A Guide to the Uncomplicated Firewall (UFW) for Linux

·@mr-rigden·
<html>
<p>Firewalls are too important to be convoluted. UFW allows mere mortals to create firewall rules. In this post, I will walk you through all you need to know about using this awesome Linux security tool.</p>
<p><em><strong>Warning:</strong></em> <em>If you are using a remote system, be careful. It is very easy to lock yourself out of a remote system. If you are using SSH and the firewall blocks the SSH port, you are gonna have a bad time.</em></p>
<h3>Install</h3>
<p>UFW was made for Ubuntu, but now is available for most distributions. Check your distro’s package management system. For Ubuntu just run:</p>
<pre><code>sudo apt-get install ufw</code></pre>
<h3>Reset</h3>
<p>Before we do anything, we should know how to reset the firewall.</p>
<pre><code>sudo ufw reset</code></pre>
<p>This command returns UFW to its defaults, removing any mistakes we might make.</p>
<h3>Defaults</h3>
<p>The default settings for UFW are to allow all outgoing connections and block all incoming connections. It should also be disabled by default.</p>
<h3>Status</h3>
<p>We can check the status of our newly installed firewall.</p>
<pre><code>sudo ufw status</code></pre>
<p>A brand new install will probably return:</p>
<pre><code>Status: inactive</code></pre>
<p>An enabled system returns something much more interesting: a nice table of rules.</p>
<pre><code>Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    DENY        Anywhere
8080                       ALLOW       Anywhere
2020                       ALLOW       Anywhere
22                         DENY        Anywhere</code></pre>
<h4>Verbose</h4>
<p>We can make the <code>status</code> option show some extra information with:</p>
<pre><code>sudo ufw status verbose</code></pre>
<p>This view is a bit more detailed.</p>
<pre><code>Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           DENY IN     Anywhere
8080                       ALLOW IN    Anywhere
2020                       ALLOW IN    Anywhere
22                         DENY IN     Anywhere</code></pre>
<h4>Numbered</h4>
<p>We can also see the rules numbered for convenience:</p>
<pre><code>sudo ufw status numbered</code></pre>
<p>This view will be very useful later, when we are deleting rules.</p>
<pre><code>Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    DENY IN     Anywhere
[ 2] 8080                       ALLOW IN    Anywhere
[ 3] 2020                       ALLOW IN    Anywhere
[ 4] 22                         DENY IN     Anywhere</code></pre>
<h3>Reload</h3>
<p>As we add and remove rules we will need to reload the firewall.</p>
<pre><code>sudo ufw reload</code></pre>
<h3>Enable</h3>
<p>Enable loads the firewall now and makes it start automatically when the machine boots.</p>
<pre><code>sudo ufw enable</code></pre>
<h3>Disable</h3>
<p>Unloads the firewall and it will not start automatically when the machine boots.</p>
<pre><code>sudo ufw disable</code></pre>
<h3>Allow/Deny</h3>
<p>A firewall is really just a set of rules for networking. These are rules about who can connect to a machine and who the machine can connect to, and rules about how ports, protocols, and hardware can be used. UFW makes it pretty easy to write these rules. The rules we create with UFW are all about what we allow and what we deny.</p>
<h4>Ports</h4>
<p>Let us say we want to allow connections to our SSH server. It is listening on a non-standard port of 2020.</p>
<pre><code>sudo ufw allow 2020</code></pre>
<p>This allows TCP and UDP connections to port 2020. And if we want to block TCP and UDP connections on port 22:</p>
<pre><code>sudo ufw deny 22</code></pre>
<h4>Services</h4>
<p>You can also create rules by name for some installed services. We can list the available services with:</p>
<pre><code>sudo ufw app list</code></pre>
<p>On my system at home, I get back:</p>
<pre><code>Available applications:<br>
 &nbsp;CUPS<br>
 &nbsp;OpenSSH</code></pre>
<p>If we want to allow OpenSSH, I run:</p>
<pre><code>sudo ufw allow OpenSSH</code></pre>
<p>And of course we could also block OpenSSH with:</p>
<pre><code>sudo ufw deny OpenSSH</code></pre>
<p>Although this would be a very bad idea on a remote machine.</p>
<h4>Address</h4>
<p>We can allow connections for specific IP addresses too.</p>
<pre><code>sudo ufw allow from 192.168.1.2</code></pre>
<p>Or we can block specific IP addresses.</p>
<pre><code>sudo ufw deny from 192.168.1.2</code></pre>
<h4>Protocols</h4>
<p>Earlier I mentioned UDP and TCP. We can create rules for these protocols specifically.</p>
<pre><code>sudo ufw allow 80/tcp</code></pre>
<p>This will only allow TCP connections on port 80. And if we want, we can explicitly block UDP connections also.</p>
<pre><code>sudo ufw deny 80/udp</code></pre>
<h4>Interface</h4>
<p>If you have multiple network interfaces, then you will probably want different rules for them. Say we want <code>eth0</code> to have port 80 open:</p>
<pre><code>sudo ufw allow in on eth0 to any port 80</code></pre>
<h4>In and&nbsp;Out</h4>
<p>We can allow or deny certain connections based on whether they are incoming or outgoing. The following will allow incoming connections on port 80.</p>
<pre><code>sudo ufw allow in 80</code></pre>
<p>And we could also block outgoing connections on port 3389:</p>
<pre><code>sudo ufw deny out 3389</code></pre>
<h4>Combinations</h4>
<p>We can compose complex rules by combining some of the elements above. Let us say that I want to allow only a specific IP to access port 22.</p>
<pre><code>sudo ufw allow from 192.168.0.1 to any port 22</code></pre>
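<p>The rules from the Allow/Deny sections above are evaluated by UFW in the order they were added, and the first match wins. That is exactly how the lockout in the warning at the top happens: a broad <code>deny 22</code> added before an <code>allow from &lt;admin&gt; to any port 22</code> means the allow is never reached. The following is an added example, not code from the original post or from the UFW project: a small Python model of that first-match evaluation, covering only the numeric-port command forms shown on this page (no app names such as <code>OpenSSH</code>), treating <code>limit</code> as <code>allow</code> because the rate limit does not change which rule matches, and ignoring interface names. Use it to check a planned ruleset on paper before typing it into a remote box.</p>

```python
# Added example (not part of the original post): a small model of how UFW
# evaluates the rules shown in this guide, used to check a planned ruleset
# for the SSH lockout the warning at the top describes before applying it.
# It covers only the numeric-port command forms on this page (no app names
# such as OpenSSH); "limit" is treated as "allow" because the rate limit
# does not change which rule matches; interface names are not modelled.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                  # "allow", "deny", "reject" or "limit"
    port: Optional[int] = None   # None means any port
    proto: Optional[str] = None  # "tcp", "udp" or None for both
    src: Optional[str] = None    # address or CIDR; None means "Anywhere"
    direction: str = "in"        # ufw treats a bare rule as incoming


def parse_rule(cmd: str) -> Rule:
    """Parse forms like 'allow 2020', 'deny 80/udp', 'deny out 3389',
    'allow in on eth0 to any port 80', 'allow from 192.168.0.1 to any port 22'."""
    tokens = cmd.replace("sudo ufw ", "", 1).split()
    rule = Rule(action=tokens[0])
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("in", "out"):
            rule.direction = tok
        elif tok in ("on", "to"):
            i += 1                       # skip the interface name or "any"
        elif tok == "from":
            i += 1
            rule.src = tokens[i]
        elif tok == "port":
            i += 1
            rule.port = int(tokens[i])
        else:                            # "2020" or "80/tcp"
            port, _, proto = tok.partition("/")
            rule.port = int(port)
            rule.proto = proto or None
        i += 1
    return rule


def evaluate(rules: List[Rule], direction: str, proto: str, port: int,
             src: str, default: str = "deny") -> str:
    """First matching rule wins, as in UFW; otherwise the default policy applies."""
    for r in rules:
        if r.direction != direction:
            continue
        if r.port is not None and r.port != port:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.src is not None and ipaddress.ip_address(src) not in \
                ipaddress.ip_network(r.src, strict=False):
            continue
        return "allow" if r.action == "limit" else r.action
    return default


def ssh_lockout_check(commands: List[str], admin_ip: str, ssh_port: int = 22) -> str:
    """Verdict an incoming TCP connection from admin_ip to ssh_port would get
    once the commands have been applied in the given order."""
    rules = [parse_rule(c) for c in commands]
    return evaluate(rules, "in", "tcp", ssh_port, admin_ip)


if __name__ == "__main__":
    # Constructed scenario: the guide's 'deny 22' followed by the combination rule.
    planned = ["sudo ufw deny 22",
               "sudo ufw allow from 192.168.0.1 to any port 22"]
    print(ssh_lockout_check(planned, "192.168.0.1"))        # deny: the deny is matched first
    print(ssh_lockout_check(planned[::-1], "192.168.0.1"))  # allow: allow added first
    print(ssh_lockout_check(planned[::-1], "10.0.0.5"))     # deny: not the admin host
```

<p>The practical lesson the model shows: add the narrow allow for your own address before the broad deny, or put it in front with <code>ufw insert 1 ...</code>, and confirm with <code>sudo ufw status numbered</code> that it sits above the deny before you disconnect.</p>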
<h3>Limit</h3>
<p>We can rate limit connections. This limits a source to 6 connection attempts within 30 seconds on the port the rule matches.</p>
<pre><code>sudo ufw limit ssh</code></pre>
<h3>Reject</h3>
<p>Sometimes we want to explicitly reject a connection. Unlike <code>deny</code>, which silently drops the packets, this lets the sender know they are being rejected.</p>
<pre><code>sudo ufw reject 666</code></pre>
<h3>Delete Rule</h3>
<p>Eventually, we will want to delete a rule we created. That can be pretty simple.</p>
<pre><code>sudo ufw delete allow 80</code></pre>
<p>Or we can delete a rule by number. Remember:</p>
<pre><code>sudo ufw status numbered</code></pre>
<p>We got this nice table with all the rules numbered.</p>
<pre><code>Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    DENY IN     Anywhere
[ 2] 8080                       ALLOW IN    Anywhere
[ 3] 2020                       ALLOW IN    Anywhere
[ 4] 22                         DENY IN     Anywhere</code></pre>
<p>We can delete a rule using its number, for example rule 4 in the table above:</p>
<pre><code>sudo ufw delete 4</code></pre>
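<p>One thing to keep in mind when deleting by number: UFW renumbers the remaining rules after every delete, so deleting rules 2 and 3 in that order actually removes rule 2 and then what used to be rule 4. The following is an added example, not code from the original post or from the UFW project: a Python parser for the <code>ufw status numbered</code> table shown above (the sample table is constructed in that layout), with a lookup by rule contents, a helper that orders deletions highest number first, and a simulation of the renumbering so you can see the pitfall without touching a live firewall.</p>

```python
# Added example (not part of the original post): parse the output of
# 'sudo ufw status numbered' so a rule can be looked up by what it allows
# or denies and deleted by the right number. UFW renumbers the remaining
# rules after every delete, so several deletions go highest number first.
import re
from typing import Dict, List, Optional

# Constructed sample in the layout of the numbered status table above.
SAMPLE_STATUS = """Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    DENY IN     Anywhere
[ 2] 8080                       ALLOW IN    Anywhere
[ 3] 2020                       ALLOW IN    Anywhere
[ 4] 22                         DENY IN     Anywhere                   # for my SSH
"""

RULE_RE = re.compile(
    r"^\[\s*(\d+)\]\s+"                        # [ 1]
    r"(\S+(?: \([^)]+\))?)\s+"                  # To, e.g. 8080 or 22/tcp (OpenSSH)
    r"(ALLOW|DENY|REJECT|LIMIT)(?: (IN|OUT))?\s+"
    r"(.+?)"                                    # From, e.g. Anywhere or 192.168.0.1
    r"(?:\s+#\s*(.*))?$"                        # optional comment
)


def parse_status_numbered(text: str) -> List[Dict]:
    """Turn the numbered table into a list of rule dicts; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.rstrip())
        if not m:
            continue                            # header, separator and blank lines
        num, to, action, direction, src, comment = m.groups()
        rules.append({"num": int(num), "to": to, "action": action,
                      "direction": direction or "IN", "from": src,
                      "comment": comment})
    return rules


def find_rule_numbers(rules: List[Dict], to: Optional[str] = None,
                      action: Optional[str] = None) -> List[int]:
    """Numbers of the rules matching the given To value and/or action."""
    return [r["num"] for r in rules
            if (to is None or r["to"] == to)
            and (action is None or r["action"] == action)]


def delete_commands(numbers: List[int]) -> List[str]:
    """Delete highest first so the lower numbers still point at the intended rules."""
    return [f"sudo ufw delete {n}" for n in sorted(set(numbers), reverse=True)]


def simulate_deletes(rules: List[Dict], order: List[int]) -> List[str]:
    """Model UFW's renumbering: each delete removes a position from the current list
    and returns the To column of what is left."""
    remaining = [r["to"] for r in rules]
    for n in order:
        if 1 <= n <= len(remaining):
            del remaining[n - 1]
    return remaining


if __name__ == "__main__":
    rules = parse_status_numbered(SAMPLE_STATUS)
    print(find_rule_numbers(rules, action="DENY"))   # [1, 4]
    print(delete_commands([2, 3]))                   # delete 3, then delete 2
    print(simulate_deletes(rules, [2, 3]))           # wrong order: ['OpenSSH', '2020']
    print(simulate_deletes(rules, [3, 2]))           # right order: ['OpenSSH', '22']
```

<p>Run <code>sudo ufw status numbered</code> again after each delete if you are doing it by hand; the simulation is there to show why the order matters, not to replace looking at the live table.</p>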
<h3>Comment</h3>
<p>Commenting your rules is always a good idea. After the command add <code>comment</code> and then a string in quotes.</p>
<pre><code>sudo ufw allow 22 comment 'for my SSH'</code></pre>
<p>Now when we run:</p>
<pre><code>sudo ufw status</code></pre>
<p>We get our comment shown beside the rule.</p>
<pre><code>Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    DENY        Anywhere
8080                       ALLOW       Anywhere
2020                       ALLOW       Anywhere
22                         ALLOW       Anywhere                   # for my SSH
80                         REJECT      Anywhere</code></pre>
<h3>Logs</h3>
<p>We can also instruct our firewall to keep logs. They go to the kernel log (on Ubuntu usually <code>/var/log/ufw.log</code> as well as syslog), one line per logged packet.</p>
<pre><code>sudo ufw logging on</code></pre>
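<p>Once logging is on, every blocked packet shows up as a kernel log line prefixed with <code>[UFW BLOCK]</code> followed by <code>KEY=VALUE</code> fields such as <code>SRC</code>, <code>DST</code>, <code>PROTO</code> and <code>DPT</code>. The following is an added example, not code from the original post or from the UFW project: a Python parser for those lines that counts blocked attempts per source and destination port, and flags any source that reaches the same numbers the Limit section above uses (6 attempts within 30 seconds), which is a cheap way to see which hosts a <code>limit</code> rule would be catching. The log lines are constructed for this example and use documentation addresses.</p>

```python
# Added example (not part of the original post): parse the "[UFW BLOCK]"
# lines UFW writes to the kernel log once logging is on, count blocked
# attempts per source and port, and flag sources that hit the numbers the
# Limit section uses (6 attempts within 30 seconds). The log lines below
# are constructed for this example, with documentation addresses.
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Jan 10 12:00:01 gw kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:04 gw kernel: [ 4321.000001] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 SYN URGP=0
Jan 10 12:00:07 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=22 SYN URGP=0
Jan 10 12:00:09 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51237 DPT=22 SYN URGP=0
Jan 10 12:00:12 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51238 DPT=22 SYN URGP=0
Jan 10 12:00:15 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51239 DPT=22 SYN URGP=0
Jan 10 12:00:18 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=8080 SYN URGP=0
Jan 10 12:05:00 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=40002 DPT=8080 SYN URGP=0
Jan 10 12:05:02 gw kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.1.2 DST=192.0.2.10 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=2020 SYN URGP=0
Jan 10 12:05:03 gw sshd[1234]: Accepted publickey for admin from 192.168.1.2 port 40000 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?:\[\s*[\d.]+\] )?"                     # optional kernel uptime stamp
    r"\[UFW (?P<verdict>\w+)\] (?P<fields>.*)$"
)


def parse_ufw_log_line(line: str) -> Optional[Dict]:
    """Return the fields of one UFW log line, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True     # bare flags such as DF or SYN
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "verdict": m.group("verdict"),         # BLOCK, ALLOW, AUDIT, ...
        "iface": fields.get("IN"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def flag_bursts(events: List[Dict], threshold: int = 6, window_s: int = 30) -> Dict:
    """(src, dport) pairs with at least `threshold` blocked attempts inside any
    `window_s`-second span, found with a sliding window over sorted timestamps."""
    per_key = defaultdict(list)
    for e in events:
        if e["verdict"] == "BLOCK" and e["dport"] is not None:
            per_key[(e["src"], e["dport"])].append(e["ts"])
    flagged = {}
    for key, times in per_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = max(flagged.get(key, 0), end - start + 1)
    return flagged


def summarize(text: str) -> Dict:
    """Parse a whole log, count blocked attempts per (src, dport), and flag bursts."""
    events = [e for e in map(parse_ufw_log_line, text.splitlines()) if e]
    blocked = Counter((e["src"], e["dport"]) for e in events if e["verdict"] == "BLOCK")
    return {"parsed": len(events), "blocked": dict(blocked), "bursts": flag_bursts(events)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

<p>Feed it the real file with <code>summarize(open("/var/log/ufw.log").read())</code>; the syslog timestamp carries no year, so the window arithmetic is only meaningful within one year of log, which is fine for this kind of quick look.</p>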
<h3>Conclusion</h3>
<p>Firewall rules can get complex pretty fast. I hope this little tutorial can make it a little easier.</p>
</html>