How to Configure a Firewall with UFW on Ubuntu Server.

One of the first lines of defense in securing your server is probably a good, functioning firewall, don't you think? 😎

What is UFW?

UFW, or Uncomplicated Firewall, is a front-end to iptables written in Python. Its main goal is to make managing your firewall drop-dead simple and to provide an easy-to-use interface. And, yes, UFW is surprisingly uncomplicated – in fact, a boon for newer admins who might otherwise have to invest a lot of energy to get up to speed on firewall management. As such, it’s a great way to get started securing your server. It supports both IPv4 and IPv6.


Before we get started.

UFW should be installed by default on Ubuntu, but if for some reason it’s not, you can install the package with apt-get using the following command:
sudo apt-get install ufw -y

Set default policy.

By default, UFW's policy is set up to block all incoming traffic and allow all outgoing traffic. This means anyone trying to reach your server would not be able to connect, while any application on the server would be able to reach the outside world. To set these defaults explicitly, run the following commands:
sudo ufw default allow outgoing
and
sudo ufw default deny incoming

Add firewall rules.

You can add rules for allowing incoming and outgoing traffic in two ways: using the port number or using the service name. For example, if you want to allow both incoming and outgoing connections on port 80, run the following Linux command using the port number:
sudo ufw allow 80
Or, run the following command using the service name, here http:
sudo ufw allow http

To further fine-tune your rules, you can also allow packets based on TCP or UDP. The following allows TCP packets on port 80 and allows UDP packets on port 1725:

sudo ufw allow 80/tcp
sudo ufw allow 1725/udp

It is also advisable to check the status of the added rules using the following Linux command:
sudo ufw status verbose

You should see the following output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To Action From
-- ------ ----
80/tcp ALLOW IN Anywhere
1725/udp ALLOW IN Anywhere
80/tcp (v6) ALLOW IN Anywhere (v6)
1725/udp (v6) ALLOW IN Anywhere (v6)

Delete firewall rules.

There are two options to delete rules. The most straightforward one is to use the following syntax:

sudo ufw delete allow ssh
sudo ufw delete allow 80/tcp

or, for a port range (see Advanced UFW rules below):

sudo ufw delete allow 1050:2500/tcp

The second, simpler alternative is to type:

sudo ufw status numbered

which will have UFW list all the current rules in a numbered list. Then, we issue the command:

sudo ufw delete [number]
where “[number]” is the line number you wish to delete. Note that UFW renumbers the remaining rules after each deletion, so run sudo ufw status numbered again before deleting another rule by number.
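As an added example that is not part of the original article, the following POSIX shell helper parses `ufw status numbered` output and returns the numbers of all rules matching a given "To" entry, highest first, so that deleting them one by one never hits a renumbered rule. The sample output is constructed; `ufw_delete_matching` is assumed to run as root and only touches the firewall if you call it yourself.

```shell
# Constructed sample of `sudo ufw status numbered` output (not captured from a real host)
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80/tcp                     ALLOW IN    Anywhere
[ 2] 1725/udp                   ALLOW IN    Anywhere
[ 3] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] 1725/udp (v6)              ALLOW IN    Anywhere (v6)'

# ufw_rule_numbers TARGET: read `ufw status numbered` output on stdin and print
# the numbers of every rule whose "To" column is exactly TARGET (the IPv4 and
# IPv6 entries both match), highest number first, space separated on one line.
ufw_rule_numbers() {
  awk -v target="$1" '
    /^\[ *[0-9]+\]/ {
      num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
      rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
      split(rest, f, " ")
      if (f[1] == target) print num
    }' | sort -rn | tr '\n' ' ' | sed 's/ $//'
}

# ufw_delete_matching TARGET: delete every rule matching TARGET by number, highest
# first, so a deletion never renumbers a rule that is still to be deleted.
# --force skips ufw's "Proceed with operation" prompt; must run as root.
ufw_delete_matching() {
  for n in $(ufw status numbered | ufw_rule_numbers "$1"); do
    ufw --force delete "$n"
  done
}

# Dry run on the constructed sample: prints "4 2"
printf '%s\n' "$SAMPLE_STATUS" | ufw_rule_numbers 1725/udp
echo
```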

Enable the firewall.

Once you are satisfied with your UFW settings, turn the firewall on using this command (remember: a default reject or deny policy can lock you out of your server unless explicit allow rules are in place, so make sure you have an allow rule for SSH before enabling UFW):

sudo ufw enable

Similarly, to disable UFW’s rules:
sudo ufw disable
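The lock-out check the article asks for, automated as an added example (not code from the original article): a shell helper reads `ufw show added`, which lists the staged rules even while UFW is inactive, and `ufw_safe_enable` refuses to enable the firewall unless an allow rule for SSH is among them. The two sample outputs are constructed, and `ufw_safe_enable` is assumed to run as root.

```shell
# Constructed sample of `sudo ufw show added` output; this command lists staged
# rules even while the firewall is still inactive, so it can be checked first.
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow from 192.168.1.250 to any port 22 proto tcp
ufw deny from 192.168.1.4 to any port 22"

# Same format, but the only port-22 rule is a deny: must NOT pass the check
SAMPLE_NO_SSH="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw deny from 192.168.1.4 to any port 22"

# ufw_ssh_allowed: read `ufw show added` output on stdin and exit 0 only if some
# *allow* rule names SSH explicitly (22, 22/tcp, ssh, the OpenSSH app profile,
# or "port 22"). Deny rules never count. Blanket rules such as
# "ufw allow from 192.168.1.250" are deliberately not recognized (conservative).
ufw_ssh_allowed() {
  awk '
    $1 == "ufw" && $2 == "allow" {
      for (i = 3; i <= NF; i++) {
        if ($i == "22" || $i == "22/tcp" || $i == "ssh" || $i == "OpenSSH") found = 1
        if ($i == "port" && ($(i + 1) == "22" || $(i + 1) == "ssh")) found = 1
      }
    }
    END { if (found) exit 0; exit 1 }'
}

# ufw_safe_enable: refuse to enable the firewall unless an SSH allow rule is
# already staged. Must run as root; --force skips the confirmation prompt.
ufw_safe_enable() {
  if ufw show added | ufw_ssh_allowed; then
    ufw --force enable
  else
    echo "refusing to enable ufw: no allow rule for SSH (port 22) is staged" >&2
    return 1
  fi
}

# check_sample TEXT: run the parser over a constructed sample (touches nothing live)
check_sample() {
  printf '%s\n' "$1" | ufw_ssh_allowed
}
```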

Reset everything.

If, for whatever reason, you need to reset your server’s rules to their default settings, you can do this by typing this command:

sudo ufw reset

Advanced UFW rules.

Port Ranges

You can also specify port ranges with UFW. To allow ports 1050 through 2500, use the command:

sudo ufw allow 1050:2500/tcp
If you want UDP:
sudo ufw allow 1050:2500/udp

Add a specific IP address.

You can also allow or deny a specific IP address access to all services. Run the following command to allow the IP 192.168.1.250 to access all services on the server:

sudo ufw allow from 192.168.1.250

To deny the IP 192.168.1.250 access to all services on the server:

sudo ufw deny from 192.168.1.250

You can also allow a range of IP addresses in UFW. Run the following command to allow all connections from 192.168.1.1 through 192.168.1.254:

sudo ufw allow from 192.168.1.0/24

To allow IP address 192.168.1.250 access to SSH port 22 using TCP, run the following:

sudo ufw allow from 192.168.1.250 to any port 22 proto tcp

For example, if you want to block access to port 22 from the IPs 192.168.1.4 and 192.168.1.120 but allow the other hosts on that network to access port 22, run the following commands. UFW evaluates rules in the order they were added and stops at the first match, so the two deny rules must be added before the broader allow rule:

sudo ufw deny from 192.168.1.4 to any port 22
sudo ufw deny from 192.168.1.120 to any port 22
sudo ufw allow from 192.168.1.0/24 to any port 22

To allow HTTP traffic on the network interface eth0, run the following:

sudo ufw allow in on eth0 to any port 80



TIP.


By default, UFW allows ping requests. If you want to deny ping requests, you will need to edit the /etc/ufw/before.rules file:

sudo nano /etc/ufw/before.rules

and comment out the following lines, as shown (the file ships with them uncommented):

# ok icmp codes for INPUT

#-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
#-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
#-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
#-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

or replace ACCEPT with DROP. Changing the echo-request line alone is enough to stop ping; the other three ICMP types carry error reports and path MTU discovery, so consider leaving them as ACCEPT:

# ok icmp codes for INPUT

-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

Save the file and reload the firewall:

sudo ufw reload

then try to ping your server:

ping -c 3 192.168.x.xxx


You should see 100% packet loss!
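The before.rules edit above, scripted as an added example (not from the original article) so that only the INPUT echo-request rule is switched to DROP and a backup is kept. The sample file is a constructed excerpt of /etc/ufw/before.rules written to a scratch path; the live-file call at the end is assumed to run as root and must be followed by sudo ufw reload.

```shell
# make_sample_rules FILE: write a constructed excerpt of /etc/ufw/before.rules
# (the real file is longer) so the edit can be rehearsed on a scratch copy.
make_sample_rules() {
  cat > "$1" <<'EOF'
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

# drop_icmp_echo FILE: flip only the INPUT echo-request rule from ACCEPT to DROP.
# destination-unreachable, time-exceeded and parameter-problem stay ACCEPT (they
# carry error reports and path MTU discovery), and the FORWARD rule is untouched.
# A FILE.bak copy is kept so the change can be reverted.
drop_icmp_echo() {
  cp "$1" "$1.bak" &&
  sed 's/^\(-A ufw-before-input -p icmp --icmp-type echo-request -j \)ACCEPT$/\1DROP/' \
    "$1.bak" > "$1"
}

# count_echo_drop FILE: INPUT echo-request lines now set to DROP (expect exactly 1)
count_echo_drop() {
  grep -c '^-A ufw-before-input -p icmp --icmp-type echo-request -j DROP$' "$1"
}

# count_accept FILE: lines still ending in ACCEPT (expect 4 in the sample)
count_accept() {
  grep -c -- '-j ACCEPT$' "$1"
}

# Live use (as root), then apply the change with:  sudo ufw reload
#   drop_icmp_echo /etc/ufw/before.rules
```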