A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls have been a first line of defense in network security. In this tutorial, you will learn how to configure Firewall with UFW on Ubuntu 20.04 LTS.
UFW is an abbreviated to an Uncomplicated FireWall. UFW is easy to implement and highly recommended to secure a network. The default firewall configuration tool for Ubuntu is ufw. It provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled.
- Ubuntu 20.04/18.04 (Any debian based system)
- User with sudo privileges
- Fast Internet Connection
- Command Line Terminal
Step:1. Default UFW Policies
You can get the status of ufw whether firewall running on not using following commmands.
$ sudo ufw status
Sample output must be look like below as we told earlier that by default UFW is disabled.
It is always a better policy that closes all ports on the server and open only required ports. Let’s block all incoming connection and only allow outgoing connections from our Ubuntu 20.04 LTS box with following commands.
$ sudo ufw default allow outgoing
$ sudo ufw default deny incoming
Step:2. Enabling UFW
As told earlier ufw is disabled by default. UFW can be enabled by using below command,
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y Firewall is active and enabled on system startup
Once ufw enabled, it runs across system restarts. We can verify that easily as follows,
$ sudo systemctl status ufw.service
- Disabling UFW
If you need to stop the firewall and disable on system startup, then use below commands,
$ sudo ufw disable
Firewall stopped and disabled on system startup
Step:3. Open Specific Incoming Connections/Ports
- Open SSH TCP Port 22 Connections
Our next step is to allow incoming SSH ports. We can open SSH TCP port 22 using UFW as follows:
$ sudo ufw allow ssh Rule added Rule added (v6)
However, we can write the equivalent rule by specifying the port number instead of service name. We can allow ports using below command,
$ sudo ufw allow 22
If you are running ssh on other TCP port than default port. for instance, port 2222 then use below command,
$ sudo ufw allow 2222/tcp
Few admins have a static IP address at home or office location. In that case, only allow ssh access from that static IP address such as 18.104.22.168 to Ubuntu server IP address such as 172.22.12.40,
$ sudo ufw allow proto tcp from 22.214.171.124 to 172.22.12.40 port 22
To check whether the port is open in ufw firewall, then use follows command,
$ sudo ufw status Status: active To Action From -- ------ ---- 22/tcp ALLOW Anywhere 2222/tcp ALLOW Anywhere 172.22.12.40 22/tcp ALLOW 126.96.36.199 22/tcp (v6) ALLOW Anywhere (v6) 2222/tcp (v6) ALLOW Anywhere (v6)
Step:4. Allowing Other Connections
Here, you should allow other connections that your server needs to respond to. The connections that you should allow totally depends on your specific needs. Let’s add more rules. Say you want to open ports and allow IP address with ufw.
The syntax is as follows to open TCP port 80 and 443 with ufw:
$ sudo ufw allow 80/tcp comment 'accepting Apache2'
$ sudo ufw allow 443/tcp comment 'accepting secure HTTPS connections'
Next try to open UDP/1194 (OpenVPN) server:
$ sudo ufw allow 1194/udp comment 'Accepting OpenVPN server'
- Allow Port Ranges with UFW
We can allow port ranges too, for instance, tcp and udp 2000 to 3000:
$ sudo ufw allow 2000:3000/tcp
$ sudo ufw allow 2000:3000/udp
- Allowing Specific IP Addresses
Suppose, you need to allow ALL connections from an specific IP address called 188.8.131.52, please use below commands,
$ sudo ufw allow from 184.108.40.206
Let’s allow connections from an IP address called 220.127.116.11 to port 25, then use below commands,
$ sudo ufw allow from 18.104.22.168 to any port 25 proto tcp
You can set destination IP Addr 22.214.171.124 for port 25 too using as follows,
$ sudo ufw allow from 126.96.36.199 to 188.8.131.52 port 25 proto tcp
- Connections to Specific Network Interface
You should look up your network interfaces before continuing. To do so, use below command,
$ ip addr 2: ens33: mtu 1500 qdisc fq_codel state UP group default qlen 1000 … 3: enp1s0: mtu 1500 qdisc fq_codel state UP group default qlen 1000 …
If your server has a public network interface called ens33, you could allow HTTP traffic (port 80) to it with follows command,
$ sudo ufw allow in on ens33 to any port 80
If you want your MySQL database server (port 3306) to listen for connections on the private network interface eth1, for instance, you could use below command,
$ sudo ufw allow in on enp1s0 to any port 3306
Step:5. Block or Deny Incoming Connections/Ports
If you want to close ports and block certain IP addresses. The syntax is to deny access as below.
$ sudo ufw deny 25/tcp
Let’s suppose, you want to deny all connections from an IP address called 184.108.40.206, then use below commands,
$ sudo ufw deny from 220.127.116.11
Denying all connections from an IP/subnet called 18.104.22.168/29, use follows command,
$ sudo ufw deny from 22.214.171.124/29
Generally, it happens someone trying to intrude your infra. Then you can block that particular IP Addr (let’s say Hacker’s IP 126.96.36.199 on port 22) then go with below commands,
$ sudo ufw deny from 188.8.131.52 to any port 22 proto tcp
Step:6. Verifying the Status of UFW
You can see the status of UFW using below command,
$ sudo ufw status
- UFW Delete Rules
As you already learned how to add, deny, and list the firewall rules. It is time to delete unwanted rules.
The syntax is to list all of the current rules in a numbered format using follows command,
$ sudo ufw status numbered
To delete 5th rule type the command,
$ sudo ufw delete 5 Deleting: allow 443/tcp comment 'accepting secure HTTPS connections' Proceed with operation (y|n)? y Rule deleted
Deleting By Actual Rule using below command,
$ sudo ufw delete allow http
$ sudo ufw delete allow 80
$ sudo ufw status numbered
Step:7. More Commands related to UFW
Let’s learn more commands related to UFW.
- Reload the ufw
$ sudo ufw reload
- Reset the ufw
$ sudo ufw reset
- View the Firewall Logs
By default all UFW entries are logged into /var/log/ufw.log file. Use the NA command/more command/tail command and other commands to view the ufw logs:
$ sudo more /var/log/ufw.log or
$ sudo tail -f /var/log/ufw.log
- Show the list of rules
$ sudo ufw show added
$ sudo ufw show listening
Hence, you learned how To configure Firewall with UFW on Ubuntu. I hope you learned all aspects of UFW.
Read Also : How to Install Zabbix Server 5.0 on Ubuntu 20.04