Install And Learn How To Use ufw Firewall In Linux

December 14, 2013

Ubuntu does not have many open ports by default, but there are times when you want to restrict access to a port (or ports) or to a specific IP address. Maybe you run an SSH server on your Ubuntu machine and want to block everyone from connecting to it except yourself. Have you ever thought about how to accomplish such things, or tried to do it? You need a firewall for that. In this article I will explain what a firewall is and teach you how to use the ufw Ubuntu firewall by giving real-world examples.


Firewalls

What Is A Firewall?

A firewall creates a barrier between your computer and the internet to make sure no malicious software can access your services and to stop your machine from sending harmful data to others. There are two types of firewalls, software firewalls and physical (hardware) firewalls. One can use a firewall to stop people in a company from accessing Facebook, or to protect a home network. Since traffic into or out of a computer passes through ports, we can use a tool such as a firewall to open or close these ports.

How Does A Firewall Work In Linux?

All modern Linux firewalls use the netfilter subsystem, which is included in the Linux kernel. This subsystem decides the fate of your network packets: it manipulates, accepts or rejects them. The kernel's netfilter is managed through iptables; you can add rules to create your own firewall for your Linux machine. To be honest, managing netfilter with iptables is very hard for a beginner or an intermediate Linux user, so there are many front-ends that let a user interact with iptables more easily. One of them is ufw.

What Is UFW?

ufw is a firewall designed for the Ubuntu Linux distribution, but it is also available in other distros. It is known as the Uncomplicated Firewall because it is a front-end for iptables and, compared with iptables, very easy to use even for a beginner. There is also a graphical version of the ufw firewall, but I will not cover it in this article. If you like, you can read more about this graphical version on the Ubuntu documentation web page.

Install, Configure And Learn To Use The UFW

The ufw Ubuntu firewall is available through apt-get, so run the following command to install it on your Ubuntu machine.

sudo apt-get install ufw

oltjano@oltjano-X55CR:~/test$ sudo apt-get install ufw
Reading package lists... Done
Building dependency tree

Reading state information... Done
The following packages were automatically installed and are no longer required:
language-pack-kde-en apt-show-versions python-socksipy language-pack-kde-en-base kde-l10n-engb libauthen-pam-perl libssh2-1 libiso9660-8
libio-pty-perl libvcdinfo0
Use 'apt-get autoremove' to remove them.
The following NEW packages will be installed:
ufw
0 upgraded, 1 newly installed, 0 to remove and 65 not upgraded.
Need to get 153 kB of archives.
After this operation, 694 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
ufw
Install these packages without verification [y/N]? y
Get:1 http://us.archive.ubuntu.com/ubuntu/ precise/main ufw all 0.31.1-1 [153 kB]
Fetched 153 kB in 1s (117 kB/s)
Preconfiguring packages ...
Selecting previously unselected package ufw.
(Reading database ... 280809 files and directories currently installed.)
Unpacking ufw (from .../archives/ufw_0.31.1-1_all.deb) ...
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Setting up ufw (0.31.1-1) ...

Once the firewall is installed, we need to check its status with the following command. Is our ufw firewall enabled or disabled?

sudo ufw status

oltjano@oltjano-X55CR:~/test$ sudo ufw status
Status: inactive

As you can see from the above output, our firewall is disabled, so in order to protect our machine we should first enable it. Enable the ufw firewall with the following command.

sudo ufw enable

To see if the firewall is in active mode, you need to run the ‘sudo ufw status’ command again.

oltjano@oltjano-X55CR:~/test$ sudo ufw status
Status: active
oltjano@oltjano-X55CR:~/test$

What are the default rules of the ufw firewall?

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

ufw's default rules allow us to reach the outside world (outgoing connections) but do not allow incoming connections, which means that if someone tries to connect to our machine they will not be able to reach us. Can I SSH to my server? No, you can't! The reason is that we are blocking all incoming connections to our machine.

Do you want to allow outside users to connect to your SSH server? Then add the following rule to ufw.

sudo ufw allow ssh

root@oltjano-X55CR:~# sudo ufw allow ssh
Rule added
Rule added (v6)

Check the status of your firewall to verify that you have updated your rules.

oltjano@oltjano-X55CR:~/test$ sudo ufw status
Status: active

To Action From
-- ------ ----
22 ALLOW Anywhere
22 ALLOW Anywhere (v6)

Let's try to deny outgoing connections. What do you think is going to happen?

root@oltjano-X55CR:~# sudo ufw default deny outgoing
Default outgoing policy changed to 'deny'
(be sure to update your rules accordingly)

Oops, I cannot reach Google anymore. Run the following command to allow outgoing connections again.

oltjano@oltjano-X55CR:~/test$ sudo ufw default allow outgoing
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)

Deny incoming connections to your SSH server. You can use any service you like, but I am using ssh since I have an OpenSSH server running on my Ubuntu 12.04 LTS machine.

oltjano@oltjano-X55CR:~/test$ sudo ufw deny ssh
Rule updated
Rule updated (v6)

To make sure everything is as you want it to be, check your firewall status.

oltjano@oltjano-X55CR:~/test$ sudo ufw status
Status: active

To Action From
-- ------ ----
22 DENY Anywhere
80 DENY Anywhere
22 DENY Anywhere (v6)
80 DENY Anywhere (v6)

Suppose you have a friend and have created an SSH account for him on your server, but you don't want to allow incoming connections from anywhere. You can use the following command to limit incoming connections to a specific IP address (replace the placeholder with the address you want to allow).

sudo ufw allow from <ip-address>

oltjano@oltjano-X55CR:~/test$ sudo ufw allow from 192.168.0.13
Rule added

Never forget to check your ufw firewall status. It is the best way to get information about your rules: is my firewall allowing incoming connections from 192.168.0.13 or not?

To Action From
-- ------ ----
22 DENY Anywhere
80 DENY Anywhere
Anywhere ALLOW 192.168.0.13
22 DENY Anywhere (v6)
80 DENY Anywhere (v6)

As you can see, the machine with the IP address 192.168.0.13 is allowed to reach my machine on any port. There are many times when you change your mind and want to reset your firewall. The reset command resets all rules to the installed defaults.

oltjano@oltjano-X55CR:~/test$ sudo ufw reset
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Backing up 'user.rules' to '/lib/ufw/user.rules.20131112_124424'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20131112_124424'
Backing up 'user6.rules' to '/lib/ufw/user6.rules.20131112_124424'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20131112_124424'
Backing up 'after.rules' to '/etc/ufw/after.rules.20131112_124424'
Backing up 'before.rules' to '/etc/ufw/before.rules.20131112_124424'

Your friendship has ended and you want to deny access to your friend, but you still want to keep your SSH server running. It is very simple; just type the following command and everything should be OK.

oltjano@oltjano-X55CR:~/test$ sudo ufw deny from 192.168.0.13
Rules updated

Check if the rule was added or not.

oltjano@oltjano-X55CR:~/test$ sudo ufw status
Status: active

To Action From
-- ------ ----
Anywhere DENY 192.168.0.13

Do you want to disable your firewall?

oltjano@oltjano-X55CR:~/test$ sudo ufw disable
Firewall stopped and disabled on system startup

Delete a rule with the delete command.

root@oltjano-X55CR:/home/oltjano/test# ufw allow 53
Rule added
Rule added (v6)

root@oltjano-X55CR:/home/oltjano/test# ufw status
Status: active

To Action From
-- ------ ----
Anywhere DENY 192.168.0.13
53 ALLOW Anywhere
53 ALLOW Anywhere (v6)

root@oltjano-X55CR:/home/oltjano/test# ufw delete allow 53
Rule deleted
Rule deleted (v6)

Deny all traffic to tcp port 80 on your host.

root@oltjano-X55CR:/home/oltjano/test# ufw deny proto tcp from any to any port 80
Rule added
Rule added (v6)

The Uncomplicated Firewall can also be used with multiple ports; just make sure the port list is numeric and that the ports are separated by commas with no spaces between them.

root@oltjano-X55CR:/home/oltjano/test# ufw allow proto tcp from any to any port 80,8080
Rule added
Rule added (v6)

Be careful, because if you want to remove port '8080' from the above example you have to delete the whole rule. You cannot delete only '8080'. To make this easy to understand, try the following command in your terminal after you have added the rule shown above.

ufw delete proto tcp from any to any port 8080

Does it work? It doesn't for me. Now try another command.

root@oltjano-X55CR:/home/oltjano/test# ufw delete allow proto tcp from any to any port 80,8080
Rule deleted
Rule deleted (v6)

The command shown above works because we deleted exactly the rule we added; the previous one did not work because the firewall had no rule matching 'proto tcp from any to any port 8080'.

A very useful feature I would like to share with the computer geeks out there is connection rate limiting, which is useful for protecting against brute-force login attacks. Is someone out there trying to brute-force your SSH server, and are you looking for a simple but powerful solution? ufw can be used to deny connections from any IP address that has attempted to initiate 6 or more connections in the last 30 seconds.

root@oltjano-X55CR:/home/oltjano/test# ufw limit ssh/tcp
Rule added
Skipping unsupported IPv6 'limit' rule

Reject connections to the auth service.

root@oltjano-X55CR:/home/oltjano/test# sudo ufw reject auth
Rule added
Rule added (v6)

Now you know that to delete a rule you just prefix the original rule with delete. For example, if we want to delete the rule we just added, we use the following command.

root@oltjano-X55CR:/home/oltjano/test# sudo ufw delete reject auth
Rule deleted
Rule deleted (v6)

A short and fast way to delete rules is by number. For example, if you want to delete rule number 13, use the 'ufw delete 13' command. To find the number of a rule, run the command shown below.

root@oltjano-X55CR:~# ufw status numbered
Status: active

To Action From
-- ------ ----
[ 1] 80/tcp DENY IN Anywhere
[ 2] 22/tcp LIMIT IN Anywhere
[ 3] 80/tcp DENY IN Anywhere (v6)

So if I want to delete the '80/tcp DENY IN Anywhere' rule, I just type the following command.

ufw delete 1

root@oltjano-X55CR:~# ufw delete 1
Deleting:
deny 80/tcp
Proceed with operation (y|n)? y
Rule deleted
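Deleting by number is convenient, but ufw renumbers the remaining rules after every deletion, and (as the 80,8080 example showed) it only deletes an exact match. The POSIX shell script below is an added example, not code from the original article: it parses `ufw status numbered` output so that every rule matching one port spec is deleted from the highest number down, and it flags 'allow from <ip>' rules that open every port to one host. The status text it works on is a constructed sample, and the `ufw --force delete N` call only runs when APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the original article. Parses `ufw status numbered`
# so rules matching one port spec can be deleted by number from the highest number
# down (ufw renumbers the remaining rules after each deletion) and so ALLOW rules
# that open every port to one host can be spotted. UFW_SAMPLE is constructed, not captured live.
UFW_SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80/tcp                     DENY IN     Anywhere
[ 2] 22/tcp                     LIMIT IN    Anywhere
[ 3] Anywhere                   ALLOW IN    192.168.0.13
[ 4] 80/tcp                     DENY IN     Anywhere (v6)
[ 5] 22                         ALLOW       Anywhere (v6)'

# parse_rules STATUS_TEXT: emit one "num|to|action|from" line per rule.
parse_rules() {
  printf '%s\n' "$1" | awk '
    /^\[ *[0-9]+\]/ {
      sub(/^\[ */, "")               # strip "[ " so $1 becomes "N]"
      n = $1; sub(/\]/, "", n)
      to = $2
      # Action is one word on older ufw ("ALLOW") or two on newer ("DENY IN").
      if ($4 == "IN" || $4 == "OUT" || $4 == "FWD") { act = $3 " " $4; i = 5 }
      else { act = $3; i = 4 }
      from = $i; for (j = i + 1; j <= NF; j++) from = from " " $j
      print n "|" to "|" act "|" from
    }'
}

# delete_by_to PORTSPEC STATUS_TEXT: print, or run when APPLY=1, one
# `ufw delete N` per rule whose To column equals PORTSPEC exactly. ufw deletes
# exact matches only, which is why deleting "8080" cannot trim an "80,8080" rule.
delete_by_to() {
  parse_rules "$2" | awk -F'|' -v want="$1" '$2 == want { print $1 }' | sort -rn |
    while read -r n; do
      if [ "${APPLY:-0}" = 1 ]; then ufw --force delete "$n"; else echo "ufw delete $n"; fi
    done
}

# broad_allow_rules STATUS_TEXT: emit "num|source" for ALLOW rules whose To is
# Anywhere, i.e. a host allowed on every port (what `ufw allow from <ip>` adds).
broad_allow_rules() {
  parse_rules "$1" | awk -F'|' '$2 == "Anywhere" && $3 ~ /^ALLOW/ { print $1 "|" $4 }'
}

# Live use: delete_by_to 80/tcp "$(sudo ufw status numbered)"
delete_by_to 80/tcp "$UFW_SAMPLE"
broad_allow_rules "$UFW_SAMPLE"
```

Against the sample the script prints `ufw delete 4` before `ufw delete 1`, so rule 1 still has that number when its turn comes.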

Conclusion

We went through different examples and saw ufw in action. This firewall is very good for Linux users who take security seriously and want to improve their command-line skills. There are many other things you can accomplish with the ufw firewall, but it would take days to write about them. Since you are reading the conclusion, I believe you have liked the information this article provided. I also think that many new Linux users out there will find this ufw article very helpful.

Filed Under : FIREWALL, LINUX HOWTO


Comments (3)


  1. Richard says:

    Hello, I am using Kali Linux; it doesn't come with a firewall, as I have just learned. The problem is that when I installed the Gufw firewall the only way I can see it on my computer is to open a terminal, and it pulls up with errors. And when I run a test to make sure Gufw is working it responds back (Active), but if I close the terminal the Gufw firewall also closes. The Gufw firewall, when opened by view, looks not active as it would be in Ubuntu or Kubuntu. I need help because there are only 2 firewalls that I know of and both are not working with Kali Linux.

    root@kali:~# gufw
    (gufw.py:6560): Gtk-WARNING **: Theme parsing error: gtk-widgets.css:80:18: Horizontal and vertical offsets are required
    (gufw.py:6560): Gtk-WARNING **: Theme parsing error: gtk-widgets.css:279:28: 'px' is not a valid color name
    (gufw.py:6560): Gtk-WARNING **: Theme parsing error: gtk-widgets.css:309:28: 'px' is not a valid color name
    (gufw.py:6560): Gtk-WARNING **: Theme parsing error: gtk-widgets.css:680:28: 'px' is not a valid color name
    (gufw.py:6560): Gtk-WARNING **: Theme parsing error: gtk-widgets.css:697:24: Horizontal and vertical offsets are required
    (gufw.py:6560): Gtk-WARNING **: Theme parsing error: gtk-widgets.css:714:29: 'px' is not a valid color name
    (gufw.py:6560): Gtk-WARNING **: Theme parsing error: gtk-widgets.css:731:23: Horizontal and vertical offsets are required
    (gufw.py:6560): Gtk-WARNING **: Theme parsing error: gtk-widgets.css:752:28: 'px' is not a valid color name
    (gufw.py:6560): Gtk-WARNING **: Theme parsing error: gtk-widgets.css:760:28: 'px' is not a valid color name
    (gufw.py:6560): Gtk-WARNING **: Theme parsing error: gtk-widgets.css:768:28: 'px' is not a valid color name
    (gufw.py:6560): Gtk-WARNING **: Theme parsing error: gtk-widgets.css:844:18: Horizontal and vertical offsets are required
    (gufw.py:6560): Gtk-WARNING **: Theme parsing error: lightdm-gtk-greeter.css:8:23: Horizontal and vertical offsets are required
    (gufw.py:6560): Gtk-WARNING **: Theme parsing error: lightdm-gtk-greeter.css:79:28: 'px' is not a valid color name
    (gufw.py:6560): Gtk-WARNING **: Theme parsing error: lightdm-gtk-greeter.css:104:23: Horizontal and vertical offsets are required

  2. nilesh says:

    While executing the shell command "ufw status && ufw enable" I am getting the error message below.

    iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
