hosting image
How-to-Install-Enable-and-Manage-Firewall-Rules

UFW Command Explained: How to Install, Enable, and Manage Firewall Rules

UFW, short for Uncomplicated Firewall, is designed to make configuring a firewall straightforward and user-friendly. While IP tables offer robust and versatile functionality, their complexity can be daunting for beginners. If you’re new to network security and unsure where to begin, UFW is a great option.

In this tutorial, you’ll learn how to set up a firewall using UFW on Ubuntu version 18.04 and later.

How-to-Install-Enable-and-Manage-Firewall-Rules

Prerequisites

For users on Ubuntu version 16.04 or older, we strongly recommend upgrading to a more recent version as these older versions no longer receive support from Ubuntu. Our comprehensive guides can assist you in smoothly upgrading your Ubuntu version.

To proceed with this tutorial, ensure you have:

– A server running Ubuntu, and a non-root user with sudo privileges. If you need help setting this up, select your distribution from our list and follow the Initial Server Setup Guide.

UFW comes pre-installed on Ubuntu. If it’s missing, you can reinstall it using the command: `sudo apt install ufw`.

Step 1 — Ensuring IPv6 is Enabled

In the latest Ubuntu versions, IPv6 is typically enabled by default. This means that most firewall rules applied to your server will cover both IPv4 and IPv6, with IPv6 entries marked by v6 in UFW’s status output. To verify IPv6 is enabled, inspect your UFW configuration file located at /etc/default/ufw. You can open this file using nano or any preferred command line editor:

“`bash

sudo nano /etc/default/ufw

“`

Ensure the IPV6 setting is set to yes. The file should include the following line:

“`plaintext

IPV6=yes

“`

Save and close the file. If you’re using nano, you can do this by pressing `CTRL+X`, then `Y`, and `ENTER` to confirm.

When UFW is activated later in this guide, it will be set up to handle both IPv4 and IPv6 firewall rules.

Step 2 — Configuring Default Policies

When starting with UFW, it’s important to first review your default firewall policies. These policies determine how traffic that doesn’t match any specific rule is handled.

UFW’s default settings deny all incoming connections and allow all outgoing connections. This means that external attempts to connect to your server will be blocked, while internal applications can freely access the internet. Specific rules can be added to permit necessary services and ports, creating exceptions to this default behaviour.

Let’s set up your UFW default policies for incoming and outgoing traffic to ensure you can follow this tutorial smoothly.

Set the default policy for incoming traffic to deny by running:

“`bash

sudo ufw default deny incoming

“`

You should see the following output:

“`plaintext

Default incoming policy changed to ‘deny’

(be sure to update your rules accordingly)

“`

Next, set the default policy for outgoing traffic to allow by running:

“`bash

sudo ufw default allows outgoing

“`

You should see the following output:

“`plaintext

Default outgoing policy changed to ‘allow’

(be sure to update your rules accordingly)

“`

These commands establish a default policy of denying incoming and allowing outgoing connections. While this setup may be adequate for personal computers, servers typically need to accept incoming requests from external users. We’ll address this requirement in the next steps.

Step 3 — Allowing SSH Connections

If you activate your UFW firewall now, it will block all incoming connections. Therefore, you need to set rules to permit legitimate incoming connections, such as SSH or HTTP, to allow your server to respond to these requests. For cloud server users, enabling SSH connections is crucial for managing the server remotely.

See also  What Is RDP (Remote Desktop Protocol)

Enabling the OpenSSH UFW Application Profile

Most network-dependent applications automatically register an application profile with UFW during installation. This profile allows users to easily manage external access to the service. To see the list of currently registered profiles, run:

“`bash

sudo ufw app list

“`

You should see something like:

“`plaintext

Available applications:

OpenSSH

“`

To enable the OpenSSH application profile, use the following command:

“`bash

sudo ufw allow OpenSSH

“`

You will receive the following confirmation:

“`plaintext

Rule added

Rule added (v6)

“`

This command sets up firewall rules to allow all connections on port 22, the default port for the SSH daemon.

Allowing SSH by Service Name

Another method to permit SSH connections is by referencing its service name:

“`bash

sudo ufw allow ssh

“`

You will see:

“`plaintext

Rule added

Rule added (v6)

“`

UFW identifies the ports and protocols a service uses by consulting the `/etc/services` file.

Allowing SSH by Port Number

Alternatively, you can specify the port number directly to create the same rule. For example:

“`bash

sudo ufw allow 22

“`

You will get the same output:

“`plaintext

Rule added

Rule added (v6)

“`

If your SSH daemon listens on a different port, specify that port number. For instance, if SSH is configured on port 2222, use:

“`bash

sudo ufw allow 2222

“`

The output will confirm the rule addition:

“`plaintext

Rule added

Rule added (v6)

“`

With your firewall now set to allow incoming SSH connections, you are ready to enable UFW.

