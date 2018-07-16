
Objective
UFW basics including UFW installation and setting up a basic firewall.
Distributions
Debian and Ubuntu
Requirements
A working Debian or Ubuntu install with root privileges
Difficulty
Easy
Conventions
- # - requires given linux command to be executed with root privileges either directly as a root user or by use of sudo command
- $ - given linux command to be executed as a regular non-privileged user
Introduction
Setting up a firewall can be a huge pain. iptables isn't exactly known for its friendly syntax, and management isn't much better. Fortunately, UFW makes the process a lot more bearable with simplified syntax and easy management tools.
UFW lets you write your firewall rules more like plain sentences or traditional commands. It lets you manage your firewall like any other service. It even saves you from remembering common port numbers.
Install UFW
Start off by installing UFW. It's available in both Debian and Ubuntu's repositories.
$ sudo apt install ufw
Set Your Defaults
Like with iptables, it's best to start out by setting your default behavior. On desktops, you probably want to deny incoming traffic and allow connections coming from your computer.
$ sudo ufw default deny incoming
The syntax for allowing traffic is similar.
$ sudo ufw default allow outgoing
Basic Use
Now, you're set up and ready to start setting up rules and managing your firewall. These commands should all feel easy to read.
Starting and Stopping
You can use systemd to control UFW, but it has its own controls that are easier. Start by enabling and starting up UFW.
$ sudo ufw enable
Now stop it. This simultaneously disables it during startup.
$ sudo ufw disable
When you want to check if UFW is running and which rules are active, you can.
$ sudo ufw status
Commands
Start off with a basic command. Allow inbound HTTP traffic. This is necessary if you want to view a website or download anything from the Internet.
$ sudo ufw allow http
Try it again with SSH. Again, this is super common.
$ sudo ufw allow ssh
You can do the exact same thing using port numbers, if you know them. This command allows inbound HTTPS traffic.
$ sudo ufw allow 443
You can also allow traffic from a specific IP address or range of addresses. Say you want to allow all local traffic, you'd use a command like the one below.
$ sudo ufw allow 192.168.1.0/24
If you need to allow an entire range of ports, like for using Deluge, you can do that too. When you do, though, you'll need to specify either TCP or UDP.
$ sudo ufw allow 56881:56889/tcp
Of course, this does go both ways. Use deny instead of allow for the opposite effect.
$ sudo ufw deny 192.168.1.110
You should also know that all the commands up until now only control inbound traffic. To specifically target outbound connections, include out.
$ sudo ufw allow out ssh
Setting Up A Desktop
Start with the default policies.
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
Next, allow HTTP and HTTPS traffic.
$ sudo ufw allow http
$ sudo ufw allow https
You're probably going to want SSH too, so allow that.
$ sudo ufw allow ssh
Most desktops rely on NTP for the system time. Allow that too.
$ sudo ufw allow ntp
Unless you're using a static IP, allow DHCP. It's ports 67 and 68, and DHCP runs over UDP, not TCP. (ufw's stock /etc/ufw/before.rules already accepts DHCP client replies, so this rule only matters if you have changed that file.)
$ sudo ufw allow 67:68/udp
You're definitely also going to need DNS traffic to go through too. Otherwise, you won't be able to access anything with its URL. The port for DNS is 53.
$ sudo ufw allow 53
If you plan on using a torrent client, like Deluge, enable that traffic.
$ sudo ufw allow 56881:56889/tcp
Steam is a pain. It uses a load of ports. These are the ones you need to allow. Note that a port range must be written low:high; ufw rejects an inverted range.
$ sudo ufw allow 27000:27036/udp
$ sudo ufw allow 27036:27037/tcp
$ sudo ufw allow 4380/udp
Setting Up A Web Server
Web servers are another very common use case for a firewall. You need something to shut down all the garbage traffic and malicious actors before they become a real problem. At the same time, you need to ensure that all of your legitimate traffic goes through uninhibited.
For a server, you might want to tighten things up more by denying everything by default. Disable the firewall before doing this, or it will cut off your SSH connections.
$ sudo ufw default deny incoming
$ sudo ufw default deny outgoing
$ sudo ufw default deny forward
Enable both inbound and outbound web traffic.
$ sudo ufw allow http
$ sudo ufw allow out http
$ sudo ufw allow https
$ sudo ufw allow out https
Allow SSH. You definitely will need it.
$ sudo ufw allow ssh
$ sudo ufw allow out ssh
Your server probably uses NTP to keep the system clock. You should allow it as well.
$ sudo ufw allow ntp
$ sudo ufw allow out ntp
You're going to need DNS for updates to your server too.
$ sudo ufw allow 53
$ sudo ufw allow out 53
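The web-server rule set above as a script, added here as an example and not part of the original article. It allows SSH before switching the default policies so the session running it is not cut off (an alternative to disabling ufw first), and it validates port-range arguments before they reach ufw, since ufw requires a protocol on ranges and rejects an inverted range. The `run`, `port_range_ok` and `server_rules` functions and the `DRY_RUN` variable are this example's own names; commands are only printed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original article. Builds the web-server rule set
# from the section above, allowing SSH before the default policies change so the
# session running it is not cut off (an alternative to disabling ufw first), and
# checks port-range arguments before they reach ufw. Commands are only printed
# unless DRY_RUN=0, in which case they run as root.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'ufw %s\n' "$*"
    else
        ufw "$@"
    fi
}

# port_range_ok START:END/PROTO -> returns 0 if the range is usable.
# ufw needs a protocol for ranges and rejects inverted ones, e.g. the
# easy-to-make typo 27036:26037/tcp instead of 27036:27037/tcp.
port_range_ok() {
    spec=$1
    case $spec in
        *:*/tcp|*:*/udp) ;;
        *) return 1 ;;
    esac
    ports=${spec%/*}
    case $ports in *:*:*) return 1 ;; esac
    start=${ports%%:*}
    end=${ports##*:}
    case $start in ''|*[!0-9]*) return 1 ;; esac
    case $end in ''|*[!0-9]*) return 1 ;; esac
    [ "$start" -ge 1 ] && [ "$end" -le 65535 ] && [ "$start" -le "$end" ]
}

# Deny-by-default in both directions, then the services the section lists.
server_rules() {
    run allow ssh
    run allow out ssh
    run default deny incoming
    run default deny outgoing
    run default deny forward
    for svc in http https ntp 53; do
        run allow "$svc"
        run allow out "$svc"
    done
    run --force enable   # --force skips the interactive confirmation prompt
}

server_rules
```

Run it once with the default dry run to review the emitted commands, then as root with DRY_RUN=0 to apply them.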