UFW (aka Uncomplicated Fire Wall) is a software firewall shipped with Ubuntu. It is really simple to configure yet equally powerful in terms of blocking attacks directed to various ports on your server. It usually comes disabled by default. In this article, we will understand how to configure some basic rules to enable/disable access to various ports or services.
The available config options are as follows:
The above is an example of commands and their corresponding action in UFW. first thing first, we set some defaults to make sure that we allow our server to be able to communicate with the other systems to perform updates etc. We will set default policies to allow outgoing connections but to block any incoming connections:
As we can see here, we get a warning to update our rules. This is because once UFW is enabled with these settings, it will block ALL connections to the server (including SSH) so we need to enable ssh connections to the server first. For this, there is an application profile available in UFW. Given that you haven't setup ssh to run on a custom port, this alone should be enough to enable ssh access.
Apart from this, another application that listens to incoming connections is Your webserver (Nginx in our case).
We use Nginx Full because we want to allow nginx to listen to both Port 80 & 443. If you conditionally want to only allow connections over Port 80 or Port 443, You can also use the options: 'Nginx HTTP' or 'Nginx HTTPS' instead of 'Nginx Full'.
Additionally, If You have any special ports that you want to allow connections to e.g. if You want to expose MySQL port 3306, You can do that as follows:
In the above example, we've limited MySQL incoming connections to one IP address i.e. 10.10.0.5 (which is on our local network) This way, the application server can connect to MySQL but anyone else can not.
There is a lot that can be done with UFW and it is really simple to use too. Now that we have configured all of our rule sets, we can finally enable UFW.
As you can see above, upon entering the command, it gives us the warning that SSH connections may be interrupted (due to our default deny incoming policy) but since we have enabled OpenSSH rule, we can safely proceed by responding
I hope this quick tutorial about UFW was helpful for you. You can learn more about UFW in a fantastic community article at DigitalOcean Here.