UFW, short for “uncomplicated firewall”, is a front end for iptables. It is designed to make managing a firewall as easy as setting open and closed ports and regulating allowed traffic.
Set up UFW
UFW is installed by default on Ubuntu, but if it isn’t, you can install it from the package manager with:
sudo apt-get install ufw
If you run a different distribution you will have to use that distribution’s package manager, but UFW is widely used. You can check the status of the firewall with:
sudo ufw status
This should report “inactive” if you haven’t configured it yet.
A good starting point for any firewall is to close all inbound traffic and allow outbound traffic. Don’t worry, this will not interrupt your SSH connection immediately as the firewall is not yet activated.
sudo ufw default deny incoming
sudo ufw default allow outgoing
This gives us a blank slate to work with and add rules to.
Open ports with UFW
Use the ufw allow command to open ports. For example, if you need to open port 22:
sudo ufw allow 22
You can also leave a note for your future self when adding a rule:
sudo ufw allow 8080/tcp comment 'Open port for Express API'
Many applications install profiles for UFW, including SSH, so you can also let an application open the ports it needs by specifying its profile name:
sudo ufw allow ssh
You can display a list of the available application profiles with ufw app list and show the details of a profile with ufw app info [name].
You can also allow a range of ports using a colon as a separator, and you can specify a protocol. For example, to allow only TCP traffic on ports 3000 through 3100, you could do the following:
sudo ufw allow 3000:3100/tcp
Since the default policy denies incoming connections, you do not have to close any ports manually. If you want to close an outgoing port, you have to specify the direction before it:
sudo ufw reject out 3001
Whitelisting and rate limiting with UFW
You can assign different permissions to specific IP addresses. For example, to allow all traffic from a given IP address, you can do the following:
sudo ufw allow 192.168.1.1
To whitelist certain ports, you need to use the more comprehensive syntax:
sudo ufw allow proto tcp from 192.168.1.1 to any port 22
You probably don’t want to whitelist SSH access this way unless you’ve set up a backup connection or some kind of port knocking, as IP addresses change frequently. One option if you want to limit SSH access to just you is to set up an OpenVPN server on the same private cloud and allow whitelisted access to that server.
If you want to whitelist an entire block of IP addresses, as is the case when you run your servers through a virtual private cloud provider, you can use the standard CIDR subnet notation:
sudo ufw allow 192.168.0.0/24
Subnets are pretty complicated, so you can read our guide on how to work with them to learn more.
Rate limiting is another useful firewall feature that can block connections that are obviously abusive. It protects against an attacker who is trying to brute-force an open SSH port. Of course, you can whitelist the port to protect it fully, but rate limiting is still useful. By default, UFW limits each address to 6 connection attempts per 30 seconds, which is intended for SSH:
sudo ufw limit ssh
Switch on UFW
Once you’ve configured your rules, you can enable UFW. Make sure SSH is open on port 22 or you’ll lock yourself out. If you’d like, you can stop UFW from running at boot so that a reboot will clear any problems:
sudo systemctl disable ufw
You can then activate UFW with:
sudo ufw enable
If all is well, you can run ufw status to view the current state of the firewall. If you are not locked out and the firewall is running, set it to run at boot with:
sudo systemctl enable ufw
Every time you make changes you have to reload the firewall with:
sudo ufw reload
You can also enable logging to record connections:
sudo ufw logging on
Manage and delete rules
If you want to delete a rule you have to get its number with:
sudo ufw status numbered
Notice that the numbers start at 1, not 0. You can delete a rule by number:
sudo ufw delete [number]
Again, make sure you don’t delete your SSH rule, so that port 22 stays open. You can use the --dry-run parameter so that UFW asks you for confirmation first.
If you make any changes, you will need to reload the firewall.
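As an added example (not code from the original article), here are POSIX shell helpers that parse the output of ufw status numbered, as used in the sections on enabling the firewall and deleting rules above, so a script can check that an SSH rule exists before enabling the firewall and refuse to delete the rule number that keeps port 22 open. The status text is constructed sample output in UFW’s format, and the function names are my own.

```shell
#!/bin/sh
# Added example: lockout checks built on "ufw status numbered" output.
# SAMPLE_STATUS is constructed sample output in UFW's format, not captured
# from a real host.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 8080/tcp                   ALLOW IN    Anywhere                   # Open port for Express API
[ 3] 3000:3100/tcp              ALLOW IN    Anywhere
[ 4] Anywhere                   ALLOW IN    192.168.0.0/24
[ 5] 3001                       REJECT OUT  Anywhere'

# Print the rule numbers (one per line, numbering starts at 1) whose "To"
# column is the given port. "22" matches "22", "22/tcp" and "22/udp",
# but not "2222" or the range "3000:3100".
rule_numbers_for_port() {
    port="$1"
    printf '%s\n' "$2" | awk -v p="$port" '
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            line = $0; sub(/^\[ *[0-9]+\] */, "", line)
            split(line, f, " ")
            to = f[1]; sub(/\/.*/, "", to)
            if (to == p) print num
        }'
}

# Succeed (exit 0) only when an ALLOW or LIMIT inbound rule for port 22
# is present, i.e. it is safe to run "ufw enable" over an SSH session.
ssh_rule_present() {
    printf '%s\n' "$1" | grep -Eq '^\[ *[0-9]+\] *22(/tcp)? +(ALLOW|LIMIT) IN'
}

# Succeed only if deleting rule number $1 would not remove an SSH rule.
safe_to_delete() {
    n="$1"
    for ssh_n in $(rule_numbers_for_port 22 "$2"); do
        if [ "$n" = "$ssh_n" ]; then
            return 1
        fi
    done
    return 0
}
```

Feed these functions the live output of sudo ufw status numbered to gate ufw enable and ufw delete in a provisioning script.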