How to Install and Configure UFW (Uncomplicated Firewall) in Debian/Ubuntu
The Uncomplicated Firewall (UFW) is a user-friendly front end for host-based firewalling. It provides a framework for managing netfilter and a command-line interface for controlling the firewall. This page covers installing and configuring UFW on Debian and Ubuntu.
To Install UFW Firewall
UFW hides most of the complexity of writing iptables rules by hand. On Ubuntu it is installed by default (but not enabled); on Debian it normally has to be installed first.
Checking whether UFW is installed
To check whether the ufw package is present on your system, run:
user1@linuxhelp:~$ sudo dpkg --get-selections | grep ufw
[sudo] password for user1:
ufw install
If it is not listed, install it with:
user1@linuxhelp:~$ sudo apt-get install ufw
How to Enable and Disable ufw
If you administer the host over SSH, add an allow rule for the SSH port (see the rules section below) before enabling: the default policy denies all incoming connections, including your own session. Then run the following command to enable ufw and confirm that it is running.
user1@linuxhelp:~$ sudo ufw enable
Firewall is active and enabled on system startup
user1@linuxhelp:~$ sudo ufw status
Status: active
To disable ufw, run the command below; the status then reports inactive, meaning the firewall is not filtering any traffic.
user1@linuxhelp:~$ sudo ufw disable
user1@linuxhelp:~$ sudo ufw status
Status: inactive
Listing the current ufw rules
To view the status, the logging level and the default policies, type:
user1@linuxhelp:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
The Default line shows that incoming connections are denied, outgoing connections are allowed, and forwarded (routed) traffic is disabled. Every service that must be reachable from the network therefore needs an explicit allow rule.
Adding new rules in ufw
By default all incoming connections are denied, so any service you want to reach from another machine needs an allow rule for its port. Add that rule before enabling the firewall if the service is the one you are logged in through. For example, to permit SSH, execute the command below.
Allow access:
user1@linuxhelp:~$ sudo ufw allow ssh
Rule added
Rule added (v6)
Checking the status again shows the new rule:
user1@linuxhelp:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
22 (v6) ALLOW Anywhere (v6)
The listed rule allows incoming connections to port 22 from anywhere; since no protocol is shown, it matches both TCP and UDP. SSH only uses TCP, so narrow the rule by appending /tcp to the service name or port number:
user1@linuxhelp:~$ sudo ufw allow ssh/tcp
Rule added
Rule added (v6)
user1@linuxhelp:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
22/tcp ALLOW Anywhere
22 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
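The lock-out risk mentioned above, in script form. This is an added example, not code from the original page or from ufw itself: ssh_rule_state reads the text of ufw status on standard input and reports whether an ALLOW rule for the given port exists (it does not inspect the From column, so a rule restricted to one source host also counts), and safe_enable (a hypothetical helper name) uses it to refuse ufw enable while the administration port is still closed. The two status listings embedded in the script are constructed samples, so the demo runs without root or a real ufw.

```shell
#!/bin/sh
# Added example, not code from the original page or from ufw itself.
# Checks the text of "ufw status" for an ALLOW rule on the SSH port before
# enabling the firewall, so a remote session is not cut off by the default
# "deny (incoming)" policy.

# Constructed sample outputs of "sudo ufw status" used for the demo below.
SAMPLE_STATUS_OK='Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)'

SAMPLE_STATUS_NO_SSH='Status: inactive'

# ssh_rule_state PORT: reads "ufw status" output on stdin and prints
# "allowed" if some ALLOW rule covers PORT (or PORT/tcp), else "missing".
# It does not check the From column, so a rule restricted to one source
# host also counts as allowed.
ssh_rule_state() {
    port="${1:-22}"
    awk -v p="$port" '
        BEGIN { pt = p "/tcp" }
        # Column 1 is the "To" field: "22", "22/tcp", or "22 (v6)" style;
        # the action (ALLOW/DENY/...) follows somewhere after it.
        $1 == p || $1 == pt {
            for (i = 2; i <= NF; i++) if ($i == "ALLOW") found = 1
        }
        END { print (found ? "allowed" : "missing") }'
}

# safe_enable PORT: what an administrator logged in over SSH would run
# (hypothetical helper name; needs root and a real ufw). It refuses to
# enable the firewall unless the admin port is already allowed.
safe_enable() {
    port="${1:-22}"
    if [ "$(ufw status | ssh_rule_state "$port")" = allowed ]; then
        ufw enable
    else
        echo "refusing to enable ufw: no ALLOW rule for port $port (run: ufw allow $port/tcp)" >&2
        return 1
    fi
}

# Demo on the constructed samples (no root or ufw needed):
printf '%s\n' "$SAMPLE_STATUS_OK" | ssh_rule_state 22       # prints: allowed
printf '%s\n' "$SAMPLE_STATUS_NO_SSH" | ssh_rule_state 22   # prints: missing
```

On a real host, source the script and run sudo ufw status | ssh_rule_state 22 before sudo ufw enable, or call safe_enable as root. If the SSH port must stay open to the whole network, ufw limit 22/tcp instead of ufw allow 22/tcp rate-limits repeated connection attempts from one address.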
Deny Access
To block FTP (port 21/tcp, resolved from /etc/services), run the command below. Because the default incoming policy is already deny, an explicit deny rule mainly matters when a broader allow rule (for example one that allows a whole subnet) would otherwise match; ufw evaluates rules in order and the first match wins, so such a deny must come before the broader allow (sudo ufw insert 1 deny ... places a rule at position 1).
user1@linuxhelp:~$ sudo ufw deny ftp
Rule added
Rule added (v6)
user1@linuxhelp:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
22/tcp ALLOW Anywhere
21/tcp DENY Anywhere
22 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
21/tcp (v6) DENY Anywhere (v6)
To add Specific Port
If sshd has been moved from port 22 to port 2287, permit the new port by number (no /etc/services entry is needed):
user1@linuxhelp:~$ sudo ufw allow 2287
Rule added
Rule added (v6)
user1@linuxhelp:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
22/tcp ALLOW Anywhere
21/tcp DENY Anywhere
2290 ALLOW Anywhere
2287 ALLOW Anywhere
22 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
21/tcp (v6) DENY Anywhere (v6)
2290 (v6) ALLOW Anywhere (v6)
2287 (v6) ALLOW Anywhere (v6)
To allow a range of ports, write the range with a colon; here ports 2286 to 2357 over TCP:
user1@linuxhelp:~$ sudo ufw allow 2286:2357/tcp
Rule added
Rule added (v6)
user1@linuxhelp:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
22/tcp ALLOW Anywhere
21/tcp DENY Anywhere
2290 ALLOW Anywhere
2287 ALLOW Anywhere
2286:2357/tcp ALLOW Anywhere
22 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
21/tcp (v6) DENY Anywhere (v6)
2290 (v6) ALLOW Anywhere (v6)
2287 (v6) ALLOW Anywhere (v6)
2286:2357/tcp (v6) ALLOW Anywhere (v6)
The same range over UDP:
user1@linuxhelp:~$ sudo ufw allow 2286:2357/udp
Rule added
Rule added (v6)
user1@linuxhelp:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
22/tcp ALLOW Anywhere
21/tcp DENY Anywhere
2290 ALLOW Anywhere
2287 ALLOW Anywhere
2286:2357/tcp ALLOW Anywhere
2286:2357/udp ALLOW Anywhere
22 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
21/tcp (v6) DENY Anywhere (v6)
2290 (v6) ALLOW Anywhere (v6)
2287 (v6) ALLOW Anywhere (v6)
2286:2357/tcp (v6) ALLOW Anywhere (v6)
2286:2357/udp (v6) ALLOW Anywhere (v6)
A port range must name its protocol explicitly ("tcp" or "udp"); otherwise ufw rejects the rule with an error like the following.
ERROR: Must specify 'tcp' or 'udp' with multiple ports
To Add Specific IP
ufw also accepts rules based on the source IP address. Note that a rule with only a source and no port, as below, allows that host to reach every port on the system; the listing shows this as "Anywhere" in the To column.
user1@linuxhelp:~$ sudo ufw allow from 192.168.5.103
Rule added
user1@linuxhelp:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
22/tcp ALLOW Anywhere
21/tcp DENY Anywhere
2290 ALLOW Anywhere
2287 ALLOW Anywhere
2286:2357/tcp ALLOW Anywhere
2286:2357/udp ALLOW Anywhere
Anywhere ALLOW 192.168.5.103
22 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
21/tcp (v6) DENY Anywhere (v6)
2290 (v6) ALLOW Anywhere (v6)
2287 (v6) ALLOW Anywhere (v6)
2286:2357/tcp (v6) ALLOW Anywhere (v6)
2286:2357/udp (v6) ALLOW Anywhere (v6)
A CIDR mask extends the same rule to a whole subnet (again to all ports):
user1@linuxhelp:~$ sudo ufw allow from 192.168.5.0/24
Rule added
user1@linuxhelp:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
22/tcp ALLOW Anywhere
21/tcp DENY Anywhere
2290 ALLOW Anywhere
2287 ALLOW Anywhere
2286:2357/tcp ALLOW Anywhere
2286:2357/udp ALLOW Anywhere
Anywhere ALLOW 192.168.5.103
Anywhere ALLOW 192.168.5.0/24
22 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
21/tcp (v6) DENY Anywhere (v6)
2290 (v6) ALLOW Anywhere (v6)
2287 (v6) ALLOW Anywhere (v6)
2286:2357/tcp (v6) ALLOW Anywhere (v6)
2286:2357/udp (v6) ALLOW Anywhere (v6)
To Combine Parameters
More precise rules combine source address, protocol and port. The rule below allows connections only from 192.168.5.196, only over TCP and only to port 22; this is the shape to prefer over the all-port rules above.
user1@linuxhelp:~$ sudo ufw allow from 192.168.5.196 proto tcp to any port 22
Rule added
user1@linuxhelp:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
22/tcp ALLOW Anywhere
21/tcp DENY Anywhere
2290 ALLOW Anywhere
2287 ALLOW Anywhere
2286:2357/tcp ALLOW Anywhere
2286:2357/udp ALLOW Anywhere
Anywhere ALLOW 192.168.5.103
Anywhere ALLOW 192.168.5.0/24
22/tcp ALLOW 192.168.5.196
22 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
21/tcp (v6) DENY Anywhere (v6)
2290 (v6) ALLOW Anywhere (v6)
2287 (v6) ALLOW Anywhere (v6)
2286:2357/tcp (v6) ALLOW Anywhere (v6)
2286:2357/udp (v6) ALLOW Anywhere (v6)
To Delete Rules
There are two methods for deleting rules.
Method 1:
Repeat the original rule with delete in front of it. Here the deny rule for ftp (21/tcp) is removed:
user1@linuxhelp:~$ sudo ufw delete deny ftp
Rule deleted
Rule deleted (v6)
user1@linuxhelp:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
22/tcp ALLOW Anywhere
2290 ALLOW Anywhere
2287 ALLOW Anywhere
2286:2357/tcp ALLOW Anywhere
2286:2357/udp ALLOW Anywhere
Anywhere ALLOW 192.168.5.103
Anywhere ALLOW 192.168.5.0/24
22/tcp ALLOW 192.168.5.196
22 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
2290 (v6) ALLOW Anywhere (v6)
2287 (v6) ALLOW Anywhere (v6)
2286:2357/tcp (v6) ALLOW Anywhere (v6)
2286:2357/udp (v6) ALLOW Anywhere (v6)
Method 2:
Alternatively, delete a rule by its number. First list the rules with their numbers:
user1@linuxhelp:~$ sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 22 ALLOW IN Anywhere
[ 2] 22/tcp ALLOW IN Anywhere
[ 3] 2290 ALLOW IN Anywhere
[ 4] 2287 ALLOW IN Anywhere
[ 5] 2286:2357/tcp ALLOW IN Anywhere
[ 6] 2286:2357/udp ALLOW IN Anywhere
[ 7] Anywhere ALLOW IN 192.168.5.103
[ 8] Anywhere ALLOW IN 192.168.5.0/24
[ 9] 22/tcp ALLOW IN 192.168.5.196
[10] 22 (v6) ALLOW IN Anywhere (v6)
[11] 22/tcp (v6) ALLOW IN Anywhere (v6)
[12] 2290 (v6) ALLOW IN Anywhere (v6)
[13] 2287 (v6) ALLOW IN Anywhere (v6)
[14] 2286:2357/tcp (v6) ALLOW IN Anywhere (v6)
[15] 2286:2357/udp (v6) ALLOW IN Anywhere (v6)
To delete the first rule, give its number; answer "y" at the prompt and the rule is removed permanently. Note that the remaining rules are renumbered immediately (in the output below, what was rule 2 is now rule 1), so when removing several rules by number, list them again after each deletion or delete the highest number first.
user1@linuxhelp:~$ sudo ufw delete 1
Deleting:
 allow 22
Proceed with operation (y|n)? y
Rule deleted
user1@linuxhelp:~$ sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 2290 ALLOW IN Anywhere
[ 3] 2287 ALLOW IN Anywhere
[ 4] 2286:2357/tcp ALLOW IN Anywhere
[ 5] 2286:2357/udp ALLOW IN Anywhere
[ 6] Anywhere ALLOW IN 192.168.5.103
[ 7] Anywhere ALLOW IN 192.168.5.0/24
[ 8] 22/tcp ALLOW IN 192.168.5.196
[ 9] 22 (v6) ALLOW IN Anywhere (v6)
[10] 22/tcp (v6) ALLOW IN Anywhere (v6)
[11] 2290 (v6) ALLOW IN Anywhere (v6)
[12] 2287 (v6) ALLOW IN Anywhere (v6)
[13] 2286:2357/tcp (v6) ALLOW IN Anywhere (v6)
[14] 2286:2357/udp (v6) ALLOW IN Anywhere (v6)
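An added audit example that ties the "allow from" rules above to numbered deletion. It is not code from the original page or from ufw: all_port_allows parses the text of ufw status numbered, given on standard input, and prints the numbers of ALLOW rules whose To column is Anywhere, that is, rules such as allow from 192.168.5.103 that open every port to a source; delete_commands turns a list of numbers into ufw delete N lines ordered highest first, because ufw renumbers the remaining rules after each deletion and deleting low numbers first would make the later numbers point at the wrong rules. The numbered listing embedded in the script is a constructed sample that mirrors the one on this page, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page or from ufw itself.
# Audits the text of "ufw status numbered" for ALLOW rules that open every
# port to a source (To column = Anywhere), then emits the matching
# "ufw delete N" commands highest-number-first, because ufw renumbers the
# remaining rules after each deletion.

# Constructed sample of "sudo ufw status numbered", mirroring this page.
SAMPLE_NUMBERED='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 2290                       ALLOW IN    Anywhere
[ 4] 2287                       ALLOW IN    Anywhere
[ 5] 2286:2357/tcp              ALLOW IN    Anywhere
[ 6] 2286:2357/udp              ALLOW IN    Anywhere
[ 7] Anywhere                   ALLOW IN    192.168.5.103
[ 8] Anywhere                   ALLOW IN    192.168.5.0/24
[ 9] 22/tcp                     ALLOW IN    192.168.5.196
[10] 22 (v6)                    ALLOW IN    Anywhere (v6)
[11] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# all_port_allows: reads the numbered listing on stdin and prints the rule
# numbers of ALLOW rules whose To column is "Anywhere" or "Anywhere (v6)",
# i.e. rules created with "ufw allow from <addr>" and no port.
all_port_allows() {
    # "[ 1]" is two whitespace-separated fields but "[10]" is one, so
    # normalise the bracketed number to a plain first field before parsing.
    sed 's/^\[ *\([0-9][0-9]*\)\]/\1/' | awk '
        $1 ~ /^[0-9]+$/ {
            # find the action column; the To field may span two words ("22 (v6)")
            for (j = 3; j <= NF; j++) if ($j ~ /^(ALLOW|DENY|REJECT|LIMIT)$/) break
            to = $2
            for (k = 3; k < j; k++) to = to " " $k
            if ($j == "ALLOW" && to ~ /^Anywhere( \(v6\))?$/) print $1
        }'
}

# delete_commands: reads rule numbers (one per line) and prints the
# deletions to run, highest number first, so that deleting one rule does
# not shift the numbers of the ones still to be deleted.
delete_commands() {
    sort -rn | awk 'NF { print "ufw delete " $1 }'
}

# Demo on the constructed sample (no root or ufw needed):
printf '%s\n' "$SAMPLE_NUMBERED" | all_port_allows                    # prints: 7 and 8
printf '%s\n' "$SAMPLE_NUMBERED" | all_port_allows | delete_commands  # prints: ufw delete 8, ufw delete 7
```

On a real host, run sudo ufw status numbered | all_port_allows | delete_commands, review the list, and then execute each line with sudo (ufw --force delete N skips the confirmation prompt). Replace the removed rules with port-specific ones such as the allow from ... proto tcp to any port 22 form shown earlier.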
To Reset Rules
To reset all the rules, run the following command.
user1@linuxhelp:~$ sudo ufw reset
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Backing up 'after.rules' to '/etc/ufw/after.rules.20160423_105956'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20160423_105956'
Backing up 'user6.rules' to '/lib/ufw/user6.rules.20160423_105956'
Backing up 'user.rules' to '/lib/ufw/user.rules.20160423_105956'
Backing up 'before.rules' to '/etc/ufw/before.rules.20160423_105956'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20160423_105956'
After you answer "y", ufw backs up the existing rule files (as shown above) before restoring the installed defaults. Once reset, the firewall is disabled; enable it again when you want to use it, remembering to add the rules you need (such as SSH) first.