Install & Configure UFW Firewall on Ubuntu & Debian Server


A firewall helps you monitor and filter incoming and outgoing network traffic. Most firewalls work by defining a set of security rules that determine whether to allow or block specific traffic.

UFW, or Uncomplicated Firewall, comes preinstalled with Ubuntu and most other Debian-based distros, providing simplified firewall management on top of low-level filtering technologies like iptables.

This tutorial on setting up UFW firewall will cover pretty much everything you need to know about configuring and managing your UFW firewall on Ubuntu and Debian.

Step 1: Installing UFW on Ubuntu

UFW should already be installed on Ubuntu. If it isn’t, you can install it using:

# Update packages
sudo apt update && sudo apt upgrade

# Install UFW
sudo apt install ufw

Step 2: Checking UFW Status & Rules

# Check UFW status
sudo ufw status verbose

You should see that UFW is disabled, shown as Status: inactive.

Step 3: Enable IPv6 with UFW

This guide is written with IPv4 in mind, but it works just as well with IPv6. To have UFW manage IPv6 too, edit /etc/default/ufw and make sure it contains IPV6=yes:

# Configure UFW to support IPv6
sudo nano /etc/default/ufw

# Make sure this line is present in the file
IPV6=yes

Save and close the file. When you enable UFW, it will now write both IPv4 and IPv6 firewall rules.

Step 4: Setting Up Default Policies for UFW

Let’s start by defining the default policies. These control how traffic that does not explicitly match any other rule is handled.

By default, UFW is set to deny all incoming connections and allow all outgoing connections.

This means that anyone trying to reach your server cannot connect unless you specifically open the port, while applications and services running on the server can still reach the outside world.

The default policies are defined in the /etc/default/ufw file and can be changed either by editing the file or with the sudo ufw default <policy> <chain> command.

You can set your UFW rules back to the defaults, to follow along with this tutorial:

# Set up default policy for UFW Firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing

This denies all incoming connections and allows all outgoing connections. The defaults alone might suffice for a personal computer, but a server needs to respond to incoming requests from outside users.

Step 5: Allowing SSH Connections via UFW

If we enabled UFW now, it would deny all incoming connections, including legitimate SSH or HTTP connections. Allow incoming SSH first, so that you can still connect to and manage your server:

# Allow SSH connections
sudo ufw allow ssh

This creates firewall rules that allow all connections on port 22, the port the SSH daemon listens on by default. You could also use the following command instead:

# Allow SSH connections
sudo ufw allow 22

Replace 22 with a different port number if you’ve configured the SSH daemon to use a different port.

Alright, with that done, let’s enable our UFW firewall.

Step 6: Enabling UFW

You can enable UFW using the following command:

# Enabling UFW
sudo ufw enable

You will receive a warning that the command may disrupt existing SSH connections. Since we’ve already added a rule that allows SSH, it is safe to continue: respond to the prompt with y and hit ENTER.

The firewall is now up and running. Run sudo ufw status verbose to see the rules that are set.

It should show something like this:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
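
The warning in Step 6 matters because ufw allow ssh resolves the name through /etc/services and therefore always opens port 22, not whatever port sshd is actually configured to use. The following lockout guard is an added example, not part of the original tutorial: it reads the Port directive from sshd_config and checks the rules already added (the output of sudo ufw show added, whose format is assumed here to be one "ufw allow ..." line per rule) for a matching allow rule before you run sudo ufw enable. The two sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Real usage:
#   port=$(sshd_port </etc/ssh/sshd_config)
#   sudo ufw show added | ssh_rule_present "$port" && sudo ufw enable

# Print the Port from an sshd_config read on stdin; default 22 when unset.
# Commented-out lines ("#Port 22") are ignored because $1 is then "#Port".
sshd_port() {
    port=$(awk 'tolower($1) == "port" { p = $2 } END { print p }')
    echo "${port:-22}"
}

# Exit 0 if the `ufw show added` text on stdin contains a simple allow rule
# for port $1 (bare or /tcp), or the ssh/OpenSSH names when $1 is 22.
# Rules with a "from" source are not considered a guarantee and are skipped.
ssh_rule_present() {
    awk -v p="$1" '
        /^ufw allow/ && $3 != "from" {
            if ($3 == p || $3 == (p "/tcp")) found = 1
            if (p == "22" && ($3 == "ssh" || $0 ~ /OpenSSH/)) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# safe_to_enable SSHD_CONFIG_TEXT SHOW_ADDED_TEXT -> 0 when enabling is safe.
safe_to_enable() {
    port=$(printf '%s\n' "$1" | sshd_port)
    printf '%s\n' "$2" | ssh_rule_present "$port"
}

# Constructed sample inputs: sshd moved to 2222, one rule set opened the
# right port, the other blindly ran `ufw allow ssh` (port 22).
SAMPLE_SSHD_CONFIG='# sshd_config (constructed)
Port 2222
PermitRootLogin no'
SAMPLE_ADDED_OK="Added user rules (see 'ufw status' for running firewall):
ufw allow 2222/tcp
ufw allow 80"
SAMPLE_ADDED_BAD="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 80"
```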

Step 7: Allowing Other Connections via UFW

Depending on the applications and services running on your server, you’ll need to open other ports on UFW. The general syntax to open a port is as follows:

sudo ufw allow port_number/protocol

You already know how to write rules that allow connections based on a service name or port; we already did this for SSH on port 22. Here are a few more examples:

# Allow HTTP on port 80
sudo ufw allow 80

# Allow HTTPS on port 443
sudo ufw allow 443

Allowing Applications & Services via UFW

You can also allow specific installed applications and services via UFW. Run the following command to see the profiles that UFW knows about and can use:

# View UFW profiles
sudo ufw app list

Just because an app or service appears in that list does not mean that UFW has active rules for it. You can also create your own custom profiles, which are stored in /etc/ufw/applications.d, but I wouldn’t recommend deleting any of the existing ones.

You can enable a particular UFW application profile using the familiar command:

sudo ufw allow application_profile

For example, if you have Nginx installed, you might see these application profiles:

Available applications:
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH

To enable Nginx Full, which opens both port 80 (normal, unencrypted web traffic) and port 443 (TLS/SSL, encrypted traffic):

# Enabling Nginx Full
sudo ufw allow 'Nginx Full'

You should get an output like this:

# Output
Rules updated
Rules updated (v6)

Allowing Specific IP addresses via UFW

You can also allow connections from specific IP addresses by adding from. For example, to allow connections from, say, 123.45.67.89, use this command:

sudo ufw allow from 123.45.67.89

You can also restrict the rule to a specific port for that IP address by adding to any port followed by the port number.

For example, if you want to allow 123.45.67.89 to connect to port 22 (SSH), use this command:

sudo ufw allow from 123.45.67.89 to any port 22

Allowing Specific Subnets via UFW

You can also allow a whole subnet of IP addresses, using CIDR notation to specify the netmask.

For example, if you want to allow all the IP addresses ranging from 123.45.67.1 to 123.45.67.254, use this command:

sudo ufw allow from 123.45.67.0/24

Likewise, you can specify the destination port, say 22, that a particular subnet is allowed to connect to using the following command:

sudo ufw allow from 123.45.67.0/24 to any port 22

Step 8: Denying Connections via UFW

By default, UFW denies all incoming connections. This simplifies creating a secure firewall policy: you only need rules that explicitly allow specific ports and IP addresses through.

If you changed your default incoming policy to allow (which is not recommended), you might want to create deny rules for any services or IP addresses that you don’t want to allow connections for.

To write deny rules, just use the commands described above, replacing allow with deny.

For example, to deny HTTP connections, use this:

sudo ufw deny http

You can also block all connections from a particular IP address, say, 123.45.67.89, using:

sudo ufw deny from 123.45.67.89

Similarly, a particular subnet can be blocked using:

sudo ufw deny from 123.45.67.0/24

# Output of sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   DENY        123.45.67.89
Anywhere                   DENY        123.45.67.0/24

This helps block connections based on the source IP address or subnet, for example when your server is being attacked from a particular address.

Just follow the same commands you used to allow something, and replace allow with deny, to create blocking rules.

Step 9: Deleting UFW Firewall Rules

There are basically two ways of specifying which UFW rules to delete: by rule number or by the actual rule.

Deleting UFW Rules by Rule Number

To delete a firewall rule by its number, first get a numbered list of all firewall rules using the following command:

sudo ufw status numbered
# Numbered Output of UFW Rules
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80 (v6)                    ALLOW IN    Anywhere (v6)
[ 6] 443 (v6)                   ALLOW IN    Anywhere (v6)

Note the “(v6)” marking IPv6 rules; the unmarked ones are IPv4 rules.

To delete a rule, say, rule number 3, just use the following command:

sudo ufw delete 3

You’ll be asked whether you want to proceed with the deletion; type y and hit ENTER.

# Output
Deleting:
 allow 443
Proceed with operation (y|n)? y
Rule deleted

Deleting UFW Rules by Actual Rule

Another way of deleting a UFW rule is to specify the actual rule to delete.

For example, if you want to remove the allow https rule, you could write it like this:

sudo ufw delete allow https

You can also specify the rule by port number, as allow 443 instead:

sudo ufw delete allow 443
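
Deleting by number has a catch the table above does not show: after each deletion UFW renumbers the remaining rules, so deleting rules 3 and 6 in that order removes the wrong rule on the second pass. The following helper is an added example, not part of the original tutorial: it reads sudo ufw status numbered output, finds every rule number whose To column matches a given port (both the IPv4 and the (v6) entry) and prints the delete commands highest number first, so each remaining number stays valid. The SAMPLE text is constructed from the table shown above.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Real usage:
#   sudo ufw status numbered | delete_commands 443
# then review the printed commands and run them in the order given.

# rule_numbers_for PORT  <status-numbered-text
# Prints the rule numbers whose "To" column is PORT, optionally followed by
# /tcp or /udp and/or "(v6)", highest number first.
rule_numbers_for() {
    awk -v p="$1" '
        /^\[ *[0-9]+\]/ {
            # "[ 3] 443  ALLOW IN  Anywhere" -> n = 3, rest = "443  ALLOW IN ..."
            match($0, /^\[ *[0-9]+\]/)
            n = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", n)
            rest = substr($0, RLENGTH + 1)
            split(rest, f, " ")               # f[1] is the "To" column
            to = f[1]; sub(/\/(tcp|udp)$/, "", to)
            if (to == p) print n
        }' | sort -rn
}

# delete_commands PORT  <status-numbered-text
# Emits one `sudo ufw delete N` per matching rule, descending, so that the
# renumbering UFW performs after each deletion cannot shift a later target.
delete_commands() {
    rule_numbers_for "$1" | while read -r n; do
        printf 'sudo ufw delete %s\n' "$n"
    done
}

# Constructed sample: the numbered table from the tutorial.
SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80 (v6)                    ALLOW IN    Anywhere (v6)
[ 6] 443 (v6)                   ALLOW IN    Anywhere (v6)'
```

Each printed delete still triggers UFW's "Proceed with operation (y|n)?" prompt, so run the commands one at a time rather than piping them into a shell.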

Step 10: Disabling & Resetting UFW

You can disable UFW using the following command:

sudo ufw disable

This disables any rules that you created with UFW; you can always run sudo ufw enable again if you need it later.

If you want to start over, you can use the reset command:

sudo ufw reset

This will disable UFW and delete any rules that were previously defined, giving you a fresh start with UFW.

That’s all folks!

You now know how to set up a fully configured firewall on your Ubuntu server. Be sure to allow any incoming connections your servers need while blocking unnecessary ones, keeping your server secure and running.