coder7475

Uncomplicated Firewall (UFW)

Linux Firewalls

  • All modern Linux firewall solutions use the Netfilter subsystem.

  • Netfilter is a packet filtering framework that decides the fate of network traffic headed into or through the server.

  • System administrators use the userspace utility iptables to set rules for how incoming traffic is handled.

  • iptables is extremely effective and customizable, but it can be complex to configure.

  • Developers have produced several frontends that let users control their firewall without writing lengthy iptables rules, for example ufw and firewalld.

ufw - Uncomplicated Firewall

  • The default on Debian-based distros such as Ubuntu and Linux Mint.

  • Provides a user-friendly way to create an IPv4 or IPv6 host-based firewall.

  • ufw is disabled by default after installation.

Enable or disable ufw

To enable ufw, run:

 sudo ufw enable 

To disable ufw, run:

 sudo ufw disable 

Check the status

To see the firewall status, enter:

 sudo ufw status 

See numbered format:

 sudo ufw status numbered 

Show all added rules:

 sudo ufw show added

UFW Defaults

It's very important to understand the ufw defaults for your security.

Enter:

 sudo ufw status verbose 

The command prints output like this:

 # ufw status verbose
 Status: active
 Logging: on (low)
 Default: deny (incoming), allow (outgoing), disabled (routed)
 New profiles: skip

 To                         Action      From
 --                         ------      ----
 22/tcp                     ALLOW IN    Anywhere
 44                         DENY IN     Anywhere
 22/tcp (v6)                ALLOW IN    Anywhere (v6)
 44 (v6)                    DENY IN     Anywhere (v6)

Explanation of the output:

  1. deny (incoming): No outside system can connect to your machine until you add a rule that overrides this default.

  2. allow (outgoing): All outgoing requests are permitted. This lets commands such as apt install, wget and ping work without issues. If you want to lock the server down further, change the default to deny outgoing and then allow only the specific IPs/domains you need.

  3. disabled (routed): All routing is disabled and forwarding is blocked. This is a good default provided you are not using your machine as a router.

  4. The Action column shows ALLOW IN and DENY IN; the matching ALLOW OUT and DENY OUT actions exist for outgoing traffic.

Reload firewall for new rules

If UFW is already enabled and you modify the firewall rules, you need to reload it before the changes take effect.

You can restart UFW by disabling it and enabling it again:

sudo ufw disable && sudo ufw enable 

Or reload the rules:

sudo ufw reload 

Reset all rules of ufw

Resetting disables ufw and removes all rules, returning the firewall to its installation defaults:

 sudo ufw reset

How to add ufw rules

Syntax to add rule:

 sudo ufw allow <port>/<optional: protocol>
 sudo ufw deny <port>/<optional: protocol>

Examples

  1. To open a port (port no: 22):
 sudo ufw allow 22
  2. To close a port that was opened:
 sudo ufw deny 22
  3. To allow SSH connections:
 sudo ufw allow ssh
  4. To allow HTTP and HTTPS:
 sudo ufw allow http && sudo ufw allow https

Rules can also be added using a numbered format.

  1. See the numbered list of rules:
 sudo ufw status numbered
  2. To insert a rule at a given position:
 sudo ufw insert 1 allow 80

This inserts a rule allowing port 80 as rule number 1, so it is evaluated before the existing rules.

  3. To remove a rule, use delete followed by the rule:
 sudo ufw delete deny 22

This deletes the deny 22 rule.

Check which ports are open and listening

  1. Install net-tools if it is not already installed:
 sudo apt install net-tools
  2. Show all ports that are currently listening (run it with sudo to see the owning process of sockets belonging to other users):
 netstat -tulpn
  3. To inspect your network connections further, use:
 netstat -anp          # Detailed info about all network connections
 lsof -i               # List open network files
 ss                    # Display socket statistics and network connections
 ss -t                 # Display all TCP sockets
 ss -u                 # Display all UDP sockets
 ss -l                 # All listening sockets
 ss -a                 # All sockets
 ss -s                 # Summary statistics
 ss -p                 # Process using the socket
 ss -n                 # Show numerical addresses instead of hostnames
 iptables -L -n        # List all firewall rules with IP addresses & port numbers
 cat /etc/resolv.conf  # Show the DNS configuration of the system

Allow Access from specific hosts

  • ufw can allow access to a port from specific hosts or networks only.

  • Example: allow SSH access from host 192.168.0.2 to any IP address on this host:

 sudo ufw allow proto tcp from 192.168.0.2 to any port 22
  • To allow SSH access from the entire subnet, enter:
 sudo ufw allow proto tcp from 192.168.0.2/24 to any port 22

Simulate Adding Rules

To see what a rule would do without applying it, add the --dry-run option to the ufw command.

 sudo ufw --dry-run allow http 

Configure to support IPv6

  1. Open the config file with a text editor such as nano:
 sudo nano /etc/default/ufw
  2. Then set the IPV6 value to yes:
 IPV6=yes

ufw application integration

  1. See all available application profiles:
 sudo ufw app list
  2. Syntax to allow or deny an application:
 sudo ufw allow <application>
 sudo ufw deny <application>
  3. To allow OpenSSH enter:
 sudo ufw allow "OpenSSH"

Special Tips For Newbies

  • After enabling the firewall, never close your remote server session without first adding a rule that allows SSH. Otherwise you will not be able to log back into your own server.
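As an added example that is not part of the original post, the shell functions below audit the text printed by `sudo ufw status verbose` for the two points made in the UFW Defaults section and in this tip: the default incoming policy is deny, and an ALLOW IN rule for SSH (22, 22/tcp or the OpenSSH profile) exists before you log out. The function names and the sample status text are this example's own; the sample is shaped like the listing shown earlier in the post.

```shell
# Added example, not from the original post: check `ufw status verbose`
# output before ending a remote session. Passes only when the default
# incoming policy is "deny" AND an ALLOW IN rule for SSH is present.

# Constructed sample, shaped like the listing shown in the post.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
44                         DENY IN     Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
44 (v6)                    DENY IN     Anywhere (v6)'

# Print the default incoming policy ("deny" or "allow") from status text on stdin.
default_incoming() {
  sed -n 's/^Default: \([a-z]*\) (incoming).*/\1/p'
}

# Exit 0 if status text on stdin contains an ALLOW IN rule for SSH
# (port 22, 22/tcp or the OpenSSH app profile, IPv4 or IPv6).
has_ssh_allow() {
  grep -Eq '^(22(/tcp)?|OpenSSH)( \(v6\))? +ALLOW IN'
}

# Read status text on stdin; exit 0 only when both checks pass.
# Live usage:  sudo ufw status verbose | ufw_safe_to_logout
ufw_safe_to_logout() {
  status=$(cat)
  [ "$(printf '%s\n' "$status" | default_incoming)" = "deny" ] || return 1
  printf '%s\n' "$status" | has_ssh_allow
}

# Stand-alone demonstration against the constructed sample.
if printf '%s\n' "$SAMPLE_STATUS" | ufw_safe_to_logout; then
  echo "ok: default deny incoming and SSH allowed; safe to log out"
else
  echo "WARNING: fix the default policy or add an SSH allow rule before logging out"
fi
```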

UFW Logging

  1. To see whether logging is enabled:
 sudo ufw status verbose
  2. To turn logging on:
 sudo ufw logging on

Different levels of UFW Firewall logging

There are 5 levels of UFW logging.

  1. off: Logging is disabled.
  2. low: Stores logs for blocked packets that do not match the current firewall rules, and shows log entries for rules that have logging enabled.
  3. medium: In addition to everything logged at the low level, you get logs for invalid packets, new connections, and logging done with rate limiting.
  4. high: Includes logs for packets both with and without rate limiting.
  5. full: Similar to the high level but without the rate limiting.

To change the logging level

  1. Syntax:
 sudo ufw logging <logging_level>
  2. For example, to change it to the medium level:
 sudo ufw logging medium

Check logs

  1. See the full log:
 sudo less /var/log/ufw.log
  2. Show the last 10 lines and follow new entries as they arrive:
 sudo tail -f /var/log/ufw.log
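As an added example that is not part of the original post, the following shell functions summarise the [UFW BLOCK] entries that the logging levels above write to /var/log/ufw.log: blocked packets per source address and per protocol/destination port, plus a threshold filter for the noisiest sources. The function names and the sample log lines are constructed for this example (documentation-range addresses), but the field layout is the one ufw writes to the kernel log.

```shell
# Added example, not from the original post: summarise [UFW BLOCK] entries
# so a quick look at the log answers "who is being blocked, on which ports?".
# Constructed sample lines in the format ufw writes via the kernel log.
SAMPLE_LOG='Mar  3 10:15:02 web1 kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=44444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web1 kernel: [ 1235.100000] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=44445 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:09 web1 kernel: [ 1241.000000] [UFW AUDIT] IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:10 web1 kernel: [ 1242.000000] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=40'

# Read log lines on stdin; print "count source_ip" for blocked packets, busiest first.
# Only [UFW BLOCK] lines count; [UFW AUDIT]/[UFW ALLOW] entries are skipped.
blocked_by_source() {
  awk '/\[UFW BLOCK\]/ {
         for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Read log lines on stdin; print "count PROTO/DPT" for blocked packets, busiest first.
blocked_by_port() {
  awk '/\[UFW BLOCK\]/ {
         proto = ""; dpt = ""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^PROTO=/) proto = substr($i, 7)
           if ($i ~ /^DPT=/)   dpt = substr($i, 5)
         }
         if (dpt != "") n[proto "/" dpt]++
       }
       END { for (k in n) print n[k], k }' | sort -rn
}

# Sources with at least $1 blocked packets: a cheap first filter before a closer look.
noisy_sources() {
  blocked_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone demonstration; on a live host feed the real log instead:
#   sudo cat /var/log/ufw.log | blocked_by_source
printf '%s\n' "$SAMPLE_LOG" | blocked_by_source
printf '%s\n' "$SAMPLE_LOG" | blocked_by_port
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 2
```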


Top comments (1)

olsard

Awesome! This is useful and easy to read, thanks!