UFW is a user-friendly front-end for managing iptables firewall rules and its main goal is to make managing iptables easier or as the name says uncomplicated. Ubuntu’s firewall is designed as an easy way to perform basic firewall tasks without learning iptables. It doesn’t offer all the power of the standard iptables commands, but it’s less complex.
In this tutorial you will learn:
- What is UFW and its Overview.
- How to Install UFW and Perform Status Check.
- How to Use IPv6 with UFW.
- UFW Default Policies.
- Application Profiles.
- How to Allow and Deny Connections.
- Firewall Log.
- How to Delete UFW Rules.
- How to Disable and Reset UFW.
Software Requirements and Conventions Used
Category | Requirements, Conventions or Software Version Used |
---|---|
System | Ubuntu 18.04 |
Software | Ubuntu Inbuilt Firewall UFW |
Other | Privileged access to your Linux system as root or via the sudo command. |
Conventions | # - requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command $ - requires given linux commands to be executed as a regular non-privileged user |
UFW Overview
Subscribe to RSS and NEWSLETTER and receive latest Linux news, jobs, career advice and tutorials.
The kernel's packet filtering system would be of little use to administrators without a userspace interface to manage it. This is the purpose of iptables: When a packet reaches your server, it will be handed off to the Netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it from userspace via iptables. Thus, iptables is all you need to manage your firewall, if you're familiar with it, but many frontends are available to simplify the task.
UFW, or Uncomplicated Firewall, is a front-end to iptables. Its main goal is to make managing your firewall drop-dead simple and to provide an easy-to-use interface. It’s well-supported and popular in the Linux community—even installed by default in a lot of distributions. As such, it’s a great way to get started securing your sever.Install UFW and Status Check
Uncomplicated Firewall should be installed by default in Ubuntu 18.04, but if it is not installed on your system, you can install the package by using the command:$ sudo apt-get install ufwOnce the installation is completed you can check the status of UFW with the following command:
$ sudo ufw status verbose
ubuntu1804@linux:~$ sudo ufw status verbose [sudo] password for ubuntu1804: Status: inactive ubuntu1804@linux:~$
ubuntu1804@linux:~$ sudo ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)? y Firewall is active and enabled on system startup ubuntu1804@linux:~$
ubuntu1804@linux:~$ sudo ufw status verbose Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip ubuntu1804@linux:~$
Using IPv6 with UFW
$ sudo vim /etc/default/ufwThen make sure
IPV6
is set to yes
, like so: IPV6=yesSave and quit. Then restart your firewall with the following commands:
$ sudo ufw disable $ sudo ufw enableNow UFW will configure the firewall for both IPv4 and IPv6, when appropriate.
UFW Default Policies
By default, UFW will block all of the incoming connections and allow all outbound connections. This means that anyone trying to access your server will not be able to connect unless you specifically open the port, while all applications and services running on your server will be able to access the outside world. The default polices are defined in the/etc/default/ufw
file and can be changed using the sudo ufw default <policy> <chain> command. $ sudo ufw default deny outgoingFirewall policies are the foundation for building more detailed and user-defined rules. In most cases the initial UFW Default Policies are a good starting point.
Application Profiles
When installing a package with the apt command it will add an application profile to/etc/ufw/applications.d
directory. The profile describes the service and contains UFW settings. You can list all application profiles available on your server using the command: $ sudo ufw app listDepending on the packages installed on your system the output will look similar to the following:
ubuntu1804@linux:~$ sudo ufw app list [sudo] password for ubuntu1804: Available applications: CUPS OpenSSH ubuntu1804@linux:~$
$ sudo ufw app info ‘<app_name>’
ubuntu1804@linux:~$ sudo ufw app info 'OpenSSH' Profile: OpenSSH Title: Secure shell server, an rshd replacement Description: OpenSSH is a free implementation of the Secure Shell protocol. Port: 22/tcpAs you can see from the output above the OpenSSH profile opens port 22 over TCP.
Allow and Deny Connections
If we turned on the firewall , it would by default deny all incoming connections. Hence you need to allow/enable the connections depending your needs. The connection can be open by defining the port, service name or application profile.$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow 80/tcp
$ sudo ufw allow 'HTTP'Instead of allowing access to single ports UFW also allows us to access to port ranges.
$ sudo ufw allow 1000:2000/tcp
$ sudo ufw allow 3000:4000/udpTo allow access on all ports from a machine with IP address or allow access on a specific port you can following commands:
$ sudo ufw allow from 192.168.1.104
$ sudo ufw allow from 192.168.1.104 to any port 22The command for allowing connection to a subnet of IP addresses:
$ sudo ufw allow from 192.168.1.0/24 to any port 3306To allow access on a specific port and only to specific network interface you need to use following command:
$ sudo ufw allow in on eth1 to any port 9992The default policy for all incoming connections is set to deny and if you haven’t changed it, UFW will block all incoming connection unless you specifically open the connection. To deny all connections from a subnet and with a port:
$ sudo ufw deny from 192.168.1.0/24
$ sudo ufw deny from 192.168.1.0/24 to any port 80
Firewall Log
Subscribe to RSS and NEWSLETTER and receive latest Linux news, jobs, career advice and tutorials.
$ sudo ufw logging onThe log will also in
/var/log/messages
, /var/log/syslog
, and /var/log/kern.log
Deleting UFW Rules
Tere are two different ways to delete UFW rules, by rule number and by specifying the actual rule. Deleting UFW rules by rule number is easier especially if you are new to UFW. To delete a rule by a rule number first you need to find the number of the rule you want to delete, you can do that with the following command:$ sudo ufw status numbered
ubuntu1804@linux:~$ sudo ufw status numbered Status: active To Action From -- ------ ---- [ 1] 22/tcp ALLOW IN Anywhere [ 2] Anywhere ALLOW IN 192.168.1.104 [ 3] 22/tcp (v6) ALLOW IN Anywhere (v6)To delete rule number 2, the rule that allows connections to any port from the IP address 192.168.1.104, use the following command:
$ sudo ufw delete 2
ubuntu1804@linux:~$ sudo ufw delete 2 Deleting: allow from 192.168.1.104 Proceed with operation (y|n)? y Rule deleted ubuntu1804@linux:~$The second method is to delete a rule by specifying the actual rule.
$ sudo ufw delete allow 22/tcp
Disable and Reset UFW
$ sudo ufw disable
ubuntu1804@linux:~$ sudo ufw disable Firewall stopped and disabled on system startup ubuntu1804@linux:~$Resetting UFW will disable UFW, and delete all active rules. This is helpful if you want to revert all of your changes and start fresh. To reset UFW use the following command:
$ sudo ufw reset
ubuntu1804@linux:~$ sudo ufw reset Resetting all rules to installed defaults. This may disrupt existing ssh connections. Proceed with operation (y|n)? y Backing up 'user.rules' to '/etc/ufw/user.rules.20181213_084801' Backing up 'before.rules' to '/etc/ufw/before.rules.20181213_084801' Backing up 'after.rules' to '/etc/ufw/after.rules.20181213_084801' Backing up 'user6.rules' to '/etc/ufw/user6.rules.20181213_084801' Backing up 'before6.rules' to '/etc/ufw/before6.rules.20181213_084801' Backing up 'after6.rules' to '/etc/ufw/after6.rules.20181213_084801' ubuntu1804@linux:~$