Get Rewarded! We will reward you with up to €50 credit on your account for every tutorial that you write and we publish!
ProductsContributeDocsCareer

Simple Firewall Management with UFW

profile picture
Author
Marcel Deglau
Published
2021-07-09
Time to read
7 minutes reading time
Table of Contents

Introduction

UFW stands for "Uncomplicated Firewall" and provides an additional application wrapper for iptables, for end users to manage a netfilter firewall.

UFW is available on all Ubuntu installations since version 8.04 LTS. It can also be installed on any other Linux distribution.

Prerequisites

  • Any server you have at least root-access for with a Linux based distribution (recommended operating system: Ubuntu or Debian)
  • If you are not working with the servers root-user you may add the sudo command in front of all following console commands

Step 1 - Installing UFW

Ubuntu

By default, UFW is included in all operating system builds since Ubuntu 8.04 LTS and does not need to be installed later. If UFW cannot be found or has to be reinstalled, this is possible with the following commands:

$ apt-get install ufw

Debian

The installation package for UFW is already in the official Debian package repository and can also be easily installed using the following package manager command:

$ apt-get install ufw

CentOS

Unfortunately UFW is not included in the CentOS package repository by default. However, the package can be quickly installed via the EPEL repository:

$ yum install epel-release -y

After the EPEL repository has been installed successfully, UFW can be installed by referencing to the EPEL repository:

$ yum install --enablerepo="epel" ufw

Step 2 - Getting Started

After successfully installed UFW in your operating system, it is necessary to activate the UFW service, which ensures that UFW is also correctly reactivated when the server is restarted.

Setting Up Default Policies

When getting started with UFW there didn't exist any rules. It is recommended to set up the default policies which are used as fallback rules once there is not matching any explicit rule.

With the following commands we configure UFW to deny all incoming connections but allow all outgoing connections.

$ ufw default deny incoming
$ ufw default allow outgoing

These rules are not active yet, because we did not enable the UFW service at this point.

Important - Allowing SSH Connections

Attention at this point: If you are working on a remote system via SSH we should allow the SSH service or SSH port first, otherwise you may lock yourself out of the system.

If you are using the default SSH configuration, the SSH daemon listens at port 22. You can use a shortcut to allow the connections to this port by:

$ ufw allow ssh

However, if your SSH server listens to a different port you can create a manual rule by the following commend. In this case the example port is 2222:

$ ufw allow 2222/tcp

After this step we can go on to enable UFW on the server.

Enabling UFW

Once you have been configured a rule for you SSH server (see above) you can enable UFW by the command:

$ ufw enable

Maybe, you will see a warning message which remind you about creating a rule for SSH connections (see above), if you have created this rule, you can confirm it by press y and continue with ENTER.

The UFW firewall is enabled now and the UFW service active. You can check the current status of UFW by the following command at any time:

$ ufw status

Enabling IPv6 with UFW (Optional)

If you are using IPv6 as well, it is recommended to check the UFW configuration file for the option settings which enable the IPv6 component. For the most cases this option is already set. You can open the file for example by taking advantage of nano or any other text editor:

$ nano /etc/default/ufw

Now search for the key named IPV6 and set the value to yes as displayed by the example down below:

IPV6=yes

If the value already set to yes you can leave the file unchanged due to IPv6 for UFW is already enabled.

Step 3 - Configure UFW

Adding a Rule

Once you have been set up the basics for UFW you can continue to add the connection rules which may important for you. This can be done by two different ways:

Option 1

You need to use this option when you are not using the application default ports, or you don't want to take advantage of the pre-configured profiles from UFW.

The following example rule does open the port 25 on top of the TCP protocol:

$ ufw allow 25/tcp

By modify the port or also the protocol, for example to UDP when you need to allow a port for UDP connections, every network related application can be added to the firewall list.

Option 2

If you are using default application ports you can also use the shortcut configurations. To list the available services you can run the following command:

$ ufw app list
 Available applications:
   AIM
   Bonjour
   CIFS
   CUPS
   DNS
   Deluge
   IMAP
   IMAPS
   IPP
   KTorrent
   Kerberos Admin
   Kerberos Full
   Kerberos KDC
   Kerberos Password
   LDAP
   LDAPS
   LPD
   MSN
   MSN SSL
   Mail submission
   NFS
   POP3
   POP3S
   PeopleNearby
   SMTP
   OpenSSH
   Socks
   Telnet
   Transmission
   Transparent Proxy
   VNC
   WWW
   WWW Cache
   WWW Full
   WWW Secure
   XMPP
   Yahoo
   qBittorrent
   svnserve

To enable one of these profiles, you just need to call the UFW enable command using the service name as argument for example:

$ ufw allow OpenSSH

As confirmation UFW will tell you the rules/ports which has been added to the list.

List Rules

To get an overview about all enabled rules you can use this command:

$ ufw status

Deleting a Rule

Sometimes it happens you want to delete a rule. The easiest way is to display the numbed version of the "List Rules" and apply the delete command.

At first to show numbed version please run this command:

$ ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[..] [...]                      [...]       [...]

Then the according rule can be deleted by inserting the number of the rule into the following command:

$ ufw delete 1

Now the associated rule has been successfully deleted and is no longer active.

Disabling UFW

If needed to disable the UFW firewall for example for debug purposes you can trigger this by the following command:

$ ufw disable

Once you want to enable the firewall again, you can follow the instructions listed above at the point Step 2 - Getting Started / Enabling UFW.

Resetting UFW

Maybe you need to reset all rules and settings to the default values, for example to get started from scratch. For this you can take advantage of the following command:

$ ufw reset

Conclusion

Congratulations - you have successfully installed and configured the "Uncomplicated Firewall" on your server which provides some more security to your server and protect it from spam traffic.

License: MIT
Want to contribute?

Get Rewarded: Get up to €50 in credit! Be a part of the community and contribute. Do it for the money. Do it for the bragging rights. And do it to teach others!

Submit an articleFind out more
Report Issue
Try Hetzner Cloud

Get 20€ free credit!

Valid until: 31 December 2024 Valid for: 3 months and only for new customers
Get started
Want to contribute?

Get Rewarded: Get up to €50 credit on your account for every tutorial you write and we publish!

Find out more
Report Issue