Introduction
The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering.
UFW – Uncomplicated Firewall
The default firewall configuration tool for Ubuntu is UFW. Developed to ease iptables firewall configuration, UFW provides a user-friendly way to create an IPv4 or IPv6 host-based firewall.
UFW by default is initially disabled. From the UFW man page:
“UFW is not intended to provide complete firewall functionality via its command interface, but instead provides an easy way to add or remove simple rules. It is currently mainly used for host-based firewalls.”
How to install UFW on Ubuntu / Debian
UFW is installed by default on Ubuntu (including 20.04). On Debian it is available from the main repositories but is not installed by default. If it is missing on your system, install the package by typing:
# Install UFW
sudo apt update
sudo apt install ufw
How to enable or disable UFW
With these commands we enable or disable UFW. Enabling it loads the rules and default policies and keeps them active across reboots. Before you enable it over SSH, make sure a rule allowing your SSH port already exists: with the default deny-incoming policy, enabling UFW without such a rule cuts off your own session (ufw warns that the command may disrupt existing SSH connections and asks for confirmation). A third option, reset, is described at the end of this article.
# Enable uncomplicated firewall
sudo ufw enable
# Disable uncomplicated firewall
sudo ufw disable
Setting up default policies
The default policy of UFW is to deny all incoming and routed (forwarded) traffic and to allow all outgoing traffic. This means that nobody can connect to your server unless you explicitly open the port, while applications and services running on the server can still reach the outside world. Explicit rules are evaluated before the default policy, so the policy only decides the fate of packets no rule matched. The commands below set the incoming and outgoing policies explicitly; the values are stored in /etc/default/ufw and survive a reset.
# Setting Up Default Policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
How to allow or deny a specific port
Allowing a port permits connections to it; denying it drops them silently (use reject instead of deny if you want the client to receive an immediate error). A bare port number matches both TCP and UDP; append /tcp or /udp to restrict the rule to one protocol. In this example we allow SSH connections to port 22, or deny them. If a rule for the same port already exists and only the action differs, UFW replaces it in place and reports "Rule updated" rather than adding a second rule.
# Add port
sudo ufw allow 22
# Deny port
sudo ufw deny 22
How to remove a specific rule
Rules that are no longer needed can be removed with delete followed by the exact rule specification you used to create them, as in the example below. Rules can also be listed with their position numbers and deleted by number, which is handy for long rules.
# Remove rule
sudo ufw delete deny 22
Allow port only from a specific IP
In this case we allow TCP connections to port 22 only from the IP address 192.168.0.2. Other addresses are refused only because the default incoming policy is deny: UFW evaluates rules in order and the first match wins, so if a broader rule such as the plain allow for port 22 from the previous section is still present, it matches first and this restriction has no effect. Check the rule list and delete the broader rule if you want the restriction to apply.
# Allow 192.168.0.2 to access our server
sudo ufw allow proto tcp from 192.168.0.2 to any port 22
Check firewall status
You can check whether UFW is active and list the current rules with the following command. Adding verbose to it also shows the default policies and the logging level, and adding numbered shows each rule with its position in the evaluation order:
# Check status
sudo ufw status
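The sections above (default policies, an SSH rule restricted to an admin address, enabling the firewall, checking the status) are normally done together on a fresh host, and the thing that goes wrong is locking yourself out. The script below is an added example, not code from the original article: it turns those steps into a plan that is printed for review and only executed when invoked with --apply. The admin network 192.168.0.0/24 and the extra ports 80 and 443 used in the usage note are assumed values; the ufw subcommands, the comment keyword and the --force flag are standard ufw syntax.

```sh
#!/bin/sh
# Added example (not from the original article): build a minimal UFW host
# firewall as a reviewable plan. The admin network and extra ports are
# arguments; 192.168.0.0/24 in the usage below is an assumed value.
set -eu

# Accept a bare IPv4 address or an IPv4 CIDR such as 192.168.0.0/24.
is_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Print the ufw commands in the order they must run. The SSH allow rule is
# emitted before 'enable' so that enabling can never cut off the admin session.
# Usage: ufw_plan <admin-net> [tcp-port ...]
ufw_plan() {
    admin_net="$1"
    shift
    if ! is_ipv4_cidr "$admin_net"; then
        echo "ufw_plan: '$admin_net' is not an IPv4 address or CIDR" >&2
        return 1
    fi
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw default deny routed
ufw allow from ${admin_net} to any port 22 proto tcp comment 'ssh from admin net'
EOF
    # Public services: one rule per port, TCP only.
    for port in "$@"; do
        echo "ufw allow ${port}/tcp"
    done
    cat <<'EOF'
ufw logging low
ufw --force enable
ufw status numbered
EOF
}

# Without --apply the plan is only printed; with --apply it is piped to a
# root shell that stops at the first failing command.
main() {
    if [ "${1:-}" = "--apply" ]; then
        shift
        ufw_plan "$@" | sudo sh -e
    else
        ufw_plan "$@"
    fi
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh ufw-plan.sh 192.168.0.0/24 80 443` to see the plan, then with `--apply` in front of the arguments to execute it. The final `ufw status numbered` shows the evaluation order; a rule that has to come before an existing one can be placed with `ufw insert <number> <rule>`, and a stale rule can be removed with `ufw delete <number>`.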
Working with applications
An application profile is a text file in INI format that names a service and lists the ports and protocols it uses, so that rules can refer to the service instead of to port numbers. Profiles live in the /etc/ufw/applications.d directory. They are installed there by packages that ship one (openssh-server, apache2, nginx and samba, for example) and can also be written by hand.
# View which applications have installed a profile
sudo ufw app list
# Allow application
sudo ufw allow samba
# Allow only a specific IP or IP range to reach the application
sudo ufw allow from 192.168.0.0/24 to any app samba
sudo ufw allow from 192.168.0.2 to any app samba
# Details about which ports, protocols, etc., are defined for an application
sudo ufw app info samba
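For a service that ships no profile, you can write one yourself in the same format. The script below is an added example, not code from the original article: it writes a profile file after validating the port list against the syntax ufw accepts (entries separated by |, each a port or a low:high range, optionally followed by /tcp or /udp). The profile name WebApp, its title and the ports 8080 and 8443 are invented for the illustration; the demo writes to a temporary directory so it runs without root.

```sh
#!/bin/sh
# Added example (not from the original article): write a custom UFW
# application profile. The profile name, title and ports are illustrative.
set -eu

# Validate ufw's port list syntax: entries separated by '|', each a port or a
# low:high range, optionally followed by /tcp or /udp.
is_ufw_port_list() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+(:[0-9]+)?(/(tcp|udp))?(\|[0-9]+(:[0-9]+)?(/(tcp|udp))?)*$'
}

# Write one profile file and print its path.
# Usage: write_ufw_profile <dir> <name> <title> <ports> [description]
# In real use <dir> is /etc/ufw/applications.d and the script runs as root.
write_ufw_profile() {
    dir="$1"; name="$2"; title="$3"; ports="$4"; desc="${5:-$title}"
    if ! is_ufw_port_list "$ports"; then
        echo "write_ufw_profile: bad port list '$ports'" >&2
        return 1
    fi
    # One profile per file; the section name is what 'ufw allow <name>' refers to.
    cat > "$dir/$name" <<EOF
[$name]
title=$title
description=$desc
ports=$ports
EOF
    printf '%s\n' "$dir/$name"
}

# Demo against a temporary directory so it runs without root.
demo_dir=$(mktemp -d)
write_ufw_profile "$demo_dir" WebApp "Example web application" "8080/tcp|8443/tcp"
cat "$demo_dir/WebApp"
rm -r "$demo_dir"
```

After placing the file in /etc/ufw/applications.d, run `sudo ufw app update WebApp` so ufw rereads it, confirm the ports with `sudo ufw app info WebApp`, and then `sudo ufw allow WebApp` (or the from-address form shown above) uses the profile like any shipped one.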
Enable logs for UFW
Firewall logs are essential for recognising scans and attacks, troubleshooting your rules and noticing unusual activity on your network. UFW inserts the necessary iptables log rules itself, so you do not have to place them before the terminating rules by hand. The log lines are emitted through the kernel log (visible with journalctl -k) and on Ubuntu rsyslog also files them in /var/log/ufw.log; blocked packets are tagged [UFW BLOCK]. The logging command takes a level: on is the same as low and logs blocked packets that did not match an explicit rule, with rate limiting; medium, high and full add allowed packets, invalid packets and new connections, and the highest levels drop the rate limiting, which can fill a disk quickly while the host is being scanned.
# Enable logs
sudo ufw logging on
# Disable logs
sudo ufw logging off
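Once logging is on, the useful question is which sources are hitting the firewall and on which ports. The script below is an added example, not code from the original article: it reads UFW kernel log lines on standard input, keeps only the [UFW BLOCK] entries, and prints one line per source with the hit count and the destination ports it touched, busiest source first. The log lines embedded in it are constructed for the demonstration (addresses from the documentation ranges, an invented MAC field); the field names SRC=, DPT= and PROTO= are the ones the kernel log uses.

```sh
#!/bin/sh
# Added example (not from the original article): summarise blocked
# connections from UFW log lines. The sample log lines below are constructed.
set -eu

# Read UFW kernel log lines on stdin; for each '[UFW BLOCK]' entry count the
# source address and collect the destination ports it hit.
# Output: "<count> <source> <ports>", most active source first.
ufw_blocked_by_source() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            count[src]++
            # ports kept as ",p1,p2," so membership is a substring test
            if (dpt != "" && index(ports[src], "," dpt ",") == 0)
                ports[src] = (ports[src] == "" ? "," : ports[src]) dpt ","
        }
        END {
            for (s in count) {
                p = ports[s]; sub(/^,/, "", p); sub(/,$/, "", p)
                printf "%d %s %s\n", count[s], s, p
            }
        }' | sort -k1,1nr -k2,2
}

# Constructed sample: three probes from one host, two from another, and one
# allowed connection that must not be counted.
SAMPLE_UFW_LOG=$(cat <<'EOF'
Mar  3 10:15:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:44:55:66:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:44:55:66:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:44:55:66:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41236 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:16:10 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:44:55:66:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=50001 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:16:11 web1 kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:44:55:66:08:00 SRC=192.168.0.2 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=55000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:16:12 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:44:55:66:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=50002 DPT=161 LEN=40
EOF
)

# Demo on the constructed lines.
printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_blocked_by_source
```

On a live host feed it the real log instead, for example `sudo journalctl -k | ufw_blocked_by_source` or `sudo cat /var/log/ufw.log | ufw_blocked_by_source`. Remember that at logging level low the kernel rate-limits these lines, so the counts are a lower bound during a scan.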
Connections to a Specific Network Interface
If you want a firewall rule that applies only to one network interface, specify "allow in on" (or "allow out on" for outbound traffic) followed by the interface name. This is useful on hosts with a public and a private interface, where a service should only be reachable on one of them.
# Check what is your card name
ip addr
# Example
1: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
# Allow card to port name
sudo ufw allow in on eth0 to any port 80
Resetting UFW
This disables UFW and deletes every rule you have defined, after asking for confirmation. The previous rule files are kept as timestamped backups in /etc/ufw, so a rule set removed by mistake can be recovered. Keep in mind that the default policies are not restored to their original values if you changed them at any point, so check them after the reset. This gives you a fresh start with UFW.
# Reset UFW
sudo ufw reset