How to install UFW and use it to set up a basic firewall

Objective

UFW basics including UFW installation and setting up a basic firewall.

Distributions

Debian and Ubuntu

Requirements

A working Debian or Ubuntu install with root privileges

Conventions

  • # – requires the given Linux command to be executed with root privileges, either directly as the root user or by use of the sudo command
  • $ – the given Linux command is to be executed as a regular, non-privileged user

Introduction

Setting up a firewall can be a huge pain. Iptables isn’t exactly known for its friendly syntax, and management isn’t much better. Fortunately, UFW makes the process a lot more bearable with simplified syntax and easy management tools.

UFW lets you write your firewall rules more like plain sentences or traditional commands. It lets you manage your firewall like any other service. It even saves you from remembering common port numbers.

Install UFW

Start off by installing UFW. It’s available in both Debian and Ubuntu’s repositories.

$ sudo apt install ufw

Set Your Defaults

Like with iptables, it’s best to start out by setting your default behavior. On desktops, you probably want to deny incoming traffic and allow connections that originate from your own computer.

$ sudo ufw default deny incoming

The syntax for allowing traffic is similar.

$ sudo ufw default allow outgoing


Basic Use

Now you’re ready to start adding rules and managing your firewall. These commands should all feel easy to read.

Starting and Stopping

You can use systemd to control UFW, but it has its own controls that are easier. Start by enabling and starting up UFW.

$ sudo ufw enable

Now stop it. This also disables UFW at startup.

$ sudo ufw disable

To check whether UFW is running and which rules are active, ask for its status.

$ sudo ufw status

Commands

Start off with a basic command. Allow inbound HTTP traffic. This is necessary if you want to view a website or download anything from the Internet.

$ sudo ufw allow http

Try it again with SSH. Again, this is super common.

$ sudo ufw allow ssh

You can do the exact same thing using port numbers, if you know them. This command allows inbound HTTPS traffic.

$ sudo ufw allow 443

You can also allow traffic from a specific IP address or range of addresses. Say you want to allow everything coming from your local 192.168.1.0/24 network; you’d use a command like the one below.

$ sudo ufw allow 192.168.1.0/24

If you need to allow an entire range of ports, like for using Deluge, you can do that too. When you do, though, you’ll need to specify either TCP or UDP.

$ sudo ufw allow 56881:56889/tcp

Of course, this does go both ways. Use deny instead of allow for the opposite effect.

$ sudo ufw deny 192.168.1.110

You should also know that all the commands up until now only control inbound traffic. To specifically target outbound connections, include out after allow or deny.

$ sudo ufw allow out ssh


Setting Up A Desktop

Screenshot: UFW Status Desktop

If you’re interested in setting up a basic firewall on your desktop, this is a good place to start. This is just an example, so it is certainly not universal, but it should give you something to work off.

Begin by setting the defaults.

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

Next, allow HTTP and HTTPS traffic.

$ sudo ufw allow http
$ sudo ufw allow https

You’re probably going to want SSH too, so allow that.

$ sudo ufw allow ssh

Most desktops rely on NTP for the system time. Allow that too.

$ sudo ufw allow ntp

Unless you’re using a static IP, allow DHCP. It uses ports 67 and 68 over UDP, not TCP.

$ sudo ufw allow 67:68/udp

You’re definitely going to need DNS traffic to go through too. Otherwise, you won’t be able to reach anything by its hostname. The port for DNS is 53.

$ sudo ufw allow 53

If you plan on using a torrent client, like Deluge, enable that traffic.

$ sudo ufw allow 56881:56889/tcp

Steam is a pain. It uses a load of ports. These are the ones you need to allow.

$ sudo ufw allow 27000:27036/udp
$ sudo ufw allow 27036:27037/tcp
$ sudo ufw allow 4380/udp


Setting Up A Web Server

Web servers are another very common use case for a firewall. You need something to shut down all the garbage traffic and malicious actors before they become a real problem. At the same time, you need to ensure that all of your legitimate traffic goes through uninhibited.

For a server, you might want to tighten things up more by denying everything by default. Disable the firewall before doing this, or it will cut off your SSH connections.

$ sudo ufw default deny incoming
$ sudo ufw default deny outgoing
$ sudo ufw default deny forward

Enable both inbound and outbound web traffic.

$ sudo ufw allow http
$ sudo ufw allow out http
$ sudo ufw allow https
$ sudo ufw allow out https

Allow SSH. You definitely will need it.

$ sudo ufw allow ssh
$ sudo ufw allow out ssh

Your server probably uses NTP to keep the system clock. You should allow it as well.

$ sudo ufw allow ntp
$ sudo ufw allow out ntp

You’re going to need DNS for updates to your server too.

$ sudo ufw allow 53
$ sudo ufw allow out 53
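As an added example that is not part of the original article, the script below applies the web-server profile from this section (the same allow-SSH-first ordering works for the desktop profile above) in a sequence that cannot lock you out of a remote session, instead of disabling the firewall first. It assumes SSH listens on port 22, which is what ufw’s ssh service name resolves to.

```shell
#!/bin/sh
# Added example, not from the original article: apply the web-server profile
# from this article in an order that cannot lock a remote admin out.
# Assumption: SSH listens on port 22, which is what ufw's "ssh" name resolves to.

# The plan, one ufw command per line. The inbound SSH allow comes first and
# "enable" comes last, so an active SSH session survives the deny-by-default
# policies. --force skips ufw's interactive "may disrupt ssh" prompt.
server_plan() {
    cat <<'EOF'
ufw allow ssh
ufw default deny incoming
ufw default deny outgoing
ufw default deny forward
ufw allow out ssh
ufw allow http
ufw allow out http
ufw allow https
ufw allow out https
ufw allow ntp
ufw allow out ntp
ufw allow 53
ufw allow out 53
ufw --force enable
EOF
}

# Check the ordering invariant before touching the firewall: the SSH allow must
# precede every "default deny" line, and enable must be the final command.
plan_is_lockout_safe() {
    plan=$(server_plan)
    ssh_line=$(printf '%s\n' "$plan" | grep -n '^ufw allow ssh$' | cut -d: -f1)
    first_deny=$(printf '%s\n' "$plan" | grep -n '^ufw default deny' | head -n 1 | cut -d: -f1)
    last=$(printf '%s\n' "$plan" | tail -n 1)
    [ -n "$ssh_line" ] && [ "$ssh_line" -lt "$first_deny" ] && [ "$last" = "ufw --force enable" ]
}

# Apply the plan only when running as root with ufw installed; otherwise print it.
apply_plan() {
    plan_is_lockout_safe || { echo "refusing to apply an unsafe plan" >&2; return 1; }
    if [ "$(id -u)" -ne 0 ] || ! command -v ufw >/dev/null 2>&1; then
        echo "dry run (needs root and ufw):"; server_plan; return 0
    fi
    server_plan | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done || return 1
    ufw status verbose
}
```

Run it as root on the server (`apply_plan`); anywhere else it only prints the plan, so you can review the rule order before it touches anything.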

Closing Thoughts

By now, you should have a firm grasp of how to use UFW for basic tasks. It doesn’t take a lot to set up your firewall with UFW, and it can really help to secure your system. UFW, despite being simple, is absolutely ready for prime time in production too. It’s just a layer on top of iptables, so you get the same quality security.


