Configure UFW on Ubuntu

UFW (Uncomplicated Firewall) is a software firewall that ships with Ubuntu. It is simple to configure, yet powerful enough to block unwanted traffic to the ports on your server. It is usually disabled by default. In this article, we will configure some basic rules to allow or deny access to specific ports and services.

The available config options are as follows:

duke@tekduke:~# sudo ufw --help

Usage: ufw COMMAND

Commands:
 enable                          enables the firewall
 disable                         disables the firewall
 default ARG                     set default policy
 logging LEVEL                   set logging to LEVEL
 allow ARGS                      add allow rule
 deny ARGS                       add deny rule
 reject ARGS                     add reject rule
 limit ARGS                      add limit rule
 delete RULE|NUM                 delete RULE
 insert NUM RULE                 insert RULE at NUM
 route RULE                      add route RULE
 route delete RULE|NUM           delete route RULE
 route insert NUM RULE           insert route RULE at NUM
 reload                          reload firewall
 reset                           reset firewall
 status                          show firewall status
 status numbered                 show firewall status as numbered list of RULES
 status verbose                  show verbose firewall status
 show ARG                        show firewall report
 version                         display version information

Application profile commands:
 app list                        list application profiles
 app info PROFILE                show information on PROFILE
 app update PROFILE              update PROFILE
 app default ARG                 set default application policy
ufw --help

The above is an example of commands and their corresponding actions in UFW. First things first, we set some defaults to make sure the server can still communicate with other systems (to fetch updates, etc.). We will set the default policies to allow outgoing connections but block any incoming connections:

duke@tekduke:~# sudo ufw default allow outgoing
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)

duke@tekduke:~# sudo ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
Setting Defaults in UFW

As we can see, we get a warning to update our rules. This is because once UFW is enabled with these settings, it will block ALL incoming connections to the server (including SSH), so we need to allow SSH connections first. For this, UFW ships an application profile. Provided you haven't set up SSH to run on a custom port, this alone is enough to keep SSH access working.

duke@tekduke:~# sudo ufw allow OpenSSH
Rule added
Rule added (v6)
Enable OpenSSH in UFW

Apart from this, the other application that listens for incoming connections is your web server (Nginx in our case).

duke@tekduke:~# sudo ufw allow 'Nginx Full'
Rule added
Rule added (v6)
Enable Nginx Full in UFW

We use 'Nginx Full' because we want Nginx to accept connections on both port 80 and port 443. If you want to allow connections only on port 80 or only on port 443, use the 'Nginx HTTP' or 'Nginx HTTPS' profile instead of 'Nginx Full'.

Additionally, if you have any other ports you want to allow connections to, e.g. if you want to expose the MySQL port 3306, you can do so as follows:

duke@tekduke:~# sudo ufw allow from 10.10.0.5 to any port 3306
Rule added
Rule added (v6)
Allow MySQL from 10.10.0.5

In the above example, we've limited incoming MySQL connections to a single IP address, 10.10.0.5 (which is on our local network). This way the application server can connect to MySQL, but nobody else can.

There is a lot more that can be done with UFW, and it is simple to use. Now that we have configured all of our rules, we can finally enable UFW.

duke@tekduke:~# sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? Y
Firewall is active and enabled on system startup
Enable UFW

As you can see above, upon entering the command we get a warning that SSH connections may be disrupted (due to our default deny incoming policy), but since we have added the OpenSSH rule, we can safely proceed by responding Y.
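As an added example, not part of the original article, the following POSIX shell script applies the same ruleset from a single file and checks the `ufw status` output for an SSH allow rule before enabling, so the lockout the prompt warns about cannot happen by accident. The 10.10.0.5 address is the article's; DRY_RUN, SAMPLE_STATUS and the function names are assumptions of this script, not ufw features.

```shell
#!/bin/sh
# Added example (not from the original article): apply the article's UFW
# ruleset and refuse to enable the firewall unless `ufw status` already
# shows an SSH allow rule. DRY_RUN/SAMPLE_STATUS are this script's own.
set -eu

# Constructed sample of `ufw status` output, used when DRY_RUN=1 so the
# guard can be exercised on a machine without ufw or root.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
3306                       ALLOW       10.10.0.5
OpenSSH (v6)               ALLOW       Anywhere (v6)'

# Run ufw, or only print the command that would run when DRY_RUN=1.
ufw_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "ufw $*"; else sudo ufw "$@"; fi
}
ufw_status() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$SAMPLE_STATUS"; else sudo ufw status; fi
}

# Succeed if the status text on stdin has an ALLOW line for OpenSSH or port 22 (v4 or v6).
ssh_rule_present() {
    grep -Eq '^(OpenSSH|22(/tcp)?)( \(v6\))?[[:space:]]+ALLOW'
}

# The article's rules, in order: defaults first, then SSH, web and MySQL.
apply_rules() {
    ufw_cmd default allow outgoing
    ufw_cmd default deny incoming
    ufw_cmd allow OpenSSH
    ufw_cmd allow 'Nginx Full'
    ufw_cmd allow from 10.10.0.5 to any port 3306
}

# Enable only when an SSH rule is present; --force skips the y/n prompt.
enable_if_safe() {
    if ufw_status | ssh_rule_present; then
        ufw_cmd --force enable
    else
        echo "refusing to enable ufw: no SSH allow rule in status" >&2
        return 1
    fi
}

# Only act when invoked as: sh ufw-setup.sh apply   (set DRY_RUN=1 to preview)
if [ "${1:-}" = "apply" ]; then apply_rules && enable_if_safe; fi
```

Run it once with DRY_RUN=1 to review the exact commands before applying them on a live host.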

I hope this quick tutorial about UFW was helpful. You can learn more about UFW in the community article at DigitalOcean.