How do you do my dear Linux Yogis,
In today's article I am walking you through the process of setting up UFW (Uncomplicated FireWall) on your Ubuntu/Debian desktop or server. It is more and more important to protect your devices from rogue people and malicious software, and a firewall is just one step in the right direction.
Ubuntu provides a nifty firewall, UFW, which makes it fairly easy to set one up. The following command installs the UFW package for us:
sudo apt-get install ufw
The next step is only important if you use IPv6, so if you don't, just skip it.
sudo nano /etc/default/ufw
Now look for the IPV6 section and verify that the IPV6 variable is set for your environment. Possible values are "yes" or "no".
So by default UFW is installed but not active until we actually enable it. Let's have a quick look at the status so you can see for yourself. Run the following command to do so:
sudo ufw status verbose
It should report that the firewall is currently inactive.
Before we do anything else we have to set the default policies, which deny every incoming connection and allow every outgoing connection.
sudo ufw default deny incoming
which returns the following:
Default incoming policy changed to 'deny' (be sure to update your rules accordingly)
and now the other default policy:
sudo ufw default allow outgoing
and it should return the following:
Default outgoing policy changed to 'allow' (be sure to update your rules accordingly)
So far so good. If we activated it now our firewall would block all incoming traffic, which means for example that if an SSH or SMTP service were running on the machine it would not be reachable by anybody. So in order to let people use the services installed on this machine, let's poke some holes in our firewall. Let's focus on a few common services:
- Port: 20 Service Name: ftp-data
- Port: 21 Service Name: ftp
- Port: 22 Service Name: ssh
- Port: 25 Service Name: smtp
- Port: 53 Service Name: domain
- Port: 80 Service Name: http
- Port: 123 Service Name: ntp
- Port: 143 Service Name: imap2
- Port: 161 Service Name: snmp
- Port: 389 Service Name: ldap
- Port: 443 Service Name: https
- Port: 3306 Service Name: mysql
For a comprehensive list of ports and services have a look at your /etc/services file.
When setting up the rules we can use either the port number or the service name. The very first rule we should set up is for SSH, so that we keep remote access to the machine:
sudo ufw allow ssh
which should return something like the following:
Rules updated
Rules updated (v6)
Now you know how to open up all the ports you need. What about port ranges? No problem, we can specify port ranges as well, but before we do that we need to know whether the service uses TCP or UDP:
sudo ufw allow 5000:5010/udp
sudo ufw allow 5000:5010/tcp
How about only allowing certain IP addresses or subnets access to certain services, for example SSH? You don't want to grant SSH access from everywhere. Let's add a rule for a single IP first and then one for an entire subnet.
sudo ufw allow from 192.168.0.43
This would be too general, because it allows 192.168.0.43 access to all open services. Let's be more precise and add the service to it:
sudo ufw allow from 192.168.0.43 to any port 22
This allows 192.168.0.43 access only to port 22 (SSH), just what we need, right? Now let's do the same thing for an entire subnet.
sudo ufw allow from 192.168.0.0/24
This grants everybody in the subnet access to any available service. Now let's be more precise:
sudo ufw allow from 192.168.0.0/24 to any port 22
This would be great if you have an entire subnet of people who need SSH access to this server.
Now that you have added all the rules you need, let's activate our firewall:
sudo ufw enable
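Putting the steps above together, here is an added bash script of my own (not part of the original article and not code from the ufw project) that applies the default policies, the allow rules and the enable step from a small allow-list. It checks every port spec and source address before anything is handed to ufw, and with DRY_RUN=1 (the default) it only prints the commands, so the complete rule set can be reviewed before it goes live on a remote box. The entries in RULES and the 192.168.0.x addresses are constructed sample values, and the helper names (ufw_cmd, valid_port, valid_source, rule_args, apply_rules) and the DRY_RUN variable are my own choices.

```bash
#!/usr/bin/env bash
# Added example, not from the original article or the ufw project: apply the
# set-up described above (default policies, allow rules, enable) from a small
# allow-list, validating every port spec and source address before it reaches
# ufw.  With DRY_RUN=1 (the default here) the commands are printed instead of
# executed, so the whole rule set can be reviewed first.
set -euo pipefail
: "${DRY_RUN:=1}"

# Allow-list in "port-spec source" form.  Service names and addresses below
# are constructed sample values; "any" means no source restriction.
RULES='
ssh            192.168.0.0/24
http           any
https          any
5000:5010/tcp  192.168.0.43
'

# Run one ufw command, or just print it when DRY_RUN=1.
ufw_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'sudo ufw %s\n' "$*"
    else
        sudo ufw "$@"
    fi
}

# Port spec: a service name from /etc/services (ssh), a port (22), a port with
# protocol (22/tcp) or a range, which must carry its protocol (5000:5010/udp).
valid_port() {
    local spec=$1 ports proto p
    [[ $spec =~ ^[a-z][a-z0-9-]*$ ]] && return 0
    ports=${spec%%/*}
    proto=${spec#"$ports"}
    case $proto in ''|/tcp|/udp) ;; *) return 1 ;; esac
    [[ $ports == *:* && -z $proto ]] && return 1      # a range needs tcp or udp
    [[ $ports =~ ^[0-9]+(:[0-9]+)?$ ]] || return 1
    for p in ${ports//:/ }; do
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# Source: "any", an IPv4 address, or an IPv4 CIDR block (192.168.0.0/24).
valid_source() {
    local src=$1 addr mask o
    [ "$src" = any ] && return 0
    addr=${src%%/*}
    mask=${src#"$addr"}
    [[ $addr =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1
    for o in ${addr//./ }; do
        [ "$o" -le 255 ] || return 1
    done
    case $mask in
        '')                 return 0 ;;
        /[0-9]|/[0-9][0-9]) [ "${mask#/}" -le 32 ] ;;
        *)                  return 1 ;;
    esac
}

# Turn one allow-list entry into ufw arguments: the simple syntax for "any",
# otherwise the "from ... to any port ..." form used in the article, with a
# port's protocol written as "proto tcp" the way ufw's full syntax expects.
rule_args() {
    local spec=$1 src=$2 port proto
    if [ "$src" = any ]; then
        printf 'allow %s' "$spec"
        return 0
    fi
    port=${spec%%/*}
    proto=${spec#"$port"}
    if [ -n "$proto" ]; then
        printf 'allow from %s to any port %s proto %s' "$src" "$port" "${proto#/}"
    else
        printf 'allow from %s to any port %s' "$src" "$port"
    fi
}

# Default policies first, then every validated rule, then enable.
apply_rules() {
    local spec src
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    while read -r spec src; do
        [ -z "$spec" ] && continue                    # skip blank lines
        valid_port "$spec"  || { echo "bad port spec: $spec" >&2; return 1; }
        valid_source "$src" || { echo "bad source: $src" >&2; return 1; }
        # shellcheck disable=SC2046  # word-splitting rule_args output is intended
        ufw_cmd $(rule_args "$spec" "$src")
    done <<< "$RULES"
    ufw_cmd enable
}

apply_rules
```

Run it as `DRY_RUN=0 ./ufw-rules.sh` once the printed commands look right. Keep the SSH entry in the list when you work over a remote session: with the default incoming policy set to deny, enabling the firewall without an SSH rule locks you out of the machine.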
and to turn it off again, run the following command:
sudo ufw disable
You can see the status of our firewall with the following commands.
sudo ufw status
which returns the following:
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
Then there is the more detailed version:
sudo ufw status verbose
which returns something like this:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
The next one is very useful if you would like to remove a rule:
sudo ufw status numbered
which returns a list of rules with line numbers:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22 (v6)                    ALLOW IN    Anywhere (v6)
Let's go ahead and delete a rule by its line number:
sudo ufw delete 2
You can also delete a rule by specifying the rule itself:
sudo ufw delete allow ssh
In most cases when you have a firewall configured you will want to log the activity on it. We can turn logging on or off with the following commands:
sudo ufw logging on
sudo ufw logging off
We can also specify how much to log with the following log levels:
- off: disables ufw-managed logging
- low (default): logs all blocked packets not matching the defined policy (with rate limiting), as well as packets matching logged rules
- medium: log level low, plus all allowed packets not matching the defined policy, all INVALID packets, and all new connections. All logging is done with rate limiting.
- high: log level medium (without rate limiting), plus all packets with rate limiting
- full: log level high without rate limiting
The log file is located at /var/log/ufw.log
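To show what the log is actually good for, here is an added example of mine (not from the article or the ufw project) that summarises the [UFW BLOCK] entries per source address and picks out sources that knocked on many different ports, which is the sort of thing you would look at after turning logging on. The lines in SAMPLE_LOG are constructed in the field layout UFW writes to /var/log/ufw.log, using documentation-range addresses and trimmed to the fields the script reads; the function names blocked_sources and scan_suspects and the threshold argument are my own.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: summarise [UFW BLOCK] entries
# from /var/log/ufw.log per source address.  SAMPLE_LOG is constructed
# (documentation-range addresses) in the KEY=VALUE layout UFW writes.
set -euo pipefail

SAMPLE_LOG='Jan 26 14:32:05 server kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.10 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 SYN URGP=0
Jan 26 14:32:06 server kernel: [ 1235.001122] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.10 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=1024 SYN URGP=0
Jan 26 14:32:07 server kernel: [ 1236.002233] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.10 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=3306 WINDOW=1024 SYN URGP=0
Jan 26 14:32:09 server kernel: [ 1238.003344] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.4 DST=192.168.0.10 LEN=60 TTL=60 ID=1 DF PROTO=UDP SPT=40000 DPT=161 LEN=40
Jan 26 14:32:10 server kernel: [ 1239.004455] [UFW ALLOW] IN=eth0 OUT= SRC=192.168.0.43 DST=192.168.0.10 LEN=40 TTL=64 ID=2 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=1024 SYN URGP=0
Jan 26 14:32:11 server kernel: [ 1240.005566] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.10 LEN=40 TTL=52 ID=3 DF PROTO=TCP SPT=51237 DPT=22 WINDOW=1024 SYN URGP=0'

# Read ufw.log lines on stdin; print "SRC blocked_packets distinct_ports" for
# every source that hit a [UFW BLOCK] line, busiest source first.  Allowed
# traffic ([UFW ALLOW], logged at level medium and up) is ignored.
blocked_sources() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {            # fields look like KEY=VALUE
                n = index($i, "=")
                if (n == 0) continue               # DF, SYN, ... carry no value
                key = substr($i, 1, n - 1); val = substr($i, n + 1)
                if (key == "SRC") src = val
                else if (key == "DPT") dpt = val
                else if (key == "PROTO") proto = val
            }
            if (src == "") next
            hits[src]++
            k = src SUBSEP proto "/" dpt
            if (!(k in seen)) { seen[k] = 1; ports[src]++ }
        }
        END { for (s in hits) printf "%s %d %d\n", s, hits[s], ports[s] }
    ' | sort -k2,2nr -k1,1
}

# Sources blocked on at least MIN distinct ports: a cheap indicator of probing
# that deserves a closer look, not proof of anything on its own.
scan_suspects() {
    local min=${1:-3}
    blocked_sources | awk -v min="$min" '$3 >= min { print $1 }'
}

# Stand-alone run on the constructed sample; on a real host use
#   blocked_sources < /var/log/ufw.log
printf '%s\n' "$SAMPLE_LOG" | blocked_sources
```

The counts are per source and per distinct protocol/port pair, so a burst of retries against one port shows up as many packets but one port, while a source that walks across 22, 23 and 3306 stands out in the third column even with few packets.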
The last command I mention here is the one that lets you reset everything:
sudo ufw reset
It returns this:
Resetting all rules to installed defaults. Proceed with operation (y|n)?
and then it returns the following once you continue:
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20170126_143205'
Backing up 'before.rules' to '/etc/ufw/before.rules.20170126_143205'
Backing up 'after.rules' to '/etc/ufw/after.rules.20170126_143205'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20170126_143205'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20170126_143205'
Backing up 'user.rules' to '/etc/ufw/user.rules.20170126_143205'
All rules are backed up just in case and the firewall is clean, ready for you to configure it again or turn it off.
If you would like to know more about UFW, look at the man page for ufw with the following command:
man ufw
I hope you liked this article. Please leave a comment or register. If you have a question you can either use the contact form to ask it or add your question to our forum.
Thank you my friends until next time Namaste! 😀