
UFW Firewall: How To Install And Configure A UFW Firewall On Linux

As the name implies, UFW (Uncomplicated Firewall) is meant to be simple. Through UFW’s user-friendly front end, our rules and operations are carried out by IPTables underneath.


The IPTables firewall is one of the most popular firewalls on Linux distributions, but writing traffic rules for it is complex: specific details and parameters are required when a rule is created, and if they are missing, IPTables will not accept the rule.

Because of this difficulty and the general complexity of IPTables, a simpler, user-friendly firewall built on top of IPTables was introduced: UFW, which stands for Uncomplicated Firewall.

Install the UFW firewall.

You can install this firewall on all Linux distributions using the ufw package name. (In this article, we will only install it on Debian, but the process is the same on all distributions.)

With the following command, we can install this firewall on our system:

sudo apt install ufw -y

Check the UFW status.

After installing it, to ensure the successful installation, we enter the following command:

sudo ufw status verbose

Output:

Status: inactive

In the output above, we see that the firewall is inactive, which means that UFW is disabled by default.

Default rules in UFW firewall

By default, UFW, like all firewalls, has rules that it uses when it is first activated. These default rules deny all incoming connections and allow all outgoing connections.

This means that if someone wants to access the system or server, they cannot do so unless you manually open a specific port.

Likewise, if you run a particular service on your system or server, that service cannot be reached from the outside until you open its port.

The UFW firewall’s default configuration is located at the following path:

/etc/default/ufw

You can also change these default policies with the following syntax, where <policy> is allow, deny or reject and <chain> is incoming, outgoing or routed:

sudo ufw default <policy> <chain>

The concept of Application Profile in UFW

When we install software with the apt command, an Application Profile is created in the following path:

/etc/ufw/applications.d

These Application Profiles contain information about that software’s service and its UFW settings. With the following command, we can list all Application Profiles:

sudo ufw app list

The output of the above command depends on the packages installed on your system and may differ from what is shown here:

Available applications:
  Dovecot IMAP
  Dovecot POP3
  Dovecot Secure IMAP
  Dovecot Secure POP3
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH
  Postfix
  Postfix SMTPS
  Postfix Submission

To get more complete information about a particular service or piece of software, we can use the following command:

sudo ufw app info 'Nginx Full'

Output:

Profile: Nginx Full
Title: Web Server (Nginx, HTTP + HTTPS)
Description: Small, but very powerful and efficient web server
Ports: 80,443/tcp

As you can see above, we quickly obtained more complete information about Nginx Full, which opens two ports, HTTP (80) and HTTPS (443).

Write a Rule in UFW to open access.

Before going any further, remember that if you enable UFW with its default policies, you can no longer access the server from outside. This locks you out of all remote access, including SSH.

So the first Rule you need to set is one that allows access to SSH from outside. The Rule that allows incoming SSH access is as follows:

sudo ufw allow ssh

Output:

Rules updated
Rules updated (v6)

The above Rule opens only the default SSH port (22). If SSH listens on another port and you want to open it by port number, you can do the following:

sudo ufw allow 4422/tcp

In addition, for other services, you can do the above; for example, if you want to open HTTP, you can do the following:

sudo ufw allow http

Output of the above command:

Rules updated
Rules updated (v6)

Create access based on Application Profile

We can also grant access based on the Application Profile, like the following Rule:

sudo ufw allow 'Nginx HTTP'

Create access for a specific port range.

If we want to open incoming access for a specific range of ports, we can do the following:

sudo ufw allow 7100:7200/udp
sudo ufw allow 7100:7200/tcp

In the two rules above, we allow incoming access to ports 7100 through 7200 over both UDP and TCP.

Provide access to a specific IP address.

To control which addresses can reach the server, for example to allow all traffic from one specific IP address, we can do the following:

sudo ufw allow from 100.100.100.1

The above command opens access for all traffic coming from the address 100.100.100.1.

Open a specific port for a particular IP address.

To restrict access so that not every address can reach SSH (port 22) or any other service, but only one specific address can, we can do the following:

sudo ufw allow from 100.100.100.1 to any port 22

Create access for a Subnet.

If we want to open special access for a set of IPs in a subnet, we can do the following:

sudo ufw allow from 192.168.1.0/24 to any port 3306

In the above Rule, our desired subnet is 192.168.1.0/24. From this subnet, any IP address can access the MySQL server port.

Grant access through a specific network interface.

If we want to open special access on only one of the system’s network interfaces, we can use allow in on:

sudo ufw allow in on eth2 to any port 3306

Close UFW access.

We can use deny instead of allow to block a connection via UFW.

For example, suppose we have a web server running on port 80 on our server, and we want to block a specific IP address, for example, 50.50.50.1. In such circumstances, our Rule is as follows:

sudo ufw deny from 50.50.50.1

Also, if we want to block this access only to HTTP (80) and HTTPS (443) web ports, we do the following:

sudo ufw deny from 50.50.50.1 to any port 443
sudo ufw deny from 50.50.50.1 to any port 80

If you want to do the opposite of the above rules and allow access, just change the deny to allow.

Clear Rules in UFW

To delete these Rules, you must first obtain their Rule Number. You can see the Rule Number of all Rules by the following command:

sudo ufw status numbered

Output:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere

For example, if you want to delete the third Rule, you can do the following based on its Rule Number, which is 3:

sudo ufw delete 3

You can also do this by port. For example, if you have written a Rule that provides access to port 8888 and you want to delete it, your command is as follows:

sudo ufw delete allow 8888
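Deleting by Rule Number has a catch: after each delete, UFW renumbers the rules that remain, so deleting several numbered rules from the top down hits the wrong ones. The following is an added example, not code from the original post: it parses a constructed sample of `sudo ufw status numbered` output, finds every rule whose To column is a given port, and emits the delete commands highest number first. The function names and the sample output are invented for this example.

```shell
#!/bin/sh
# Added example (not from the original post): find every rule number that
# mentions a given port in "ufw status numbered" output and emit the delete
# commands highest number first. UFW renumbers the remaining rules after each
# delete, so deleting in ascending order would hit the wrong rules.

# Constructed sample of "sudo ufw status numbered" output (not captured from a
# real host); used here so the functions can be exercised without ufw installed.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere
[ 4] 8080/tcp                   ALLOW IN    192.168.1.0/24
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# rule_numbers_for_port PORT   (reads the status output on stdin)
# Prints the numbers of rules whose "To" column is exactly PORT, PORT/tcp or
# PORT/udp, one per line, in descending order.
rule_numbers_for_port() {
    awk -v port="$1" '
        /^\[ *[0-9]+\]/ {
            # rule number: strip "[ " in front and everything from "]" onwards
            num = $0
            sub(/^\[ */, "", num); sub(/\].*/, "", num)
            # "To" column: first whitespace-separated field after the bracket
            to = $0
            sub(/^\[ *[0-9]+\] */, "", to)
            split(to, f, /[ \t]+/)
            if (f[1] == port || f[1] == port "/tcp" || f[1] == port "/udp") print num
        }' | sort -rn
}

# delete_commands_for_port PORT   (reads the status output on stdin)
# Prints one "sudo ufw --force delete N" line per matching rule; --force skips
# the per-rule confirmation prompt. Review the lines, then pipe them to sh.
delete_commands_for_port() {
    rule_numbers_for_port "$1" | while IFS= read -r n; do
        printf 'sudo ufw --force delete %s\n' "$n"
    done
}

# Typical use on a live host (prints the commands, does not run them):
#   sudo ufw status numbered | delete_commands_for_port 8080
```

Run against the sample, `delete_commands_for_port 8080` prints the delete for rule 4 before the one for rule 3, so rule 3 still carries number 3 when its turn comes. Matching on the whole To column rather than a substring avoids catching 8080/tcp when you asked for port 80.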

Enable the UFW firewall

Now that we have set up the incoming access rules (opening the SSH and HTTP ports and blocking what should stay closed), we need to enable UFW, which can be done with the following command:

sudo ufw enable

Output of the above command:

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

At this prompt, type y and press Enter.
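The procedure above (set the default policies, allow SSH, allow HTTP, then enable) is easy to get wrong in the one way that matters: enabling before the SSH rule is in place. The following is an added example, not code from the original post, that scripts the procedure and refuses to run ufw enable unless the planned rule set opens the SSH port. The variables SSH_PORT, UFW_RULES, UFW_DRY_RUN and UFW_BOOTSTRAP_APPLY and the function names are invented for this example; ufw --force enable is the real non-interactive form of the enable command shown above.

```shell
#!/bin/sh
# Added example (not from the original post): a small UFW bootstrap that
# applies the default policies and allow rules from this article and refuses
# to enable the firewall unless the plan contains an allow rule for the SSH
# port. Set UFW_DRY_RUN=1 to print the commands instead of running them.
# SSH_PORT, UFW_RULES, UFW_DRY_RUN and UFW_BOOTSTRAP_APPLY are variables
# invented for this example.

# Run a command, or only print it when UFW_DRY_RUN=1.
run() {
    if [ "${UFW_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The rule set, one "ufw" argument string per line. UFW_RULES overrides the
# default list; SSH_PORT (default 22) is opened by number rather than by the
# "ssh" service name so a non-standard sshd port is handled too.
ufw_plan() {
    port="${SSH_PORT:-22}"
    if [ -n "${UFW_RULES:-}" ]; then
        printf '%s\n' "$UFW_RULES"
    else
        printf '%s\n' \
            "default deny incoming" \
            "default allow outgoing" \
            "allow ${port}/tcp" \
            "allow http"
    fi
}

# Exit 0 if the plan opens the SSH port in one of the forms "allow ssh",
# "allow OpenSSH", "allow <port>", "allow <port>/tcp" or "allow ... port <port>".
plan_allows_ssh() {
    port="${SSH_PORT:-22}"
    ufw_plan | grep -q -E "^allow (ssh|OpenSSH|${port}(/tcp)?)$|^allow .* port ${port}$"
}

# Apply every rule, then enable the firewall non-interactively (--force skips
# the "may disrupt existing ssh connections" prompt shown in the article).
apply_plan() {
    if ! plan_allows_ssh; then
        echo "refusing to enable ufw: no allow rule for SSH port ${SSH_PORT:-22}" >&2
        return 1
    fi
    ufw_plan | while IFS= read -r rule; do
        # $rule is deliberately unquoted so "default deny incoming" becomes
        # three separate arguments to ufw.
        run sudo ufw $rule
    done
    run sudo ufw --force enable
}

# Only apply when asked explicitly, so the file can be sourced for its
# functions without touching the live firewall.
if [ "${UFW_BOOTSTRAP_APPLY:-0}" = "1" ]; then
    apply_plan
fi
```

A dry run (UFW_DRY_RUN=1 UFW_BOOTSTRAP_APPLY=1 sh ufw-bootstrap.sh) prints the four rule commands followed by sudo ufw --force enable; with SSH_PORT=4422 the third line becomes sudo ufw allow 4422/tcp, matching the custom-port rule earlier in the article. If UFW_RULES is set to a list with no SSH rule, apply_plan exits with status 1 before any ufw command is issued, which is the lock-out the article warns about.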

Turn off the UFW firewall on Linux

If you want to disable UFW, you can use the following command:

sudo ufw disable

You can re-enable it again with the following command:

sudo ufw enable

Be successful and victorious.