Home » How To » How to Set Up a Firewall with UFW on Ubuntu

How to Set Up a Firewall with UFW on Ubuntu

Nowadays, a Firewall is an essential utility and property of any system for security; by default, the Ubuntu Operating system has a firewall configuration tool named UFW (Uncomplicated Firewall)UFW is a user-friendly front-end tool to manage iptables firewall rules. It provides you with more straightforward methods to manage iptables as the name of this tool start from Uncomplicated.
This post describes How to Monitor and Filter Incoming and Outgoing Network Traffic with Firewalls in Ubuntu 20.04 LTS.

1. Install UFW Firewall Utility

UFW is part of the standard Ubuntu 20.04 installation and should be present on your system. If for some reason it is not installed, you can install the package by typing:

sudo apt update
sudo apt install ufw

2. Check UFW Firewall Status

UFW is disabled by default. You can check the status of the UFW service with the following command:

sudo ufw status verbose

Example output:

Status: inactive

3. UFW Default Policies

By default, UFW allows all outbound connections and block all incoming connections to the system. It means your system can access any other system, but others can’t unless you allow access to your system by open the port.
The default policies are defined in the file /etc/default/ufw, and we can change these policies using the below command:

sudo  ufw  default

4. Application Profiles

An application profile is a text file in INI format that describes the service and contains firewall rules for the service. Application profiles are created in the /etc/ufw/applications.d directory during the installation of the package.
You can check all available application profiles in your system by using the following command:

sudo ufw app list

The output of the above command will list out all application profiles in your screen, similar to the below screen:

Available applications:
  Apache
  Apache Full
  Apache Secure
  OpenSSH

If you want to check more information about a specific application profile and rules, use the following command:

sudo ufw app info 'Apache Full'

Output:

Profile: Apache Full
Title: Web Server (HTTP,HTTPS)
Description: Apache v2 is the next generation of the omnipresent Apache web
server.

Ports:
  80,443/tcp
osboxes@osbox

You can see in the above output, the ‘Apache Full’ profile will open 80 and 443 ports on your system.

Related:  How to Change Time Zone on Ubuntu Linux System

5. Enabling UFW

If you’re connecting to your Ubuntu from a remote location, before enabling the UFW firewall, you must explicitly allow incoming SSH connections. Otherwise, you will no longer be able to connect to the machine.
To configure your UFW firewall to allow incoming SSH connections, type the following command:

$ sudo ufw allow ssh

If SSH is running on a non-standard port, you need to open that port.
For example, if your ssh daemon listens on port 4488, enter the following command to allow connections on that port:

$ sudo ufw allow 4488/tcp

Now that the firewall is configured to allow incoming SSH connections, you can enable it by typing:

You will be warned that enabling the firewall may disrupt existing ssh connections, just type y and hit Enter.
sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

6. Allow connections on other ports

Depending on the applications that run on the system, you may also need to open other ports. The general syntax to open a port is as follows:

ufw allow port_number/protocol

Open HTTP port – 80

You can allow HTTP connection by using the following commands:

sudo ufw allow http

You can also use port 80 to allow HTTP connection, as shown below:

sudo ufw allow 80/tcp

Or you can use the application profile also to open the HTTP connection, in this case, ‘Apache HTTP’.

sudo ufw allow 'Apche HTTP'

Open HTTPS port – 443

You can allow HTTPS connection by using the following commands:

sudo ufw allow https

You can also use port 443 to allow HTTPS connection, as shown below:

sudo ufw allow 443/tcp

Or you can use the application profile also to open the HTTPS connection, in this case, ‘Apache HTTPS’:

sudo ufw allow 'Apache HTTPS'

Allow Port Ranges

UFW also allows you to open port ranges. The start and the end ports are separated by a colon (:), and you must specify the protocol, either tcp or udp.
For example, if you want to allow ports from 4000 to 5000 on both tcp and udp, you would run the following command:

sudo ufw allow 4000:5000/tcp
sudo ufw allow 4000:5000/udp

Allow Specific IP address on UFW

You can allow a specific IP for all port to your server, like allowing our home machine to our server for any port. Here we whitelist our IP by allowing it for all port using the below command:

sudo ufw allow from 10.10.10.10

Where 10.10.10.10 is the IP that is allowed for all ports.

Related:  How to Change MySQL User Password

Allow Specific IP Address on Specific Port

If you want to allow the given IP address access only to a specific port, use the to any port keyword followed by the port number. For example, to allow access on port 22 from a machine with IP address of 10.10.10.10, enter:

sudo ufw allow from 10.10.10.10 to any port 22

Allow Subnets

You can allow a subnet of IP address instead of a specific IP using the IP address CDIR. For example, we are allowing all local IP to connect to our database server.
For example, here, we allowing IP range from 192.168.0.1 to 192.168.0.254 to port 3306 (MySQL) by using the following command:

sudo ufw allow from 192.168.0.1/24 to any port 3306

Allow connections to a Specific Network Interface

To allow connections on a particular network interface, use the in on keyword followed by the name of the network interface:

sudo ufw allow in on eth2 to any port 3306

Deny Connections

The default policy for all incoming connections is set to deny, and if you haven’t changed it, UFW will block all incoming connections unless you specifically open the connection.
Writing deny rules is the same as writing allow rules; you only need to use the deny keyword instead of allow.
You can deny services for a specific IP address to a specific port. For example, you want to block all access from IP 11.11.11.11, use the following command to do it:

sudo ufw deny from 10.10.10.10

If you want to block http and https service for IP address 10.10.10.10, use the below command:

sudo ufw deny from 10.10.10.10 to any port 80
sudo ufw deny from 10.10.10.10 to any port 443

Deleting UFW Rules

There are two different ways to delete UFW rules by rule number, and by specifying the actual rule.
Deleting rules by rule number is easier, especially when you are new to UFW. To delete a rule by a rule number first, you need to find the number of the rule you want to delete. To get a list of numbered rules, use the ufw status numbered command:

sudo ufw status numbered

Example output:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 80/tcp                     ALLOW IN    Anywhere                  
[ 3] 443/tcp                    ALLOW IN    Anywhere                  
[ 4] Anywhere                   ALLOW IN    10.10.10.10               
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)             
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)             
[ 7] 443/tcp (v6)               ALLOW IN    Anywhere (v6)

To delete rule number 3, the one that allows connections to port 443, you would enter:

sudo ufw delete 3

The second method is to delete a rule by specifying the actual rule. For example, if you added a rule to open port 8069 you can delete it with:

sudo ufw delete allow 8069

7. Disabling UFW

If for any reason you want to stop UFW and deactivate all the rules, you can use:

sudo ufw disable

When you want again to implement all UFW set up rules, you can do it by enable the UFW, as shown below:

sudo ufw enable

8. Resetting UFW

Resetting UFW will disable UFW, and delete all active rules. This is helpful if you want to revert all of your changes and start fresh.
To reset UFW, type in the following command:

sudo ufw reset

Now, you have learned how to install the UFW firewall utility on your Ubuntu 20.04 server. You also learn to configure any types of incoming rules on your UFW firewall. If you have any doubt or feedback, feel free to comment below.

Leave a Comment