A UFW Firewall Guide to Enable, Deny, Allow, Delete Rules on Ubuntu

October 27, 2016 | UBUNTU HOWTO

A firewall is an important security component of every operating system. The Linux kernel has a powerful packet and port filtering framework called Netfilter. To turn it into a complete firewall, userspace command line frontends were created. The best known frontend for managing Netfilter is iptables. However, some users find it too hard to master, which prompted developers to write alternatives: Red Hat wrote firewalld, while Canonical wrote Uncomplicated Firewall, or ufw. ufw has been a regular component of every Ubuntu install since the 8.04 release. In this article we will show how to set up and use ufw on Ubuntu 16.10.

Checking the status of ufw and enabling it

To see whether ufw is running, we issue the following command:

sudo ufw status

[Screenshot: output of the ufw status command]

First, let's set up the default rules:

sudo ufw default allow outgoing

sudo ufw default deny incoming

This allows all outgoing traffic and denies all incoming traffic.

Before we enable ufw, we normally want to allow ssh access. There are two ways of doing this. You can add ssh port 22 to the list of open incoming ports, or you can add the ssh service to the list of allowed services. The latter only works if you did not change the ssh port: if you moved ssh from 22 to any other port, you should not allow ssh by name, you should open that port instead.

So to allow ssh by port we use the following command:

miki@miki-kvm:~$ sudo ufw allow 22/tcp
Rule added
Rule added (v6)

We see it added both an IPv4 and an IPv6 rule. To remove the rule, type the following command:

miki@miki-kvm:~$ sudo ufw delete allow 22/tcp
[sudo] password for miki:
Rule deleted
Rule deleted (v6)

This deletes the rule, but does not necessarily block the port. If the default policy has that port open, deleting the rule simply leaves the default policy in effect. As mentioned, ssh access can also be allowed by service name, so let's do that now:

miki@miki-kvm:~$ sudo ufw allow ssh
Rule added
Rule added (v6)

To see all the services that can be allowed or denied by name, use this command:

less /etc/services

Starting the ufw firewall

To activate the firewall, use the following command:

sudo ufw enable

You might get the following warning:

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

The firewall is now active and will start on every boot. We can look at the firewall rules again:

sudo ufw status

[Screenshot: ufw status reporting the firewall as active]

How to allow connections in ufw

In ufw you can easily allow incoming connections by port or port range, by application name, by IP address or subnet, and by interface.

a) Allow an application by name or by port number / range

sudo ufw allow ssh          (or: sudo ufw allow 22/tcp)
sudo ufw allow ftp          (or: sudo ufw allow 21/tcp)
sudo ufw allow https        (or: sudo ufw allow 443)
sudo ufw allow 1500:2000/tcp

b) Allow an IP address / subnet

The commands below allow connections from a specific IP address or subnet; a destination port can be given as well:

sudo ufw allow from 192.168.1.15
sudo ufw allow from 192.168.1.15 to any port 22
sudo ufw allow from 192.168.1.15/24

c) Allow by interface name

Connections can also be allowed by the interface they arrive on:

sudo ufw allow in on eth0 to any port 80

How to deny connections in ufw

By default, ufw is configured to deny all incoming connections.

a) Deny by IP address / subnet

To block a specific IP address from accessing the host, use the following command:

sudo ufw deny from 192.168.1.15

This blocks all incoming connections from the host with IP address 192.168.1.15.

Next, let's block an entire subnet:

sudo ufw deny from 150.165.125.0/24

This blocks all connections coming from this subnet.

b) Deny by port or application

sudo ufw deny 80/tcp

sudo ufw deny http

sudo ufw deny 1500:2000/tcp

This denies a whole port range.

How to delete rules and keep track of them

When you add many rules, it is easier to keep track of them by viewing their numbers. You can get the numbers with the following command:

sudo ufw status numbered

[Screenshot: output of ufw status numbered]

Let's say we want to delete rule number 2. We do that with the following command:

sudo ufw delete 2

If you want to delete rule number 3 as well, don't use number 3, because deleting rule 2 has shifted the numbers: what was rule 3 is now rule 2. Instead, run the status numbered command again and check the new numbers, or delete the rule by specifying the rule itself, as below:

sudo ufw delete allow ftp

Logging and reloading

To enable logging, use the following command:

sudo ufw logging on

If you want to disable logging for some reason (not recommended), use this command:

sudo ufw logging off

Logs are written to /var/log/ufw.log by default. To follow them in real time, use tail -f like this:

sudo tail -f /var/log/ufw.log

You will see all actions of the firewall in that file. If you need to reload the firewall for some reason, for example because you changed some config files manually, use the following command:

sudo ufw reload
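The log lines written when logging is on are only useful if someone reads them. As an added example (not part of the original article), the following POSIX shell function counts the [UFW BLOCK] entries per source address and destination port so repeated probes stand out; the sample log lines are constructed in the /var/log/ufw.log layout, not a real capture, and the MAC and ID values in them are made up.

```shell
#!/bin/sh
# Summarise the [UFW BLOCK] lines that "ufw logging on" writes to /var/log/ufw.log:
# one output line per (source, protocol/destination port), most frequent first.
# Reads log text on stdin; other entries (e.g. [UFW AUDIT]) are ignored.
ufw_block_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {          # fields look like SRC=..., PROTO=..., DPT=...
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            if (src != "") count[src " " proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample lines in the format of /var/log/ufw.log (not a real capture).
SAMPLE_LOG='Oct 27 10:12:33 miki-kvm kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.15 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54321 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 27 10:12:34 miki-kvm kernel: [ 1235.567890] [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.15 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54322 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 27 10:12:35 miki-kvm kernel: [ 1236.567890] [UFW AUDIT] IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 PROTO=TCP SPT=5000 DPT=80
Oct 27 10:12:36 miki-kvm kernel: [ 1237.567890] [UFW BLOCK] IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=53 DPT=101 LEN=28'

# Run the summary over the constructed sample (on a real host: sudo cat /var/log/ufw.log | ufw_block_summary).
summarise_sample() { printf '%s\n' "$SAMPLE_LOG" | ufw_block_summary; }
summarise_sample
```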

To see the rules that were added recently:

sudo ufw show added

UFW config files

For most scenarios the terminal commands are enough, but in some cases you may want to edit the config files directly. ufw has several config files, namely:

/etc/ufw/before.rules

/etc/ufw/before6.rules

These two files hold rules that are evaluated before all the rules you added with ufw commands, so if you want a rule to be applied first, it belongs there. The first file is for IPv4 and the second one for IPv6.

/etc/ufw/after.rules

/etc/ufw/after6.rules

These are evaluated after the rules added with ufw commands. They are useful if you want to override a rule and have it applied no matter what. Again there are two files, one for each version of the IP protocol in current use.

/etc/default/ufw

Here we find the kernel modules that ufw loads, as well as other general settings. You can edit any of these config files only as root, with any text editor you like.

Avoid adding duplicate rules

Next, let's look at the mechanism against duplicate rules. We will first open port 100:

miki@miki-kvm:~$ sudo ufw allow 100

Note that a command without a protocol, like the one above, opens both the UDP and the TCP port. So let's run the same command again to see what happens:

miki@miki-kvm:~$ sudo ufw allow 100
Skipping adding existing rule
Skipping adding existing rule (v6)

It does not let us add a duplicate rule. That is good, but there is still a chance of adding an overlapping rule with this series of commands:

sudo ufw allow 101/udp
sudo ufw allow 101/tcp

After allowing both TCP and UDP on port 101 we can still open port 101 for all protocols, and this is effectively a duplicate rule: port 101 is now opened twice, once for each protocol and once for all of them.

sudo ufw allow 101

This leaves room for error and is generally not good practice. We need to undo all three commands with ufw delete if we want to return to the default for port 101.

To close a port, run the same commands, just type deny instead of allow.
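ufw only refuses exact duplicates, so the overlap shown above (101/tcp, 101/udp and a bare 101) has to be found by reading the numbered rule list. As an added example (not part of the original article) that also ties in with the "status numbered" section above, this POSIX shell function parses the output of ufw status numbered and reports every bare-port rule that coexists with protocol-specific rules for the same port, action, source and IP version; the sample status text is constructed in that layout, not a real capture.

```shell
#!/bin/sh
# Flag overlapping rules in "ufw status numbered" output: a bare-port rule ("101") that
# coexists with "101/tcp" or "101/udp" rules having the same action, source and IP version.
# Reads the status text on stdin and prints one line per overlapping bare-port rule.
ufw_overlapping_rules() {
    awk '
        /^\[ *[0-9]+\]/ {
            line = $0
            ver = (line ~ /\(v6\)/) ? "v6" : "v4"
            gsub(/\(v6\)/, "", line)
            gsub(/\[/, " ", line); gsub(/\]/, " ", line)
            n = split(line, f, " ")                       # num, to, action [IN|OUT], from...
            num = f[1]; to = f[2]; action = f[3]; i = 4
            if (f[i] == "IN" || f[i] == "OUT") { action = action " " f[i]; i++ }
            from = f[i]; for (i++; i <= n; i++) from = from " " f[i]
            port = to; proto = "any"
            if (split(to, p, "/") == 2) { port = p[1]; proto = p[2] }
            key = port "|" action "|" from "|" ver
            rule[key, proto] = num; keys[key] = port
        }
        END {
            for (k in keys) {
                if (!((k, "any") in rule)) continue
                hit = ""
                if ((k, "tcp") in rule) hit = hit " rule " rule[k, "tcp"] " (" keys[k] "/tcp)"
                if ((k, "udp") in rule) hit = hit " rule " rule[k, "udp"] " (" keys[k] "/udp)"
                if (hit != "") printf "rule %s (%s) also covers:%s\n", rule[k, "any"], keys[k], hit
            }
        }
    ' | sort -n -k2
}

# Constructed sample in the layout of "sudo ufw status numbered" (not a real capture).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 101/udp                    ALLOW IN    Anywhere
[ 3] 101/tcp                    ALLOW IN    Anywhere
[ 4] 101                        ALLOW IN    Anywhere
[ 5] 80/tcp                     DENY IN     192.168.1.15
[ 6] 80                         ALLOW IN    Anywhere
[ 7] 101/udp (v6)               ALLOW IN    Anywhere (v6)
[ 8] 101 (v6)                   ALLOW IN    Anywhere (v6)'

check_sample() { printf '%s\n' "$SAMPLE_STATUS" | ufw_overlapping_rules; }
check_sample
```

On a live host run sudo ufw status numbered | ufw_overlapping_rules; rule 6 in the sample is not reported because rule 5 has a different action and source.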

Conclusion

Those are the most important commands for understanding how Uncomplicated Firewall works and how you can use it to secure your system. Even though it is uncomplicated, ufw is still a firewall, which means it is a very powerful piece of software and we could not possibly cover all of its aspects in one article. For more information, you may want to check the Ubuntu community page on ufw. That is all for this article, thank you for reading and have a nice day.
