Linux/Uncomplicated Firewall: Difference between revisions

From Dev Wiki
Revision as of 05:01, 6 November 2019

Uncomplicated Firewall, or UFW, is a simple firewall manager for Arch Linux, Debian, and Ubuntu based systems.

Install UFW

For Arch Linux, Debian, and Ubuntu systems, UFW is likely installed by default. If it's not, then install with the following commands:

  • Arch Linux: sudo pacman -S ufw
  • Ubuntu/Debian: sudo apt install ufw

Depending on the system, you may also have to run:

  • sudo systemctl start ufw
  • sudo systemctl enable ufw


Setting Firewall Rules

General Command Syntax

Generally speaking, ufw rules will follow one of two formats:

  • sudo ufw allow <port>
    • The allow rule sets the provided port to be open to the outside world, for both incoming and outgoing messages.


  • sudo ufw deny <port>
    • The deny rule sets the provided port to be closed to the outside world, for both incoming and outgoing messages.


In either case, the <port> argument can be defined in one of the following ways:

  • <port_number>
    • This allows all connection types at the provided port number.
  • <port_number>/tcp
    • This allows only tcp connections at the provided port number.
  • <port_number>/udp
    • This allows only udp connections at the provided port number.


Removing Rules

If you accidentally add a wrong rule, or simply want to remove an existing rule, use the command:

  • sudo ufw delete <rule>, where <rule> follows the same <allow/deny> <port> syntax defined above.


Specifying General Rules

UFW also allows specifying general rules. These are the rules applied for any ports not explicitly defined by the above commands.
These general commands are as simple as:

  • sudo ufw default <allow|deny> <incoming|outgoing>
    • Ex: sudo ufw default allow outgoing


Recommended Rules

Before setting any rules, it's strongly recommended to allow ssh.
If using a default ssh setup, then you can use the command:

  • sudo ufw allow ssh or sudo ufw allow 22/tcp

If using a non-standard setup, then allow whatever given port is associated with your ssh connection.

Next, it's recommended to set defaults for both incoming and outgoing. These might be set by default, depending on your system, but it's always a good idea to double check.
For most setups, defaults of "allow all outgoing" and "deny all incoming" are good:

  • sudo ufw default allow outgoing
  • sudo ufw default deny incoming


At this point, you'd want to set individual rules for whatever your given setup needs.
For security reasons, it's best to only open those ports that you need, and keep the rest closed.


Enabling UFW and Viewing Status

View general UFW status with:

  • sudo ufw status


To get more detailed output, use:

  • sudo ufw status verbose


If status comes back "inactive", enable UFW with:

  • sudo ufw enable
Warning: If connecting remotely, do not enable UFW until you have allowed the ssh port!

To disable it again, use:

  • sudo ufw disable


Common Ports to Allow

Below are commands to allow commonly opened ports.
For security reasons, it's best to only open those ports that you need, and keep the rest closed.

  • SSH: sudo ufw allow 22/tcp
  • HTTP: sudo ufw allow 80/tcp
  • HTTPS: sudo ufw allow 443/tcp
  • RDP: sudo ufw allow 3389/tcp
  • MySQL: sudo ufw allow 3306/tcp
  • PostgreSQL: sudo ufw allow 5432/tcp


Advanced Rules

It's possible to allow/deny only from specific IP addresses. Some examples:

  • sudo ufw allow from <ip_address> to any port <port>
    • This will only allow the given IP address to reach the given port.
  • sudo ufw allow from <ip_address> to any port <port> proto <protocol>
    • This will only allow the given protocol from the given IP address to the given port.

For example, to allow ssh only on the local network, run: sudo ufw allow from 192.168.1.0/24 to any port 22
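As an added example, not part of this wiki page, the bash script below strings together the Recommended Rules, the warning under Enabling UFW, and the local-network rule above: it builds the rule list in a remote-safe order and refuses to enable UFW unless that list contains an allow rule for the ssh port. The helper names ufw_plan, plan_has_ssh, ufw_apply and the UFW_BIN variable are assumptions of this script.

```shell
#!/usr/bin/env bash
# Hypothetical helper: apply a UFW baseline in the order this page recommends
# (allow ssh first, set defaults, add service rules, only then enable).
# UFW_BIN defaults to "sudo ufw"; set UFW_BIN="echo ufw" to preview commands.
set -eu
UFW_BIN="${UFW_BIN:-sudo ufw}"
# Print the rule list, one "ufw" argument string per line.
# $1 = ssh port, $2 = source CIDR for ssh ("" = any host),
# remaining args = extra allow specs such as 80/tcp 443/tcp.
ufw_plan() {
  local ssh_port="$1" ssh_from="$2"
  shift 2
  if [ -n "$ssh_from" ]; then
    echo "allow from $ssh_from to any port $ssh_port proto tcp"
  else
    echo "allow $ssh_port/tcp"
  fi
  echo "default allow outgoing"
  echo "default deny incoming"
  local spec
  for spec in "$@"; do echo "allow $spec"; done
}
# True if the plan on stdin contains an allow rule for ssh port $1,
# either "allow 22/tcp" or "allow from <cidr> to any port 22 ...".
plan_has_ssh() {
  grep -Eq "^allow (from .* to any port )?$1(/tcp)?( proto tcp)?$"
}
# Read a plan from stdin; refuse to proceed if ssh is not allowed (the
# warning in "Enabling UFW"), otherwise apply every rule and enable.
# "--force" is ufw's flag for skipping the interactive confirmation prompt.
ufw_apply() {
  local ssh_port="$1" plan line
  plan="$(cat)"
  if ! printf '%s\n' "$plan" | plan_has_ssh "$ssh_port"; then
    echo "refusing to enable ufw: no allow rule for ssh port $ssh_port" >&2
    return 1
  fi
  printf '%s\n' "$plan" | while IFS= read -r line; do
    # shellcheck disable=SC2086  # word splitting of $line is intended
    $UFW_BIN $line
  done
  $UFW_BIN --force enable
  $UFW_BIN status verbose
}
# Example: ssh only from the local network (constructed CIDR), plus HTTP/HTTPS.
if [ "${1:-}" = "apply" ]; then
  ufw_plan 22 192.168.1.0/24 80/tcp 443/tcp | ufw_apply 22
fi
```

Run it as `UFW_BIN="echo ufw" bash ufw-baseline.sh apply` to see the exact command sequence before letting it touch a live host.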