How To Install And Configure A UFW Firewall On Linux
Firewall on Linux
The IPTables firewall is one of the most popular firewalls in Linux distributions, but due to the bit of complexity in writing traffic rules, you usually have to write down certain details and parameters when creating rules.
Therefore, the IPTables firewall cannot accept that Rule. Due to this problem and the complexity of IPTables, a user-friendly and simpler firewall based on IPTables is presented under the name of UFW firewall, which stands for Uncomplicated Firewall.
As the name implies, a UFW firewall means an uncomplicated firewall. With UFW, with a user-friendly environment, we can perform our rules and processes via IPTables.
Install UFW firewall
To install this firewall, you can install it on all Linux distributions with the ufw package name. (In this article, we will only install it on Debian, but the process is the same on all distributions)
With the following command, we can install this firewall in our system.
sudo apt install ufw -y
Check the UFW status
After installing it, to ensure the successful installation, we enter the following command:
sudo ufw status verbose
Output:
Status: inactive
In the output above we see that the firewall is inactive (Inactive) and this is such that UFW is disabled by default.
Default rules in UFW firewall
By default, UFW, like all firewalls, has rules that it uses when it is first activated. These default rules are such that they completely reject incoming and outgoing connections and accept outgoing connections.
This means that if someone wants to access the system or server, they can not do so unless you manually open a specific port.
In addition, if you have a particular service on your system or server, that service can easily access the outside.
The UFW configuration firewall is located in the following path
etc / default / ufw /
You can also change these default rules with the following syntax:
sudo ufw Default <Policy> <Chain>
The concept of Application Profile in UFW
When we install software with the apt command, an Application Profile is created in the following path:
/etc/ufw/applications.d
These Application Profiles actually contain information about the service of that software and its UFW settings. With the following command we have the ability to list all Application Profiles:
sudo ufw app list
The output of the above command depends on the packages installed on your system and may differ from our output:
Available applications: Dovecot IMAP Dovecot POP3 Dovecot Secure IMAP Dovecot Secure POP3 Nginx Full Nginx HTTP Nginx HTTPS OpenSSH Postfix Postfix SMTPS Postfix Submission
To be able to get a more complete output of the desired service and software, we can use the following command
sudo ufw app info 'Nginx Full'
Output:
Profile: Nginx Full Title: Web Server (Nginx, HTTP + HTTPS) Description: Small, but very powerful and efficient web server Ports: 80,443 / tcp
As you can see above, we easily got more complete information from Nginx Full, which opens two ports, HTTP (80) and HTTPS (443).
Write a Rule in UFW to open access
Before leaving your server, you should remember that if you enable UFW by default, you will no longer be able to access the server from outside. This problem makes your remote accesses, including SSH, inaccessible.
Initially, you need to set a Rule to access SSH from the outside in. The rule we want to allow access to SSH in the input direction is as follows:
sudo ufw allow ssh
Output:
Rules updated
(Rules updated (v6
Due to the above rule, only the default SSH port opens, and if SSH is enabled on another port and you want to open it based on the port, you can do the following:
sudo ufw allow 4422 / tcp
In addition, for other services, you can do the above, and for example, if you want to open HTTP, you can do the following:
sudo ufw allow http
Output the above command
Rules updated
(Rules updated (v6
Create access based on Application Profile
We can also grant access based on the Application Profile; Like the following Rule:
sudo ufw allow 'Nginx HTTP'
Create access for a specific Port Range
If we want to open the input access for a specific set of ports, we can do the following:
sudo ufw allow 7100: 7200 / udp sudo ufw allow 7100: 7200 / tcp
In the two rules above, we said to allow access of Port 7100 to Port 7200 on the UDP and TCP platform for input.
Provide access to a specific IP address
To try to control access and for example, only certain traffic can enter the server, we can do the following:
sudo ufw allow from 100.100.100.1
We said in the above command to open access for the address 100.100.100.1.
Open a specific port for a specific IP address
To impose restrictions and not every address can access SSH or any other service, we can do the following:
sudo ufw allow from 100.100.100.1
Create access for a Subnet
If we want to open special access for a set of IPs in a subnet, we can do the following:
sudo ufw allow from 192.168.1.0/24 to any port 3306
In the above rule, our desired subnet is 192.168.1.0/24, and from this subnet, any IP address can access the MySQL server port.
Gain access through a special network card
If we want to open special access based on one of the system network cards, we can use allow in:
sudo ufw allow in on eth2 to any port 3306
Close UFW access
If we wanted to cut a connection via UFW, we could use Deny instead of Allow.
For example, suppose we have a web server running on port 80 on our server and we want to block a specific IP address, for example, 50.50.50.1; In such circumstances, our rule is as follows:
sudo ufw deny from 50.50.50.1
Also, if we want to block this access only to HTTP (80) and HTTPS (443) web ports, we do the following:
sudo ufw deny from 50.50.50.1 to any port 443 sudo ufw deny from 50.50.50.1 to any port 80
Clear Rules in UFW
To delete these Rules, you must first obtain its Rule Number. You can see the Rule Number of all Rules by the following command:
sudo ufw status numbered
Output:
status: active To Action From - ------ ---- [1] 22 / tcp ALLOW IN Anywhere [2] 80 / tcp ALLOW IN Anywhere [3] 8080 / tcp ALLOW IN Anywhere
For example, if you want to delete the third Rule, you can do the following based on its Rule Number, which is 3:
sudo ufw delete 3
You can also do this through the port. For example, you have written a Rule that provides access to port 8888 and you want to delete it, your command for this is as follows:
sudo ufw delete allow 8888
Enable UFW firewall
Now after going through the process of opening access and closing them from the outside to the inside of the SSH and HTTP ports, we need to enable UFW, which can be done with the following command:
sudo ufw enable
Output the above command
Command may disrupt existing ssh connections. Proceed with the operation (y | n)? y
The firewall is active and enabled on system startup
Disable the UFW firewall on Linux
If you want to disable UFW, you can use the following command:
sudo ufw disable
You can also re-enter this command to reEnable it:
sudo ufw enable
be successful and victorious