Step 4 — Activating UFW

At this point, your firewall should be configured to permit SSH connections. To review the rules that have been added so far, even if the firewall is not yet active, you can run:

“`bash

sudo ufw show added

“`

You should see an output like this:

“`plaintext

Added user rules (see ‘ufw status’ for running firewall):

ufw allow OpenSSH

“`

After confirming the presence of a rule that allows incoming SSH connections, you can enable the firewall with:

“`bash

sudo ufw enable

“`

You will encounter a warning:

“`plaintext

The command may disrupt existing SSH connections. Proceed with the operation (y|n)? y

The firewall is active and enabled on the system startup

“`

Although this warning suggests the command might interrupt existing SSH connections, you have already set up a rule to allow SSH, so it’s safe to proceed. Type `y` and press `ENTER` to continue.

The firewall is now active. To view the current rules, use:

“`bash

sudo ufw status verbose

“`

The rest of this tutorial will guide you through using UFW in greater detail, including how to allow or deny various types of connections.

Step 5 — Allowing Additional Connections

Now that SSH connections are permitted, it’s time to configure your firewall to allow other necessary connections based on your server’s specific requirements. You’ve already learned how to create rules using application profiles, service names, or port numbers, as demonstrated with SSH on port 22. Here’s how you can do the same for other services:

– HTTP (port 80): Used by unencrypted web servers. Allow it with:

“`bash

sudo ufw allow http

“`

or

“`bash

sudo ufw allow 80

“`

– HTTPS (port 443): Used by encrypted web servers. Allow it with:

“`bash

sudo ufw allow https

“`

or

“`bash

sudo ufw allow 443

“`

– Apache (HTTP and HTTPS): Allow both by using:

See also  How To Install OpenVpn On CentOS 7

“`bash

sudo ufw allow ‘Apache Full’

“`

– Nginx (HTTP and HTTPS): Allow both by using:

“`bash

sudo ufw allow ‘Nginx Full’

“`

You can see all available application profiles for your server with:

“`bash

sudo ufw app list

“`

Allowing Connections in Various Ways

Some applications require multiple ports. For instance, to allow X11 connections (ports 6000-6007), use:

“`bash

sudo ufw allow 6000:6007/tcp

sudo ufw allow 6000:6007/udp

“`

When specifying port ranges, you must include the protocol (TCP or UDP). Omitting the protocol will allow both by default, which is generally acceptable.

Specific IP Addresses

To allow connections from a specific IP, such as 203.0.113.4, use:

“`bash

sudo ufw allow from 203.0.113.4

“`

You can also restrict this to a specific port:

“`bash

sudo ufw allow from 203.0.113.4 to any port 22

“`

Subnets

To allow a range of IP addresses, use CIDR notation. For instance, to allow all IPs from 203.0.113.1 to 203.0.113.254, use:

“`bash

sudo ufw allow from 203.0.113.0/24

“`

To restrict this subnet to a specific port:

“`bash

sudo ufw allow from 203.0.113.0/24 to any port 22

“`

Connections to a Specific Network Interface

To apply rules to a specific network interface, identify your network interfaces with:

“`bash

ip addr

“`

You’ll see outputs like `eth0` or `enp3s2`. To allow HTTP traffic on a public interface `eth0`:

“`bash

sudo ufw allow in on eth0 to any port 80

“`

For MySQL on a private interface `eth1`:

“`bash

sudo ufw allow in on eth1 to any port 3306

“`

These configurations will ensure your server can handle necessary incoming connections while maintaining robust security.

Step 6 — Blocking Connections

If you haven’t altered the default policy for incoming connections, UFW is set to block all incoming traffic by default. This approach simplifies creating a secure firewall policy, as you only need to define rules for allowed ports and IP addresses.

Sometimes, however, you might need to block specific connections based on source IP addresses or subnets, such as if your server is under attack. Additionally, if you decide to change your default incoming policy to allow (though this is generally not recommended), you would need to create rules to block unwanted services or IP addresses.

To create block rules, simply replace “allow” with “deny” in the commands we’ve covered.

For instance, to block HTTP connections, use:

“`bash

sudo ufw deny http

“`

You should see:

“`plaintext

Rule added

Rule added (v6)

“`

To block all connections from a specific IP, such as 203.0.113.4, use:

“`bash

sudo ufw deny from 203.0.113.4

“`

You’ll see:

“`plaintext

Rule added

“`

In some situations, you might also want to block outgoing connections. To prevent all users from using a specific port on the server, such as port 25 for SMTP traffic, use:

“`bash

sudo ufw deny out 25

“`

The output will be:

“`plaintext

Rule added

Rule added (v6)

“`

This command will block all outgoing SMTP traffic on the server, enhancing security by preventing unauthorized email sending.

