Uncomplicated Firewall or UFW is an interface to iptables that is designed to simplify the process of configuring a firewall. While iptables is a firm and flexible tool, it can be sometimes tricky for beginners to learn how to use it to properly configure a firewall. If a user is looking to get started securing his or her network, UFW may be the appropriate solution.
In this guide, we will learn how to configure firewall with UFW on Ubuntu 18.04.
Step 1: Set Up Default Policies
UFW is installed on Ubuntu by default. If it has been uninstalled for some reason, we can install it with the following command.
$ sudo apt install ufw
By default, UFW denies all incoming connections and allows all outgoing connections. It means that a client trying to reach our server would not be able to connect. When an application from our server tries to connect any other server outside, it will be allowed. The following commands serve the purpose.
$ sudo ufw default deny incoming $ sudo ufw default allow outgoing
Step 2: Allow SSH Connections
By default we have restricted all the incoming connections to our server as we can see in our previous step. To allow connections using secured SSH, we will use the following command.
$ sudo ufw allow ssh
The above command will create firewall rules that will allow all connections on port 22, which is the default port on which the SSH daemon listens. The UFW listens to port listed in the file file /etc/services.
If SSH daemon is configured on a port other than the default, we can specify that in our command to listen to that port. The following command listens to port 2222 in case if SSH is configured by us on it.
We can also specify protocol (tcp or udp) in our above command. It is optional. The above command is used for both protocols.
$ sudo ufw allow 2222
Step 3: Allow Specific Incoming Connections
To allow incoming connections on a specific port, we will use following commands to specify rule for UFW. For e.g., if we want our server to listen to HTTP on port 80, below is the command to execute.
$ sudo ufw allow http
It is equivalent to the following
$ sudo ufw allow 80
We can use any of the above for port 80. For HTTPS, any of the following commands will serve the purpose to allow to connect.
$ sudo ufw allow https
$ sudo ufw allow 443
We can specify a range of ports also, means more than one port. One thing to note is that we must specify protocol in the command (tcp or udp). The following command allows connections from ports 6000 to 6003 for both tcp and udp.
$ sudo ufw allow 6000:6003/tcp $ sudo ufw allow 6000:6003/udp
Step 4: Deny Incoming Connections
Sometimes we want to deny specific connections based on the source IP address. It is so because we sometimes know that our server is being attacked from there. So we will create a deny rule for the specific IP address. The following command denies connection from an IP address 184.108.40.206
$ sudo ufw deny from 220.127.116.11
Step 5: Enabling UFW
After all the UFW configurations, next step is to enable it. The following command serves the purpose.
$ sudo ufw enable
We will see a warning message after executing the above command. It will say that the command may disrupt existing SSH connections. But in this case, we have already set up a firewall rule that allows SSH connections, so it will not disrupt our configuration. We will enter y and hit ENTER key to apply. The firewall settings are applied now.
Step 6: Check Status of UFW
We can check the status with the following command.
$ sudo ufw status verbose
The following is the output when it is inactive.
In our case, it is active so the following will be output and results.
Status: active To Action From -- ------ ---- 22 ALLOW IN Anywhere 80 ALLOW IN Anywhere 443 ALLOW IN Anywhere 2222 ALLOW IN Anywhere 6000:6003/tcp ALLOW IN Anywhere 6000:6003/udp ALLOW IN Anywhere Anywhere DENY 18.104.22.168
In this article, we have configured firewall with the help of powerful UFW tool. With it’s help, we have defined SSH, HTTP and HTTPS incoming connections to be allowed. We have also specified a rule to deny incoming connection from a specific IP address. We can also check the status of our rules which we have created.