A properly configured firewall is one of the most important aspects of the overall system security. By default Ubuntu comes with a firewall configuration tool called UFW (Uncomplicated Firewall).
UFW is a user-friendly front-end for managing iptables firewall rules and its main goal is to make managing iptables easier or as the name says uncomplicated. Ubuntu’s firewall is designed as an easy way to perform basic firewall tasks without learning iptables. It doesn’t offer all the power of the standard iptables commands, but it’s less complex.
In this tutorial you will learn:
- What is UFW and its Overview.
- How to Install UFW and Perform Status Check.
- How to Use IPv6 with UFW.
- UFW Default Policies.
- Application Profiles.
- How to Allow and Deny Connections.
- Firewall Log.
- How to Delete UFW Rules.
- How to Disable and Reset UFW.
Software Requirements and Conventions Used
|Category|Requirements, Conventions or Software Version Used|
|Software|Ubuntu Inbuilt Firewall UFW|
|Other|Privileged access to your Linux system as root or via the|
|Conventions|# – requires given Linux commands to be executed with root privileges either directly as a root user or by use of|
|Conventions|$ – requires given Linux commands to be executed as a regular non-privileged user|
The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering.
The kernel’s packet filtering system would be of little use to administrators without a userspace interface to manage it. This is the purpose of iptables: When a packet reaches your server, it will be handed off to the Netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it from userspace via iptables. Thus, iptables is all you need to manage your firewall, if you’re familiar with it, but many frontends are available to simplify the task.
UFW, or Uncomplicated Firewall, is a front-end to iptables. Its main goal is to make managing your firewall drop-dead simple and to provide an easy-to-use interface. It is well-supported and popular in the Linux community, and is even installed by default in a lot of distributions. As such, it is a great way to get started securing your server.
Install UFW and Status Check
Uncomplicated Firewall should be installed by default in Ubuntu 18.04, but if it is not installed on your system, you can install the package by using the command:
$ sudo apt-get install ufw
Once the installation is completed you can check the status of UFW with the following command:
$ sudo ufw status verbose
ubuntu1804@linux:~$ sudo ufw status verbose
[sudo] password for ubuntu1804:
Status: inactive
A freshly installed UFW is inactive. Enable it with sudo ufw enable; note the warning that enabling the firewall may disrupt existing SSH connections:
ubuntu1804@linux:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
ubuntu1804@linux:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
Using IPv6 with UFW
If your server is configured for IPv6, ensure that UFW is configured to support IPv6 so that it will manage both your IPv4 and IPv6 firewall rules. To do this, open the UFW configuration with this command:
$ sudo vim /etc/default/ufw
Then make sure IPV6 is set to yes, like so:
IPV6=yes
Save and quit. Then restart your firewall with the following commands:
$ sudo ufw disable
$ sudo ufw enable
Now UFW will configure the firewall for both IPv4 and IPv6, when appropriate.
UFW Default Policies
By default, UFW will block all of the incoming connections and allow all outbound connections. This means that anyone trying to access your server will not be able to connect unless you specifically open the port, while all applications and services running on your server will be able to access the outside world.
The default policies are defined in the /etc/default/ufw file and can be changed using the sudo ufw default <policy> <chain> command.
$ sudo ufw default deny outgoing
Firewall policies are the foundation for building more detailed and user-defined rules. In most cases the initial UFW Default Policies are a good starting point.
When you install a package with the apt command, it can add an application profile to the /etc/ufw/applications.d directory. The profile describes the service and contains UFW settings.
You can list all application profiles available on your server using the command:
$ sudo ufw app list
Depending on the packages installed on your system the output will look similar to the following:
ubuntu1804@linux:~$ sudo ufw app list
[sudo] password for ubuntu1804:
Available applications:
  CUPS
  OpenSSH
To find more information about a specific profile and included rules, use the following command:
$ sudo ufw app info '<app_name>'
ubuntu1804@linux:~$ sudo ufw app info 'OpenSSH'
Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.

Port:
  22/tcp
As you can see from the output above the OpenSSH profile opens port 22 over TCP.
Allow and Deny Connections
Once the firewall is turned on, it denies all incoming connections by default. You therefore need to allow the connections you need. A connection can be opened by specifying a port, a service name or an application profile:
$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow 80/tcp
$ sudo ufw allow 'HTTP'
Instead of allowing access to single ports, UFW also lets you allow access to port ranges:
$ sudo ufw allow 1000:2000/tcp
$ sudo ufw allow 3000:4000/udp
To allow access on all ports from a machine with a given IP address, or to allow that machine access on a specific port only, use the following commands:
$ sudo ufw allow from 192.168.1.104
$ sudo ufw allow from 192.168.1.104 to any port 22
The command for allowing connection to a subnet of IP addresses:
$ sudo ufw allow from 192.168.1.0/24 to any port 3306
To allow access on a specific port only through a specific network interface, use the following command:
$ sudo ufw allow in on eth1 to any port 9992
The default policy for all incoming connections is deny, and unless you have changed it UFW blocks every incoming connection that you have not specifically opened. Explicit deny rules are still useful for blocking a source that would otherwise match an allow rule.
To deny all connections from a subnet, or only those from the subnet to a specific port:
$ sudo ufw deny from 192.168.1.0/24
$ sudo ufw deny from 192.168.1.0/24 to any port 80
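As an added example (not code from the original tutorial), the following POSIX sh script turns a small constructed allowlist into the same ufw commands used above, and refuses to enable the firewall unless a rule covers the SSH port, since enabling UFW with the deny-incoming default otherwise cuts off the remote session you are working from. The 192.168.1.0/24 management subnet and the allowlist contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example: derive ufw rules from an allowlist and guard "ufw enable"
# against an SSH lock-out. Assumptions: the management subnet 192.168.1.0/24
# and the services listed below are constructed for this example.

# Constructed allowlist, one entry per line: <proto>/<port> <from>
# ("any" means allow from everywhere).
ALLOWLIST='tcp/22 192.168.1.0/24
tcp/80 any
tcp/443 any
udp/53 192.168.1.0/24'

# Print the ufw commands implied by the default policies plus ALLOWLIST.
ufw_plan() {
    printf '%s\n' 'ufw default deny incoming' 'ufw default allow outgoing'
    printf '%s\n' "$ALLOWLIST" | while read -r spec src; do
        proto=${spec%%/*}
        port=${spec#*/}
        if [ "$src" = any ]; then
            printf 'ufw allow %s/%s\n' "$port" "$proto"
        else
            printf 'ufw allow from %s to any port %s proto %s\n' "$src" "$port" "$proto"
        fi
    done
}

# Succeed only if the plan contains an allow rule for 22/tcp.
ssh_is_allowed() {
    ufw_plan | grep -Eq '^ufw allow (22/tcp|from .* port 22 proto tcp)$'
}

# Run the plan with sudo and enable the firewall; abort if SSH is not covered.
ufw_apply() {
    ssh_is_allowed || { echo 'refusing: no rule allows 22/tcp' >&2; return 1; }
    ufw_plan | while read -r cmd; do sudo $cmd; done
    sudo ufw --force enable
}

# Dry run by default; pass --apply to change the live firewall.
[ "${1:-}" = --apply ] && ufw_apply || ufw_plan
```

Run it without arguments first and read the printed commands; only then run it with --apply on the host.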
Firewall logs are essential for recognizing attacks, troubleshooting your firewall rules, and noticing unusual activity on your network. You must include logging rules in your firewall for them to be generated, though, and logging rules must come before any applicable terminating rule.
$ sudo ufw logging on
The log will also in
Deleting UFW Rules
There are two different ways to delete UFW rules: by rule number and by specifying the actual rule.
Deleting UFW rules by rule number is easier, especially if you are new to UFW. To delete a rule by its number, first find the number of the rule you want to delete with the following command:
$ sudo ufw status numbered
ubuntu1804@linux:~$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] Anywhere                   ALLOW IN    192.168.1.104
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
To delete rule number 2, the rule that allows connections to any port from the IP address 192.168.1.104, use the following command:
$ sudo ufw delete 2
ubuntu1804@linux:~$ sudo ufw delete 2
Deleting:
 allow from 192.168.1.104
Proceed with operation (y|n)? y
Rule deleted
The second method is to delete a rule by specifying the actual rule, exactly as it was added:
$ sudo ufw delete allow 22/tcp
Disable and Reset UFW
If for any reason you want to stop UFW and deactivate all rules you can use:
$ sudo ufw disable
ubuntu1804@linux:~$ sudo ufw disable
Firewall stopped and disabled on system startup
Resetting UFW will disable UFW, and delete all active rules. This is helpful if you want to revert all of your changes and start fresh. To reset UFW use the following command:
$ sudo ufw reset
ubuntu1804@linux:~$ sudo ufw reset
Resetting all rules to installed defaults. This may disrupt existing ssh connections. Proceed with operation (y|n)? y
Backing up 'user.rules' to '/etc/ufw/user.rules.20181213_084801'
Backing up 'before.rules' to '/etc/ufw/before.rules.20181213_084801'
Backing up 'after.rules' to '/etc/ufw/after.rules.20181213_084801'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20181213_084801'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20181213_084801'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20181213_084801'
UFW is developed to ease iptables firewall configuration and provides a user-friendly way to create an IPv4 or IPv6 host-based firewall. There are many other firewall utilities, some of which may be easier, but UFW is a good learning tool, if only because it exposes some of the underlying netfilter structure and because it is present on so many systems.