In this tutorial we explain, in a simple and straightforward way, how to configure the "ufw" firewall on your Linux server. With it you can easily control which incoming connections are allowed, which drastically improves the security of your server.
The acronym "UFW" stands for "Uncomplicated Firewall" and refers to an application whose purpose is to set rules in "iptables", the native firewall tables in Linux. Since iptables has a relatively complex syntax, using UFW to configure it is a convenient alternative that does not sacrifice security.
Installing the "ufw" package is very simple and, in fact, it is installed by default in many distributions. Here we give the instructions for a Debian-based distribution, such as Ubuntu. For other distributions the commands may differ.
apt update
To update the list of packages.
apt install ufw
To install the "ufw" package.
Remember that you need superuser privileges (root, or sudo in front of each command) for this operation and for all the ufw commands that follow.
Once the firewall is installed, we will explain the basic syntax for setting up rules.
1. Defining the default behavior
First, we will need to determine whether we want UFW, by default, to allow or deny incoming and outgoing traffic.
This can be done in the following way:
ufw default deny incoming // Denies incoming connections that do not match any rule.
ufw default allow incoming // Allows incoming connections that do not match any rule.
For outgoing connections:
ufw default deny outgoing // Denies outgoing connections that do not match any rule.
ufw default allow outgoing // Allows outgoing connections that do not match any rule.
Our recommendation for a basic configuration is to deny incoming connections and allow outgoing connections. After that, you will create rules to allow only those connections, protocols or hosts that you consider appropriate.
2. View the current firewall configuration
Now that you have set your first rule (the default policy), you can view the current configuration with the following command:
ufw status
Note that until the firewall has been enabled (step 8) this only reports "Status: inactive"; "ufw status verbose" additionally shows the default policies and the logging level.
3. Allow SSH connections (IMPORTANT!)
To avoid locking yourself out of your own server once you enable the firewall, it is essential to first create a rule that allows connections to port 22 (or whichever port you have assigned to the SSH service).
You can create your first rule to allow incoming traffic as follows:
ufw allow 22
If your SSH service listens on a different port, specify that port instead.
4. Allow other incoming connections according to protocol, source IP and other parameters
Here are some examples that will demonstrate the UFW syntax, and you can adapt each of them according to your needs.
ufw allow 80 // Allows incoming connections on port 80.
ufw allow http // Allows incoming connections on port 80, using the service name "http" instead of the numeric port.
ufw allow 80/tcp // Allows only TCP connections on port 80.
ufw allow 1000:2000/tcp // Allows incoming connections on a range of ports (ufw writes ranges with a colon and requires a protocol, tcp or udp, for them).
ufw allow from 10.0.0.30 // Allows incoming connections on any port and protocol from IP 10.0.0.30.
ufw allow from 10.0.0.0/24 // Allows incoming connections on any port and protocol from a range of IPs in CIDR notation (10.0.0.0 to 10.0.0.255 in this case).
ufw allow from 10.0.0.30 to any port 22 // Allows incoming connections on port 22 from IP 10.0.0.30.
ufw allow from 10.0.0.30 to any port 22 proto tcp // Allows incoming TCP connections on port 22 from IP 10.0.0.30.
This is just a sample of the countless combinations that UFW allows. Of course, remember that you can also use deny to achieve the opposite effect.
5. Deleting rules
To delete a rule, it is easiest to first display the rules in numbered form. You can do this with the following command:
ufw status numbered
Once the rules are displayed preceded by a number that identifies them, you can delete them as follows:
ufw delete 3 // Delete rule number "3".
6. Insert rules with a specific number
UFW evaluates rules in order and the first match wins. You can use the following syntax to place a rule at a specific position, so that it takes precedence over the rules that follow it.
ufw insert 3 allow 22 // Insert a rule to allow incoming connections in position 3.
7. Enable or disable logging
UFW has the option to log the connections it blocks and, at the higher logging levels, those it allows. You can enable or disable UFW logging as follows:
ufw logging on // Enables logging (equivalent to the "low" level, which records blocked packets).
ufw logging off // Disables logging.
The levels "low", "medium", "high" and "full" can be given in place of "on"; entries go to the kernel log and, on most distributions, to /var/log/ufw.log.
8. Activate / Deactivate the firewall
Finally, we will show you how to activate the firewall once you have set up the necessary configuration for your server:
ufw enable // Activates the firewall, applies all the established rules and makes ufw start automatically at boot.
ufw disable // Disables (pauses) the firewall; the rules are kept for the next enable.
ufw reset // Remove all rules and allow you to start from scratch with the exception of the default behavior that you defined in step 1.
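The following script is an added example, not part of the original tutorial: it applies the baseline from steps 1, 3, 7 and 8 in the order that avoids a lock-out, and refuses to enable the firewall unless a rule admitting the SSH port is already present. It assumes SSH listens on port 22 (override with SSH_PORT), that it runs as root, and it uses "ufw show added" to list pending rules because "ufw status" reports only "inactive" before enabling.

```shell
#!/bin/sh
# Added example (not from the original tutorial): applies the baseline from steps 1, 3, 7
# and 8, but runs "ufw enable" only after confirming that a rule admitting the SSH port
# has been added. Assumptions: SSH listens on 22 (override with SSH_PORT=...), the script
# runs as root, and "ufw show added" is used to list pending rules, because "ufw status"
# reports only "Status: inactive" until the firewall is enabled.
SSH_PORT="${SSH_PORT:-22}"

# ssh_rule_present: reads "ufw show added" output on stdin and succeeds (exit 0) if any
# line is an allow rule for the SSH port in one of the forms shown in this tutorial
# ("ufw allow 22", "ufw allow 22/tcp", "ufw allow from <src> to any port 22 proto tcp")
# or the OpenSSH application profile. Deny rules and other ports do not count.
ssh_rule_present() {
  grep -Eq "^ufw allow ((from|to) [^ ]+ )*(port )?${SSH_PORT}(/tcp)?( |\$)|^ufw allow OpenSSH\$"
}

# apply_baseline: default deny in / allow out, admit SSH first, turn on logging, then
# enable. "--force" skips the interactive "may disrupt existing ssh connections" prompt,
# which is why the check above runs before it.
apply_baseline() {
  ufw default deny incoming
  ufw default allow outgoing
  ufw allow "${SSH_PORT}/tcp"        # step 3: added before enabling, so the session survives
  ufw logging on
  if ufw show added | ssh_rule_present; then
    ufw --force enable
    ufw status verbose
  else
    echo "refusing to enable ufw: no rule admits port ${SSH_PORT}" >&2
    return 1
  fi
}

# sample_added: constructed "ufw show added" output (not captured from a real host), so the
# check can be exercised offline: sample_added | ssh_rule_present
sample_added() {
  printf '%s\n' "Added user rules (see 'ufw status' for running firewall):" \
    "ufw allow 80/tcp" \
    "ufw allow from 10.0.0.30 to any port 22 proto tcp"
}

# Apply to the local host only when explicitly asked: sh baseline.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_baseline
fi
```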
If you have followed the steps correctly, you will now be able to successfully configure UFW and use it on your server.