Linux/Uncomplicated Firewall: Difference between revisions
Brodriguez (talk | contribs) (Create page) |
Brodriguez (talk | contribs) m (Brodriguez moved page Linux Uncomplicated Firewall to Linux/Uncomplicated Firewall: Clean url with subpages) |
||
(2 intermediate revisions by the same user not shown) | |||
Line 81: | Line 81: | ||
* '''MySQL''': <code>sudo ufw allow 3306/tcp</code> | * '''MySQL''': <code>sudo ufw allow 3306/tcp</code> | ||
* '''PostgreSQL''': <code>sudo ufw allow 5432/tcp</code> | * '''PostgreSQL''': <code>sudo ufw allow 5432/tcp</code> | ||
== Advanced Rules == | |||
It's possible to only allow/deny from specific ip addresses. Some examples: | |||
* <code>sudo ufw allow from <ip_address> to any port <port></code> | |||
** This will only allow the given ip to the given port. | |||
* <code>sudo ufw allow from <ip_address> to any port <port> proto <protocol></code> | |||
** This will only allow the given protocol from the given ip to the given port. | |||
For example, to allow ssh only on the local network, run: | |||
<code>sudo ufw allow from 192.168.1.0/24 to any port 22</code> |
Latest revision as of 08:53, 15 May 2020
Uncomplicated Firewall, or UFW, is a simple firewall manager for Arch Linux, Debian, and Ubuntu based systems.
Install UFW
For Arch Linux, Debian, and Ubuntu systems, UFW is likely installed by default. If it's not, then install with the following commands:
- Arch Linux:
sudo pacman -S ufw
- Ubuntu/Debian:
sudo apt install ufw
Depending on the system, you may also have to run:
sudo systemctl start ufw
sudo systemctl enable ufw
Setting Firewall Rules
General Command Syntax
Generally speaking, ufw rules will follow one of two formats:
sudo ufw allow <port>
- The allow rule sets the provided port to be open to the outside world, for both incoming and outgoing messages.
sudo ufw deny <port>
- The deny rule sets the provided port to be closed to the outside world, for both incoming and outgoing messages.
In either case, the <port> argument can be define in one of the following ways:
<port_number>
- This allows all connection types at the provided port number.
<port_number>/tcp
- This allows only tcp connections at the provided port number.
<port_number>/udp
- This allows only udp connections at the provided port number.
Removing Rules
If you accidentally add a wrong rule, or simply want to remove an existing rule, use the command:
sudo ufw delete <rule>
, where<rule>
follows the same<allow/deny> <port>
syntax defined above.
Specifying General Rules
UFW also allows specifying general rules. These are the rules applied for any ports not explicitly defined by the above commands.
These general commands are as simple as:
sudo ufw default <allow|deny> <incoming|outgoing>
- Ex:
sudo ufw default allow outgoing
- Ex:
Recommended Rules
Before setting any rules, it's strongly recommended to allow ssh.
If using a default ssh setup, then you can use the command:
sudo ufw allow ssh
orsudo ufw allow 22/tcp
If using a non-standard setup, then allow whatever given port is associated with your ssh connection.
Next, it's recommended to set defaults for both incoming and outgoing. These might be set by default, depending on your system, but it's always a good idea to double check.
For most setups, defaults of "allow all outgoing" and "deny all incoming" are good:
sudo ufw default allow outgoing
sudo ufw default deny incoming
At this point, you'd want to set individual rules for whatever your given setup needs.
For security reasons, it's best to only open those ports that you need, and keep the rest closed.
Enabling UFW and Viewing Status
View general UFW status with:
sudo ufw status
To get more detailed output, use:
sudo ufw status verbose
If status comes back "inactive", enable UFW with:
sudo ufw enable
To disable it again, use:
sudo ufw disable
Common Ports to Allow
Below are commands to allow commonly opened ports.
For security reasons, it's best to only open those ports that you need, and keep the rest closed.
- SSH:
sudo ufw allow 22/tcp
- HTTP:
sudo ufw allow 80/tcp
- HTTPS:
sudo ufw allow 443/tcp
- RDP:
sudo ufw allow 3389/tcp
- MySQL:
sudo ufw allow 3306/tcp
- PostgreSQL:
sudo ufw allow 5432/tcp
Advanced Rules
It's possible to only allow/deny from specific ip addresses. Some examples:
sudo ufw allow from <ip_address> to any port <port>
- This will only allow the given ip to the given port.
sudo ufw allow from <ip_address> to any port <port> proto <protocol>
- This will only allow the given protocol from the given ip to the given port.
For example, to allow ssh only on the local network, run:
sudo ufw allow from 192.168.1.0/24 to any port 22