Introduction

Another line of defence to add on Linux servers is a working firewall. If you have ever used iptables directly, you will know it is unnecessarily complicated. This is where ufw comes into its own: it is a simple front end to iptables.

Installation

Installation is a breeze.

sudo apt-get install ufw

Checking Status

Also very easy.

sudo ufw status
sudo ufw status numbered

I prefer numbered, as it then makes it easier to remove entries you don’t want or need.

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 4] 80/tcp (v6)                ALLOW IN    Anywhere (v6)

Using UFW with IPv6

UFW works out of the box with IPv6. If you do not use IPv6 on your network yet, it is easy to turn off:

sudo nano /etc/default/ufw

Then make sure “IPV6” is set to “no”, as follows:

IPV6=no

Save and quit. Restart the firewall with the following commands:

sudo ufw disable
sudo ufw enable
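The same edit done without opening an editor, so it can be scripted and verified before the firewall is restarted. This is an added example, not part of the original post: the function names set_ufw_ipv6 and get_ufw_ipv6 are my own, the file path is a parameter so the script can be tried on a throwaway copy first (the real file is /etc/default/ufw), and the in-place sed edit assumes GNU sed as shipped on Ubuntu and Debian.

```shell
#!/bin/sh
# Added example (not from the original post): switch IPV6 on or off in a ufw
# defaults file without an interactive editor, then read the value back to
# confirm the change before restarting ufw.

# set_ufw_ipv6 FILE yes|no
# Rewrites the IPV6= line in FILE, or appends one if the file has none.
set_ufw_ipv6() {
    file="$1"
    value="$2"
    case "$value" in
        yes|no) ;;
        *) echo "set_ufw_ipv6: value must be yes or no" >&2; return 2 ;;
    esac
    if grep -q '^IPV6=' "$file"; then
        # In-place edit: GNU sed syntax (-i with no suffix), as on Ubuntu/Debian.
        sed -i "s/^IPV6=.*/IPV6=$value/" "$file"
    else
        printf 'IPV6=%s\n' "$value" >> "$file"
    fi
}

# get_ufw_ipv6 FILE
# Prints the current IPV6 value (empty if the file has no IPV6= line).
get_ufw_ipv6() {
    sed -n 's/^IPV6=//p' "$1" | tail -n 1
}

# Try it on a constructed copy of the defaults file (sample content, not the
# real system file), so nothing on the host is touched.
demo_file=$(mktemp)
printf 'IPV6=yes\nDEFAULT_INPUT_POLICY="DROP"\n' > "$demo_file"
set_ufw_ipv6 "$demo_file" no
echo "IPV6 is now: $(get_ufw_ipv6 "$demo_file")"   # prints: IPV6 is now: no
rm -f "$demo_file"

# On a real host, run the same function against the real file as root and
# then restart ufw so the setting takes effect:
#   set_ufw_ipv6 /etc/default/ufw no
#   sudo ufw disable && sudo ufw enable
```

Reading the value back with get_ufw_ipv6 before the disable/enable pair is the point: a typo in the edit is cheap to spot on a copy and expensive to spot after the firewall has been reloaded with the wrong settings.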

Default Setup

I always start a setup with the following:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Pretty obvious this one: allow all outbound communication, deny all incoming!

Allowing Connections

What your server does obviously determines which inbound rules you need to allow, but for a web server this is how I would play it.

If you need to manage the server over the internet because it is hosted elsewhere, then the simple command is:

sudo ufw allow ssh

If the server is local and SSH administration will only ever be done from your LAN, restrict the rule to that range instead. This is for management, so it means you can only manage the server from your internal range. The IP range you define here depends on what you actually have configured.

sudo ufw allow from 192.168.1.0/24 to any port 22

Allowing web traffic is also very easy:

sudo ufw allow www

Possible Requirements

You may need to open up other ports, for example:

sudo ufw allow ftp

I suggest you test as you go through the configuration and check that you can reach every port you need.
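Putting the Default Setup and Allowing Connections steps together into one script, so the whole rule set can be reviewed as a plan before anything is applied. This is an added example and not part of the original post: the function names build_rules and valid_cidr are my own, LAN_CIDR defaults to the constructed 192.168.1.0/24 range used above and should be replaced with your own management subnet, and the ALLOW_FTP switch only exists to show where an optional port such as ftp fits in. The ordering is the one point worth noticing: the SSH rule is added before ufw enable, because enabling a default-deny firewall on a remote box before an SSH allow rule exists cuts off the session you are typing in.

```shell
#!/bin/sh
# Added example (not from the original post): build the web-server rule set
# as a list of ufw commands, print it for review, and only run it when
# APPLY=1 is set in the environment.

LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"   # constructed sample management subnet
ALLOW_FTP="${ALLOW_FTP:-0}"              # 1 only if the box really serves FTP

# Loose sanity check that a value looks like dotted-quad/prefix, so a typo
# such as "192.168.1/24" is caught before ufw rejects it halfway through.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# build_rules CIDR ALLOW_FTP
# Prints one ufw command per line (without sudo), in the order to run them.
build_rules() {
    cidr="$1"
    ftp="$2"
    valid_cidr "$cidr" || { echo "build_rules: bad CIDR '$cidr'" >&2; return 2; }
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # Management only from the LAN range; use "ufw allow ssh" instead if the
    # host is administered over the internet. Either way it goes in BEFORE
    # enable, so the session you are working from stays up.
    echo "ufw allow from $cidr to any port 22 proto tcp"
    echo "ufw allow www"
    if [ "$ftp" = "1" ]; then
        echo "ufw allow ftp"
    fi
    # --force skips the "may disrupt existing ssh connections" prompt.
    echo "ufw --force enable"
    echo "ufw status verbose"
}

# Dry run: show the plan.
build_rules "$LAN_CIDR" "$ALLOW_FTP"

# Apply only when explicitly asked, stopping at the first failing command.
if [ "${APPLY:-0}" = "1" ]; then
    build_rules "$LAN_CIDR" "$ALLOW_FTP" | while IFS= read -r cmd; do
        echo "+ sudo $cmd"
        sudo $cmd || exit 1
    done
fi
```

Run it once without APPLY to read the plan, then with APPLY=1 (and LAN_CIDR set to your real range) to execute it. Keeping the plan and the apply step apart also gives you something to paste into a change record, which is handy when the box is somebody else's.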

Deleting Rules

I like this way to delete rules. First get the numbered list as before:

sudo ufw status numbered

Then delete rules by issuing the following command:

sudo ufw delete [number]

Where “[number]” is the number of the rule you want to delete. Check the numbered status list as you go, because the numbers shift as you delete rules.
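Because the numbers shift after every delete, removing several rules by hand is where mistakes creep in. The script below, which is an added example and not from the original post, reads the output of ufw status numbered, picks out the rules whose text matches a pattern, and emits the delete commands highest number first, so each deletion leaves the remaining targets where they were. The SAMPLE_STATUS text is a constructed listing in the same shape as the one shown earlier, and the function names rule_numbers_matching and delete_commands are my own.

```shell
#!/bin/sh
# Added example (not from the original post): turn "ufw status numbered"
# output into "ufw delete N" commands in descending order of N.

# Constructed sample of what "sudo ufw status numbered" prints.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 4] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# rule_numbers_matching PATTERN < status-output
# Prints matching rule numbers, one per line, highest first. PATTERN is an
# awk regular expression applied to the rule text after the "[ n]" prefix.
rule_numbers_matching() {
    pattern="$1"
    # Keep only the numbered lines, split "number|rest", filter on rest.
    sed -n 's/^\[ *\([0-9][0-9]*\)\] *\(.*\)$/\1|\2/p' |
        awk -F'|' -v pat="$pattern" '$2 ~ pat { print $1 }' |
        sort -rn
}

# delete_commands PATTERN < status-output
# Prints "ufw delete N" lines in the safe (descending) order.
delete_commands() {
    rule_numbers_matching "$1" | while IFS= read -r n; do
        echo "ufw delete $n"
    done
}

# Example: remove every rule for port 80/tcp (v4 and v6) from the sample.
printf '%s\n' "$SAMPLE_STATUS" | delete_commands '^80/tcp'
# prints:
#   ufw delete 4
#   ufw delete 2

# On a real host, review the output first and only then run it, e.g.:
#   sudo ufw status numbered | delete_commands '^80/tcp'
# ufw delete asks for confirmation per rule; "ufw --force delete N" skips it.
```

Deleting 4 before 2 is what makes this safe: after rule 4 goes, rule 2 is still rule 2. Done the other way round, deleting 2 first would turn the old rule 4 into rule 3 and the second delete would remove the wrong entry.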

Easy!

Turning the Firewall On

This one’s simple.

sudo ufw enable

To get the full verbose status of the running firewall:

sudo ufw status verbose

To turn it off:

sudo ufw disable

Reset Everything

If you somehow manage to get it all wrong and want to start fresh, type the following:

sudo ufw reset

Conclusion

You will have a secured server configured to only the access required. As Alan Partridge would say, “Lovely Stuff”.

Setting up UFW – Uncomplicated Firewall