How to Setup UFW Firewall on Ubuntu 18.04

In this article, I'll show you how to setup UFW firewall on Ubuntu 18.04. In Ubuntu, the default firewall is UFW, short for Uncomplicated FireWall. It has been around since Ubuntu 18.04 release and was built to simplify iptables configuration which was quite complex.

When using any operating, a firewall is one of the most important features one must consider as far as security of your system is concerned. A firewall is a shield or barrier that exists between your PC and the internet and blocks unauthorized traffic like remote access to your system and helps to protect against malicious code that constantly transverses through the internet. A firewall can either be hardware or software. A hardware firewall is a standalone firewall system that's placed in the network to add a protective layer by controlling the flow of traffic to and from the network as well as block unwanted sites from being accessed by users. A software firewall is built into operating systems like Linux and Windows and helps to keep your system safe from external attacks.

Read also :

Installation of UFW

By default, Ubuntu 18.04 comes with ufw installed. However, for earlier systems, you'd have to run the command below

apt-get install ufw

To check whether ufw is running run

systemctl status ufw

If it is running, you should get the output below

● ufw.service - Uncomplicated firewall
   Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enab
   Active: active (exited) since Tue 2018-04-10 22:03:30 UTC; 4min 1s ago
  Process: 376 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/SU
 Main PID: 376 (code=exited, status=0/SUCCESS)
    Tasks: 0
   Memory: 0B
      CPU: 0
   CGroup: /system.slice/ufw.service

Apr 10 22:03:30 ip-172-31-41-251 systemd[1]: Started Uncomplicated firewall.
Warning: Journal has been rotated since unit was started. Log output is incomple

To check whether it's active or inactive run

ufw status

If it is inactive, you'll get the output below

Status: inactive

To turn UFW on with the default set of rules run

ufw enable

To disable the firewall run

ufw disable

Setting up default ufw rules

To set up default rules that allow all outgoing protocols, log in as root and run

ufw default allow outgoing

Output

Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)

To deny all incoming connections, run

ufw default deny incoming

Output

Default outgoing policy changed to 'deny'
(be sure to update your rules accordingly)

The above commands will allow all outgoing connections and deny or block all incoming connections.
At this point, you may want to enable the firewall, however before you don that, allow ssh first. This prevents disconnection to the server since we specified the denial of all incoming connections earlier on.

To allow ssh, run

ufw allow 22/tcp

Outgoing

Skipping adding existing rule
Skipping adding existing rule (v6)

ssh access can also be allowed by service name,

ufw allow ssh

If you want to remove the rule run

ufw delete allow 22/ssh

To deny a service by name run

ufw deny service-name

For instance

ufw deny ssh

To see all services that can be allowed or denied in the system check out the /etc/services file.

cat /etc/services | less

Sample output

ftp-data        20/tcp
ftp             21/tcp
fsp             21/udp          fspd
ssh             22/tcp                          # SSH Remote Login Protocol
ssh             22/udp
telnet          23/tcp
smtp            25/tcp          mail
time            37/tcp          timserver
time            37/udp          timserver
rlp             39/udp          resource        # resource location
nameserver      42/tcp          name            # IEN 116
whois           43/tcp          nicname
tacacs          49/tcp                          # Login Host Protocol (TACACS)
tacacs          49/udp
re-mail-ck      50/tcp                          # Remote Mail Checking Protocol
re-mail-ck      50/udp
domain          53/tcp                          # Domain Name Server
domain          53/udp

Starting ufw firewall

To activate the firewall log in as root and run following command:

 ufw enable

You may be prompted with the following warning

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y

If you select yes, you'll get the output below

Firewall is active and enabled on system startup

Firewall is now active and it will start on every boot. We can look at firewall rules again:

ufw status

The output now will display the status of the firewall plus the services/ports allowed

Output

ufw status active
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22                         ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)

Allowing connections in ufw

You can easily allow incoming connection on port/range, application name, ip address/ subnet in ufw.
Check out the examples below.

