commonly Applied Rules

Continuing on with the primary styles available for adding rules, the standard rule inputs and alias style inputs. Here are some common rules you might want to add to the firewall either now, or at some point in the future.

These two allow traffic on port 80 – the standard web server port.

  1. $ sudo ufw allow http comment http
  2. $ sudo ufw allow 80/tcp comment http

Note: Remember only one of the commands is required from these code blocks. Either the alias version (first line) or the standard input version (second line).

The same goes for the port assigned to encrypted traffic on web servers, port 443.

  1. $ sudo ufw allow https comment https
  2. $ sudo ufw allow 443/tcp comment https

Always use sftp instead of ftp when transferring files on the command line. The choice of commands to allow traffic on the default sftp port is:

  1. $ sudo ufw allow sftp comment sftp
  2. $ sudo ufw allow 115/tcp comment sftp

When working with LDAP (Lightweight Directory Access Protocol) the alias command is best suited as it saves you having to open up both the TCP and UDP ports with two commands, so open up port 389 on both using:

  1. $ sudo ufw allow ldap comment ldap

For SMTP traffic there’s:

  1. $ sudo ufw allow smtp comment smtp
  2. $ sudo ufw allow 25 comment smtp

And for IMAP you’d enter:

  1. $ sudo ufw allow imap comment imap
  2. $ sudo ufw allow 143 comment imap

Since UFW reads from the /etc/services file you can add any of the service names listed in there.

  1. $ sudo less /etc/services

Note: Ping or ICMP reply should be enabled already by UFW. Meaning the server can be pinged even when the firewall is active.

Check this Digital Ocean article for even more specific rules to add to your servers UFW config.


5 – Enabling and Disabling UFW

Once the rules are all added and ready for use, the final step is to activate the firewall.

This is easily done by issuing the command:

  1. $ sudo ufw enable

After entering the sudo password and confirming any prompts, you receive the message:

  1. Firewall is active and enabled on system startup

From here onward the rules are applied and working as entered.

To see the entire rules and status of the firewall now it’s running enter the command from the start again.

  1. $ sudo ufw status verbose

Should you ever need to reload the firewall, use the reload option. Although this will probably be a rare occasion as remember rules are applied instantly upon entering.

  1. $ sudo ufw reload

More commonly the entire firewall can be disabled with one command.

  1. $ sudo ufw disable

Your rules and configuration is not list when the firewall is disabled, only inactive until you enable them again. To delete and remove rules see the next section.


6 – Deleting Rules

Removing rules using the syntax you’re now likely familiar with. All you need to do is use the delete option as part of your command structure.

For example:

  1. $ sudo ufw delete allow ssh
  2. $ sudo ufw delete allow 22/tcp

Note: Once again remember only one of the commands is required from the above code block. Either the alias version (first line) or the standard input version (second line).

A smart way to remove rules uses the numbered output command.

  1. $ sudo ufw status numbered

Here’s some example output:

Output

  1. Status: active

     

  2. To Action From
  3. — —— —-
  4. [ 1] 22 ALLOW IN Anywhere
  5. [ 2] 21/tcp ALLOW IN Anywhere
  6. [ 3] 80 ALLOW IN Anywhere
  7. [ 4] 443 ALLOW IN Anywhere
  8. [ 5] 22 (v6) ALLOW IN Anywhere (v6)
  9. [ 6] 21/tcp (v6) ALLOW IN Anywhere (v6)
  10. [ 7] 80 (v6) ALLOW IN Anywhere (v6)
  11. [ 8] 443 (v6) ALLOW IN Anywhere (v6)

The number featured in the resultant output (on the left column) can be referenced to delete rules.

As in this next example, which deletes rule 4 from the firewall.

Output

  1. $ sudo ufw delete 4

Be aware that if you have IPv6 enabled – which is the case on many distributions now by default after installation – there is always an equivalent rule added for IPv6; whenever you add a rule. So you need to delete that corresponding rule also when using this method.

In my example it would have been rule 8 which you can see in the output(s).

Output

  1. [ 8] 443 (v6) ALLOW IN Anywhere (v6)

If for some reason you want to redo the entire rule-set of the firewall. You can reset the whole of your current configuration with one command.

  1. $ sudo ufw reset

Be careful using this of course.


7 – Enabling and Disabling Logging

If you want to use logging for the firewall you must enable it to do so.

To enable logging use:

  1. $ sudo ufw logging on

The location of the log file may differ but in general, here’s the place to start looking.

  1. $ sudo ls /var/log/ufw

For information on how to interpret log entries in UFW, read through this section here.

To disable logging if needed you can use:

  1. $ sudo ufw logging off

8 – Miscellaneous

Rule comments were introduced as of February 2016 but you will require at least version 0.35 of UFW to be able to use them.

To use IPv6 with UFW you need to ensure you have it enabled in the configuration file:

  1. $ sudo vim /etc/default/ufw

Change the the value of IPV6 to equal yes in this file if it is set to “no”.

/etc/default/ufw excerpt

  1. IPV6=yes

Save and leave the file.

Reloading the firewall here might be a wise step if you already had it running before doing this (the command for reloading is given in an earlier step). After this the IPv6 rules alongside the regular IPv4 rules should be active and added to the firewall.

Lastly here’s several aliases you might want to incorporate into your .bashrc or .alias file to make things slightly quicker.

~/.alias

  1. # ufw
  2. alias ufw=’sudo ufw’
  3. alias ufwstatver=’sudo ufw status verbose’
  4. alias ufwstatnum=’sudo ufw status numbered’

This post in its entirety covers most of the information required when it comes to getting to know UFW. Some of the external links also provide a vast amount of information should it be needed.

Write A Comment