Create a firewall for your Desktop or Server with UFW

How do you do, my dear Linux Yogis,

in today's illustration I am walking you through setting up UFW (Uncomplicated Firewall) on your Ubuntu/Debian desktop or server. It is more and more important to protect your devices from rogue people and malicious software, and a host firewall is one step in the right direction: it makes sure only the services you deliberately expose are reachable from the network.

Ubuntu provides a nifty firewall front end, UFW, which wraps the kernel packet filter (iptables/netfilter) in a few readable commands. On most Ubuntu releases it is already installed; if it is not, or you are on Debian, the following command installs the package:

sudo apt-get install ufw

The next step concerns IPv6. Open the UFW defaults file:

sudo nano /etc/default/ufw

Look for the IPV6 variable and verify that it is set correctly for your environment. Possible values are "yes" and "no". Leave it at "yes" unless IPv6 is disabled on the host: with IPV6=no, UFW does not manage IPv6 rules at all, so a machine that has a global IPv6 address would be reachable on every port over IPv6 regardless of the rules we add below.

IPV6=yes

UFW is installed inactive: nothing is filtered until we actually enable it. Let's have a quick look at the status so you can see for yourself. Run the following command to do so:

sudo ufw status verbose

It should return the following:

Status: inactive

Before we do anything else we set the default policies: deny every incoming connection and allow every outgoing connection. Everything that follows pokes explicit holes into that "deny incoming" default.

sudo ufw default deny incoming

which returns the following:

Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)

and now the other default policy:

sudo ufw default allow outgoing

which should return the following:

Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)

So far so good. If we activated the firewall now it would block all incoming traffic, which means that if, for example, an SSH or SMTP service were running on the machine, nobody could reach it. So in order to let people use the services installed on this machine, let's poke some holes in our firewall. Let's focus on a few common services:

  • FTP
    • Port: 20 Service Name: ftp-data
    • Port: 21 Service Name: ftp
  • SSH
    • Port: 22 Service Name: ssh
  • SMTP
    • Port: 25 Service Name: smtp
  • DNS
    • Port: 53 Service Name: domain
  • HTTP
    • Port: 80 Service Name: http
  • NTP
    • Port: 123 Service Name: ntp
  • IMAP (listed in /etc/services under the historical name imap2)
    • Port: 143 Service Name: imap2
  • SNMP
    • Port: 161 Service Name: snmp
  • LDAP
    • Port: 389 Service Name: ldap
  • HTTPS
    • Port: 443 Service Name: https
  • MySQL
    • Port: 3306 Service Name: mysql

For a comprehensive list of ports and services have a look at your /etc/services file. That file also records the protocol (tcp, udp or both) for each name, and ufw uses that entry when you allow a service by name.

When setting up the rules we can use either the port number or the service name. The very first rule we should set up is SSH, so that we keep remote access to the machine and do not lock ourselves out when the firewall goes live.

sudo ufw allow ssh

which should return something like the following:

Rules updated
Rules updated (v6)

Now you know how to open up all the ports you need. What about port ranges? No problem, we can specify port ranges as well, but for a range we must say whether it is tcp or udp:

sudo ufw allow 5000:5010/udp
sudo ufw allow 5000:5010/tcp

How about allowing only certain IP addresses or subnets access to certain services, for example SSH? You don't want to grant SSH access from everywhere. Let's add a rule for a single IP first and then one for an entire subnet.

sudo ufw allow from 192.168.0.43

This is too general, because it allows 192.168.0.43 access to all open services. Let's be more precise and add the service to it:

sudo ufw allow from 192.168.0.43 to any port 22

This allows 192.168.0.43 access only to port 22 (SSH), just what we need, right? Now let's do the same thing for an entire subnet.

sudo ufw allow from 192.168.0.0/24

This grants everybody in the subnet access to any available service. Now let's be more precise:

sudo ufw allow from 192.168.0.0/24 to any port 22

This is great if you have an entire subnet of people who need SSH access to this server. Keep in mind that allow rules are additive: if the unrestricted "allow ssh" rule from above is still present, port 22 stays open to everyone, so delete that rule (see the delete commands below) once the subnet rule is in place.

Now that you have added all the rules you need, let's activate our firewall. If you are connected over SSH, ufw warns that the command may disrupt existing SSH connections and asks you to confirm; that is fine as long as your SSH rule is in place. Enabling also makes the firewall start on boot.

sudo ufw enable

and to turn it off again (this also stops it from starting on boot), run the following command:

sudo ufw disable
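To tie the default policies, the service rules, the subnet restriction and the enable step together, here is an added example script (written for this article, not code from the original post or from the UFW project). It first prints the ufw commands as a plan you can review, refuses to apply them if /etc/default/ufw says IPV6=no while the host holds a global IPv6 address, and only executes them when called with --apply. The management subnet 192.168.0.0/24 and the public services http and https are assumed values; change them via the ADMIN_SUBNET and PUBLIC_SERVICES environment variables.

```shell
#!/usr/bin/env bash
# Added example for this article, not code from the original post or from the
# UFW project. It turns the steps above into a reviewable script: build the
# ufw commands first, check the IPv6 setting, then apply.
# Assumed (hypothetical) values: management subnet 192.168.0.0/24, public
# services http and https, SSH reachable only from the management subnet.
set -eu

ADMIN_SUBNET="${ADMIN_SUBNET:-192.168.0.0/24}"    # assumed management network
PUBLIC_SERVICES="${PUBLIC_SERVICES:-http https}"   # assumed public services

# Print the ufw commands in the order they must run: default policies, the SSH
# rule before anything else, public services, and finally enable.
# Nothing is executed here, so the plan can be read before it is applied.
build_ufw_commands() {
  local subnet="$1" services="$2" svc
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  # SSH only from the management subnet; deliberately no unrestricted
  # 'ufw allow ssh', which would open port 22 to the whole world.
  echo "ufw allow from ${subnet} to any port 22 proto tcp"
  for svc in $services; do
    echo "ufw allow ${svc}"
  done
  # --force skips the "may disrupt existing ssh connections" prompt.
  echo "ufw --force enable"
}

# Return 1 when /etc/default/ufw has IPV6=no but the host holds a global IPv6
# address: UFW would then leave all IPv6 traffic unfiltered. Both inputs are
# file paths so the check also runs against captured copies of the files.
ipv6_config_ok() {
  local default_ufw="$1" addr_dump="$2"
  if grep -qE '^IPV6=no' "$default_ufw" &&
     grep -qE 'inet6 [^ ]+ scope global' "$addr_dump"; then
    return 1
  fi
  return 0
}

# Execute the generated plan with sudo; only meaningful on the target host.
apply_ufw_commands() {
  build_ufw_commands "$ADMIN_SUBNET" "$PUBLIC_SERVICES" | while read -r cmd; do
    echo "+ $cmd"
    # shellcheck disable=SC2086  # word splitting of the command is intended
    sudo $cmd
  done
}

case "${1:-}" in
  --apply)
    addr_dump=$(mktemp)
    ip -6 addr show > "$addr_dump" 2>/dev/null || true
    if ! ipv6_config_ok /etc/default/ufw "$addr_dump"; then
      echo "IPV6=no in /etc/default/ufw but this host has a global IPv6 address; fix that first" >&2
      rm -f "$addr_dump"
      exit 1
    fi
    rm -f "$addr_dump"
    apply_ufw_commands ;;
  *)
    build_ufw_commands "$ADMIN_SUBNET" "$PUBLIC_SERVICES" ;;   # dry run
esac
```

Run it without arguments first and read the plan; when it looks right, run it again with --apply on the server. Keeping the plan as plain text also makes it easy to put under version control next to the rest of the machine's configuration.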

You can see the status of the firewall with the following commands.

Simple Status:

sudo ufw status

which returns the following:

Status: active

To Action From
-- ------ ----
22 ALLOW Anywhere 
22 (v6) ALLOW Anywhere (v6)

Then there is the more detailed version:

sudo ufw status verbose

which returns something like this:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere                  
22 (v6)                    ALLOW IN    Anywhere (v6)

The next one is very useful when you want to remove a rule.

sudo ufw status numbered

which returns the list of rules with their numbers:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere                  
[ 2] 22 (v6)                    ALLOW IN    Anywhere (v6)

Let's go ahead and delete a rule by its number (ufw asks you to confirm). Note that the remaining rules are renumbered after each deletion, so when removing several rules delete the highest number first, or run status numbered again between deletions:

sudo ufw delete 2

You can also delete a rule by restating it with delete in front:

sudo ufw delete allow ssh

In most cases, once you have a firewall configured, you will want to log its activity: the log is where you notice port scans and connection attempts against services you never opened. We can turn logging on or off with the following commands:

sudo ufw logging on

or

sudo ufw logging off

We can also specify how much to log with the following log levels:

  • off: –> disables ufw managed logging
  • low (default): –> logs all blocked packets not matching the defined policy (with rate limiting), as well as packets matching logged rules
  • medium: –> log level low, plus all allowed packets not matching the defined policy, all INVALID packets, and all new connections.  All logging is done with rate limiting.
  • high: –> log level medium (without rate limiting), plus all packets with rate limiting
  • full: –> log level high without rate limiting

The log file is located at /var/log/ufw.log. The entries are kernel log messages tagged [UFW BLOCK], [UFW ALLOW] and so on, each carrying the packet fields (IN=, SRC=, DST=, PROTO=, SPT=, DPT=), so the same lines also show up in the kernel log and the journal.
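Reading /var/log/ufw.log by eye gets old quickly, so here is an added example (written for this article, not code from the original post or from the UFW project) that summarises the [UFW BLOCK] entries by source address and destination port and flags sources that probed several different ports. The sample log lines are constructed for the example (203.0.113.0/24 is documentation address space); the SRC=, DPT= and PROTO= field names are the ones UFW writes. Pass a real log file as the first argument to run it against your own machine.

```shell
#!/usr/bin/env bash
# Added example for this article, not code from the original post or from the
# UFW project: summarise [UFW BLOCK] entries by source and destination port,
# and flag sources that hit several distinct ports (a simple scan heuristic).
# The sample log below is constructed for this example.
set -eu

# Write a constructed sample log in the format UFW produces (kernel log lines
# with a [UFW ...] tag followed by the packet fields).
make_sample_log() {
  cat > "$1" <<'EOF'
Jan 26 14:32:05 srv kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=54321 PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 26 14:32:06 srv kernel: [ 1235.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=54322 PROTO=TCP SPT=51235 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 26 14:32:07 srv kernel: [ 1236.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=54323 PROTO=TCP SPT=51236 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 26 14:32:09 srv kernel: [ 1238.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=54324 PROTO=TCP SPT=51237 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 26 14:33:10 srv kernel: [ 1299.123456] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
Jan 26 14:33:11 srv kernel: [ 1300.000000] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.43 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 14:33:12 srv sshd[1234]: Accepted publickey for admin from 192.168.0.43 port 50000 ssh2
EOF
}

# Print "count src proto/port" for every blocked packet, busiest first.
# Only [UFW BLOCK] lines are considered; allowed packets and unrelated
# syslog lines are skipped.
summarize_ufw_blocks() {
  grep -F '[UFW BLOCK]' "$1" | awk '
    {
      src = ""; dpt = ""; proto = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
      }
      if (src != "") count[src " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# Print "src ports" for sources blocked on at least MIN distinct ports.
scanners() {   # usage: scanners LOGFILE MIN
  grep -F '[UFW BLOCK]' "$1" | awk -v min="$2" '
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && dpt != "") seen[src SUBSEP dpt] = 1
    }
    END {
      for (k in seen) { split(k, p, SUBSEP); ports[p[1]]++ }
      for (s in ports) if (ports[s] >= min) print s, ports[s]
    }
  ' | sort
}

log="${1:-}"
if [ -z "$log" ]; then           # no file given: run on the constructed sample
  log=$(mktemp)
  make_sample_log "$log"
fi
echo "== blocked packets by source and port (count src proto/port)"
summarize_ufw_blocks "$log"
echo "== sources blocked on 3 or more distinct ports"
scanners "$log" 3
```

On the constructed sample, 203.0.113.5 shows up on three different ports (22, 23 and 3389) and is reported as a scanner, while the single blocked DNS packet from 203.0.113.77 and the allowed SSH connection from 192.168.0.43 are not. The same two functions work on the real file: sudo ./script.sh /var/log/ufw.log.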

The last command I will mention here is the one that resets everything. Be aware that reset also disables the firewall, so the machine is unprotected until you enable it again.

sudo ufw reset

It returns this:

Resetting all rules to installed defaults. Proceed with operation (y|n)?

and then, once you confirm, it prints the following:

Backing up 'before6.rules' to '/etc/ufw/before6.rules.20170126_143205'
Backing up 'before.rules' to '/etc/ufw/before.rules.20170126_143205'
Backing up 'after.rules' to '/etc/ufw/after.rules.20170126_143205'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20170126_143205'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20170126_143205'
Backing up 'user.rules' to '/etc/ufw/user.rules.20170126_143205'

All rules are backed up just in case, and the firewall is back to a clean, disabled state, ready for you to configure and enable again.

If you would like to know more about UFW, have a look at its man page with the following command:

man ufw

I hope you liked this article. Please leave a comment or register. If you have questions you can either use the contact form or add your question to our Forum.

Thank you my friends until next time Namaste! 😀