Today I learned a different way to configure the firewall on my Ubuntu / Debian Server: the
ufw command. UFW stands for “Uncomplicated FireWall” and it’s just that. It provides a simpler interface to add or remove firewall rules to iptables, the default Linux firewall. It’s installed on Ubuntu Server by default. To set up UFW is a lot easier than setting up iptables manually!
A new Ubuntu Server install contains a firewall (iptables) that is not enabled. Ubuntu.com has a great tutorial that explains that ufw is the default configuration tool for iptables. After I set up my server, I used ufw to close all ports by default, then open up ports for the services I use. I don’t have complex security needs or run a proxy server, so my rules are simple.
Before adding rules, it’s best to explicitly set the default behavior. By default, I like to block everything: both incoming and outgoing traffic. After that is done, I selectively open ports to support the services I wish to run. In contrast, UFW, by default, denies all incoming traffic but allows all outgoing traffic. That setup is accomplished manually with the following commands.
ufw default deny incoming
ufw default allow outgoing
The following commands open ports for named services that I use: namely, SSH (port 22), a web server (port 80), and Webmin (port 10000). Any services named in /etc/services may be identified by name instead of port number.
ufw allow ssh
ufw allow www
ufw allow webmin
UFW also has a list of application presets, for common servers such as Apache, OpenSSH, Lighttpd, and Samba. You can view the list by issuing the command:
ufw app list
You can implement firewall rules for Samba and Lighttpd by using the commands below, which specify the application name, not the service name. Note that you must enclose in quotation marks any application names that include spaces.
ufw allow Samba
It’s better to limit Samba access to hosts on your LAN. Using ufw’s more complex syntax, you can do just that. Note that you have to add “app” before the application name in this case.
ufw allow from 10.0.0.0/8 to 127.0.0.1 app Samba
ufw allow to 10.0.0.0/8 from 127.0.0.1 app Samba
The following commands open the ports required by my Transmission-Daemon server. Here I must specify port numbers explicitly. Note that you use a colon instead of a dash to specify port ranges. Plus, when creating rules for port ranges, you must specify whether they apply to TCP or UDP.
ufw allow 9091
ufw allow 6881:6891/tcp
ufw allow 6881:6891/udp
The following command opens up ports needed for MySQL, but only to hosts within the local network.
If you wish to open up MySQL to the world, you could use a simpler syntax.
ufw allow from 10.0.0.0/8 to any port 3306/tcp
ufw allow mysql
If you like to use NFS, follow the installation and configuration in Securing NFS. To see if correct ports for NFS and RPC are open, use
ufw allow from 192.168.122.0/28 to any port 111
ufw allow from 192.168.122.0/28 to any port 2049
ufw allow from 192.168.122.0/28 proto udp to any port 32764:32769
ufw allow from 192.168.122.0/28 proto tcp to any port 32764:32769
Allow a specific ip address and port
ufw allow from <ipaddress> to any port <port number>
Allowing access from an ip address range 10.120.0.1 – 10.120.0.255 to port 22
ufw allow from 10.0.0.0/24 to any port 22
Deleting rules is pretty simple. Just use the following syntax, and replace <…> with the entire rule that you wish to delete.
ufw delete <...>
ufw delete allow ssh
ufw delete allow 10000
You can also delete all the rules with a single command.
Enabling the Firewall
The following command enables the firewall rules immediately, and upon subsequent system restarts. This command will also refresh the rules. Run this command each time you update your firewall configuration.
Disabling the Firewall
To disable the firewall, simply issue the following command.
Checking the Configuration
You can check your configuration by issuing one of the following commands. The “verbose” version shows more information.
ufw status verbose
Open ports for Lighttpd
ufw allow "Lighttpd Full"
Open port for network time protocol (ntpd)
ufw allow ntp
It is also possible to allow access from specific hosts or networks to a port. The following example allows SSH access from host 192.168.0.2 to any ip address on this host:
ufw allow proto tcp from 192.168.0.2 to any port 22
Replace 192.168.0.2 with 192.168.0.0/24 to allow ssh access from the entire subnet.