UFW is very simple to use and configure. It’s available right in the Debian repositories, and it integrates well into a Debian system. The simplified controls and ability to easily start and stop your firewall make it an excellent option for desktops and small servers.
In this tutorial you will learn:
- How to Install UFW
- How to Set the Defaults on UFW
- How to Allow Ports
- How to Allow Interfaces
- How to Allow Protocol
- How to Allow IP Addresses
- How to Enable UFW
Software Requirements and Conventions Used
Category | Requirements, Conventions or Software Version Used |
---|---|
System | Debian 10 Buster |
Software | UFW |
Other | Privileged access to your Linux system as root or via the sudo command. |
Conventions | # – requires given Linux commands to be executed with root privileges either directly as a root user or by use of sudo command; $ – requires given Linux commands to be executed as a regular non-privileged user |
How to Install UFW
UFW is available right in the Debian repositories. Go ahead and install it. Unlike other Debian services, UFW won’t start immediately, so you won’t need to worry about getting locked out.
$ sudo apt install ufw
How to Set the Defaults on UFW
The first step in setting up any firewall is setting your default behaviors. It’s generally a good idea to drop incoming requests by default and allow outgoing traffic. If you’d prefer to block everything, you can, but be cautious of that when getting set up.
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
How to Allow Ports
Now, you can start allowing certain incoming traffic. The most obvious and simplest way to do that is using ports. Start by allowing the most important port to enable access, port 22 for SSH.
$ sudo ufw allow 22
You can allow other common ports too. For example, on a web server, you’d want to allow HTTP and HTTPS traffic.
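$ sudo ufw allow 80
$ sudo ufw allow 443
If you have something non-standard, you can always punch that in too. In fact, you can allow a range of ports with a colon (:). UFW requires a protocol when a rule covers a range of ports, so append /tcp or /udp.
$ sudo ufw allow 27015:27030/tcp
$ sudo ufw allow 27015:27030/udp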
UFW also has the option of using the name of common ports instead of a number. For example, if you wanted to allow FTP:
$ sudo ufw allow ftp
As you may have guessed, any of these will work in reverse by using deny in place of allow.
$ sudo ufw deny 25
How to Allow Interfaces
If you want to allow traffic only on a certain interface but not another, you can specify that too.
$ sudo ufw allow in on eth0 to any port 22
Again, you can reverse it to deny traffic on a certain interface.
$ sudo ufw deny in on eth0 to any port 22
How to Allow Protocol
If you’d only like to allow a certain protocol (TCP or UDP) over a port, you can do that as well. This is great for services like Samba which operate with specific protocols.
$ sudo ufw allow 137/udp
How to Allow IP Addresses
You can also specify certain IP addresses to allow traffic from. If you wanted to limit SSH traffic to a certain IP address for security, this would be a way to accomplish that.
$ sudo ufw allow from ##.##.###.### to any port 22
The same thing works with ranges of IP addresses too.
$ sudo ufw allow from 192.168.1.0/24 to any port 445
How to Enable UFW
Once you have your desired ports allowed, you can start up UFW and enable it at boot.
$ sudo ufw enable
To check the status of your firewall and the rules in use, run:
$ sudo ufw status
If, for some reason, you’d like to disable UFW, you can do that just as easily.
$ sudo ufw disable
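When UFW is being enabled over an SSH session, it is worth confirming first that the rules added so far actually admit SSH. The following is an added example, not part of the original tutorial: it assumes rule lines in the form used on this page, one per line, as `ufw show added` lists them, and the function name `ssh_allowed` is hypothetical.

```shell
#!/bin/sh
# Added example: preflight check to run before `ufw enable`.
# Assumption: rules arrive on stdin one per line, written like the commands
# on this page (e.g. "ufw allow 22/tcp"), as `ufw show added` lists them.

# ssh_allowed PORT: exit 0 if some allow/limit rule admits TCP traffic
# to PORT, exit 1 otherwise. Rule order is not modelled.
ssh_allowed() {
    awk -v port="$1" '
        # Only allow/limit rules admit traffic; deny/reject and udp-only are skipped.
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") && $0 !~ / proto udp/ {
            # Long form: "ufw allow from 192.168.1.0/24 to any port 22"
            for (i = 3; i < NF; i++)
                if ($i == "port" && covers($(i + 1))) found = 1
            # Short form: "ufw allow 22", "22/tcp", "20:30/tcp", "ssh"
            if (NF == 3 && covers($3)) found = 1
        }
        # covers(spec): does this port spec include the target TCP port?
        function covers(spec,   parts, range, n) {
            n = split(spec, parts, "/")
            if (n == 2 && parts[2] != "tcp") return 0
            if (port == 22 && (parts[1] == "ssh" || parts[1] == "OpenSSH")) return 1
            if (split(parts[1], range, ":") == 2)
                return (port + 0 >= range[1] + 0 && port + 0 <= range[2] + 0)
            return (parts[1] == port)
        }
        END { exit !found }
    '
}

# Constructed sample rule list (not taken from a real host): no SSH rule.
SAMPLE='ufw allow 80
ufw allow 443
ufw deny 25'
if printf '%s\n' "$SAMPLE" | ssh_allowed 22; then
    echo "SSH rule present: safe to run ufw enable"
else
    echo "No rule admits TCP port 22: add one before ufw enable"
fi
```

On a real host the check can gate the enable step: `sudo ufw show added | ssh_allowed 22 && sudo ufw enable`.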
Conclusion
You’re now ready to get started with UFW. Remember that these are just the building blocks, so you can put together anything you like. UFW is simple, but it’s definitely possible to combine these commands together into something altogether more complex.