In this article, I'll show you how to setup UFW firewall on Ubuntu 18.04. In Ubuntu, the default firewall is UFW, short for Uncomplicated FireWall. It has been around since Ubuntu 18.04 release and was built to simplify iptables configuration which was quite complex.
When using any operating, a firewall is one of the most important features one must consider as far as security of your system is concerned. A firewall is a shield or barrier that exists between your PC and the internet and blocks unauthorized traffic like remote access to your system and helps to protect against malicious code that constantly transverses through the internet. A firewall can either be hardware or software. A hardware firewall is a standalone firewall system that's placed in the network to add a protective layer by controlling the flow of traffic to and from the network as well as block unwanted sites from being accessed by users. A software firewall is built into operating systems like Linux and Windows and helps to keep your system safe from external attacks.
Read also :
Installation of UFW
By default, Ubuntu 18.04 comes with ufw installed. However, for earlier systems, you'd have to run the command below
apt-get install ufw
To check whether ufw is running run
systemctl status ufw
If it is running, you should get the output below
● ufw.service - Uncomplicated firewall Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enab Active: active (exited) since Tue 2018-04-10 22:03:30 UTC; 4min 1s ago Process: 376 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/SU Main PID: 376 (code=exited, status=0/SUCCESS) Tasks: 0 Memory: 0B CPU: 0 CGroup: /system.slice/ufw.service Apr 10 22:03:30 ip-172-31-41-251 systemd[1]: Started Uncomplicated firewall. Warning: Journal has been rotated since unit was started. Log output is incomple
To check whether it's active or inactive run
ufw status
If it is inactive, you'll get the output below
Status: inactive
To turn UFW on with the default set of rules run
ufw enable
To disable the firewall run
ufw disable
Setting up default ufw rules
To set up default rules that allow all outgoing protocols, log in as root and run
ufw default allow outgoing
Output
Default outgoing policy changed to 'allow' (be sure to update your rules accordingly)
To deny all incoming connections, run
ufw default deny incoming
Output
Default outgoing policy changed to 'deny' (be sure to update your rules accordingly)
The above commands will allow all outgoing connections and deny or block all incoming connections.
At this point, you may want to enable the firewall, however before you don that, allow ssh first. This prevents disconnection to the server since we specified the denial of all incoming connections earlier on.
To allow ssh, run
ufw allow 22/tcp
Outgoing
Skipping adding existing rule Skipping adding existing rule (v6)
ssh access can also be allowed by service name,
ufw allow ssh
If you want to remove the rule run
ufw delete allow 22/ssh
To deny a service by name run
ufw deny service-name
For instance
ufw deny ssh
To see all services that can be allowed or denied in the system check out the /etc/services
file.
cat /etc/services | less
Sample output
ftp-data 20/tcp ftp 21/tcp fsp 21/udp fspd ssh 22/tcp # SSH Remote Login Protocol ssh 22/udp telnet 23/tcp smtp 25/tcp mail time 37/tcp timserver time 37/udp timserver rlp 39/udp resource # resource location nameserver 42/tcp name # IEN 116 whois 43/tcp nicname tacacs 49/tcp # Login Host Protocol (TACACS) tacacs 49/udp re-mail-ck 50/tcp # Remote Mail Checking Protocol re-mail-ck 50/udp domain 53/tcp # Domain Name Server domain 53/udp
Starting ufw firewall
To activate the firewall log in as root and run following command:
ufw enable
You may be prompted with the following warning
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
If you select yes, you'll get the output below
Firewall is active and enabled on system startup
Firewall is now active and it will start on every boot. We can look at firewall rules again:
ufw status
The output now will display the status of the firewall plus the services/ports allowed
Output
ufw status active Status: active To Action From -- ------ ---- 22/tcp ALLOW Anywhere 22 ALLOW Anywhere 22/tcp (v6) ALLOW Anywhere (v6) 22 (v6) ALLOW Anywhere (v6)
Allowing connections in ufw
You can easily allow incoming connection on port/range, application name, ip address/ subnet in ufw.
Check out the examples below.
a) Allowing applications by name or port number/ range
ufw allow service-name
OR
ufw allow port/tcp
For example
ufw allow ssh or ufw allow 22/tcp
ufw allow ftp or ufw allow 21/tcp
sudo ufw allow 1500:2000/tcp
b) Allows IP Address / Subnets
Below commands allows connections from specific IP or subnets and also we can use specific port numbers.
