In 2022, the world will be a very different place. With new technologies and advancements, the way we live our lives will be completely different. One of the most important changes that will take place is the way we use technology. In this article, we are going to talk about how to install and use UFW (Uncomplicated Firewall), which is a great tool for protecting your computer from unwanted access. UFW is a powerful firewall that can protect your computer from unwanted access. It can help protect your computer against viruses, malware, and other threats. UFW is easy to use and can be installed in just a few minutes. Once it is installed, you can start using it to protect your computer from unwanted access. To install UFW on your computer, first download the installer from the website www.ufw.org/. Once you have downloaded the installer, double-click on it to start it up. When the installer has finished loading, click on the Next button to continue with the installation process. Next, you will need to choose which type of installation you want to do: Local or Remote Installation . If you want to install UFW locally on your computer, then click on Local Installation . If you want to install UFW remotely on another computer in your network , then click on Remote Installation . Once you have chosen which installation type you want to do, next you will need to choose which computers in your network will have access to UFW . To do this, click on Add Computers . You can add as many computers as you want into this list. Once you have added all of the computers that you want access to Ufw , click on OK button in order for Ufw installation process to continue.. After clicking OK button in step 7 , next step of installation process will start automatically and it will take few minutes for installation process finish.. After installation process finish successfully , next thing that ufw needs is ..
In this post are commands containing options/arguments that contain two words and look like this: comment ssh. These extra parts add a comment to the firewall rules generated. If you are using a version of UFW priot to 0.35 you may have to remove these two extra pieces to avoid errors. Please bear this in mind when you come to using these types of commands later on should you receive errors.
1 – Install UFW
Using your systems package manager is a straight forward and easy way of obtaining UFW. Here are two examples for Arch Linux and Debian/Ubuntu.
1 – Install UFW2 – Enable Default Rules3 – Adding Rules4 – Commonly Applied Rules5 – Enabling and Disabling UFW6 – Deleting Rules7 – Enabling and Disabling Logging8 – Miscellaneous
Arch Linux
On Arch with Pacman it’s simply:
[alert-announce]
$ sudo pacman -S ufw
[/alert-announce]
Then enable it on boot through systemd using:
[alert-announce]
$ sudo systemctl enable ufw $ sudo systemctl start ufw
[/alert-announce]
Check out Arch Wiki – Uncomplicated Firewall
Debian / Ubuntu
UFW comes as part of most Ubuntu based distributions so you might already have it on your system, but to download the package on either Debian or Ubuntu use:
[alert-announce]
$ sudo apt-get install ufw
[/alert-announce]
To check the status of the program and confirm installation.
[alert-announce]
$ sudo ufw status verbose
[/alert-announce]
The output returned if installed successfully should be:
[alert-announce]
Output
Status: inactive
[/alert-announce]
2 – Enable Default Rules
As with several other firewall solutions, the standard practice is to block every possible incoming connection and allow any possible outgoing connections. Then open/block individual services and ports where necessary afterwards.
So deny all incoming connections.
[alert-announce]
$ sudo ufw default deny incoming
[/alert-announce]
And allow all outgoing connections.
[alert-announce]
$ sudo ufw default allow outgoing
[/alert-announce]
Remember that the firewall itself is still not active yet. All we have done so far is add these two overall base rules.
3 – Adding Rules
There are two primary styles available for adding rules – standard rule inputs and alias style inputs.
Here’s how to enable SSH connections to the server, using one of the built-in alias style inputs UFW provides.
[alert-announce]
$ sudo ufw allow ssh comment ssh
[/alert-announce]
This opens the default SSH TCP port – port number 22. Without this port open, SSH connections to your server would be blocked. Potentially making it inaccessible remotely.
Here’s the same rule again that opens the default SSH port, but using the standard rule input syntax.
[alert-announce]
$ sudo ufw allow 22/tcp comment ssh
[/alert-announce]
Anyone who does not use the default port number 22 for SSH and has altered it manually on their server, must use this standard rule syntax, and change the number in the command 22 to their chosen custom SSH port number.
