Posted on Aug 12, 2024

Uncomplicated Firewall (UFW)

#security #linux

Linux Firewalls

All modern Linux firewall solution uses Netfilter subsystem.
Netfilter is a packet filtering system that is used to
manipulate the fate of network traffic headed into or through the server.
System administrator use userspace interface utility siptables to set rules for how to manage the incoming traffic.
iptables is extremely effective and customizable, but it can be complex to configure.
Developers produced several frontend to help user control their firewall without writing lengthy iptables rules. Ex: ufw, firewalld etc

ufw - Uncomplicated Firewall

The default for debian based distros, ex: ubuntu, linux mint etc.
Provides a user-friendly way to create IPv4 or IPv6 host-based firewall.
ufw by default is initially disabled.

Enable or disable ufw

To enable ufw, run:

 sudo ufw enable

To disable ufw, run:

 sudo ufw disable

Check the status

To see the firewall status, enter:

 sudo ufw status

See numbered format:

 sudo ufw status numbered

Show all added rules:

ufw show added

UFW Defaults

It's very important to understand ufw defaults for your security.

Enter:

 sudo ufw status verbose

Above command will result:

# ufw status verbose Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- 22/tcp ALLOW IN Anywhere 44 DENY IN Anywhere 22/tcp (v6) ALLOW IN Anywhere (v6) 44 (v6) DENY IN Anywhere (v6)

Explanation of output below:

deny (incoming): This will make sure that no outside systems can connect to your machine until you add an overriding rule for it.
allow (outgoing): This means that all outgoing requests are enabled. This setting helps you run commands like apt-install, wget, and ping without issues. But, if you want to keep your server secure it is better to change the defaults to block outgoing and then allow specific IPs/domains that you need.
disabled (routed). This means that all routing is disabled and forwarding is blocked. This is a good default provided you are not using your machine as a router.
In Action column it is ALLOW IN & DENY IN. Which means there is also ALLOW OUT & DENY OUT.

Reload firewall for new rules

If UFW is already enabled and you modify the firewall rules, you need to reload it before the changes take into effect.

You can restart UFW by disabling it and enabling it again:

sudo ufw disable && sudo ufw enable

Or reload the rules:

sudo ufw reload

Reset all rules of ufw

 ufw reset

How to add ufw rules

Syntax to add rule:

sudo ufw allow <port>/<optional: protocol> sudo ufw deny <port>/<optional: protocol>

Examples

To open a port (port no: 22):

 sudo ufw allow 22

To close an opened port:

 sudo ufw deny 22

To allow ssh connection

 ufw allow ssh

To allow http and https

 sudo ufw allow http && sudo ufw allow https

Rules can also be added using a _numbered format._

See numbered format:

 sudo ufw status numbered

To add a rule using numbered format:

 sudo ufw insert 1 allow 80

This allowing 80 port as number 1 rule

To remove a rule, use delete followed by the rule:

 sudo ufw delete deny 22

This delete the deny 22 rule

To check all open ports that are running

Install net-tools if not already installed

 sudo apt install net-tools

Show all open port that are currently running:

 netstat -tulpn

To further check your network connection use:

 netstat -anp # Detailed info about all network connection lsof -i # List open network file ss # Display socket statistics and network connections ss -t # Display all TCP sockets ss -u # Display all UDP Sockets ss -l # All listening sockets ss -a # All Sockets ss -s # Summary statistics ss -p # Process using the socket ss -n # Show numerical addresses instead of hostman iptables -L -n # List all firewall rules with IP address & port number cat /etc/resolv.conf # List info about DNS config of system

Allow Access from specific hosts

It can allow access from specific hosts or networks to a port
Example: Allows SSH access from host 192.168.0.2 to any IP address on this host:

 sudo ufw allow proto tcp from 192.168.0.2 to any port 22

To allow SSH access from entire subnet enter:

 sudo ufw allow proto tcp from 192.168.0.2/24 to any port 22

Simulate Adding Rules

If you want to see what happens when you add a rule use --dry-run option to a ufw command.

 sudo ufw --dry-run allow http

Configure to support IPv6

Open Config File: using nano(a text editor)

 sudo nano /etc/default/ufw

Then Change The IPV6 value to yes:

 IPV6=yes

ufw application integration

See all available apps:

 suo ufw app list

Syntax to add or deny app:

sudo ufw allow <application> sudo ufw deny <application>

To allow OpenSSH enter:

 sudo ufw allow "OpenSSH"

Special Tips For Newbies

After enabling firewall never exit from your remote server connection without enabling rule for ssh connection. Otherwise you won't be able to log into your own server.

UFW Logging

To see if logging is enabled:

 sudo ufw status verbose

To allow logging on:

 sudo ufw logging on

Different levels of UFW Firewall logging

There are 5 levels of UFW logging.

off: Means logging is disabled.
low: Will store logs related to blocked packets that do not match the current firewall rules and will show log entries related to logged rules.
medium: In addition to all the logs offered by the low level, you get logs for invalid packets, new connections, and logging done through rate limiting.
high: Will include logs for packets with rate limiting and without rate limiting.
full: This level is similar to the high level but does not include the rate limiting.