September 23, 2020

How to set up a UFW firewall on Ubuntu

4 min read

Properly configuring the firewall is one of the most important aspects of the overall system security. By default, Ubuntu 18.04 LTS comes with a firewall configuration tool called UFW. UFW is a user-friendly front end that can be used to manage iptables firewall rules. Its main purpose is to make management iptables even more easy and easy.

Install UFW

The UFW tool is included with the Ubuntu 18.04 LTS system by default. If it is not installed on your system, you can install it in the Terminal by executing the following command:

sudo apt install ufw

Check UFW status
After the installation is complete, you can check the status of the UFW with the following command:

sudo ufw status verbose

Whether you are using the Ubuntu 18.04 system or just manually installed UFW, the default is disabled, so the output is “inactive”:
If UFW is activated, the output will look similar to the following:
UFW default policy
The firewall policy is the basis for building user-defined rules. In most cases, the initial UFW default policy is a good starting point. By default, UFW blocks all incoming connections and allows all outgoing connections. That is, unless you specifically open a specific port, anyone trying to access your server will not be able to connect, but the applications and services running on the server will be accessible. The UFW default policy is defined in the /etc/default/ufw file, which can be changed using the sudo ufw default command.
How to add a new rule
When you use apt to install a package, the application configuration file is added to the /etc/ufw/applications.d directory, which is primarily used to describe the service and store UFW settings. We can list all application configuration policies using the following command:

sudo ufw app list

Based on the packages installed on the current system, the output looks like this:
If you want to find out more about configuration files and include rules, you can use something like the following:

sudo ufw app info ‘Apache’

From the above output, you can see that the “Apache” configuration file opens ports 80.
Allow SSH connections
Before you officially enable the UFW firewall on the server, you need to add an incoming rule that allows SSH connections. Otherwise, after UFW is enabled, SSH can’t connect, don’t run around… To configure the UFW firewall to allow incoming SSH connections, type the following command:

sudo ufw allow ssh

If your SSH port is custom and you are not using the default 22 port, you can listen and allow connections on that port by the following command, for example, port 2222:

sudo ufw allow 2222/tcp

Enable UFW

If your UFW firewall is configured to allow incoming SSH connections, you can enable UFW by executing the following command:

sudo ufw enable

Allow listening for incoming port connections

Depending on the application running on your Ubuntu and your specific needs, you may need to allow incoming connections to other ports. Below the system geeks will demonstrate examples of how to allow common services.
Open port 80 – HTTP
You can use the following command to allow HTTP connections

sudo ufw allow http

You can also specify port number 80 directly:

sudo ufw allow 80/tcp

Or you can use an application configuration file, in this case, “Nginx HTTP”:

sudo ufw allow ‘Nginx HTTP’

Open port 443 – HTTPS

You can use the following command to allow HTTPS connections:

sudo ufw allow https

You can also specify the port number 443 directly:

sudo ufw allow 443/tcp

Or you can use an application configuration file, in this case, “Nginx HTTPS”:

sudo ufw allow ‘Nginx HTTPS’

Allowed port range
In addition to allowing a single port connection, UFW also allows you to direct the configuration of port ranges. When using UFW’s port range, you must specify the tcp or udp protocol. For example, to turn on the tcp and udp ports on the server from 8100 to 8200, you can run the following command:
  1. sudo ufw allow 8100:8200/tcp
  2. sudo ufw allow 8100:8200/udp

Allow specific IP address

If you want to allow access to all ports of an IP address, you can use the following command:

sudo ufw allow from 192.168.1.44 

Allow subnet
If you want to allow a specific subnet-wide computer to access a port on the server, for example, to allow access from the 192.168.1.1 to 192.168.1.254 network segment to the server 3306 (MySQL) port, you can execute the following command:

sudo ufw allow from 192.168.1.0/24 to any port 3306

Refuse to connect

As mentioned earlier, the default policy for incoming connections is set to reject. Assuming you have ports 80 and 443 open and the server is attacked by 129.12.1.0/24, you can reject all connections to the network with the following command:

sudo ufw deny from 129.12.1.0/24

If you only want to deny access to ports 80 and 443, you can use the following command:
  1. sudo ufw deny from 23.34.45.0/24 to any port 80
  2. sudo ufw deny from 23.34.45.0/24 to any port 443
Delete UFW policy

We can remove UFW rules based on the rule number and the actual rules. For novice users, it is better to delete a specific rule by rule number, but before that, you need to use the command to list the number of the rule number:

sudo ufw status numbered

For example, to delete the rule for open 80 port [1], you can use the following command:

sudo ufw delete 1

The second method is to delete the operation by specifying the actual rules. For example, to delete the rule for opening port 2222, you can use the following command:

sudo ufw delete allow 2222

Disable UFW
If you want to stop using UFW and deactivate all rules, you can choose to disable UFW directly:

sudo ufw disable

Reset UFW

When you reset UFW, UFW is disabled and all active rules are removed.

sudo ufw reset