UFW (Uncomplicated Firewall) is a popular and convenient firewall configuration tool that originated in Ubuntu. It is a more accessible way of using the
iptables program, whose complexities can make it cumbersome or confusing for newcomers to learn. In reality UFW works as a wrapper around iptables, so it is not a firewall in its own right but the iptables firewall in a simpler form. It handles both IPv4 and IPv6 host-based traffic.
In this post some commands contain two-word options/arguments that look like this: comment ssh. These extra words add a comment to the firewall rule that is generated. If you are using a version of UFW prior to 0.35 you may have to remove these two extra words to avoid errors. Bear this in mind should you receive errors when you come to use these commands later on.
1 – Install UFW
Using your system's package manager is a straightforward and easy way of obtaining UFW. Here are two examples, for Arch Linux and for Debian/Ubuntu.
On Arch with Pacman it’s simply:
Then enable it on boot through systemd using:
Check out Arch Wiki – Uncomplicated Firewall
Debian / Ubuntu
UFW comes as part of most Ubuntu-based distributions, so you might already have it on your system; to install the package on either Debian or Ubuntu use:
To check the status of the program and confirm the installation:
The output returned if installed successfully should be:
2 – Enable Default Rules
As with several other firewall solutions, the standard practice is to block every possible incoming connection and allow every possible outgoing connection, then open or block individual services and ports where necessary afterwards.
So first deny all incoming connections:
And allow all outgoing connections:
Remember that the firewall itself is still not active. All we have done so far is set these two overall base policies.
3 – Adding Rules
There are two primary styles available for adding rules: standard rule inputs and alias-style inputs.
Here's how to enable SSH connections to the server, using one of the built-in alias-style inputs UFW provides.
This opens the default SSH TCP port, port number 22. Without this port open, SSH connections to your server would be blocked, potentially making it inaccessible remotely.
Here’s the same rule again that opens the default SSH port, but using the standard rule input syntax.
Anyone who does not use the default port number 22 for SSH and has changed it manually on their server must use this standard rule syntax, replacing 22 in the command with their chosen custom SSH port number.
Usually there is no need to restart UFW for newly added or removed rules to take effect; each action is applied immediately.
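The following is an added example, not code from the original post: a small POSIX shell script that applies the two base policies and the SSH rule in a lock-out-safe order (the SSH rule goes in before the enable command from step 5, so a remote session is never cut off) and that checks the UFW version before using the comment option mentioned at the top of the post. UFW_BIN and the version argument are this example's own assumptions; run it with UFW_BIN=echo to print the commands instead of applying them.

```shell
# Added example, not from the original post. UFW_BIN is an assumed knob: set it
# to "echo" for a dry run that prints the commands instead of applying them.
UFW_BIN="${UFW_BIN:-sudo ufw}"

# ufw_supports_comment VER: returns 0 when VER (as printed by 'ufw version',
# e.g. "0.34" or "0.36.1") is at least 0.35, the first release that accepts
# the two-word 'comment <text>' suffix on rules.
ufw_supports_comment() {
    [ -n "$1" ] || return 1
    major="${1%%.*}"
    rest="${1#*.}"; minor="${rest%%.*}"
    [ "$major" -gt 0 ] || [ "$minor" -ge 35 ]
}

# allow_rule PORT PROTO LABEL VER: allow PORT/PROTO in standard rule syntax,
# adding the comment only when VER supports it, so older UFW gets no error.
allow_rule() {
    if ufw_supports_comment "$4"; then
        $UFW_BIN allow "$1/$2" comment "$3"
    else
        $UFW_BIN allow "$1/$2"
    fi
}

# apply_baseline SSH_PORT VER: the post's base policy (deny incoming, allow
# outgoing), then the SSH rule, and only then 'enable' (step 5), so a remote
# session is never cut off by a firewall that has no SSH rule yet.
apply_baseline() {
    ssh_port="${1:-22}"
    $UFW_BIN default deny incoming
    $UFW_BIN default allow outgoing
    allow_rule "$ssh_port" tcp ssh "$2"
    $UFW_BIN enable
}
```

For a custom SSH port call apply_baseline with that port as the first argument, e.g. apply_baseline 2222 0.36.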
Specific IP addresses may be used in rules too. The next example (as the syntax suggests) allows all incoming traffic from the given address.
Port ranges are opened using a colon (:) between the first and last port numbers of the range you wish to use. The protocol is given as a suffix such as /udp, appearing in the same manner as before.
Although the default policies we applied in step two already block every incoming connection, you can still block individual items explicitly with the firewall if you wish, for example under a different blanket rule setup.
The deny command blocks the specific port numbers, IP addresses, or port ranges passed to it.
This would block the default SSH port, should that be required in some scenario.
To deny FTP traffic using the standard rule input syntax you can use:
Blocking a target IP address (or addresses) is the same as allowing one, but again uses the deny option instead.
Blocking entire port ranges with deny is just as possible:
Blocking/denying entire subnets is also possible, using the IP address and mask (CIDR notation).
Lastly, blocking via the host machine's network interface is possible, e.g. eth0 or whatever it is registered as. No examples of this are shown here; simply note that it is possible.
4 – Commonly Applied Rules
Continuing with the two primary styles available for adding rules, standard rule inputs and alias-style inputs, here are some common rules you might want to add to the firewall, either now or at some point in the future.
These two allow traffic on port 80, the standard web server port.
Note: only one of the commands is required from each of these code blocks, either the alias version (first line) or the standard input version (second line).
The same goes for the port assigned to encrypted traffic on web servers, port
sftp instead of ftp when transferring files on the command line. The choice of commands to allow traffic on the default sftp port is:
When working with LDAP (Lightweight Directory Access Protocol) the alias command is best suited, as it saves you having to open both the TCP and UDP ports with two commands; so open port 389 on both using:
For SMTP traffic there’s:
And for IMAP you’d enter:
Since UFW reads from the /etc/services file, you can use any of the service names listed there.
Note: ping (ICMP echo reply) should already be enabled by UFW, meaning the server can be pinged even when the firewall is active.
Check this DigitalOcean article for even more specific rules to add to your server's UFW config.
5 – Enabling and Disabling UFW
Once the rules are all added and ready for use, the final step is to activate the firewall.
This is easily done by issuing the command:
After entering the sudo password and confirming any prompts, you receive the message:
From here onward the rules are applied and working as entered.
To see the full rule set and status of the firewall now that it's running, enter the status command from the start again.
Should you ever need to reload the firewall, use the reload option, although this will rarely be necessary since rules are applied instantly upon entering.
More commonly, the entire firewall can be disabled with one command.
Your rules and configuration are not lost when the firewall is disabled, only inactive until you enable it again. To delete and remove rules see the next section.
6 – Deleting Rules
Rules are removed using the syntax you're now likely familiar with; all you need to do is add the delete option to your command.
Note: Once again remember only one of the commands is required from the above code block. Either the alias version (first line) or the standard input version (second line).
A smart way to remove rules uses the numbered status output command.
Here’s some example output:
The number in the left column of the resulting output can be referenced to delete rules.
As in this next example, which deletes rule 4 from the firewall.
Be aware that if you have IPv6 enabled, which is now the case by default on many distributions after installation, an equivalent IPv6 rule is always added whenever you add a rule, so you need to delete that corresponding rule as well when using this method.
In my example it would have been rule 8, which you can see in the output(s).
If for some reason you want to redo the entire rule set of the firewall, you can reset the whole of your current configuration with one command.
Be careful using this, of course.
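As an added example (not from the original post), here is a shell helper that reads the numbered status output, finds the IPv6 twin of a given rule and prints the two delete commands in an order that is safe against ufw renumbering the remaining rules after each delete. SAMPLE_STATUS is constructed output in the layout that ufw status numbered prints, and the function names are this example's own.

```shell
# Added example, not from the original post: find the IPv6 twin of a numbered
# rule and print the delete commands in an order that survives renumbering.
# SAMPLE_STATUS is a constructed 'sudo ufw status numbered' output, not real.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   ALLOW IN    203.0.113.5
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 21/tcp                     DENY IN     Anywhere
[ 5] 443/tcp                    ALLOW IN    Anywhere
[ 6] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 21/tcp (v6)                DENY IN     Anywhere (v6)
[ 9] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# v6_counterpart NUM: reads status output on stdin and prints the number of the
# IPv6 rule whose text equals rule NUM once the "(v6)" markers are stripped.
# Exits 1 if NUM is itself a v6 rule or has no twin (rules tied to a specific
# IPv4 address, like rule 1 above, never get one).
v6_counterpart() {
    awk -v n="$1" '
        /^\[ *[0-9]+\]/ {
            br = index($0, "]")
            num = substr($0, 2, br - 2); gsub(/ /, "", num)
            rest = substr($0, br + 1); gsub(/[ \t]+/, " ", rest); sub(/^ /, "", rest)
            if (rest ~ /\(v6\)/) { gsub(/ \(v6\)/, "", rest); v6[rest] = num } else v4[num] = rest
        }
        END { if ((n in v4) && (v4[n] in v6)) { print v6[v4[n]]; exit 0 }; exit 1 }'
}

# delete_pair_cmds NUM STATUS_TEXT: prints the delete commands for NUM and its
# twin, highest number first, because ufw renumbers the remaining rules after
# every delete (deleting 4 first would turn rule 8 into rule 7).
delete_pair_cmds() {
    twin=$(printf '%s\n' "$2" | v6_counterpart "$1") || twin=""
    if [ -z "$twin" ]; then
        printf 'sudo ufw delete %s\n' "$1"
    elif [ "$twin" -gt "$1" ]; then
        printf 'sudo ufw delete %s\nsudo ufw delete %s\n' "$twin" "$1"
    else
        printf 'sudo ufw delete %s\nsudo ufw delete %s\n' "$1" "$twin"
    fi
}
```

On a live system replace SAMPLE_STATUS with "$(sudo ufw status numbered)" and review the printed commands before running them.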
7 – Enabling and Disabling Logging
If you want to use logging for the firewall you must first enable it.
To enable logging use:
The location of the log file may differ, but in general here's the place to start looking:
For information on how to interpret log entries in UFW, read through this section here.
To disable logging if needed you can use:
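Since the section on interpreting log entries is not reproduced here, this added example (not from the original post) shows how to summarise UFW's [UFW BLOCK] entries, which are the kernel's netfilter LOG lines carrying a UFW prefix and SRC=, PROTO= and DPT= fields. SAMPLE_LOG is constructed and the function names are this example's own.

```shell
# Added example, not from the original post: reading the '[UFW BLOCK]' entries
# UFW writes (netfilter LOG lines with a UFW prefix). SAMPLE_LOG is constructed.
SAMPLE_LOG='Mar  3 10:15:02 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:04 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:09 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=64 TOS=0x00 PREC=0x00 TTL=61 ID=3 DF PROTO=UDP SPT=5353 DPT=5353 LEN=44
Mar  3 10:15:10 host kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.20 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:11 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1'

# blocked_summary: reads log text on stdin and prints "SRC PROTO DPT COUNT" for
# every [UFW BLOCK] entry, most frequent first. [UFW ALLOW] lines (which appear
# when the log level is raised) are ignored; DPT is "-" for port-less protocols.
blocked_summary() {
    awk '/\[UFW BLOCK\]/ {
            src = proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }' | sort -k4,4nr -k1,1 -k3,3n
}

# top_blocked_source: the source address with the most blocked packets overall,
# a quick way to spot one host probing several ports (rows 1-3 above).
top_blocked_source() {
    blocked_summary | awk '{ total[$1] += $4 }
        END { for (s in total) if (best == "" || total[s] > total[best]) best = s; print best }'
}
```

On a live system feed the real log in, e.g. grep "UFW BLOCK" /var/log/ufw.log | blocked_summary, and watch for one address appearing against many different ports.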
8 – Miscellaneous
Rule comments were introduced in February 2016, but you require at least version 0.35 of UFW to be able to use them.
To use IPv6 with UFW you need to ensure it is enabled in the configuration file:
Change the value of IPV6 to yes in this file if it is set to "no".
Save and leave the file.
Reloading the firewall here might be a wise step if you already had it running before doing this (the command for reloading is given in an earlier step). After this the IPv6 rules should be active and added to the firewall alongside the regular IPv4 rules.
Lastly, here are several aliases you might want to incorporate into your .alias file to make things slightly quicker.
This post covers most of the information required when it comes to getting to know UFW. Some of the external links also provide a vast amount of information should it be needed.