If you’re new to Linux, you might have heard of UFW or Uncomplicated Firewall. As the name suggests, UFW is a simple and user-friendly tool that allows you to manage your Linux firewall.
In this article, we’ll go over some UFW essentials and explanations to help you get started.
What is a Firewall?
A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between your computer or network and the internet or other networks.
Why Use UFW?
UFW is a front-end to iptables, the Linux netfilter firewall. It comes pre-installed on Ubuntu and is packaged for most other distributions, and it simplifies managing the firewall by providing a small, readable command-line interface instead of raw iptables rules.
UFW Essentials
Installation
UFW is pre-installed on Ubuntu. If it is not installed on your system, you can install it on Debian-based distributions with the following command:
$ sudo apt-get install ufw
Basic Syntax
UFW commands take one of two shapes. Management commands take no rule argument:
$ sudo ufw [option]
Rule commands name an action and a target:
$ sudo ufw [allow/deny] [port/protocol]
Here’s a breakdown of the syntax:
sudo – runs the command with root privileges, which UFW needs in order to change the firewall
ufw – the UFW command
[option] – management options such as enable, disable, status, reset, reload
[allow/deny] – whether to allow or deny the traffic
[port/protocol] – the port number and/or protocol to be allowed or denied, for example 22/tcp
Checking the Status
To check the status of UFW, run the following command:
$ sudo ufw status
This shows whether UFW is active and the rules currently in effect. Status: inactive means no rules are enforced, even if some have been defined. sudo ufw status verbose additionally shows the default policies and the logging level.
Enabling and Disabling UFW
To enable UFW, run the following command:
$ sudo ufw enable
Because the default incoming policy is deny, enabling UFW on a remote machine that you reach over SSH will cut off your session unless a rule allowing SSH already exists. Add a rule allowing port 22/tcp (or the OpenSSH application profile) first, then enable.
To disable UFW, run the following command:
$ sudo ufw disable
Default Policies
UFW ships with default policies that deny all incoming traffic and allow all outgoing traffic. They are stored in /etc/default/ufw and take effect as soon as UFW is enabled; any rule you add explicitly takes precedence over them. You can change the default policies using the following commands:
$ sudo ufw default allow [incoming/outgoing]
$ sudo ufw default deny [incoming/outgoing]
For a server, keep incoming at deny and open only the ports the host actually serves.
Allowing and Denying Traffic
To allow traffic to a specific port, run the following command:
$ sudo ufw allow [port/protocol]
To deny traffic to a specific port, run the following command:
$ sudo ufw deny [port/protocol]
Block an IP Address
To block all incoming connections that originate from a specific IP address, run the following command, replacing the IP address with the one that you want to block:
$ sudo ufw deny from 192.168.10.224
Output:
Rule added
In this example, from 192.168.10.224 specifies a source IP address of 192.168.10.224.
If you run sudo ufw status now, you’ll see the specified IP address listed as denied:
Output:
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   DENY        192.168.10.224
This rule blocks incoming connections from the specified address. UFW rules apply to incoming traffic unless you add the out keyword, so connections your own machine initiates towards that address are still governed by the outgoing default policy, which is allow. Rules are matched in the order they are listed, so place a deny like this before any broader allow rule that would otherwise match the same traffic.
You can also block connections from a whole subnet by giving the network in CIDR notation instead of a single host, such as 192.168.10.0/24.
Allow an IP Address
To allow all incoming connections that originate from a specific IP address, run the following command, replacing the IP address with the one that you want to allow access:
$ sudo ufw allow from 192.168.10.224
Output:
Rule added
If you run sudo ufw status now, you’ll see output similar to this, showing the word ALLOW next to the IP address you just added:
Output:
Status: active

To                         Action      From
--                         ------      ----
...
Anywhere                   ALLOW       192.168.10.224
Note that this allows every port for that address. If you only want to expose one service to it, add the port as well, for example with to any port 22 proto tcp after the source, rather than opening everything.
You can also allow connections from a whole subnet by giving the network in CIDR notation instead of a single host, such as 192.168.10.0/24.
Delete UFW Rule
To delete a rule that you previously set up within UFW, use ufw delete followed by the rule (allow or deny) and the target specification, written exactly as when the rule was added. The following example would delete a rule previously set to allow all connections from an IP address of 192.168.10.224:
$ sudo ufw delete allow from 192.168.10.224
Output:
Rule deleted
Another way to specify which rule you want to delete is by providing the rule ID. This information can be obtained with the following command:
$ sudo ufw status numbered
Output:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     192.168.10.220
[ 2] Anywhere on eth0           ALLOW IN    192.168.10.222
From the output, you can see that there are two active rules. The first rule denies all incoming connections from the IP address 192.168.10.220. The second rule allows connections on the eth0 interface coming in from the IP address 192.168.10.222.
Because the default incoming policy already blocks all external access unless explicitly allowed, and no later allow rule matches 192.168.10.220, the first rule is redundant, so you can remove it. It would stop being redundant if you later added a broad allow rule covering that address (for example its whole subnet), because UFW evaluates rules in order and an earlier deny wins. To delete a rule by its ID, run:
$ sudo ufw delete 1
You will be prompted to confirm the operation; check that the rule shown is the one you meant to delete.
Output:
Deleting:
 deny from 192.168.10.220
Proceed with operation (y|n)? y
Rule deleted
If you list your rules again with sudo ufw status numbered, you’ll see that the rule was removed and that the remaining rules have been renumbered. Rule IDs are not stable, so re-run status numbered before deleting another rule by number, and when removing several rules at once delete the highest number first.
List Available Application Profiles
Upon installation, applications that rely on network communications will typically ship a UFW application profile (a file under /etc/ufw/applications.d) that you can use to allow connections from external addresses. Allowing a profile has the same effect as running ufw allow with the service’s port numbers, with the advantage of providing a shortcut that abstracts the specific ports a service uses and gives the rule a readable name in the rule list.
To list which profiles are currently available, run the following:
$ sudo ufw app list
Output:
Available applications:
  OpenSSH
On remote servers you’ll typically have OpenSSH readily available. If you installed a service such as a web server or other network-dependent software and no profile appeared here, first make sure the service is installed and enabled. Before trusting a profile, check which ports it opens with sudo ufw app info OpenSSH (substituting the profile name); then allow it with sudo ufw allow OpenSSH, and it will appear under that name in ufw status.
Allow All Incoming HTTP/HTTPS (port 80 / 443)
Web servers, such as Apache and Nginx, typically listen for HTTP requests on port 80 and for HTTPS on port 443. If your default policy for incoming traffic is set to deny, you’ll need UFW rules that allow external access to those ports. You can use either the port number or the service name from /etc/services (http, https) as the parameter.
To allow all incoming HTTP and HTTPS connections by service name, run:
$ sudo ufw allow http
$ sudo ufw allow https
Output:
Rule added
Rule added (v6)
The second line shows that UFW also added the matching IPv6 rule, which it does whenever IPV6=yes is set in /etc/default/ufw.
An alternative syntax is to specify the port numbers. When you list more than one port in a single rule, UFW requires the protocol to be given explicitly:
$ sudo ufw allow 80,443/tcp
Naming the protocol is also the tighter rule: a bare port such as sudo ufw allow 80 opens both TCP and UDP on that port.
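The steps above (set the default policies, allow SSH before enabling, open the web ports, enable, verify) are usually run together when a new server is brought up. The following script, added here as an example and not code from the original article, performs that sequence in the safe order. It assumes the host is reached over SSH on port 22 (override with SSH_PORT) and uses ufw limit for the SSH rule, which rate-limits repeated connection attempts from one address; with DRY_RUN=1 it only prints the commands it would run, which is how plan_is_safe checks that the SSH rule precedes the enable step without touching the firewall.

```shell
#!/bin/sh
# Added example: baseline UFW setup for a remote host managed over SSH.
# Not from the original article. Assumptions: SSH on $SSH_PORT (default 22),
# sudo available. DRY_RUN=1 prints the commands instead of executing them.
SSH_PORT="${SSH_PORT:-22}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD ARGS...: execute with sudo, or print the command in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        sudo "$@"
    fi
}

# ufw_baseline [port/proto ...]: defaults, SSH rule, extra services, enable.
ufw_baseline() {
    # Default policies first: nothing in, everything out.
    run ufw default deny incoming
    run ufw default allow outgoing
    # Allow (rate-limited) SSH BEFORE enabling; otherwise enabling with a
    # deny-incoming default drops the session you are typing in.
    run ufw limit "${SSH_PORT}/tcp"
    # Additional services are passed as port/proto arguments, e.g. 80/tcp 443/tcp.
    for svc in "$@"; do
        run ufw allow "$svc"
    done
    # --force answers the "may disrupt existing ssh connections" prompt.
    run ufw --force enable
    # Verbose status shows the default policies as well as the rules.
    run ufw status verbose
}

# plan_is_safe [port/proto ...]: generate the dry-run plan and confirm the
# SSH rule is added before the enable step. Returns non-zero otherwise.
plan_is_safe() {
    plan=$(DRY_RUN=1; ufw_baseline "$@")
    ssh_line=$(printf '%s\n' "$plan" | grep -n "ufw limit ${SSH_PORT}/tcp" | cut -d: -f1)
    enable_line=$(printf '%s\n' "$plan" | grep -n "ufw --force enable" | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$enable_line" ] && [ "$ssh_line" -lt "$enable_line" ]
}

# Apply only when explicitly asked, e.g.:
#   sh ufw-baseline.sh --apply 80/tcp 443/tcp
#   DRY_RUN=1 sh ufw-baseline.sh --apply 80/tcp 443/tcp   (print only)
if [ "${1:-}" = "--apply" ]; then
    shift
    ufw_baseline "$@"
fi
```

The dry-run plan for 80/tcp 443/tcp starts with ufw default deny incoming, contains ufw limit 22/tcp before ufw --force enable, and ends with ufw status verbose. Running the same script with --apply and without DRY_RUN executes each line through sudo.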
Conclusion
UFW is a powerful and easy-to-use tool that allows you to manage your Linux firewall. With the UFW essentials and explanations provided in this article, you should now have a good understanding of how to get started with UFW.
Remember to always be cautious when configuring your firewall, and only allow traffic that is necessary for your system to function properly.
One Reply to “Firewall UFW : A beginner’s Guide”
Thanks for sharing, this information has prompted some questions, that I am looking to refine, then prepare a question or two.