DED9

How to Install and Configure UFW (Uncomplicated Firewall) on Linux — A Simple Guide

As the name implies, UFW is an uncomplicated firewall. It provides a user-friendly front end for writing rules that are then applied through iptables.

Firewall on Linux

The iptables firewall is one of the most widely used firewalls on Linux distributions, but writing traffic rules for it is complex: each rule needs a specific set of parameters and details, and if any of them is missing or malformed, iptables rejects the rule.

Because of this complexity, UFW (Uncomplicated Firewall) provides a simpler, user-friendly firewall that is built on top of iptables.

Install the UFW firewall.

You can install this firewall on all Linux distributions using the ufw package name. (In this article, we will only install it on Debian, but the process is the same on all distributions.)

With the following command, we can install this firewall in our system.

sudo apt install ufw -y

Check the UFW status.

After installing it, confirm the installation by checking the firewall status with the following command:

sudo ufw status

Output:

Status: inactive

The output shows that the firewall is inactive: UFW is disabled by default after installation.

Default rules in the UFW firewall

By default, UFW, like all firewalls, has policies that apply as soon as it is first activated. These default policies deny all incoming connections and allow all outgoing connections.

This means that if someone wants to access the system or server, they can not do so unless you manually open a specific port.

In addition, if you have a specific service running on your system or server, it cannot be reached from outside until you open its port.

The UFW default configuration file is located at the following path:

/etc/default/ufw

You can also change these default policies with the following syntax:

sudo ufw default <allow|deny|reject> <incoming|outgoing|routed>

The concept of Application Profile in UFW

When a package that ships a UFW profile is installed with the apt command, its Application Profile is placed in the following directory:

/etc/ufw/applications.d

These Application Profiles contain information about that software’s service and its UFW settings. With the following command, we can list all Application Profiles:

sudo ufw app list

The output of the above command depends on the packages installed on your system and may differ from the listing shown here:

Available applications:
Dovecot IMAP
Dovecot POP3
Dovecot Secure IMAP
Dovecot Secure POP3
Nginx Full
Nginx HTTP
Nginx HTTPS
OpenSSH
Postfix
Postfix SMTPS
Postfix Submission

To get the full details of a profile, including the ports it opens, we can use the following command:

sudo ufw app info 'Nginx Full'

Output:

Profile: Nginx Full
Title: Web Server (Nginx, HTTP + HTTPS)
Description: Small, but very powerful and efficient web server

Ports:
  80,443/tcp

As you can see above, we quickly got more complete information from Nginx Full, which opens two ports, HTTP (80) and HTTPS (443).

Write a UFW rule to open access.

Before you enable UFW, remember that with the default policy it blocks every incoming connection, including your remote access over SSH. On a remote server this locks you out.

So the first rule to add is one that allows incoming SSH access:

sudo ufw allow ssh

Output:

Rules updated

Rules updated (v6)

The rule above opens only the default SSH port (22). If SSH listens on another port, open that port directly, for example:

sudo ufw allow 4422/tcp

The same works for other services; for example, to open HTTP:

sudo ufw allow http

Output:

Rules updated

Rules updated (v6)

Create access based on Application Profile

We can also grant access based on the Application Profile, like the following Rule:

sudo ufw allow 'Nginx HTTP'

Create access for a specific Port Range.

If we want to open incoming access for a range of ports, we can do the following:

sudo ufw allow 7100:7200/udp
sudo ufw allow 7100:7200/tcp

The two rules above allow incoming access to ports 7100 through 7200 for both UDP and TCP. UFW requires the protocol to be given explicitly when a port range is used.

Provide access to a specific IP address.

To control which sources may reach the server, for example to allow all traffic from a single IP address, we can do the following:

sudo ufw allow from 100.100.100.1

The rule above allows all traffic from the address 100.100.100.1, on every port and protocol.

Open a specific port for a particular IP address.

To restrict SSH (or any other service) to a single address instead of letting every address reach it, combine the source address with a port:

sudo ufw allow from 100.100.100.1 to any port 22

Create access for a Subnet.

If we want to open special access for a set of IPs in a subnet, we can do the following:

sudo ufw allow from 192.168.1.0/24 to any port 3306

In the above Rule, our desired subnet is 192.168.1.0/24. From this subnet, any IP address can access the MySQL server port.

Allow access on a specific network interface.

If we want to open access only on one of the system's network interfaces, we use allow in on <interface>:

sudo ufw allow in on eth2 to any port 3306

Close UFW access.

To block a connection, use deny instead of allow.

For example, suppose we have a web server running on port 80 on our server, and we want to block a specific IP address, for example, 50.50.50.1. In such circumstances, our Rule is as follows:

sudo ufw deny from 50.50.50.1

Also, if we want to block this access only to HTTP (80) and HTTPS (443) web ports, we do the following:

sudo ufw deny from 50.50.50.1 to any port 443
sudo ufw deny from 50.50.50.1 to any port 80

Note that UFW evaluates rules in order and stops at the first match: if a general rule allowing port 80 already exists, a deny rule appended after it never matches, so the deny rule must be inserted ahead of the allow rule.

If you want to do the opposite of the above rules and allow access, change the deny to allow.
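The rules above are usually combined into one baseline for a server. The script below is an added example and not part of the original article: it lists the UFW commands in the order they must run (default policies first, SSH before enable, the per-address deny rules inserted at position 1 so they are evaluated before the general allow rules) and applies them only when UFW_APPLY=1 is set. ADMIN_NET, BLOCKED_IP and SSH_PORT are constructed placeholder values.

```shell
#!/bin/sh
# Added example, not from the original article: build a baseline UFW rule set
# for a small web server and apply it only when UFW_APPLY=1 is set.
# The addresses are constructed placeholders: ADMIN_NET is the network your
# administrators connect from, BLOCKED_IP an address you want to refuse.
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"
BLOCKED_IP="${BLOCKED_IP:-50.50.50.1}"
SSH_PORT="${SSH_PORT:-22}"

# Print the ufw commands, one per line, in the order they must run.
# Two ordering points matter:
#  1. the SSH allow rule comes before "enable", so enabling the firewall
#     cannot cut off the session you are configuring it from;
#  2. the deny rules for BLOCKED_IP are added with "insert 1", because ufw
#     stops at the first matching rule: a deny appended after "allow 80/tcp"
#     would sit below the allow and never match.
ufw_plan() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from $ADMIN_NET to any port $SSH_PORT proto tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw insert 1 deny from $BLOCKED_IP to any port 80
ufw insert 1 deny from $BLOCKED_IP to any port 443
ufw --force enable
EOF
}

# Run each planned command through sudo, stopping at the first failure.
# $cmd is expanded unquoted on purpose so the shell splits it into arguments;
# "--force" makes "ufw enable" skip its interactive (y|n) prompt.
ufw_apply() {
    ufw_plan | while IFS= read -r cmd; do
        echo "+ sudo $cmd"
        sudo $cmd || exit 1
    done
}

# Return 0 if "$1" appears in the plan before "$2", so the ordering
# guarantees above can be checked without touching the live firewall.
plan_orders() {
    first=$(ufw_plan | grep -n -F -- "$1" | head -n 1 | cut -d: -f1)
    second=$(ufw_plan | grep -n -F -- "$2" | head -n 1 | cut -d: -f1)
    [ -n "$first" ] && [ -n "$second" ] && [ "$first" -lt "$second" ]
}

if [ "${UFW_APPLY:-0}" = "1" ]; then
    ufw_apply
else
    echo "Dry run (set UFW_APPLY=1 to apply):"
    ufw_plan
fi
```

Run it without arguments to review the plan; run it as UFW_APPLY=1 sh baseline.sh from a console session (or a session coming from ADMIN_NET) to apply it. UFW reports "Skipping adding existing rule" for rules that are already present, so re-running the script is harmless.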

Clear Rules in UFW

To delete these Rules, you must first obtain their Rule Number. You can see the Rule Number of all Rules by the following command:

sudo ufw status numbered

Output:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere

For example, if you want to delete the third Rule, you can do the following based on its Rule Number, which is 3:

sudo ufw delete 3

You can also delete a rule by restating it. For example, if you wrote a rule that allows access to port 8888 and want to remove it, the command is:

sudo ufw delete allow 8888
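Deleting several rules by number has a pitfall the article's single delete does not show: after "ufw delete 3", the rule that was [4] becomes [3], so deleting in ascending order removes the wrong rules. The script below is an added example, not part of the original article: it reads the text of ufw status numbered, collects the numbers of every rule for a given port and emits the delete commands highest number first. SAMPLE_STATUS is a constructed capture in the same layout as the listing above, used for the dry run.

```shell
#!/bin/sh
# Added example, not from the original article: delete every rule that
# mentions a given port by rule number, highest number first.
# Descending order matters: after "ufw delete 3", the rule that was [4]
# becomes [3], so an ascending loop over "3 4 5" would delete 3, then the
# old 5 (now 4), then fail on 5. Deleting 5, 4, 3 never renumbers a rule
# that is still to be deleted.
# Constructed sample in the layout of "ufw status numbered":
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere
[ 4] 8080/tcp                   ALLOW IN    192.168.1.0/24
[ 5] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)'

# Read "ufw status numbered" text on stdin; print the numbers of the rules
# whose "To" column is PORT/<proto>, highest first.
rule_numbers_for_port() {
    awk -v p="$1" '
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            split(rest, f, " ")
            if (index(f[1], p "/") == 1) print num
        }' | sort -rn
}

# Same input; print the delete commands in the order they must run.
# "--force" skips the per-rule "Proceed with operation (y|n)?" prompt.
delete_commands_for_port() {
    rule_numbers_for_port "$1" | while read -r n; do
        echo "ufw --force delete $n"
    done
}

# Apply against the live firewall (needs root); the constructed sample is
# used instead when UFW_DRY_RUN=1, which is the default here.
delete_rules_for_port() {
    if [ "${UFW_DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$SAMPLE_STATUS" | delete_commands_for_port "$1"
    else
        sudo ufw status numbered | delete_commands_for_port "$1" |
            while read -r cmd; do
                echo "+ sudo $cmd"
                sudo $cmd || exit 1
            done
    fi
}

delete_rules_for_port "${1:-8080}"
```

With the sample, sh delete-port.sh 8080 prints delete commands for rules 5, 4 and 3 in that order; UFW_DRY_RUN=0 sh delete-port.sh 8080 runs them against the live rule set.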

Enable the UFW firewall

Now that the rules opening SSH and HTTP to the outside are in place, we need to enable UFW, which can be done with the following command:

sudo ufw enable

Output:

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

At the prompt, type y and press Enter.

Turn off the UFW firewall on Linux

If you want to disable UFW, you can use the following command:

sudo ufw disable

FAQ

What is UFW?

UFW is a user-friendly front-end for the Linux firewall system (iptables), designed to make firewall configuration much simpler.

How do I install and enable UFW on a Debian/Ubuntu-based system?

Open a terminal and run:

sudo apt update
sudo apt install ufw
sudo ufw enable

Before enabling, allow SSH (or other needed ports) to avoid locking yourself out.

How can I allow or block specific traffic with UFW?

You can allow or deny ports or services, for example:

sudo ufw allow ssh (or sudo ufw allow 22/tcp) to allow SSH
sudo ufw allow 80/tcp to allow web (HTTP) traffic
sudo ufw deny from 203.0.113.5 to block a specific IP address