Firewall is important security component of every operating system. Linux kernel has great packet filtering and port filtering framework which is called Netfilter. To have a complete firewall, the userspace command line frontends have been created. Most well known framework for managing Netfilter framework is iptables. However, some users find it too hard to master which prompted developers to write alternatives. Red Hat wrote firewalld while canonical wrote Uncomplicated Firewall, or ufw. The ufw is regular component of every Ubuntu install since 8.04 release. In this article we will show how to setup and use ufw on Ubuntu 16.10
Checking status of ufw and enabling it
To see whether ufw is running, we issue the following command:
sudo ufw status
First lets setup default rules:
sudo ufw default allow outgoing
sudo ufw default deny incoming
This will allow all outgoing traffic and deny incoming traffic.
Before we enable ufw, we normally want to allow ssh access. There are two ways of doing this. You can add ssh port 22 to list of open incoming ports, or you can add ssh service to list of allowed services. In later case, it will only work if you didn't change ssh port. If you moved the ssh from 22 to any other port, you shouldn't allow ssh by name, you should open that port instead.
So to allow ssh by port we will use following command
miki@miki-kvm:~$ sudo ufw allow 22/tcp
Rule added (v6)
We see it added both ipv4 and ipv6 rule. To remove the rule you type the following command:
miki@miki-kvm:~$ sudo ufw delete allow 22/tcp
[sudo] password for miki:
Rule deleted (v6)
This deletes the rule, but does not necessarily blocks the port. If default rule have that port open, then delete rule will load default rule. As mentioned, ssh access can also be allowed by service name, so lets do that now:
miki@miki-kvm:~$ sudo ufw allow ssh
Rule added (v6)
To see all service that can be allowed or denied by name, use this command
Starting ufw firewall
To activate the firewall use following command:
sudo ufw enable
You might get following warning
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Firewall is now active and it will start on every boot. We can look at firewall rules again:
sudo ufw status
How allow connections in ufw
You can easily allow incoming connection on port/range, application name, ip address/ subnet in ufw.
a) Allow application by name or port number/ range
sudo ufw allow ssh or sudo ufw allow 22/tcp
sudo ufw allow ftp or sudo ufw allow 21/tcp
sudo ufw allow https or sudo ufw allow 443
sudo ufw allow 1500:2000/tcp
b) Allow IP Address / Subnets
Below commands allows to allow connection from specific ip or subnets and also we can use specific port numbers
sudo ufw allow from 192.168.1.15
sudo ufw allow from 192.168.1.15 to any port 22
sudo ufw allow from 192.168.1.15/24
c) Allow by interface name
If we need to allow connections via interface name its possible
sudo ufw allow in on eth0 to any port 80
How to deny connections in ufw
By default ufw configured to deny all incoming connections.
a) IP Address / subnet
If we want to block some specific ip address from accessing, we can do that by following command:
sudo ufw deny from 192.168.1.15
This will block all incoming connections from host with ip address 192.168.1.15
Next lets block entire subnet:
sudo ufw deny from 184.108.40.206/24
This will block all connections coming from this subnet.
b) Deny port and application
sudo ufw deny 80/tcp
sudo ufw deny http
sudo ufw deny 1500:2000/tcp *This will deny port ranges*
How to delete / get track of rules
When you add many rules, you can better get track of them by viewing their numbers. You can get numbers by following command:
sudo ufw status numbered
Lets say we want to delete rules number 2. We do that by following command:
sudo ufw delete 2
If you want to delete rule number 3 as well, don't use number 3, as deletion of number two have shifted numbers. Instead, you do status numbered command again and check new numbers. Instead you can delete just using rule itself as below
sudo ufw delete allow ftp
Logging and reloading
To enable logging use following command:
sudo ufw logging on
If you want to disable logging for some reason (not recommended), you can use this command:
sudo ufw logging off
Logs are by default in /var/log/ufw.log. To see them in real time, use tail -f like this:
sudo tail -f /var/log/ufw.log
You will see all actions of firewall in that file. If you need to reload firewall for some reason, because you changed some config files manually, use following command.
sudo ufw reload
If you want to see rules that are added recently
sudo ufw show added
UFW config files
For most scenarios, you can use terminal commands, but in some cases you would want to edit config files directly. The ufw have multiple config files, namely:
Those two files hold rules that are evaluated before all rules that you added by ufw commands. So if you want some rule to be applied first, you want it there. First file is for ipv4 and second one is for v6
These are evaluated after ufw command rules. They are good to use if you want to override some rule and have it applied no matter what. Again, two files, for two versions of IP protocol that are currently used.
Here we have kernel modules that ufw uses, as well as other general settings. You can edit any of this config files only as root, and you can use any text editor you like.
Avoid adding duplicate rules
Next lets observe mechanism against duplicate rules. We will first open port 101
miki@miki-kvm:~$ sudo ufw allow 100
Note that command without protocol like above, opens both udp and tcp port. So lets run the same command again to see what happens
miki@miki-kvm:~$ sudo ufw allow 100
Skipping adding existing rule
Skipping adding existing rule (v6)
It doesn't allow us to add duplicate rule. That is good, but there is still chance we can add duplicate rule, by this series of commands:
sudo ufw allow 101/udp
sudo ufw allow 101/tcp
After allowing both tcp and udp on port 101 we can still add open port 101 for all protocols and this is duplicate rule as port 101 is opened twice, once for each protocol and once for all of them.
sudo ufw allow 101
This leaves room for error and it generally it is not a good practice. We need to undo all three commands with ufw delete command if we want to return for default for port 101.
For closing some port, you run same commands, just instead allow, type deny.
Those are most important command for understanding how Uncomplicated Firewall works and how you can use it to secure your system. Even though it is uncomplicated, the ufw is still a firewall, which means it is very powerful piece of software and we could not possibly cover all the aspects of it in one article. For more info, you might want to check ubuntu community page on ufw. This is all for this article, thank you for reading and have a nice day.