Step 7 — Removing Rules

Understanding how to remove firewall rules is as crucial as creating them. You can delete rules either by their rule number or by their description, similar to how they were defined when created.

Deleting a UFW Rule By Number

To remove a rule by its number, first, you need a numbered list of all your firewall rules. Use the `ufw status` command with the `numbered` option:

“`bash

sudo ufw status numbered

“`

See also  how to turn off windows firewall?

Example output:

“`plaintext

Status: Active

To                         Action      From

—                         ——      —-

[ 1] 22                         ALLOW IN    15.15.15.0/24

[ 2] 80                         ALLOW IN    Anywhere

“`

To delete rule number 2, which allows port 80 (HTTP) connections, run:

“`bash

sudo ufw delete 2

“`

Output:

“`plaintext

Deleting:

allow 80

Proceed with the operation (y|n)? y

Rule deleted

“`

This prompts for confirmation and then removes rule 2, which permits HTTP connections. If IPv6 is enabled, remember to delete the corresponding IPv6 rule as well.

Deleting a UFW Rule By Name

Alternatively, you can refer to a rule by its description. This includes the type of rule (allow or deny) and the service name or port number, or the application profile name if used. For instance, to delete an allow rule for an application profile named “Apache Full,” use:

“`bash

sudo ufw delete allow “Apache Full”

“`

Output:

“`plaintext

Rule deleted

Rule deleted (v6)

“`

This method also applies to rules created with a service name or port number. For example, if you allowed HTTP connections with `sudo ufw allow http`, delete it with:

“`bash

sudo ufw delete allow http

“`

Output:

“`plaintext

Rule deleted

Rule deleted (v6)

“`

Similarly, since service names are interchangeable with port numbers, you can delete the same rule with:

“`bash

sudo ufw delete allow 80

“`

Output:

“`plaintext

Rule deleted

Rule deleted (v6)

“`

Deleting rules by name removes both IPv4 and IPv6 rules if they exist.

Step 8 — Checking UFW Status and Rules

You can check the current status of UFW at any time with the following command:

“`bash

sudo ufw status verbose

“`

If UFW is disabled (its default state), you’ll see:

 

“`plaintext

Status: Inactive

“`

If UFW is active (as it should be if you followed Step 3), you will see it marked as active along with any set rules. For instance, if SSH (port 22) is allowed from anywhere, the output may look like this:

“`plaintext

Status: Active

Logging: on (low)

Default: deny (incoming), allow (outgoing), disabled (routed)

New profiles: skip

To                         Action      From

—                         ——      —-

22/tcp                     ALLOW IN    Anywhere

“`

Use this command to review how UFW is configured and which rules are currently in effect.

Step 9 — Disabling or Resetting the Firewall

If you decide to stop using the UFW firewall, you can turn it off with:

“`bash

sudo ufw disable

“`

Output:

“`plaintext

The firewall stopped and disabled on the system startup

“`

This command deactivates UFW, and any rules you have created will no longer be enforced. To re-enable it later, simply run `sudo ufw enable`.

If you want to reset your UFW configuration and start fresh, use the reset command:

“`bash

sudo ufw reset

“`

Output:

“`plaintext

Resetting all rules to installed defaults. This may disrupt existing SSH connections. Proceed with the operation (y|n)? y

Backing up ‘user.rules’ to ‘/etc/ufw/user.rules.20210729_170353’

Backing up ‘before.rules’ to ‘/etc/ufw/before.rules.20210729_170353’

Backing up ‘after.rules’ to ‘/etc/ufw/after.rules.20210729_170353’

Backing up ‘user6.rules’ to ‘/etc/ufw/user6.rules.20210729_170353’

Backing up ‘before6.rules’ to ‘/etc/ufw/before6.rules.20210729_170353’

Backing up ‘after6.rules’ to ‘/etc/ufw/after6.rules.20210729_170353’

“`

This command disables UFW and removes all previously defined rules, giving you a clean slate. Note that it does not revert any changes made to the default policies.

Conclusion

Your firewall is now set up to permit SSH connections. Remember to configure additional rules for any other services your server needs to accept while restricting any superfluous connections. This approach will ensure your server remains both functional and secure.

5/5 - (1 vote)

1 Comments

  • Hey people!!!!!
    Good mood and good luck to everyone!!!!!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Setup Your Server