Page tree
Skip to end of metadata
Go to start of metadata

Minimal UFW Setup

UFW (Uncomplicated Firewall) is a firewall software package that is a front-end to iptables that is easy to use initially and yet flexible enough for power users.

Install UFW if it not already installed,

sudo apt-get install ufw # install the firewall software

UFW once installed does not automatically start. First open up ports that are necessary for the administration of the system,

sudo ufw allow 22

Additionally open other ports that you require. For this tutorial it would be,

sudo ufw allow 80 # Web Server
sudo ufw allow 443 # SSL over Web Server

Before starting UFW make sure you have port 22 open you can check again by running the allow 22 command again and if the rule is added should output.

sudo ufw allow 22
"Skipping adding existing rule"

After you have confirmed 22 is open you can go ahead and enable UFW.

sudo ufw enable

From your desktop, use Telnet to confirm 22 port is open,

telnet Ubuntuservername 22 # if you server is not named, user the server's IP address

If telnet worked you should see something like this,

Connected to Ubuntuservername.
Escape character is '^]'.
^]

Finally check that all your rules are in place,

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
UFW status verbose will not work if UFW is not enabled.

There is much more to UFW but the above steps should get you going.

Removing Rules

You can disable or delete rules. The example shown here is two step,

sudo ufw deny 443 # Disables and leave the entry in the status. Useful for a port you leave on and off sometimes.
sudo ufw delete deny 443 # Delete the rule. Here you must have it disabled to delete it.

Not exactly intuitive is that the delete command needs to be literal. In the above example we had "delete deny port 443". If the port was enabled and we wanted to delete in one step, the command would look like this,

sudo ufw delete allow 443 # Deletes an enabled rule.

To put comment

You can put comment in the rules and have it show up in the ufw status

sudo ufw allow 22 comment 'enable TCP'

Article Improvements

This article can be improved in the following areas.

How I can put comments in the firewall rules and have it show up in the ufw status? Using applications.d. Will add details from here,http://manpages.ubuntu.com/manpages/jaunty/en/man8/ufw.8.html

References

https://help.ubuntu.com/9.10/serverguide/C/firewall.html - official docs from Ubuntu.

2 Comments

  1. May want to read up on fail2ban and ufw on the same system.  I read something about how they were tromp each other's entries in iptables and end up causing issues.  I'll try to find an article reference.

    1. There should not be conflicts if used out of the box per the Ubuntu forum. Fail2ban uses iptables and inserts rules first in the INPUT chain. This will not do any harm or conflict with ufw.