How to Configure Firewall with UFW on Ubuntu

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls have been a first line of defense in network security. In this tutorial, you will learn how to configure Firewall with UFW on Ubuntu 20.04 LTS.

UFW is an abbreviated to an Uncomplicated FireWall. UFW is easy to implement and highly recommended to secure a network. The default firewall configuration tool for Ubuntu is ufw. It provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled.

Prerequisite

  • Ubuntu 20.04/18.04 (Any debian based system)
  • User with sudo privileges
  • Fast Internet Connection
  • Command Line Terminal

Step:1. Default UFW Policies

You can get the status of ufw whether firewall running on not using following commmands.

$ sudo ufw status

Sample output must be look like below as we told earlier that by default UFW is disabled.

Status: inactive

It is always a better policy that closes all ports on the server and open only required ports. Let’s block all incoming connection and only allow outgoing connections from our Ubuntu 20.04 LTS box with following commands.

$ sudo ufw default allow outgoing

$
sudo ufw default deny incoming

Step:2. Enabling UFW

As told earlier ufw is disabled by default. UFW can be enabled by using below command,

$ sudo ufw enable

Sample Output:

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Once ufw enabled, it runs across system restarts. We can verify that easily as follows,

$ sudo systemctl status ufw.service
  • Disabling UFW

If you need to stop the firewall and disable on system startup, then use below commands,

$ sudo ufw disable

Sample outputs:

Firewall stopped and disabled on system startup

Step:3. Open Specific Incoming Connections/Ports

  • Open SSH TCP Port 22 Connections

Our next step is to allow incoming SSH ports. We can open SSH TCP port 22 using UFW as follows:

$ sudo ufw allow ssh
Rule added
Rule added (v6)

However, we can write the equivalent rule by specifying the port number instead of service name. We can allow ports using below command,

$ sudo ufw allow 22

If you are running ssh on other TCP port than default port. for instance, port 2222 then use below command,

$ sudo ufw allow 2222/tcp

Few admins have a static IP address at home or office location. In that case, only allow ssh access from that static IP address such as 202.50.7.10 to Ubuntu server IP address such as 172.22.12.40,

$ sudo ufw allow proto tcp from 202.50.7.10 to 172.22.12.40 port 22

To check whether the port is open in ufw firewall, then use follows command,

$ sudo ufw status

Status: active
To                                        Action        From
--                                          ------            ----
22/tcp                                ALLOW     Anywhere
2222/tcp                           ALLOW     Anywhere
172.22.12.40 22/tcp       ALLOW      202.50.7.10
22/tcp (v6)                       ALLOW     Anywhere (v6)
2222/tcp (v6)                  ALLOW     Anywhere (v6)

Step:4. Allowing Other Connections

Here, you should allow other connections that your server needs to respond to. The connections that you should allow totally depends on your specific needs. Let’s add more rules. Say you want to open ports and allow IP address with ufw.

The syntax is as follows to open TCP port 80 and 443 with ufw:

$ sudo ufw allow 80/tcp comment 'accepting Apache2'

$ sudo ufw allow 443/tcp comment 'accepting secure HTTPS connections'

Next try to open UDP/1194 (OpenVPN) server:

$ sudo ufw allow 1194/udp comment 'Accepting OpenVPN server'
  • Allow Port Ranges with UFW

We can allow port ranges too, for instance, tcp and udp 2000 to 3000:

$ sudo ufw allow 2000:3000/tcp

$ sudo ufw allow 2000:3000/udp
  • Allowing Specific IP Addresses

Suppose, you need to allow ALL connections from an specific IP address called 106.22.10.210, please use below commands,

$ sudo ufw allow from 106.22.10.210

Let’s allow connections from an IP address called 104.22.11.215 to port 25, then use below commands,

$ sudo ufw allow from 104.22.11.215 to any port 25 proto tcp

You can set destination IP Addr 224.224.224.224 for port 25 too using as follows,

$ sudo ufw allow from 104.22.11.215 to 224.224.224.224 port 25 proto tcp
  • Connections to Specific Network Interface

You should look up your network interfaces before continuing. To do so, use below command,

$ ip addr

2: ens33: mtu 1500 qdisc fq_codel state UP group default qlen 1000
…
3: enp1s0: mtu 1500 qdisc fq_codel state UP group default qlen 1000
…

If your server has a public network interface called ens33, you could allow HTTP traffic (port 80) to it with follows command,

$ sudo ufw allow in on ens33 to any port 80

If you want your MySQL database server (port 3306) to listen for connections on the private network interface eth1, for instance, you could use below command,

$ sudo ufw allow in on enp1s0 to any port 3306

Step:5. Block or Deny Incoming Connections/Ports

If you want to close ports and block certain IP addresses. The syntax is to deny access as below.

$ sudo ufw deny 25/tcp

Let’s suppose, you want to deny all connections from an IP address called 204.10.1.45, then use below commands,

$ sudo ufw deny from 204.10.1.45

Denying all connections from an IP/subnet called 104.13.40.15/29, use follows command,

$ sudo ufw deny from 104.13.40.15/29

Generally, it happens someone trying to intrude your infra. Then you can block that particular IP Addr (let’s say Hacker’s IP 4.1.1.2 on port 22) then go with below commands,

$ sudo ufw deny from 4.1.1.2 to any port 22 proto tcp

Step:6. Verifying the Status of UFW

You can see the status of UFW using below command,

$ sudo ufw status
sudo ufw status
  • UFW Delete Rules

As you already learned how to add, deny, and list the firewall rules. It is time to delete unwanted rules.

The syntax is to list all of the current rules in a numbered format using follows command,

$ sudo ufw status numbered
sudo ufw status numbered

To delete 5th rule type the command,

$ sudo ufw delete 5

Deleting:
allow 443/tcp comment 'accepting secure HTTPS connections'
Proceed with operation (y|n)? y
Rule deleted

Deleting By Actual Rule using below command,

$ sudo ufw delete allow http

$ sudo ufw delete allow 80

$ sudo ufw status numbered
sudo ufw status numbered

Step:7. More Commands related to UFW

Let’s learn more commands related to UFW.

  • Reload the ufw
$ sudo ufw reload
  • Reset the ufw
$ sudo ufw reset
  • View the Firewall Logs

By default all UFW entries are logged into /var/log/ufw.log file. Use the NA command/more command/tail command and other commands to view the ufw logs:

$ sudo more /var/log/ufw.log         or

$ sudo tail -f /var/log/ufw.log
  • Show the list of rules
$ sudo ufw show added

$ sudo ufw show listening

Conclusion

Hence, you learned how To configure Firewall with UFW on Ubuntu. I hope you learned all aspects of UFW.

Read Also : How to Install Zabbix Server 5.0 on Ubuntu 20.04

Share on:

Ravindra Kumar

Hi, This is Ravindra. I am founder of TheCodeCloud. I am AWS Certified Solutions Architect Associate & Certified in Oracle Cloud as well. I am DevOps and Data Science Enthusiast.

3 thoughts on “How to Configure Firewall with UFW on Ubuntu”

Leave a Comment