By default, Ubuntu has a built-in firewall known as UFW (Uncomplicated Firewall). For inexperienced users it is difficult to use iptables directly to configure a firewall properly. UFW makes firewall configuration much easier since it is a simple interface to the standard iptables in Ubuntu. Although it does not offer the full power of iptables, UFW lets you carry out basic firewall tasks via its simple-to-use interface.
In this article, we will take you through the steps to install and set up a firewall on Ubuntu using UFW. You need to be logged in as a user with sudo privileges or as the root user.
By default, UFW should be installed in Ubuntu. If this is not the case, you can install it via the following command.
sudo apt install ufw
Once the installation is finished, you can now check the status of UFW by issuing the following command:
sudo ufw status verbose
By default UFW is disabled. To activate (enable) it, run the following command:
sudo ufw enable
Conversely, to disable UFW so that it no longer loads and starts at system boot, use the following command:
sudo ufw disable
If you want to undo all of the changes you have made to the rules, you will want to reset UFW. This disables it and deletes all currently active rules.
To perform a reset, issue the following command:
sudo ufw reset
Default policies are the first rules to define when starting out with the UFW firewall. The defaults described here suit the average home user. In short, all incoming connections are denied whereas UFW allows all outgoing ones. This is the basic task of a firewall: if, for example, someone tries to get to your files behind the firewall, they will not be able to, whereas the services running on your server will still be able to reach out to the outside world.
Now we will set the default rules used by UFW, which are defined in the /etc/default/ufw file. We will set the defaults so that all incoming connections are denied whereas all outgoing connections are allowed. To do so, issue these commands:
sudo ufw default deny incoming
sudo ufw default allow outgoing
When the APT package manager installs a new package that needs open ports, it inserts an application profile in the directory /etc/ufw/applications.d that details the ports the installed application requires to function correctly.
To check which applications have created a profile, issue the following command:
sudo ufw app list
Your output may differ from ours since it depends on the installed packages.
If you would like to find out more about one specific profile and its corresponding rules, you can run the command below:
sudo ufw app info 'Postfix'
We have used 'Postfix' (this profile opens port 25), but you should use an entry from the list you obtained earlier.
Since we denied all incoming connections by default above, we will not be able to connect to the server from a remote location once UFW is enabled. This means that we need rules that allow incoming connections via SSH or HTTP so that our server can respond (and so that we can manage it remotely, for instance).
To configure the UFW firewall to allow incoming SSH connections, type in the command below to update the rules:
sudo ufw allow ssh
You can allow or deny a service by name because ufw reads service names from /etc/services. To list the available services, issue the command below:
As you can see from the output above, the last entry, which represents the SSH daemon, listens on port 22. In other words, the command you ran above to allow SSH creates rules that allow all connections on port 22.
Instead of specifying the service name (ssh), we could specify the port number. This is achieved via the command sudo ufw allow 22.
If you configured your SSH server to use another port, you will have to specify that port. If your SSH server is listening on port 29, for instance, use the command below to allow connections on that port:
sudo ufw allow 29
Remark: if you want to deny a port, you can issue the command:
sudo ufw deny 80/tcp
And if you want to delete that rule, add the delete argument as follows:
sudo ufw delete deny 80/tcp
If IPv6 is enabled on your Ubuntu server, make sure UFW is configured to support IPv6 so that it manages firewall rules for IPv6 along with IPv4. To do this, edit the UFW configuration file as follows (we use nano):
sudo nano /etc/default/ufw
As shown in the output above, the value of IPV6 should be set to yes (IPV6=yes).
If you made a change, save and quit: press Ctrl-X to exit, then Y to save.
Now disable and re-enable UFW as shown previously:
sudo ufw disable
sudo ufw enable
Once re-enabled, UFW will write both IPv4 and IPv6 firewall rules.
Now you should be able to write rules that allow service-based or port-based connections. Depending on your specific server requirements, you should allow certain connections on certain ports so that your server responds appropriately.
For some common services, you can do the following:
– HTTP connections on port 80 can be allowed using either of these commands:
sudo ufw allow http
sudo ufw allow 80/tcp
– Encrypted HTTPS connections on port 443 can be allowed using:
sudo ufw allow https
sudo ufw allow 443
– File Transfer Protocol (FTP) on port 21 is allowed using:
sudo ufw allow ftp
sudo ufw allow 21/tcp
UFW also allows access to port ranges instead of single ports. In this case, however, the protocol (TCP or UDP) that the rule applies to must be specified. For instance, if the range of ports you want to allow is 6500 to 6510, run the following commands for TCP and UDP respectively:
sudo ufw allow 6500:6510/tcp
sudo ufw allow 6500:6510/udp
It is also possible to specify IP addresses with UFW. If, for instance, you want to allow connections from one specific IP address, e.g. 10.2.2.7, issue the command below:
sudo ufw allow from 10.2.2.7
A specific port that an IP address is allowed to connect to can also be specified by giving the IP followed by the port number. For instance, to allow 10.2.2.17 to connect to port 22 (SSH), issue the command:
sudo ufw allow from 10.2.2.17 to any port 22
It is also possible to allow a whole subnet of IP addresses. For instance, to allow all IP addresses from 10.2.2.0 to 10.2.2.255 (subnet mask 255.255.255.0, written /24 in CIDR notation), use the command:
sudo ufw allow from 10.2.2.1/24
Similarly, you can specify the port the subnet 10.2.2.1/24 is allowed to connect to. For port 80, for instance, issue the command below:
sudo ufw allow from 10.2.2.1/24 to any port 80
To allow access only on a specific network interface, for example eth1 on port 2222, use 'allow in on' along with the name of the network interface as follows:
sudo ufw allow in on eth1 to any port 2222
In case you would like to find your network interfaces beforehand, you need to use the command:
If you had chosen port 80 instead of 2222, your server would receive public HTTP requests from the Internet on that interface.
If you want your MongoDB server on Ubuntu (port 27017), for example, to listen only on the private network interface eth1, you can use the command:
sudo ufw allow in on eth1 to any port 27017
By default, UFW blocks all incoming connections. This is intentional, since it keeps the firewall secure: only you (assuming you are the root user or an administrator) can create the rules that explicitly allow specific incoming connections. If, for instance, your server is being bombarded with unwanted incoming requests from a specific source, you will want to deny the corresponding IP address or subnet.
To deny specific connections, you just need to replace allow with deny in the commands you have used above.
You can delete rules either by rule number or by specifying the rule itself.
First list your firewall rules, since rule numbers are displayed next to each rule. Issue the following command:
sudo ufw status numbered
For instance, to delete rule number 3 (which allows connections to port 22) shown above, run the command:
sudo ufw delete 3
To remove the allow ssh rule, for example, proceed as follows:
sudo ufw delete allow ssh
Or, instead of the service name, you can specify the port:
sudo ufw delete allow 22
UFW has a graphical interface, GUFW, which is found in Ubuntu's software repositories and can be installed via the following command:
sudo apt-get install gufw
You can start GUFW by typing the command gufw, or it will appear in the Dash as an application named Firewall Configuration. GUFW is a simple, intuitive and easy-to-use application.
Allowing or denying connections (i.e. ports or IP addresses), controlling the default policy for incoming or outgoing traffic and adding rules can all be done very easily in GUFW.
Logging for UFW is disabled by default. To enable logging so that firewall messages are written to the system log, issue the command:
sudo ufw logging on
Here is an excerpt of a log entry written by UFW:
Jan 1 13:33:37 hostname kernel: [ 3529.289825] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=444.333.222.111 DST=111.222.333.444 LEN=103 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=31417 LEN=73
Jan 1 13:33:37 – The date and time. Checking dates and times is helpful at times; if the date/time blocks are not present, an external entity may have tampered with the logs.
hostname – The hostname of the server.
[ 3529.289825] – The time since start-up (in seconds).
[UFW BLOCK] – The logged event description.
IN=eth0 – Represents an incoming event (if set).
OUT= – Represents an outbound event (if set).
MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd – A 14-byte concatenation of the destination MAC, the source MAC and other fields.
SRC=444.333.222.111 – The entity or source IP that originally sent the packet. Some IPs can be routed over the Internet, others only interact within a LAN, while others route back to the source machine only.
DST=111.222.333.444 – The destination IP that receives the packet.
TOS=0x00 – This might be related to the TOS field of the IPv4 header. See TCP Processing of the IPv4 Precedence Field.
PREC=0x00 – This might be related to the Precedence field of the IPv4 header.
TTL=52 – "Time to live" of the packet. See Time to live for more.
PROTO=UDP – Packet protocol, TCP or UDP. See TCP and UDP Ports Explained for more.
SPT=53 – This might be the source port that sent the IP packet. See List of TCP and UDP port numbers for more.
DPT=31417 – The destination port that receives the packet.
The size of the packet that the sender is able to receive.
Indicates that a three-way handshake is required by the connection…
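As an added example (not part of the original article), here is a small Python parser for UFW log lines in the format above, plus a helper that groups blocked destination ports per source IP, which is a crude way to spot a host probing several ports. The log lines are constructed with TEST-NET addresses; the field and flag names are the ones UFW prints.

```python
import re

# Constructed sample lines (TEST-NET addresses, not real traffic) in the
# UFW kernel-log format shown above; the MAC value is copied from that excerpt.
MAC = "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd"
SAMPLE_LOG = "\n".join([
    "Jan 1 13:33:37 hostname kernel: [ 3529.289825] [UFW BLOCK] IN=eth0 OUT= MAC=" + MAC
    + " SRC=203.0.113.5 DST=198.51.100.7 LEN=103 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=31417 LEN=73",
    "Jan 1 13:33:38 hostname kernel: [ 3530.101201] [UFW BLOCK] IN=eth0 OUT= MAC=" + MAC
    + " SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 1 13:33:39 hostname kernel: [ 3531.220330] [UFW BLOCK] IN=eth0 OUT= MAC=" + MAC
    + " SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 1 13:33:40 hostname kernel: [ 3532.500000] [UFW ALLOW] IN=eth0 OUT= MAC=" + MAC
    + " SRC=192.0.2.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0",
])

# Fixed prefix: timestamp, host, uptime in brackets, then the [UFW <action>] tag.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[\s*(?P<uptime>\d+\.\d+)\] \[UFW (?P<action>[^\]]+)\] (?P<rest>.*)$"
)

def parse_ufw_line(line):
    """Parse one UFW log line into a dict; return None for lines in another format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "uptime": float(m["uptime"]),
           "action": m["action"], "flags": []}
    for tok in m["rest"].split():
        if "=" not in tok:
            rec["flags"].append(tok)  # bare flags such as DF or SYN carry no value
            continue
        key, _, val = tok.partition("=")
        # The IP header length and the transport-layer length are both printed
        # as LEN=; keep the second occurrence as LEN2 instead of overwriting it.
        if key in rec:
            key += "2"
        rec[key] = val
    return rec

def blocked_ports_by_source(log_text, min_ports=2):
    """Map each source IP whose BLOCKed packets hit at least min_ports distinct
    destination ports to the sorted list of those ports (a crude scan indicator)."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec and rec["action"] == "BLOCK" and "DPT" in rec:
            hits.setdefault(rec["SRC"], set()).add(int(rec["DPT"]))
    return {src: sorted(p) for src, p in hits.items() if len(p) >= min_ports}
```

Feeding the system log through blocked_ports_by_source gives a quick list of sources worth denying with the ufw deny rules shown earlier; ALLOW entries and non-UFW lines are skipped.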
You are now able to configure your firewall in order to allow some specific connections (SSH for instance). Make sure to deny unnecessary connections so that your server is secure.
For more information, run the man ufw command to read ufw’s manual page.