The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering.
UFW – Uncomplicated Firewall
The default firewall configuration tool for Ubuntu is UFW. Developed to ease iptables firewall configuration, UFW provides a user-friendly way to create an IPv4 or IPv6 host-based firewall.
UFW by default is initially disabled. From the UFW man page:
“UFW is not intended to provide complete firewall functionality via its command interface, but instead provides an easy way to add or remove simple rules. It is currently mainly used for host-based firewalls.”
How to install UFW in Ubuntu / Debian?
UFW is part of the standard Ubuntu 20.04 installation and should be present on your system. If for some reason it is not installed, you can install the package by typing:
# Install UFW
sudo apt update
sudo apt install ufw
How to enable or disable UFW
With these commands we can enable or disable the UFW service on our operating system. There is also a third option, reset, which is covered below in this article.
# Enable uncomplicated firewall
sudo ufw enable
# Disable uncomplicated firewall
sudo ufw disable
Setting up default policies
The default behavior of the UFW Firewall is to block all incoming and forwarding traffic and allow all outbound traffic. This means that anyone trying to access your server will not be able to connect unless you specifically open the port. Applications and services running on your server will be able to access the outside world.
# Setting up default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
How to add or deny a specific port
Allowing a port permits connections to that specific port. In this case we allow SSH connections on port 22, or deny them if we prefer.
# Allow port
sudo ufw allow 22
# Deny port
sudo ufw deny 22
How to remove a specific rule
Sometimes we no longer need a rule we have created, so we can delete it with this simple command (the rule is named exactly as it was added).
# Remove rule
sudo ufw delete deny 22
Allow port only from a specific IP
In this case we allow SSH access to our server only from the IP address 192.168.0.2; connections from other IP addresses are rejected by the default incoming policy.
# Allow 192.168.0.2 to access our server on port 22
sudo ufw allow proto tcp from 192.168.0.2 to any port 22
Check firewall status
UFW is disabled by default. You can check the status of the UFW service with the following command:
# Check status
sudo ufw status
Working with applications
An application profile is a text file in INI format that describes the service and contains firewall rules for the service. Application profiles are created in the /etc/ufw/applications.d directory during the installation of the package.
# View which applications have installed a profile
sudo ufw app list
# Allow application
sudo ufw allow samba
# Allow only a specific IP or IP range to reach the application
sudo ufw allow from 192.168.0.0/24 to any app samba
sudo ufw allow from 192.168.0.2 to any app samba
# Details about which ports, protocols, etc., are defined for an application
sudo ufw app info samba
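The following is an added example, not code from the original article or from the ufw package: it writes a constructed application profile in the INI layout described above to a temporary file, reads the ports= field of a named section, and expands the "port,port/proto|port/proto" notation into one port/protocol pair per line, which is what you would compare against the output of ufw app info when auditing what a profile actually opens. The profile contents and section names are constructed for the example.

```shell
#!/bin/sh
# Added example: parse a UFW application profile (INI format, as found in
# /etc/ufw/applications.d). The profile below is constructed for this example.

# Write a constructed profile to the path given in $1
make_sample_profile() {
  cat > "$1" <<'EOF'
[Samba]
title=LanManager-like file and printer server for Unix
description=Sample profile constructed for this example
ports=137,138/udp|139,445/tcp

[WebPlain]
title=Web Server
description=Plain HTTP, constructed for this example
ports=80/tcp
EOF
}

# Print the ports= value of section $2 in profile file $1 (empty if absent)
profile_ports() {
  awk -v want="[$2]" '
    $0 == want { insection = 1; next }   # entered the wanted section
    /^\[/      { insection = 0 }         # any other header ends it
    insection && /^ports=/ { sub(/^ports=/, ""); print; exit }
  ' "$1"
}

# Expand "137,138/udp|139,445/tcp" into one "port/proto" per line.
# A spec with no "/proto" part is printed as-is.
expand_ports() {
  printf '%s\n' "$1" | tr '|' '\n' | awk -F/ '{
    n = split($1, p, ",")
    for (i = 1; i <= n; i++) print ($2 == "" ? p[i] : p[i] "/" $2)
  }'
}

# Demonstration on the constructed profile
demo=$(mktemp)
make_sample_profile "$demo"
expand_ports "$(profile_ports "$demo" Samba)"
rm -f "$demo"
```

On a real host you would point profile_ports at a file under /etc/ufw/applications.d and at the section name shown by ufw app list; the expanded list is what a rule such as ufw allow samba opens.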
Enable logs for UFW
Firewall logs are essential for recognizing attacks, troubleshooting your firewall rules, and noticing unusual activity on your network. You must include logging rules in your firewall for them to be generated, though, and logging rules must come before any applicable terminating rule (a rule with a target that decides the fate of the packet, such as ACCEPT, DROP, or REJECT).
# Enable logs
sudo ufw logging on
# Disable logs
sudo ufw logging off
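Once logging is on, UFW writes kernel log lines tagged [UFW BLOCK] or [UFW ALLOW] (normally visible in /var/log/ufw.log) with SRC=, DST=, PROTO= and DPT= fields. The script below is an added example, not part of the original article: it takes such lines on standard input and summarises blocked connections per source address, and separately how many distinct destination ports each source was blocked on, which is a quick way to spot a single host probing many ports. The log lines embedded in the script are constructed sample data using documentation address ranges.

```shell
#!/bin/sh
# Added example: summarise UFW log lines. The sample below is constructed in
# the syslog-style format UFW uses; it is not a real capture.
SAMPLE_LOG='Mar  3 10:15:01 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:02 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1235 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:03 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1236 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:04 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=777 DF PROTO=TCP SPT=40000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:05 host kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.2 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=53000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

# Count [UFW BLOCK] lines per source address: "<count> <SRC>", most first
ufw_blocked_by_src() {
  awk '/\[UFW BLOCK\]/ {
    for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) count[substr($i, 5)]++
  } END { for (s in count) printf "%d %s\n", count[s], s }' | sort -rn -k1,1 -k2,2
}

# Count distinct blocked destination ports per source: "<ports> <SRC>".
# A high number from one source is the usual signature of a port sweep.
ufw_distinct_dports_by_src() {
  awk '/\[UFW BLOCK\]/ {
    src = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^SRC=/) src = substr($i, 5)
      else if ($i ~ /^DPT=/) dpt = substr($i, 5)
    }
    if (src != "" && dpt != "" && !((src, dpt) in seen)) {
      seen[src, dpt] = 1
      distinct[src]++
    }
  } END { for (s in distinct) printf "%d %s\n", distinct[s], s }' | sort -rn -k1,1 -k2,2
}

# Demonstration on the constructed sample
printf '%s\n' "$SAMPLE_LOG" | ufw_blocked_by_src
printf '%s\n' "$SAMPLE_LOG" | ufw_distinct_dports_by_src
# On a live host: sudo grep 'UFW BLOCK' /var/log/ufw.log | ufw_blocked_by_src
```

Lines tagged [UFW ALLOW] are deliberately ignored by both functions, so allowed traffic from a trusted host never shows up in the block counts.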
Connections to a Specific Network Interface
If you want to create a firewall rule that only applies to a specific network interface, you can do so by specifying “allow in on” followed by the name of the network interface.
# Check the name of your network interface
ip addr
# Example output line: 1: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
# Allow traffic arriving on eth0 to port 80
sudo ufw allow in on eth0 to any port 80
How to reset UFW
This will disable UFW and delete any rules that were previously defined. Keep in mind that the default policies won’t change back to their original settings if you modified them at any point. This gives you a fresh start with UFW.
# Reset UFW
sudo ufw reset