In this tutorial we explain, in a simple and direct way, how to configure the "ufw" firewall on your Linux server. With it you can easily choose which incoming connections to allow, and drastically improve the security of your server.
The acronym "UFW" stands for "Uncomplicated Firewall" and refers to a tool whose purpose is to set rules in "iptables", the native firewall tables in Linux. Since iptables has a relatively complex syntax, using UFW to configure it is a convenient alternative that does not skimp on security.
Installing the "ufw" package is very simple and, in fact, it comes installed by default in many distributions. Here we give the instructions for a Debian-based distribution, such as Ubuntu. In other distributions the commands may differ.
apt update
To update the list of packages.
apt install ufw
To install the "ufw" package.
Remember that you will need superuser privileges (root, or sudo) to perform these operations, and for every ufw command below.
Once the firewall is installed, we explain the basic syntax for establishing rules.
1. Definition of default behavior
First, we must decide whether we want UFW, by default, to allow or deny incoming traffic and outgoing traffic, that is, what happens to a connection that matches none of the rules we create later.
We can set this in the following way:
ufw default deny incoming    # Denies incoming connections that do not match any rule.
ufw default allow incoming   # Allows incoming connections that do not match any rule.
For outgoing connections:
ufw default deny outgoing    # Denies outgoing connections that do not match any rule.
ufw default allow outgoing   # Allows outgoing connections that do not match any rule.
Our recommendation for a basic configuration is to deny incoming connections and allow outgoing connections. Then you create rules to allow only those connections, protocols or hosts that you consider appropriate.
2. See the current configuration of the firewall
Once you have defined the default behavior (and after each rule you add), you can see the current configuration with the following command:
ufw status
Note that the rules are only listed while the firewall is enabled (step 8); until then the command simply reports that the firewall is inactive.
3. Allow SSH connections (IMPORTANT!)
To avoid being locked out of your own server once you enable the firewall, it is important to create a rule that allows you to connect through port 22 (or whatever port you have assigned to the SSH service) before enabling it.
You can create your first rule to allow incoming traffic in the following way:
ufw allow 22
Of course, you must specify the port that your SSH service actually uses.
4. Allow other incoming connections according to protocol, source IP and other parameters
Below are several examples of the UFW syntax; adapt each of them to your needs.
ufw allow 80                    # Allow incoming connections on port 80.
ufw allow http                  # Allow incoming connections on port 80, using the service name "http" instead of the numeric port.
ufw allow 80/tcp                # Allow only incoming TCP connections on port 80.
ufw allow 1000:2000/tcp         # Allow incoming TCP connections on a range of ports (a range uses ":" and must state the protocol).
ufw allow from 10.0.0.30        # Allow incoming connections to any port and protocol from IP 10.0.0.30.
ufw allow from 10.0.0.0/24      # Allow incoming connections to any port and protocol from a range of IPs in CIDR notation (10.0.0.0 to 10.0.0.255 in this case).
ufw allow from 10.0.0.30 to any port 22             # Allow incoming connections to port 22 from IP 10.0.0.30.
ufw allow from 10.0.0.30 to any port 22 proto tcp   # Allow incoming TCP connections to port 22 from IP 10.0.0.30.
This is just a sample of the countless combinations that UFW allows. Remember that you can also use deny instead of allow to achieve the opposite effect.
5. Delete rules
To delete a rule, it is best to list the rules in numbered form first. You can do this with the following command:
ufw status numbered
Once the rules are shown, each preceded by the number that identifies it, you can delete one as follows:
ufw delete 3    # Delete rule number 3 (you will be asked to confirm).
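A point the numbered listing hides: deleting rule N renumbers every rule after it, so when you remove several rules by number you must delete from the highest number down, or the later deletions hit the wrong rules. The script below, an added example that is not part of the original tutorial, finds the rules matching a pattern in "ufw status numbered" output and emits the delete commands in a safe order. The status text it works on is constructed for the example, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original tutorial: find the numbers of the rules
# that match a pattern in "ufw status numbered" output and emit the delete
# commands highest number first, because deleting rule N renumbers every rule
# after it. The status output below is constructed, not captured.
set -eu

SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    10.0.0.0/24
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 1000:2000/tcp              ALLOW IN    Anywhere
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# rule_numbers_matching PATTERN: reads "ufw status numbered" text on stdin and
# prints the numbers of the rules whose text (after the "[ N]" prefix) matches
# the extended regular expression PATTERN, highest number first.
rule_numbers_matching() {
    awk -v pat="$1" '
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*$/, "", num)
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            if (rest ~ pat) print num
        }' | sort -rn
}

# delete_commands PATTERN: prints one "ufw --force delete N" line per matching
# rule (--force skips the interactive confirmation), in an order that is safe
# to execute top to bottom.
delete_commands() {
    rule_numbers_matching "$1" | while read -r n; do
        printf 'ufw --force delete %s\n' "$n"
    done
}

# On a real server you would pipe the live listing in and review the output
# before running it:
#   ufw status numbered | delete_commands '^80/tcp'
# Here the constructed sample is used instead:
printf '%s\n' "$SAMPLE_STATUS" | delete_commands '^80/tcp'
```

The pattern `^80/tcp` deliberately matches both the IPv4 rule (number 2) and its IPv6 twin (number 5), since `ufw allow 80/tcp` creates both; the script prints `ufw --force delete 5` before `ufw --force delete 2`, so rule 2 is still rule 2 when its turn comes.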
6. Insert rules with a specific number
You can use the following syntax to place a rule at a specific position, so that it takes priority over the rules that come after it (UFW evaluates rules in order, and the first match wins).
ufw insert 3 allow 22    # Insert a rule allowing incoming connections on port 22 at position 3.
7. Activate or deactivate logging
UFW can log the actions it takes and the access attempts it blocks. You can turn UFW logging on or off in the following way:
ufw logging on     # Enables logging.
ufw logging off    # Disables logging.
8. Activate/Deactivate the firewall
Finally, we show you how to activate the firewall once you have established the configuration your server needs:
ufw enable     # Activates the firewall and puts all the established rules into operation.
ufw disable    # Disables (pauses) the firewall.
ufw reset      # Disables the firewall and resets it to its installation defaults, removing all rules, so you can start from scratch.
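The steps above combined into one script, as an added example that is not part of the original tutorial: it sets the default policy (step 1), writes the SSH rule before anything else (step 3), opens the service ports (step 4), turns logging on (step 7) and only then enables the firewall (step 8). The ordering matters because `ufw enable` activates every rule already entered; with the SSH rule in place first, enabling cannot lock you out. The SSH port, the administration network and the web ports are assumptions for the example; adapt them to your server.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the tutorial's steps as one
# reviewable script. The SSH rule is written before "enable", and is limited
# to an administration network, so activating the firewall never locks the
# administrator out. SSH_PORT and ADMIN_NET are assumptions: adapt them.
set -eu

SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"

# run_ufw: with DRY_RUN=1 the command is printed instead of executed, so the
# plan can be reviewed (or tested) on a machine without ufw or root.
run_ufw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'ufw %s\n' "$*"
    else
        ufw "$@"
    fi
}

ufw_bootstrap() {
    # Step 1: default policy, deny everything inbound, allow outbound
    run_ufw default deny incoming
    run_ufw default allow outgoing
    # Step 3: SSH rule first, restricted to the admin network, before enabling
    run_ufw allow from "$ADMIN_NET" to any port "$SSH_PORT" proto tcp
    # Step 4: services this server exposes (assumed here: a web server)
    run_ufw allow 80/tcp
    run_ufw allow 443/tcp
    # Step 7: log blocked packets
    run_ufw logging on
    # Step 8: enable; --force skips the "may disrupt existing ssh connections" prompt
    run_ufw --force enable
}

case "${1:-}" in
    plan)  DRY_RUN=1; ufw_bootstrap ;;   # print the commands only
    apply) ufw_bootstrap ;;              # run them (needs root)
    *)     echo "usage: $0 plan|apply" ;;
esac
```

Run it first with `plan` and read the printed commands; only when they match what you intend, run it as root with `apply`. Restricting SSH to `ADMIN_NET` rather than `ufw allow 22` is the one place the script is stricter than the tutorial's example: an SSH port reachable from anywhere is the most common thing a default-deny policy is meant to protect.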
If you have followed these steps, you can now configure UFW and use it on your server.