Usually there is no need to restart UFW for newly added/removed rules to take effect. The effect of an action is applied immediately.
Further Methods
Specific IP addresses may be utilised in rules too. The next example (as suggested by the syntax) allows all traffic incoming access from the provided address.
[alert-announce]
$ sudo ufw allow from 192. 168. 255. 255
[/alert-announce]
Port ranges are opened using a colon : and the number ranges you wish to use. The port type is given as /tcp or /udp appearing in the same manner as before.
[alert-announce]
$ sudo ufw allow 3452:3478/tcp $ sudo ufw allow 3452:3478/udp
[/alert-announce]
Although the default rules we applied in step two automatically block every network connection, you can still block individual items with the firewall if you wish. Such as with a different blanket rule setup.
The deny command is what blocks specific port numbers, IP addresses, or port ranges when passed.
This would block the default SSH port if in some scenarios it was required.
[alert-announce]
$ sudo ufw deny ssh comment ssh
[/alert-announce]
To deny FTP traffic using the standard rule input syntax you can use:
[alert-announce]
$ sudo ufw deny 21/tcp comment ssh
[/alert-announce]
Blocking a target IP address(s) is the same as allowing but again uses the deny option instead.
[alert-announce]
$ sudo ufw deny from 192. 168. 254. 254
[/alert-announce]
Lastly blocking entire ranges with deny is just as possible:
[alert-announce]
$ sudo ufw deny 3278:3282/tcp $ sudo ufw deny 3278:3282/udp
[/alert-announce]
Blocking/denying entire subnets is also possible by using the IP address and mask (CIDR notation).
[alert-announce]
$ sudo ufw deny 15. 15. 15. 0/26
[/alert-announce]
Lastly here, blocking via the host machines network interface/hardware is possible e.g. eth0 or whatever it is registered as. No examples for this will be shown here however. Simply note that it is possible.
4 – Commonly Applied Rules
Continuing on with the primary styles available for adding rules, the standard rule inputs and alias style inputs. Here are some common rules you might want to add to the firewall either now, or at some point in the future.
These two allow traffic on port 80 – the standard web server port.
[alert-announce]
$ sudo ufw allow http comment http $ sudo ufw allow 80/tcp comment http
[/alert-announce]
The same goes for the port assigned to encrypted traffic on web servers, port 443.
[alert-announce]
$ sudo ufw allow https comment https $ sudo ufw allow 443/tcp comment https
[/alert-announce]
Always use sftp instead of ftp when transferring files on the command line. The choice of commands to allow traffic on the default sftp port is:
[alert-announce]
$ sudo ufw allow sftp comment sftp $ sudo ufw allow 115/tcp comment sftp
[/alert-announce]
When working with LDAP (Lightweight Directory Access Protocol) the alias command is best suited as it saves you having to open up both the TCP and UDP ports with two commands, so open up port 389 on both using:
[alert-announce]
$ sudo ufw allow ldap comment ldap
[/alert-announce]
For SMTP traffic there’s:
[alert-announce]
$ sudo ufw allow smtp comment smtp $ sudo ufw allow 25 comment smtp
[/alert-announce]
And for IMAP you’d enter:
[alert-announce]
$ sudo ufw allow imap comment imap $ sudo ufw allow 143 comment imap
[/alert-announce]
Since UFW reads from the /etc/services file you can add any of the service names listed in there.
[alert-announce]
$ sudo less /etc/services
[/alert-announce]
Check this Digital Ocean article for even more specific rules to add to your servers UFW config.
5 – Enabling and Disabling UFW
Once the rules are all added and ready for use, the final step is to activate the firewall.
This is easily done by issuing the command:
[alert-announce]
$ sudo ufw enable
[/alert-announce]
After entering the sudo password and confirming any prompts, you receive the message:
[alert-announce]
Firewall is active and enabled on system startup
[/alert-announce]
From here onward the rules are applied and working as entered.