a) Allowing applications by name or port number/ range

ufw allow service-name

OR

ufw allow port/tcp

For example

 ufw allow ssh or  ufw allow 22/tcp
 ufw allow ftp or ufw allow 21/tcp

sudo ufw allow 1500:2000/tcp

b) Allows IP Address / Subnets

Below commands allows connections from specific IP or subnets and also we can use specific port numbers.
To allow connections from a specific IP address

ufw allow from 10.200.20.45

To specify an IP which is allowed to connect to a specific port run

ufw allow from 10.200.20.45 to any port 22

The above allows IP address 10.200.20.45 only to connect via ssh

To allow a certain subnet of IPs to connect to the system use the CIDR notation for specifying a netmask

ufw allow from 192.168.1.0/24

The above allows IPs from 192.168.1 to 192.168.1.254 to connect to the system
You can also specify the destination port of the subnet

ufw allow from 192.168.1.0/24 to any port 22

This implies IPs from 192.168.1 to 192.168.1.254 can connect to the system via port 22 which is ssh.

c) Allow by the interface name

If we need to allow connections via interface name its possible

ufw allow in on eth0 to any port 80

How to deny connections in ufw

By default ufw configured to deny all incoming connections.

a) IP Address / subnet

If we want to block some specific ip address from accessing, we can do that by following command:

ufw deny from 192.168.1.15

This will block all incoming connections from host with ip address 192.168.1.15

Next llet'sblock entire subnet:

ufw deny from 150.165.125.0/24

This will block all connections coming from this subnet.

b) Deny ports and application

To deny a port or a service

ufw deny 80/tcp

OR

ufw deny http

sudo ufw deny 1500:2000/tcp *This will deny port ranges*

Deleting and getting track of rules

When you add many rules, you can better get track of them by viewing their numbers. You can get numbers by the following command:

ufw status numbered

Output

ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 22                         ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 53/tcp                     ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 7] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 53/tcp (v6)                ALLOW IN    Anywhere (v6)

Lets say we want to delete rules number 2. We do that by following command:

 ufw delete 2

Note :

After deletion of the second rule in the firewall, rule 3 will now be the new rule 2. So if you want to delete the current rule 3, you'll delete using number 2.

 ufw delete allow http

Resetting rules

If you are unhappy with the current rules and you want to start all over, you can do so by running

ufw reset

Logging and reloading

To enable logging use following command:

 ufw logging on

If you want to disable logging for some reason (not recommended), you can use this command:

sudo ufw logging off

Logs are by default in /var/log/ufw.log To see them in real time, use tail -f like this:

tail -f /var/log/ufw.log /pre>

You will see all actions of firewall in that file. If you need to reload firewall for some reason, because you changed some config files manually, use following command.
 ufw reload

If you want to see rules that are added recently

 ufw show added

UFW config files

For most scenarios, you can use terminal commands, but in some cases, you would want to edit config files directly. The ufw have multiple config files, namely:

/etc/ufw/before.rules
/etc/ufw/before6.rules

Those two files hold rules that are evaluated before all rules that you added by ufw commands. So if you want some rule to be applied first, you want it there. The first file is for ipv4 and second one is for v6

/etc/ufw/after.rules
/etc/ufw/after6.rules

These are evaluated after ufw command rules. They are good to use if you want to override some rule and have it applied no matter what. Again, two files, for two versions of IP protocol that are currently used.

/etc/default/ufw

Here we have kernel modules that ufw uses, as well as other general settings. You can edit any of this config files only as root, and you can use any text editor you like.

Avoid adding duplicate rules
Next lets observe mechanism against duplicate rules. We will first open port 101

 sudo ufw allow 100

Note that command without protocol like above opens both UDP and TCP port. So let's run the same command again to see what happens

 ufw allow 100

Output

Skipping adding existing rule
Skipping adding existing rule (v6)

It doesn't allow us to add a duplicate rule. That is good, but there is still a chance we can add a duplicate rule, by this series of commands:

 ufw allow 101/udp
 ufw allow 101/tcp

After allowing both TCP and UDP on port 101 we can still add open port 101 for all protocols and this is a duplicate rule as port 101 is opened twice, once for each protocol and once for all of them.

ufw allow 101

This leaves room for error and it generally it is not a good practice. We need to undo all three commands with ufw delete command if we want to return to default for port 101.

For closing some port, you run same commands, just instead allow, type deny.

In this article, we have covered the usage of UFW which is an uncomplicated firewall used for allowing or restricting traffic. It's a very powerful firewall for regulating traffic to your system. Feel free to try out the commands on your system.

Jamie Arthur 8:43 am

About Jamie Arthur

Hey, I'm James, a passionate Linux Systems administrator, and a tech enthusiast. I derive immense gratification in conducting research on Linux systems and keeping myself up to date with the latest in the technology world.

Author Archive Page

Have anything to say?

Your email address will not be published. Required fields are marked *

All comments are subject to moderation.