September 19, 2016

Install and Configure UFW Firewall on Ubuntu 16.04


Introduction

Security is a very important thing to consider when you run your own server. UFW (Uncomplicated Firewall) is a front end for managing firewall rules, and it is easy to use for host-based firewalls. UFW is driven from the command line and aims to make firewall configuration simple.

Iptables is one of the most popular firewall tools used by system administrators. It manages and secures incoming and outgoing connections on the server, but iptables runs in console mode and is complex to manage and configure. UFW is a front end for managing an iptables-based firewall on Ubuntu: it provides a framework for managing netfilter rules, as well as a command-line interface for controlling the firewall rules.

You can allow and block services by port, network interface and source IP address using UFW. If you are a beginner looking to get started with securing your server, then UFW is the right choice for you.

In this tutorial, we will learn the UFW commands and their options to secure various services on Ubuntu 16.04.

Prerequisites

  • Ubuntu 16.04 installed on your system
  • A non-root user account with sudo privileges set up on your system

Installing UFW

In Ubuntu 16.04, UFW is installed by default. If not, you can easily install it by running the following command:

sudo apt-get install ufw

You can also check the status of UFW by running the following command:

sudo ufw status

You should see the following output:

    Status: inactive

If you see the above output, it means UFW is not active. You can enable it by running the following command:

sudo ufw enable

You should see the following output:

    Firewall is active and enabled on system startup

To disable it, run the following command:

sudo ufw disable

List Out the Current UFW Rules

You can list the default firewall rules by using the following command:

sudo ufw status verbose

You should see the following output:

    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), deny (routed)
    New profiles: skip

Note that by default every incoming connection is denied, while outgoing connections are allowed.

Allow Incoming Connections

If you want to access your system from a remote machine, you will need to allow SSH connections. Add this rule before enabling the firewall over an SSH session; otherwise the default deny policy will cut off your session.

You can allow SSH by running the following command:

sudo ufw allow ssh

or

sudo ufw allow 22/tcp

Output:

    Rule added
    Rule added (v6)

Now, check the status of ufw:

sudo ufw status

You should see output like this:

    Status: active

    To                         Action      From
    --                         ------      ----
    22                         ALLOW       Anywhere
    22/tcp                     ALLOW       Anywhere
    22 (v6)                    ALLOW       Anywhere (v6)
    22/tcp (v6)                ALLOW       Anywhere (v6)

Deny Incoming Connections

If you want to deny access to a certain port, use the following format:

sudo ufw deny "Port/Protocol"

For example, you can deny access to port 80 by running the following command:

sudo ufw deny 80/tcp

Allow Port Range

You can also add port ranges to the rules. For example, to allow TCP ports 2100 to 2200, run the following command:

sudo ufw allow 2100:2200/tcp

Now, check the status of ufw:

sudo ufw status

You should see the following output:

    Status: active

    To                         Action      From
    --                         ------      ----
    22                         ALLOW       Anywhere
    22/tcp                     ALLOW       Anywhere
    80/tcp                     DENY        Anywhere
    2200:2300/tcp              ALLOW       Anywhere
    22 (v6)                    ALLOW       Anywhere (v6)
    22/tcp (v6)                ALLOW       Anywhere (v6)
    80/tcp (v6)                DENY        Anywhere (v6)
    2100:2200/tcp (v6)         ALLOW       Anywhere (v6)

Application Profiles

You can list the application profiles available on your local system by running the following command:

sudo ufw app list

Output:

    Available applications:
      Apache
      Apache Full
      Apache Secure
      CUPS
      Nginx Full
      Nginx HTTP
      Nginx HTTPS
      OpenSSH
      Samba

To show information about a profile and the rules it contains, run the following command:

sudo ufw app info "App Name"

For example, to see information about the Apache profile, run the following command:

sudo ufw app info Apache

Output:

    Profile: Apache
    Title: Web Server
    Description: Apache v2 is the next generation of the omnipresent Apache web
    server.

    Port:
      80/tcp

Allow Access from Specific IP Addresses

You can also allow access to a specific port from a specific IP address only. For example, to allow the IP address 192.168.0.10 to access port 22, run the following command:

sudo ufw allow from 192.168.0.10 to any port 22

Deleting UFW Rules

You can also delete specific ufw rules. First list the rules with their numbers, then remove the one you want.

Run the following command to list the ufw rules:

sudo ufw status numbered

Output:

    Status: active

         To                         Action      From
         --                         ------      ----
    [ 1] 22                         ALLOW IN    Anywhere
    [ 2] 22/tcp                     ALLOW IN    Anywhere
    [ 3] 80/tcp                     DENY IN     Anywhere
    [ 4] 2200:2300/tcp              ALLOW IN    Anywhere
    [ 5] 22                         ALLOW IN    192.168.0.15
    [ 6] 22 (v6)                    ALLOW IN    Anywhere (v6)
    [ 7] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
    [ 8] 80/tcp (v6)                DENY IN     Anywhere (v6)
    [ 9] 2200:2300/tcp (v6)         ALLOW IN    Anywhere (v6)

Now, to remove any of these rules, use its number:

sudo ufw delete [number]

For example, to remove rule number 3, run the following command (the number is given without brackets):

sudo ufw delete 3
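When several rules have to be removed, the numbering shifts after every deletion, so deleting in ascending order removes the wrong rules. The following shell script is an added example and not part of the original tutorial: it parses the text of `sudo ufw status numbered` (a constructed sample mirroring the table above is embedded) and prints the matching rule numbers, and the corresponding delete commands, in descending order so that each number is still valid when its turn comes. The function names and the `SAMPLE_STATUS` variable are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): select numbered ufw
# rules by pattern and emit delete commands highest-number-first, so that
# deleting one rule does not renumber the rules still to be deleted.
# SAMPLE_STATUS is constructed to mirror the tutorial's `ufw status numbered`
# output; on a real host pass "$(sudo ufw status numbered)" instead.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp                     DENY IN     Anywhere
[ 4] 2200:2300/tcp              ALLOW IN    Anywhere
[ 5] 22                         ALLOW IN    192.168.0.15
[ 6] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 7] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 80/tcp (v6)                DENY IN     Anywhere (v6)
[ 9] 2200:2300/tcp (v6)         ALLOW IN    Anywhere (v6)'

# rule_numbers_matching <status-text> <extended-regex>
# Prints the numbers of the rule lines matching the regex, one per line,
# sorted in descending numeric order.
rule_numbers_matching() {
    printf '%s\n' "$1" \
      | grep -E '^\[ *[0-9]+\]' \
      | grep -E -- "$2" \
      | sed -E 's/^\[ *([0-9]+)\].*/\1/' \
      | sort -rn
}

# delete_commands <status-text> <extended-regex>
# Prints one `sudo ufw delete N` per matching rule, in the safe order.
delete_commands() {
    rule_numbers_matching "$1" "$2" | while read -r n; do
        printf 'sudo ufw delete %s\n' "$n"
    done
}

# Stand-alone usage: show which commands would remove every DENY rule.
# To apply them for real, pipe the output into sh, for example:
#   delete_commands "$(sudo ufw status numbered)" 'DENY IN' | sh
delete_commands "$SAMPLE_STATUS" 'DENY IN'
```

The script only prints commands; reviewing the list before piping it into `sh` is the intended workflow. Because the rule numbers come from a single snapshot of the status output, run it again rather than reusing an old list if rules have been added or removed in between.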

If you need to go back to the default settings, type the following command. This will revert all of your changes and disable the firewall until you enable it again.

sudo ufw reset

Logging UFW Firewall Events

Firewall logs are necessary for troubleshooting your firewall rules and for noticing unusual activity on your network, so you should enable logging in your firewall. The ufw log file is located at /var/log/ufw.log.

You can turn on logging by running the following command:

sudo ufw logging on

You can turn off logging by running the following command:

sudo ufw logging off

UFW supports multiple logging levels: low, medium and high. The default ufw log level is low.

You can set a different log level by running the following command with one of the three levels:

sudo ufw logging low|medium|high

  • low: logs all blocked packets not matching the default policy, as well as packets matching rules that have logging enabled.
  • medium: logs everything in low, plus all allowed packets not matching the default policy, all INVALID packets, and all new connections.
  • high: logs everything in medium, plus all packets, with rate limiting applied to the log output.
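Once logging is on, the useful questions are which sources are being blocked most often and which destination ports they are probing. The following shell script is an added example and not part of the original tutorial: it summarises the `[UFW BLOCK]` entries from the log by source address and by destination port, and lists sources that exceed a threshold. The `SAMPLE_LOG` lines are constructed in the netfilter log format (a subset of the fields a real kernel log line carries); the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): summarise the
# "[UFW BLOCK]" entries that ufw logging writes to /var/log/ufw.log.
# SAMPLE_LOG holds constructed lines using a subset of the real netfilter
# log fields; on a real host use "$(cat /var/log/ufw.log)" instead.
SAMPLE_LOG='Sep 19 10:15:32 srv kernel: [ 1234.5678] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=54 PROTO=TCP SPT=44321 DPT=23 SYN URGP=0
Sep 19 10:15:33 srv kernel: [ 1235.0001] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=54 PROTO=TCP SPT=44322 DPT=3389 SYN URGP=0
Sep 19 10:15:40 srv kernel: [ 1242.1111] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=49 PROTO=TCP SPT=51000 DPT=23 SYN URGP=0
Sep 19 10:16:01 srv kernel: [ 1263.2222] [UFW ALLOW] IN=eth0 OUT= SRC=192.168.0.10 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=50001 DPT=22 SYN URGP=0
Sep 19 10:16:05 srv kernel: [ 1267.3333] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 TTL=54 PROTO=UDP SPT=5060 DPT=5060 LEN=28'

# blocked_by_source <log-text>
# Prints "count source-address" for each source with blocked packets,
# most frequent first. Only [UFW BLOCK] lines are counted.
blocked_by_source() {
    printf '%s\n' "$1" \
      | grep '\[UFW BLOCK\]' \
      | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# blocked_by_port <log-text>
# Prints "count port/proto" (for example "2 23/tcp") for each blocked
# destination port, most frequent first.
blocked_by_port() {
    printf '%s\n' "$1" \
      | grep '\[UFW BLOCK\]' \
      | awk '{
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            if (dpt != "") print dpt "/" proto
        }' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# sources_over_threshold <log-text> <n>
# Prints the source addresses with more than n blocked packets; a simple
# starting point for deciding which sources deserve a closer look.
sources_over_threshold() {
    blocked_by_source "$1" | awk -v n="$2" '$1 > n { print $2 }'
}

# Stand-alone usage: print both summaries for the sample log.
echo "Blocked packets by source:"
blocked_by_source "$SAMPLE_LOG"
echo "Blocked packets by destination port:"
blocked_by_port "$SAMPLE_LOG"
```

The three functions are plain pipelines over standard tools, so they run unchanged on a host with only the base system installed. At the medium and high levels the log also contains `[UFW ALLOW]` and `[UFW AUDIT]` entries, which the `grep` step deliberately excludes so that the counts reflect only what the firewall dropped.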

UFW Graphical Interface

GUFW is a graphical interface for ufw. By default, Ubuntu 16.04 does not come with GUFW, but you can install it from the Ubuntu repository.

You can install it by simply running the following command:

sudo apt-get install gufw

Advanced UFW Rules

Since ufw is a front end to iptables, it can express any rule iptables can, but only simple rules can be added from the command line. More advanced rules are added by editing ufw's configuration files:

  1. /etc/default/ufw : the main ufw config file for the default policy and kernel modules.
  2. /etc/ufw/before.rules : rules in this file are evaluated before any rules added via the ufw command.
  3. /etc/ufw/after.rules : rules in this file are evaluated after any rules added via the ufw command.

By default UFW allows DHCP, ping and loopback traffic. You can disallow these by editing the before.rules file.

sudo nano /etc/ufw/before.rules

Comment out the following lines (shown here as they look once commented out). Note that commenting out the two loopback lines also blocks local services that talk to each other over 127.0.0.1, so on most servers only the ICMP echo-request and DHCP lines are disabled:

    #-A ufw-before-input -i lo -j ACCEPT
    #-A ufw-before-output -o lo -j ACCEPT

    #-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    #-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    #-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    #-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    #-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

    #-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

Save the file, then disable and re-enable ufw to apply the changes:

sudo ufw disable && sudo ufw enable

UFW Help

To list all available ufw commands, run the following command:

sudo ufw -h

Output:

    Usage: ufw COMMAND

    Commands:
     enable                          enables the firewall
     disable                         disables the firewall
     default ARG                     set default policy
     logging LEVEL                   set logging to LEVEL
     allow ARGS                      add allow rule
     deny ARGS                       add deny rule
     reject ARGS                     add reject rule
     limit ARGS                      add limit rule
     delete RULE|NUM                 delete RULE
     insert NUM RULE                 insert RULE at NUM
     reload                          reload firewall
     reset                           reset firewall
     status                          show firewall status
     status numbered                 show firewall status as numbered list of RULES
     status verbose                  show verbose firewall status
     show ARG                        show firewall report
     version                         display version information

    Application profile commands:
     app list                        list application profiles
     app info PROFILE                show information on PROFILE
     app update PROFILE              update PROFILE
     app default ARG                 set default application policy

Conclusion

Now you have enough knowledge to install and configure the UFW firewall on your server. UFW is a very flexible tool, so you can use it in a production environment with options beyond those covered here to match your specific needs.
