Configuring UFW with Ubuntu

Firewalls are an important part of configuring basic security for your server.

A firewall monitors and filters traffic to and from your instance, deciding which traffic is allowed to reach your server and which traffic should be dropped. The firewall covered here is host-based: it runs on the server itself rather than on a separate network appliance.

At its core, UFW or Uncomplicated Firewall acts as a front end for managing iptables/nftables, which actually do the heavy lifting of filtering packets.

In this article, we’re going to make it even less complicated to configure a firewall based on your specific needs using UFW!

Install UFW on Ubuntu

You can install UFW on Ubuntu with the apt package management tool by running:

# apt-get install ufw

Confirm the prompts as appropriate. On many Ubuntu releases UFW is already installed (but inactive), in which case apt will simply report that the package is up to date.

Adding Rules

UFW is very straightforward in that you build an ordered list of rules. A rule can match on a specific IP address, a subnet, an interface, a service (application profile) or a port number. Order matters: UFW evaluates rules from top to bottom and the first match wins, and anything no rule matches falls through to the default policy, which on Ubuntu is to deny incoming and allow outgoing traffic.

First, let's allow traffic over port 22 (or whatever port you're using for SSH). Do this before enabling the firewall: with the default deny-incoming policy and no SSH rule, enabling UFW over an SSH session locks you out.

# ufw allow 22

This allows incoming traffic on port 22 for both TCP and UDP; appending /tcp to the port restricts the rule to TCP, which is all SSH uses. Alternatively, you can use the service name from /etc/services:

# ufw allow ssh

Now let's activate the firewall. You will be warned that this may disrupt existing SSH connections; answer y. Enabling also makes UFW start at boot.

# ufw enable

Now let's check that it's running:

# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)    

Nice! We see that not only is UFW running, but our rule regarding port 22 was also honored, with matching IPv4 and IPv6 entries.

We can issue the following command to see the full list of application profiles installed on the system that are eligible to be used with ufw:

# ufw app list
Available applications:
  Apache Full
  Apache Secure

On a brand-new install with the OpenSSH server, all that would appear here is OpenSSH; for the sake of the example, Apache2 was installed, which ships the Apache profiles shown.

So let's say we want to block an IP address. We can use the following form:

# ufw deny from

This will drop all incoming connections from that IP address. Remember that the first matching rule wins, so a deny rule has to sit above any allow rule that also matches the same traffic (ufw's insert subcommand places a rule at a chosen position). We can also block an entire subnet on a specific interface:

# ufw deny in on eth0 from

Next, we can allow a given subnet access to only a certain port, if we so choose:

# ufw allow from to any port 21

Further, we can open a port range, and even specify whether we want to allow TCP or UDP traffic:

# ufw allow 5000:5005/tcp

For a single port, omitting the '/' and everything after it allows both TCP and UDP. That shortcut does not work for a range: ufw rejects a multi-port rule that does not name a protocol, so to open 5000:5005 for UDP as well you add a second rule ending in /udp.
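As an added example, not code from the original article, here is a small POSIX shell script that puts the rules above together in a safe order. The helper names (ufw_rule, ufw_plan, ufw_apply) are this example's own. ufw_rule refuses a port range that does not name tcp or udp, which is exactly the case ufw itself rejects; ufw_plan prints the commands in the order they should run (default policies, the SSH rule, service rules, then enable) so you can review them first; ufw_apply runs them for real and needs root and ufw installed.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds the article's
# rule set in a safe order and validates port specs before applying anything.
# The helper names (ufw_rule, ufw_plan, ufw_apply) are this example's own.

# ufw_rule ACTION PORTSPEC [PROTO]: print one "ufw ..." command.
# A single port may omit the protocol (ufw then opens tcp and udp); a
# PORT:PORT range must name tcp or udp, because ufw rejects a multi-port
# rule without one.
ufw_rule() {
    action=$1; spec=$2; proto=$3
    case "$action" in
        allow|deny|reject|limit) ;;
        *) echo "ufw_rule: unknown action '$action'" >&2; return 1 ;;
    esac
    case "$spec" in
        ''|*[!0-9:]*) echo "ufw_rule: bad port spec '$spec'" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        '') case "$spec" in
                *:*) echo "ufw_rule: range '$spec' needs tcp or udp" >&2; return 1 ;;
            esac ;;
        *) echo "ufw_rule: unknown protocol '$proto'" >&2; return 1 ;;
    esac
    if [ -n "$proto" ]; then
        echo "ufw $action $spec/$proto"
    else
        echo "ufw $action $spec"
    fi
}

# ufw_plan: the ordered command list. Default policies come first, the SSH
# rule goes in before "enable" so a remote session is never locked out, and
# "limit" rate-limits new SSH connections per source to blunt brute forcing.
ufw_plan() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    ufw_rule limit 22 tcp
    ufw_rule allow 5000:5005 tcp
    ufw_rule allow 5000:5005 udp
    echo "ufw enable"
}

# ufw_apply: run the plan for real. Needs root and ufw installed;
# "--force" skips the interactive confirmation on enable.
ufw_apply() {
    command -v ufw >/dev/null 2>&1 || { echo "ufw is not installed" >&2; return 1; }
    plan_file=$(mktemp) || return 1
    ufw_plan > "$plan_file"
    while IFS= read -r cmd; do
        [ "$cmd" = "ufw enable" ] && cmd="ufw --force enable"
        echo "+ $cmd"
        $cmd || { rm -f "$plan_file"; return 1; }
    done < "$plan_file"
    rm -f "$plan_file"
    ufw status verbose
}

# Print the plan by default; "apply" runs it.
case "${1:-plan}" in
    apply) ufw_apply ;;
    *) ufw_plan ;;
esac
```

Run it without arguments to review the plan, then with "apply" as root to load it. Because the SSH rule is emitted before "ufw enable", the plan is safe to apply over an SSH session.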

We’ve got quite a few rules in place at this point, if you’ve been following along.

# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
Anywhere                   DENY
Anywhere on eth0           DENY
21                         ALLOW
5000:5005/tcp              ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
5000:5005/tcp (v6)         ALLOW       Anywhere (v6)

What if we want to remove a rule? Let's get a numbered list of them so that we can specify which rule we want to modify or delete.

# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] Anywhere                   DENY IN
[ 3] Anywhere on eth0           DENY IN
[ 4] 21                         ALLOW IN
[ 5] 5000:5005/tcp              ALLOW IN    Anywhere
[ 6] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 7] 5000:5005/tcp (v6)         ALLOW IN    Anywhere (v6)

# ufw delete 2

UFW asks you to confirm, then removes the rule. Note that the remaining rules are renumbered, so if you want to delete several, either list them again after each deletion or delete from the highest number down. If we've completely mangled our setup and want to start over, there is a command for just that:
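Because the numbers shift after each deletion, a script that removes several rules by number should walk the list from the highest number down. The following added example (not from the original article; the helper names ufw_rule_numbers and ufw_delete_matching are this example's own) parses the numbered status output and does exactly that. The sample status text is constructed to mirror the article's rule set, with RFC 5737 documentation addresses standing in for the addresses the page omits, so the parsing part runs without root or ufw.

```shell
#!/bin/sh
# Added example, not code from the original article. Deleting by number
# renumbers the rules that follow, so several deletions must start from the
# highest number. The helper names (ufw_rule_numbers, ufw_delete_matching)
# are this example's own.

# Constructed sample of "ufw status numbered" output, mirroring the article's
# rule set; RFC 5737 documentation addresses stand in for the addresses the
# article omits. It lets the parsing run without root or ufw.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] Anywhere                   DENY IN     203.0.113.7
[ 3] Anywhere on eth0           DENY IN     198.51.100.0/24
[ 4] 21                         ALLOW IN    198.51.100.0/24
[ 5] 5000:5005/tcp              ALLOW IN    Anywhere
[ 6] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 7] 5000:5005/tcp (v6)         ALLOW IN    Anywhere (v6)'

# ufw_rule_numbers STATUS PATTERN: print the numbers of the rules whose
# status line matches the extended regex PATTERN, highest number first.
ufw_rule_numbers() {
    printf '%s\n' "$1" \
        | grep -E '^\[ *[0-9]+\]' \
        | grep -E -- "$2" \
        | sed -E 's/^\[ *([0-9]+)\].*/\1/' \
        | sort -rn
}

# ufw_delete_matching PATTERN: delete every live rule matching PATTERN,
# highest first so earlier deletions do not shift the numbers still to come.
# Needs root; "--force" skips the per-rule confirmation prompt.
ufw_delete_matching() {
    status=$(ufw status numbered) || return 1
    for n in $(ufw_rule_numbers "$status" "$1"); do
        echo "+ ufw delete $n"
        ufw --force delete "$n" || return 1
    done
}

# Dry run against the sample: which numbers would go if we removed every
# DENY rule, in the order they must be deleted.
echo "DENY rules to delete, highest first:"
ufw_rule_numbers "$SAMPLE_STATUS" 'DENY IN'
```

Against the sample, the DENY rules are numbers 2 and 3, and the function prints 3 then 2: deleting 3 first leaves rule 2 where it was, whereas deleting 2 first would have turned the old rule 3 into rule 2.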

# ufw reset

You'll get a prompt asking you to confirm. If you issue # ufw status again you'll see your rules are gone and UFW is listed as inactive: reset disables the firewall and restores the installation defaults, so you need to add your rules and enable it again afterwards.

Thanks for reading!