To allow connections from a specific IP address
ufw allow from 10.200.20.45
To specify an IP which is allowed to connect to a specific port run
ufw allow from 10.200.20.45 to any port 22
The above allows IP address 10.200.20.45 only to connect via ssh
To allow a certain subnet of IPs to connect to the system use the CIDR notation for specifying a netmask
ufw allow from 192.168.1.0/24
The above allows IPs from 192.168.1 to 192.168.1.254 to connect to the system
You can also specify the destination port of the subnet
ufw allow from 192.168.1.0/24 to any port 22
This implies IPs from 192.168.1 to 192.168.1.254 can connect to the system via port 22 which is ssh.
c) Allow by the interface name
If we need to allow connections via interface name its possible
ufw allow in on eth0 to any port 80
How to deny connections in ufw
By default ufw configured to deny all incoming connections.
a) IP Address / subnet
If we want to block some specific ip address from accessing, we can do that by following command:
ufw deny from 192.168.1.15
This will block all incoming connections from host with ip address 192.168.1.15
Next llet'sblock entire subnet:
ufw deny from 150.165.125.0/24
This will block all connections coming from this subnet.
b) Deny ports and application
To deny a port or a service
ufw deny 80/tcp
OR
ufw deny http
sudo ufw deny 1500:2000/tcp *This will deny port ranges*
Deleting and getting track of rules
When you add many rules, you can better get track of them by viewing their numbers. You can get numbers by the following command:
ufw status numbered
Output
ufw status numbered Status: active To Action From -- ------ ---- [ 1] 22/tcp ALLOW IN Anywhere [ 2] 22 ALLOW IN Anywhere [ 3] 80/tcp ALLOW IN Anywhere [ 4] 53/tcp ALLOW IN Anywhere [ 5] 22/tcp (v6) ALLOW IN Anywhere (v6) [ 6] 22 (v6) ALLOW IN Anywhere (v6) [ 7] 80/tcp (v6) ALLOW IN Anywhere (v6) [ 8] 53/tcp (v6) ALLOW IN Anywhere (v6)
Lets say we want to delete rules number 2. We do that by following command:
ufw delete 2
Note :
After deletion of the second rule in the firewall, rule 3 will now be the new rule 2. So if you want to delete the current rule 3, you'll delete using number 2.
ufw delete allow http
Resetting rules
If you are unhappy with the current rules and you want to start all over, you can do so by running
ufw reset
Logging and reloading
To enable logging use following command:
ufw logging on
If you want to disable logging for some reason (not recommended), you can use this command:
sudo ufw logging off
Logs are by default in /var/log/ufw.log
To see them in real time, use tail -f like this:
tail -f /var/log/ufw.log /pre> You will see all actions of firewall in that file. If you need to reload firewall for some reason, because you changed some config files manually, use following command.
ufw reload
If you want to see rules that are added recently
ufw show added
UFW config files
For most scenarios, you can use terminal commands, but in some cases, you would want to edit config files directly. The ufw have multiple config files, namely:
/etc/ufw/before.rules
/etc/ufw/before6.rules
Those two files hold rules that are evaluated before all rules that you added by ufw commands. So if you want some rule to be applied first, you want it there. The first file is for ipv4 and second one is for v6
/etc/ufw/after.rules
/etc/ufw/after6.rules
These are evaluated after ufw command rules. They are good to use if you want to override some rule and have it applied no matter what. Again, two files, for two versions of IP protocol that are currently used.
/etc/default/ufw
Here we have kernel modules that ufw uses, as well as other general settings. You can edit any of this config files only as root, and you can use any text editor you like.
Avoid adding duplicate rules
Next lets observe mechanism against duplicate rules. We will first open port 101
sudo ufw allow 100
Note that command without protocol like above opens both UDP and TCP port. So let's run the same command again to see what happens
ufw allow 100
Output
Skipping adding existing rule Skipping adding existing rule (v6)
It doesn't allow us to add a duplicate rule. That is good, but there is still a chance we can add a duplicate rule, by this series of commands:
ufw allow 101/udp
ufw allow 101/tcp
After allowing both TCP and UDP on port 101 we can still add open port 101 for all protocols and this is a duplicate rule as port 101 is opened twice, once for each protocol and once for all of them.
ufw allow 101
This leaves room for error and it generally it is not a good practice. We need to undo all three commands with ufw delete command if we want to return to default for port 101.
For closing some port, you run same commands, just instead allow, type deny.
In this article, we have covered the usage of UFW which is an uncomplicated firewall used for allowing or restricting traffic. It's a very powerful firewall for regulating traffic to your system. Feel free to try out the commands on your system.