Using Firewall With UFW in Ubuntu Linux [Beginner’s Guide]


UFW (Uncomplicated Firewall) is an easy-to-use firewall tool with lots of options for all types of users.

It’s actually an interface for iptables, the classic low-level (and hard to get comfortable with) tool for setting up rules for your network.

Why should you use a firewall?

A firewall is a way to regulate incoming and outgoing traffic on your network. This is critical for servers, but it also makes the average user’s system more secure, giving you control. If you are one of those people who like to keep things under control at an advanced level even on the desktop, you might consider setting up a firewall.

In short, a firewall is a must for servers. On desktops, it’s up to you if you want to set it up.

Setting up a firewall with UFW

It is important to set up the firewall correctly. An incorrect setup may make the server inaccessible if you are configuring a remote Linux system, such as a cloud instance or a VPS. For example, if you block all incoming traffic on a server that you access via SSH, you will no longer be able to reach that server over SSH.

In this tutorial, I’ll go over configuring a firewall that suits your needs, giving you an overview of what can be done with this simple tool. This should be suitable for both desktop and Ubuntu server users.

Please note that I will be using the command line method here. There is a GUI interface called Gufw for desktop users, but I won’t cover it in this tutorial. There is a guide dedicated to Gufw if you want to use that.

Install UFW

If you are using Ubuntu, UFW should already be installed. If not, you can install it using the following command:

sudo apt install ufw

For other distributions, please use your package manager to install UFW.

To verify that UFW is installed correctly, enter:

ufw --version

If it is installed, you should see the version details:

$ ufw --version
ufw 0.36.1
Copyright 2008-2021 Canonical Ltd.

Great! So you have UFW on your system. Let's see how to use it now.

Note: You need to use sudo or be root to run (almost) all ufw commands.

Check the status and rules of ufw

UFW works by setting rules for incoming and outgoing traffic. Each rule either allows or denies traffic for specific sources and destinations.

You can check the firewall rules with the following command:

sudo ufw status

This should give you the following output at this point:

Status: inactive

The above command would have listed the firewall rules if the firewall were enabled. By default, UFW is not enabled and does not affect your network. We will take care of that in the next section.


But here's the thing: you can view and modify the firewall rules even when ufw is not enabled.

sudo ufw show added

And in my case, it showed this result:

$ sudo ufw show added
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
$

Now, I don’t remember if I added this rule manually or not. It is not a new system.

Default policies

By default, UFW denies all incoming traffic and allows all outgoing traffic. This behavior makes perfect sense for the average desktop user: you want to be able to connect to different services (such as HTTP/HTTPS to access web pages), but you don't want anyone to connect to your device.

But if you are using a remote server, you must allow traffic on the SSH port so that you can connect to the system remotely.

You can either allow the traffic on the default SSH port 22:

sudo ufw allow 22

In case you are using SSH on another port, allow it at the service level:

sudo ufw allow ssh

Do note that the firewall is not active yet. This is good. You can modify the rules before enabling ufw so that core services are not affected.

If you are using UFW on a production server, make sure you allow the ports used by the services running on it.

For example, web servers usually use port 80, so use sudo ufw allow 80. You can also do this at the service level “sudo ufw allow apache”.

This is your responsibility: it is up to you to ensure that your server's services remain reachable.

Desktop users can proceed with the default policies:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Enable and disable UFW

For UFW to work, you must enable it:

sudo ufw enable

Doing so starts the firewall and makes it start on every boot. You will see the following message:

Firewall is active and enabled on system startup.

Note: If you are connected to the machine via SSH, make sure SSH is allowed before enabling ufw by running sudo ufw allow ssh.
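The SSH lock-out described above is the classic UFW mistake, so the following added example (not code from the original article) wraps `ufw enable` in a pre-flight check: it reads the sshd port from `/etc/ssh/sshd_config` (assumed path; default 22) and refuses to enable the firewall unless `ufw show added` already lists an allow rule for that port. The rule-matching function takes its input as text, so it can be checked against a sample before being pointed at a live host.

```shell
#!/bin/sh
# Added example (not from the original article): refuse to run "ufw enable" on a
# remote host unless an allow rule for the SSH port is already present.
# Assumed inputs: sshd's port comes from /etc/ssh/sshd_config (default 22), and
# the rule list is the output of "ufw show added", whose lines look like
# "ufw allow 22/tcp" (as shown earlier in the article).

# Print the sshd listening port found in sshd_config text read from stdin, or 22.
sshd_port_from_config() {
    port=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' | awk '{ print $2 }' | tail -n 1)
    if [ -n "$port" ]; then echo "$port"; else echo 22; fi
}

# Succeed (return 0) if the rule text contains an allow or limit rule covering
# TCP on port $1: "allow 22", "allow 22/tcp", "limit 22/tcp", or, for port 22
# only, the service/app forms "allow ssh" and "allow OpenSSH".
ssh_rule_present() {
    port=$1
    rules=$2
    if echo "$rules" | grep -Eq "^ufw (allow|limit)( in)? ${port}(/tcp)?([[:space:]]|\$)"; then
        return 0
    fi
    if [ "$port" = "22" ] && echo "$rules" | grep -Eq '^ufw (allow|limit)( in)? (ssh|OpenSSH)([[:space:]]|$)'; then
        return 0
    fi
    return 1
}

# Guarded enable: only touches the firewall when the script is run with --apply.
preflight_enable() {
    if [ -r /etc/ssh/sshd_config ]; then
        port=$(sshd_port_from_config < /etc/ssh/sshd_config)
    else
        port=22
    fi
    rules=$(sudo ufw show added)
    if ssh_rule_present "$port" "$rules"; then
        echo "SSH port $port is allowed; enabling ufw"
        sudo ufw enable
    else
        echo "no allow rule for SSH port $port; run: sudo ufw allow ${port}/tcp" >&2
        return 1
    fi
}

if [ "${1:-}" = "--apply" ]; then
    preflight_enable
fi
```

Run it as `sudo ./preflight.sh --apply` on the server; without `--apply` it only defines the functions. Note that the service-name form `ufw allow ssh` resolves to port 22 via /etc/services, which is why the check only accepts it when sshd really listens on 22.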

If you want to turn off UFW, type:

sudo ufw disable

It will return:

Firewall stopped and disabled on system startup

Reload the firewall for new rules

If UFW is already enabled and you have modified the firewall rules, you need to reload it before the changes take effect.

You can restart UFW by disabling it and enabling it again:

sudo ufw disable && sudo ufw enable

or simply reload the rules:

sudo ufw reload

Reset to default firewall rules

If at any point you get your rules wrong and want to go back to the default rules (i.e., no exceptions allowing or denying incoming or outgoing traffic), you can start over with:

sudo ufw reset

Keep in mind that this will delete all firewall configurations.

Configure the firewall with UFW (more detailed view)

Fine! You have learned most of the basic ufw commands. At this point, let's go into more detail about configuring firewall rules.

Allow and deny by protocol and ports

This is how you add new exceptions to your firewall: allow lets your device receive traffic for the selected service, while deny does the opposite.

By default, these commands add rules for both IPv4 and IPv6. If you want to change this behavior, edit /etc/default/ufw and change

IPV6=yes

to

IPV6=no

The basic commands are:

sudo ufw allow <port>/<optional: protocol>
sudo ufw deny <port>/<optional: protocol>

If the rule is added successfully, it will return:

Rules updated
Rules updated (v6)

For example:

sudo ufw allow 80/tcp
sudo ufw deny 22
sudo ufw deny 443/udp

Note: If you do not specify a protocol, the rule applies to both TCP and UDP.

If you enable (or, if it is already running, reload) UFW and check its status, you can see that the new rules have been applied successfully.


You can also allow or deny port ranges. For this type of rule, you must specify a protocol. For example:

sudo ufw allow 90:100/tcp

This allows all services on ports 90 to 100 over TCP. You can reload and check the status to confirm the rule.
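Typos in port rules are easy to make and, on a remote box, costly. The following added example (not code from the original article) encodes the syntax rules from the last two sections, single port or `low:high` range, optional `/tcp` or `/udp`, ports 1 to 65535, and a mandatory protocol for ranges, as a validator that either prints the `ufw` command or fails with a message. The `apply_port_rules` wrapper validates every rule first and only then runs them, so a bad entry never leaves the firewall half-configured; the `allow:80/tcp` entry format is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the original article): validate a UFW port rule before
# handing it to ufw. Enforces: action allow|deny, ports 1-65535, protocol tcp|udp
# if given, and a protocol is required for ranges such as 90:100/tcp.
# Prints "ufw <action> <spec>" on success; returns 1 with a message on stderr otherwise.
build_port_rule() {
    action=$1          # allow or deny
    spec=$2            # e.g. 80, 80/tcp, 443/udp, 90:100/tcp
    case "$action" in
        allow|deny) ;;
        *) echo "action must be allow or deny: $action" >&2; return 1 ;;
    esac
    ports=${spec%%/*}
    proto=""
    case "$spec" in */*) proto=${spec#*/} ;; esac
    case "$proto" in
        ""|tcp|udp) ;;
        *) echo "unknown protocol: $proto" >&2; return 1 ;;
    esac
    case "$ports" in
        *:*)
            lo=${ports%%:*}
            hi=${ports#*:}
            [ -n "$proto" ] || { echo "port ranges need a protocol, e.g. $ports/tcp" >&2; return 1; }
            ;;
        *)
            lo=$ports
            hi=$ports
            ;;
    esac
    for p in "$lo" "$hi"; do
        case "$p" in ''|*[!0-9]*) echo "not a port number: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
    done
    [ "$lo" -le "$hi" ] || { echo "range start $lo exceeds end $hi" >&2; return 1; }
    echo "ufw $action $spec"
}

# Validate all entries ("allow:80/tcp", "deny:443/udp", ...) before running any.
# --plan only prints the commands; --apply runs them with sudo and reloads ufw.
apply_port_rules() {
    mode=$1
    shift
    cmds=""
    for entry in "$@"; do
        act=${entry%%:*}
        spec=${entry#*:}
        cmd=$(build_port_rule "$act" "$spec") || return 1
        cmds="$cmds$cmd
"
    done
    printf '%s' "$cmds"
    if [ "$mode" = "--apply" ]; then
        printf '%s' "$cmds" | while IFS= read -r c; do
            sudo $c
        done
        sudo ufw reload
    fi
}

# Usage: apply_port_rules --plan allow:22/tcp allow:80/tcp allow:443/tcp deny:23
#        apply_port_rules --apply allow:22/tcp allow:80/tcp
```

Start with `--plan`, read the generated commands, and only then rerun with `--apply`.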

Allow and Deny by Services

To make things easier, you can also add rules using the service name:

sudo ufw allow <service name>
sudo ufw deny <service name>

For example, to allow SSH and deny incoming HTTP:

sudo ufw allow ssh
sudo ufw deny http

To do so, UFW reads the service names from /etc/services. You can check the list yourself:

less /etc/services
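To make the /etc/services lookup concrete, here is an added example (not code from the original article) that resolves a service name or alias to its `port/proto` entries the way a service-name rule is expanded, and prints the equivalent explicit `ufw` command. It reads the services table from stdin, so it works on the real file and on the constructed excerpt embedded below. One caveat worth knowing: `ssh` in /etc/services maps to 22/tcp no matter which port your sshd actually listens on, so a non-default SSH port has to be allowed by number.

```shell
#!/bin/sh
# Added example (not from the original article): resolve a service name via
# /etc/services, as UFW does for "ufw allow <service>", and show the explicit
# port rule it corresponds to. The services table is read from stdin.

# Print "port/proto" for every line whose service name or alias equals $1.
resolve_service() {
    awk -v n="$1" '
        { sub(/#.*/, "") }                  # strip trailing comments
        NF >= 2 {                           # fields: name port/proto [aliases...]
            if ($1 == n) { print $2; next }
            for (i = 3; i <= NF; i++) if ($i == n) { print $2; break }
        }'
}

# Print the explicit "ufw <action> <port>/<proto>" rule(s) a service-name rule expands to.
explicit_rules() {
    action=$1
    resolve_service "$2" | while IFS= read -r spec; do
        echo "ufw $action $spec"
    done
}

# Constructed excerpt in /etc/services format (not a copy of any real file).
SAMPLE_SERVICES='# Network services, Internet style
ssh             22/tcp                          # SSH Remote Login Protocol
http            80/tcp          www             # WorldWideWeb HTTP
https           443/tcp
domain          53/tcp
domain          53/udp
'

# Usage on a real system:
#   resolve_service ssh < /etc/services        -> 22/tcp
#   explicit_rules deny http < /etc/services   -> ufw deny 80/tcp
```

A name that appears with several protocols (like `domain` above) yields one rule per line, which mirrors why `ufw allow` without a protocol covers both TCP and UDP.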

Add rules for apps

Some applications provide named profiles for ease of use, and these profiles may use different ports. One such example is ssh. You can list the app profiles available on your device with:

sudo ufw app list

In my case, the available apps are cups (Network Printing System) and OpenSSH.

To add a rule to an app, type:

sudo ufw allow <application>
sudo ufw deny <application>

For example:

sudo ufw allow OpenSSH

When you reload and check the status, you should see that the rule has been added.

Conclusion

This was just the tip of the iceberg when it comes to firewalls. There is so much to Linux firewalls that a whole book could be written about them. In fact, there is already an excellent book on Linux firewalls by Steve Suehring.

If you think setting up a firewall with UFW is complicated, try doing it with iptables or nftables. Then you will realize how much UFW simplifies firewall configuration.

I hope you liked this beginner’s guide to UFW. Let me know if you have questions or suggestions.