To see the entire rules and status of the firewall now it’s running enter the command from the start again.
[alert-announce]
$ sudo ufw status verbose
[/alert-announce]
Should you ever need to reload the firewall, use the reload option. Although this will probably be a rare occasion as remember rules are applied instantly upon entering.
[alert-announce]
$ sudo ufw reload
[/alert-announce]
More commonly the entire firewall can be disabled with one command.
[alert-announce]
$ sudo ufw disable
[/alert-announce]
Your rules and configuration is not list when the firewall is disabled, only inactive until you enable them again. To delete and remove rules see the next section.
6 – Deleting Rules
Removing rules using the syntax you’re now likely familiar with. All you need to do is use the delete option as part of your command structure.
For example:
[alert-announce]
$ sudo ufw delete allow ssh $ sudo ufw delete allow 22/tcp
[/alert-announce]
A smart way to remove rules uses the numbered output command.
[alert-announce]
$ sudo ufw status numbered
[/alert-announce]
Here’s some example output:
[alert-announce]
Output
Status: active To Action From — —— —- [ 1] 22 ALLOW IN Anywhere [ 2] 21/tcp ALLOW IN Anywhere [ 3] 80 ALLOW IN Anywhere [ 4] 443 ALLOW IN Anywhere [ 5] 22 (v6) ALLOW IN Anywhere (v6) [ 6] 21/tcp (v6) ALLOW IN Anywhere (v6) [ 7] 80 (v6) ALLOW IN Anywhere (v6) [ 8] 443 (v6) ALLOW IN Anywhere (v6)
[/alert-announce]
The number featured in the resultant output (on the left column) can be referenced to delete rules.
As in this next example, which deletes rule 4 from the firewall.
[alert-announce]
Output
$ sudo ufw delete 4
[/alert-announce]
Be aware that if you have IPv6 enabled – which is the case on many distributions now by default after installation – there is always an equivalent rule added for IPv6; whenever you add a rule. So you need to delete that corresponding rule also when using this method.
In my example it would have been rule 8 which you can see in the output(s).
[alert-announce]
Output
[ 8] 443 (v6) ALLOW IN Anywhere (v6)
[/alert-announce]
If for some reason you want to redo the entire rule-set of the firewall. You can reset the whole of your current configuration with one command.
[alert-announce]
$ sudo ufw reset
[/alert-announce]
Be careful using this of course.
7 – Enabling and Disabling Logging
If you want to use logging for the firewall you must enable it to do so.
To enable logging use:
[alert-announce]
$ sudo ufw logging on
[/alert-announce]
The location of the log file may differ but in general, here’s the place to start looking.
[alert-announce]
$ sudo ls /var/log/ufw
[/alert-announce]
For information on how to interpret log entries in UFW, read through this section here.
To disable logging if needed you can use:
[alert-announce]
$ sudo ufw logging off
[/alert-announce]
8 – Miscellaneous
Rule comments were introduced as of February 2016 but you will require at least version 0.35 of UFW to be able to use them.
To use IPv6 with UFW you need to ensure you have it enabled in the configuration file:
[alert-announce]
$ sudo vim /etc/default/ufw
[/alert-announce]
Change the the value of IPV6 to equal yes in this file if it is set to “no”.
[alert-announce]
/etc/default/ufw excerpt
IPV6=yes
[/alert-announce]
Save and leave the file.
Reloading the firewall here might be a wise step if you already had it running before doing this (the command for reloading is given in an earlier step). After this the IPv6 rules alongside the regular IPv4 rules should be active and added to the firewall.
Lastly here’s several aliases you might want to incorporate into your .bashrc or .alias file to make things slightly quicker.
[alert-announce]
~/.alias
ufw alias ufw=’sudo ufw’ alias ufwstatver=’sudo ufw status verbose’ alias ufwstatnum=’sudo ufw status numbered’
[/alert-announce]
This post in its entirety covers most of the information required when it comes to getting to know UFW. Some of the external links also provide a vast amount of information should it be needed.