Introduction
UFW (Uncomplicated Firewall) is a front-end for iptables, aiming to simplify the process of configuring a firewall on Ubuntu. It provides an easy way to manage inbound and outbound traffic, allowing only necessary services while blocking unwanted access.
This guide will cover everything you need to know about installing, configuring, and using UFW on Ubuntu.
Step 1: Install UFW
UFW is installed by default in Ubuntu, but if for some reason it isn’t present, you can install it using the following commands:
sudo apt update
sudo apt install ufw
Step 2: Check UFW Status
Before starting with configuration, it’s important to check if UFW is active:
sudo ufw status
If UFW is inactive, you’ll see something like:
Status: inactive
Step 3: Enable UFW
To activate UFW, you can enable it with:
sudo ufw enable
When you run this over SSH, UFW warns you: `Command may disrupt existing ssh connections. Proceed with operation (y|n)?` Enabling the firewall puts the default deny-incoming policy into effect immediately and keeps it active across reboots, so on a remote server add the SSH rule from Step 4 before you enable UFW.
Step 4: Allowing SSH Connections (For Remote Servers)
UFW's default policy denies all incoming connections, so the moment it is enabled SSH is blocked unless a rule allows it, and you are locked out of a remote server. To avoid this, allow SSH connections first:
sudo ufw allow ssh
Alternatively, specify the port directly (`ssh` is resolved through /etc/services to 22/tcp; if sshd listens on another port, allow that port instead):
sudo ufw allow 22/tcp
Step 5: Configuring Default Policies
UFW's default policy is to deny all incoming connections and allow all outgoing ones. These defaults are set explicitly with the following commands (the active defaults are listed in the verbose status output):
sudo ufw default deny incoming
sudo ufw default allow outgoing
This ensures that incoming traffic is blocked unless a rule explicitly allows it, while all outgoing traffic is permitted. Rules added later are evaluated in order and the first match wins; a packet that matches no rule falls through to these defaults.
Step 6: Allowing Specific Services or Ports
Now that UFW is enabled and has default policies, you can start allowing or denying specific services and ports. Here are some common configurations:
HTTP (Port 80)
Allow HTTP traffic if you’re running a web server:
sudo ufw allow http
Alternatively, you can use the port number:
sudo ufw allow 80/tcp
HTTPS (Port 443)
For secure web traffic, allow HTTPS:
sudo ufw allow https
Or by port number:
sudo ufw allow 443/tcp
FTP (Port 21)
To allow FTP connections (note that plain FTP sends credentials and data in cleartext; SFTP runs over the SSH port you already opened and needs no extra rule):
sudo ufw allow ftp
Or by specifying the port:
sudo ufw allow 21/tcp
Allowing a Range of Ports
If you need to allow a range of ports, such as for passive FTP, you can do so as follows:
sudo ufw allow 30000:31000/tcp
Allowing Specific IP Addresses
You can restrict access to specific IP addresses. For example, to allow SSH only from a particular IP:
sudo ufw allow from 192.168.1.100 to any port 22 proto tcp
This allows the specified IP to reach port 22. It only restricts SSH to that address if no broader rule such as the `allow 22/tcp` from Step 4 also exists; because the first matching rule wins, delete the general rule (Step 9) if this is meant to be the only way in.
Step 7: Denying Specific Services or Ports
Denying uses the same syntax as allowing. Because the default policy already drops incoming traffic, an explicit deny rule is mainly useful for carving an exception out of a broader allow (for example blocking one host while its subnet is allowed); since the first matching rule wins, it must sit ahead of the allow it overrides. For example, to block FTP traffic:
sudo ufw deny ftp
Or by specifying the port:
sudo ufw deny 21/tcp
Step 8: UFW Application Profiles
UFW has predefined application profiles for common services. You can view these profiles using the following command:
sudo ufw app list
The output will show a list of available profiles, for example:
Available applications:
OpenSSH
Apache
Apache Full
Apache Secure
To get more details about a specific profile, use:
sudo ufw app info <application_name>
For instance:
sudo ufw app info "Apache Full"
Profile names that contain spaces must be quoted, otherwise ufw treats the second word as a separate argument.
This will show you which ports and protocols the profile affects.
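The stock profiles only cover packages that ship one, but you can add your own under /etc/ufw/applications.d and then allow the service by name. The script below is an added example, not part of the original guide, that generates such a profile and validates its `ports=` field before writing it. The service name "Gitea" with ports 3000/tcp and 2222/tcp is an assumption for illustration, as is the `PROFILE_DIR` variable, which defaults to a scratch directory so the script can be tried without root.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: generate a custom UFW
# application profile so a service without a stock profile can be allowed by
# name. Assumptions (hypothetical): a service "Gitea" listening on 3000/tcp
# and 2222/tcp; PROFILE_DIR points at a scratch directory unless overridden.
set -eu

PROFILE_DIR="${PROFILE_DIR:-/tmp/ufw-profiles}"   # real location: /etc/ufw/applications.d

# ports_spec_valid PORTS: accept what ufw expects in a profile's ports= field:
# entries separated by "|", each a port, a low:high range, or a comma list of
# those, followed by /tcp or /udp (e.g. "137,138/udp|139,445/tcp").
ports_spec_valid() {
  local entry='[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*/(tcp|udp)'
  printf '%s' "$1" | grep -Eq "^${entry}(\|${entry})*$"
}

# render_profile NAME TITLE DESCRIPTION PORTS: print the profile text, refusing
# a malformed ports field so a typo cannot silently open the wrong thing.
render_profile() {
  local name="$1" title="$2" desc="$3" ports="$4"
  ports_spec_valid "$ports" || { echo "bad ports spec: $ports" >&2; return 1; }
  printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' "$name" "$title" "$desc" "$ports"
}

# install_profile NAME TITLE DESCRIPTION PORTS: render first, then write, so a
# rejected spec leaves no half-written file. ufw reads the profile directory on
# every invocation; 'ufw app update' refreshes rules that already reference the
# profile (root is needed for the real directory).
install_profile() {
  local content
  content=$(render_profile "$@")
  mkdir -p "$PROFILE_DIR"
  printf '%s\n' "$content" > "${PROFILE_DIR}/$1"
  if [ "$PROFILE_DIR" = /etc/ufw/applications.d ]; then
    sudo ufw app update "$1"
  fi
}

# Afterwards: sudo ufw app info Gitea ; sudo ufw allow Gitea
install_profile Gitea 'Gitea' 'Self-hosted git service: web UI and built-in SSH' '3000/tcp|2222/tcp'
```

Run it with `PROFILE_DIR=/etc/ufw/applications.d` as root to install the profile for real; the default scratch directory lets you inspect the generated file first.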
Step 9: Deleting UFW Rules
If you’ve mistakenly allowed or denied a service or port, you can delete the rule. First, list all current rules:
sudo ufw status numbered
You’ll see output like:
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 80/tcp ALLOW IN Anywhere
[ 3] 443/tcp ALLOW IN Anywhere
To delete a rule, reference its number. UFW asks you to confirm, and the remaining rules are renumbered after each deletion, so list them again before deleting another. If IPv6 is enabled, each rule also appears as a separate `(v6)` entry that must be deleted on its own:
sudo ufw delete <rule_number>
For example:
sudo ufw delete 2
Step 10: Advanced UFW Rules
Allowing Specific Subnets
You can allow traffic from a whole subnet rather than just a single IP address:
sudo ufw allow from 192.168.1.0/24
This allows every address in 192.168.1.0/24 (`192.168.1.0` through `192.168.1.255`) to reach any port on the host. Append `to any port 22` as in Step 6 to limit the subnet to a single service.
Rate Limiting SSH
To protect against brute force attacks, you can enable rate limiting for SSH:
sudo ufw limit ssh
This is an allow rule with a rate limit, so it replaces a plain `allow ssh` rather than adding to it: UFW denies new connections from an address that has attempted six or more connections in the last 30 seconds, and accepts them again once the rate drops below that.
Allowing Specific Network Interfaces
If your system has multiple network interfaces, you can restrict a rule to one of them. For example, to allow HTTP traffic only on the `eth0` interface (on current Ubuntu releases the name is more likely to be something like `enp0s3` or `ens3`, so check `ip link` first):
sudo ufw allow in on eth0 to any port 80
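Steps 4 to 6 and the rate limit above are usually applied together on a fresh server, and the order matters when you are connected over SSH. The script below is an added example, not part of the original guide: it emits the rules as a plan, checks the plan cannot lock you out (the SSH rule precedes `enable`, and `enable` is last), and only runs it when asked. It goes slightly beyond the text by giving a management subnet an unrestricted SSH allow ahead of the rate-limited rule, which works because the first matching rule wins. The subnet 203.0.113.0/24, the SSH port 22 and the `UFW_APPLY` variable are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: apply the baseline from
# Steps 4 to 6 and the SSH rate limit from Step 10 in an order that is safe
# to run over SSH. Assumptions (hypothetical): a management subnet
# 203.0.113.0/24, sshd on port 22, and an env var UFW_APPLY=1 that turns
# the dry run into a real run (needs root).
set -eu

ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # assumed management subnet
SSH_PORT="${SSH_PORT:-22}"                 # assumed sshd port

# ufw_plan prints the ufw commands, one per line, in the order they must run.
# UFW evaluates rules first-match-wins, so the unrestricted allow for the
# admin subnet precedes the rate-limited rule that applies to everyone else,
# and 'enable' comes last so the SSH rules exist before the default deny
# policy takes effect.
ufw_plan() {
  cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from ${ADMIN_NET} to any port ${SSH_PORT} proto tcp comment 'ssh from admin net'
ufw limit ${SSH_PORT}/tcp comment 'ssh, rate limited'
ufw allow 80/tcp comment 'http'
ufw allow 443/tcp comment 'https'
ufw logging low
ufw --force enable
EOF
}

# plan_ok verifies the lock-out invariants without touching the system:
# the SSH allow must appear before 'enable', and 'enable' must be last.
plan_ok() {
  local plan total enable_line ssh_line
  plan="$(ufw_plan)"
  total=$(printf '%s\n' "$plan" | grep -c '')
  enable_line=$(printf '%s\n' "$plan" | grep -n -e '--force enable' | cut -d: -f1)
  ssh_line=$(printf '%s\n' "$plan" | grep -n "port ${SSH_PORT} proto tcp" | cut -d: -f1)
  [ "$enable_line" -eq "$total" ] && [ "$ssh_line" -lt "$enable_line" ]
}

# ufw_apply prints the plan (dry run) or, with UFW_APPLY=1, runs each line
# through sh so the quoted comments survive word splitting.
ufw_apply() {
  plan_ok || { echo "refusing to apply: plan could lock out SSH" >&2; return 1; }
  ufw_plan | while IFS= read -r cmd; do
    if [ "${UFW_APPLY:-0}" = "1" ]; then
      sudo sh -c "$cmd"
    else
      echo "[dry-run] $cmd"
    fi
  done
}

# Dry run by default; after a real run, confirm with: sudo ufw status verbose
ufw_apply
```

`ufw --force enable` skips the interactive prompt from Step 3, which is what you want in a script but also why the plan is checked before anything is executed.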
Step 11: Logging and Monitoring
UFW can log the traffic it handles so you can see what is being blocked. To enable logging at the default `low` level, which records blocked packets (rate limited) and packets matching rules that have logging enabled:
sudo ufw logging on
The levels are `off`, `low`, `medium`, `high` and `full`, and `logging on` is the same as `logging low`; the higher levels also record allowed packets and quickly become noisy. Entries are emitted by the kernel and delivered by rsyslog to `/var/log/ufw.log` by default (they also appear in the system journal).
To disable logging:
sudo ufw logging off
To view UFW logs in real time, use the `tail` command:
sudo tail -f /var/log/ufw.log
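Watching the raw log scroll by is not very informative; what you usually want is a count of who is hitting which closed port. The script below is an added example, not part of the original guide, that reduces `[UFW BLOCK]` and `[UFW LIMIT BLOCK]` lines to a per-source, per-port summary and names the noisiest source. The `SAMPLE_LOG` lines are constructed in the format UFW writes (documentation addresses, hostname `web1`) so the script runs offline; the two function names are the author's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: summarise what the firewall
# is dropping by reading /var/log/ufw.log. Handles "[UFW BLOCK]" and
# "[UFW LIMIT BLOCK]" kernel lines; "[UFW ALLOW]" lines (logged at medium or
# above) are ignored. SAMPLE_LOG is constructed test data in that format.
set -eu

SAMPLE_LOG='Sep 10 12:00:01 web1 kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 10 12:00:02 web1 kernel: [ 1235.100000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 10 12:00:03 web1 kernel: [ 1236.200000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54323 DPT=2323 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 10 12:00:04 web1 kernel: [ 1237.300000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=28
Sep 10 12:00:05 web1 kernel: [ 1238.400000] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54324 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 10 12:00:06 web1 kernel: [ 1239.500000] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0'

# ufw_block_summary: read log lines on stdin and print "COUNT SRC DPT PROTO"
# for every blocked (source, port, protocol) triple, most frequent first.
# Fields are picked out by their KEY= prefix, so column position does not
# matter; ICMP lines have no DPT and show "-" instead.
ufw_block_summary() {
  awk '/\[UFW (LIMIT )?BLOCK\]/ {
      src = ""; dpt = "-"; proto = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
      }
      if (src != "") count[src " " dpt " " proto]++
    }
    END { for (k in count) print count[k], k }' \
  | LC_ALL=C sort -k1,1nr -k2
}

# top_blocked_source: the single source address with the most blocked events
# in the input (ties broken by lowest address string), a candidate for a
# deny rule or for checking against your own scanners' addresses.
top_blocked_source() {
  ufw_block_summary | awk '
    { per_src[$2] += $1 }
    END {
      best = ""; max = 0
      for (s in per_src)
        if (per_src[s] > max || (per_src[s] == max && s < best)) { max = per_src[s]; best = s }
      print best
    }'
}

# Against the real log:  sudo cat /var/log/ufw.log | ufw_block_summary
# Demo on the constructed lines:
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | ufw_block_summary
fi
```

Because the summary keys on `SRC`, a burst of one address against many ports (a port scan) shows up as many one-count lines from the same source, while a brute-force attempt shows up as one high-count line on a single port; `top_blocked_source` catches both.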
Step 12: Resetting UFW
If you want to reset UFW to its default settings, you can do so with:
sudo ufw reset
This disables UFW, removes all rules and restores the default policies after asking you to confirm; the previous rule files are kept as timestamped backups under /etc/ufw.
Step 13: Disable UFW
If you need to turn off UFW temporarily or permanently:
sudo ufw disable
This deactivates the firewall without removing any rules, and it stays off across reboots until you run `sudo ufw enable` again.
UFW provides a straightforward and effective way to manage your firewall on Ubuntu. With UFW, you can easily configure and manage rules to protect your system from unauthorized access while allowing necessary services. Follow the steps in this guide to set up and customize UFW according to your needs.
By ensuring you have the right rules in place, your server or system will be more secure and better protected against potential threats.