Chapter 8. Process Management

UFW (Uncomplicated Firewall)


The Linux kernel provides a packet filtering framework called netfilter. Netfilter is usually configured with the iptables command. iptables gives you full control over netfilter, but its syntax is not easy to use. UFW (Uncomplicated Firewall) is a front end that generates the iptables rules for you and offers a much simpler interface for people who are not familiar with firewall concepts.

Overview of UFW

This section covers six groups of ufw commands.

  1. Check UFW Status
  2. Enable and Disable UFW
  3. Default Policy Setting
  4. Allow or Deny Ports
  5. Allow or Deny IP Addresses
  6. Delete Policies

Every ufw command needs root privileges. For the rest of this section, switch to root once instead of prefixing each command with sudo.

Command Line - INPUT
sudo su -

1. Check UFW Status

On a fresh installation UFW is installed but inactive, even if systemd reports the ufw.service unit as loaded. Check the current state with the ufw status command.

Command Line - INPUT
ufw status
Command Line - RESPONSE
Status: inactive

2. Enable and Disable UFW

To enable UFW, use the ufw enable command. If you are logged in over SSH, ufw warns that the command may disrupt existing SSH connections and asks for confirmation before proceeding.

Command Line - INPUT
ufw enable
Command Line - RESPONSE
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

IMPORTANT

VPS and cloud servers are usually managed over SSH, so handle this step carefully. Your current SSH session normally survives, because UFW's rule set permits traffic belonging to connections that are already established, but every new inbound connection is now subject to the default incoming policy, which is deny. If you close the session, or it drops, before an allow rule for SSH exists, you are locked out and can only recover through the provider's console.

To avoid this, add an allow rule for the SSH port (22, unless sshd has been configured to listen elsewhere) before running ufw enable, or immediately afterwards in the same session. Rules added while UFW is inactive are stored and take effect when the firewall comes up.

Once UFW is enabled, check its status again, this time with the ufw status verbose command. It prints more detail, including the default policies, which the next section explains.

Command Line - INPUT
ufw status verbose
Command Line - RESPONSE
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

If you want to disable UFW, run the ufw disable command as shown below.

Command Line - INPUT
ufw disable
Command Line - RESPONSE
Firewall stopped and disabled on system startup

3. Default Policy Setting

The default policy applies to every packet that no explicit rule matches. Initially the incoming policy is deny, so inbound connections are refused regardless of port, and the outgoing policy is allow, so outbound connections are permitted regardless of port. The third policy shown in the verbose status, routed, applies to traffic forwarded between interfaces and is disabled unless the host acts as a router.

The defaults are changed with the ufw default command. Without a direction argument it changes the incoming policy; you can also name the direction explicitly, for example ufw default deny incoming or ufw default allow outgoing. To switch the incoming default to allow, run the command below.

Command Line - INPUT
ufw default allow
Command Line - RESPONSE
Default incoming policy changed to 'allow'
(be sure to update your rules accordingly)

If you want to switch back to ‘deny’, run the command below.

Command Line - INPUT
ufw default deny
Command Line - RESPONSE
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)

4. Allow or Deny Ports

With the default set to deny, you open individual ports by adding explicit allow rules (a whitelist) with the ufw allow command. For example, to allow port 22 for SSH, run the command below. Note that a bare port number opens it for both TCP and UDP; SSH only uses TCP, so 22/tcp is the tighter rule.

Command Line - INPUT
ufw allow 22
Command Line - RESPONSE
Rules updated
Rules updated (v6)

You can also give a service name from /etc/services instead of a number; ssh resolves to 22/tcp.

Command Line - INPUT
ufw allow ssh

IdeaNote: Blacklist vs. Whitelist

You can set the default policy to allow and then deny specific ports (a blacklist), but the whitelist approach, default deny plus explicit allow rules, is the common and safer choice: anything you forget to list stays closed rather than open.

[Illustration: UFW (Uncomplicated Firewall) whitelist approach]
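Putting steps 2 to 4 together, here is a small shell script, added here as an example and not part of the original page, that brings UFW up on a remote host in the safe order: default policies first, then the SSH rule, then ufw enable. The UFW variable, the valid_port and harden_ufw function names, the --apply flag and the harden-ufw.sh filename are this example's own conventions; ufw default, ufw limit, ufw allow and ufw --force enable are real ufw subcommands. limit is used for SSH instead of allow because it additionally rate-limits repeated connection attempts from one source.

```shell
#!/bin/sh
# Added example (not from the original page): enable UFW on a remote host
# without locking yourself out. The order is the point: default policies and
# the SSH rule are written BEFORE `ufw enable`, and --force answers the
# "may disrupt existing ssh connections" prompt non-interactively.
set -eu

UFW="${UFW:-ufw}"    # set UFW=echo to dry-run and only print the commands

# Accept only an integer in 1..65535; sshd is not necessarily on port 22.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# harden_ufw SSH_PORT [RULE...]
# RULE is anything `ufw allow` accepts, e.g. 80/tcp or
# "from 10.0.0.0/8 to any port 443" (the latter is word-split on purpose).
harden_ufw() {
  ssh_port="$1"; shift
  valid_port "$ssh_port" || { echo "harden_ufw: bad SSH port '$ssh_port'" >&2; return 2; }

  # Fail closed for new inbound connections, leave outbound open.
  "$UFW" default deny incoming
  "$UFW" default allow outgoing
  # SSH first, TCP only (SSH does not use UDP). `limit` allows the port and
  # also throttles repeated connection attempts from one source address.
  "$UFW" limit "${ssh_port}/tcp"
  for rule in "$@"; do
    "$UFW" allow $rule
  done
  # Only now is it safe to turn the firewall on.
  "$UFW" --force enable
  "$UFW" status verbose
}

# Runs only when invoked directly with --apply, e.g.
#   sh harden-ufw.sh --apply 22 80/tcp 443/tcp
if [ "${1:-}" = "--apply" ]; then
  shift
  harden_ufw "$@"
fi
```

Run it with UFW=echo first to see the exact command sequence, then again without the override on the host. If sshd listens on a non-standard port, pass that port instead of 22; the script refuses anything that is not a valid port number rather than silently opening the wrong one.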

5. Allow or Deny IP Addresses

You can also restrict a rule to a source address or network. For example, to allow HTTP only from the network 111.65.0.0/16, run the following command. The "to any" part means any address on this host; replace any with one of the host's own IP addresses to limit the rule to that interface address.

Command Line - INPUT
ufw allow from 111.65.0.0/16 to any port 80

6. Delete Policies

Rules are deleted with the ufw delete command, which takes the number of the rule you want to delete. Get the numbers from the ufw status numbered command; the numbered listing is only shown while UFW is active. If you have few rules you can also count from the top, but be aware that deleting a rule renumbers every rule below it, so run ufw status numbered again before each deletion.
UFW was disabled at the end of section 2, so enable it first and then list the rule numbers.

Command Line - INPUT
ufw enable
ufw status numbered
Command Line - RESPONSE
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere                  
[ 2] 80                         ALLOW IN    111.65.0.0/16             
[ 3] 22 (v6)                    ALLOW IN    Anywhere (v6) 

To delete the second rule, run the command below. ufw shows the rule it is about to delete and asks for confirmation; enter y to proceed. Alternatively, repeat the original rule after ufw delete (for example ufw delete allow from 111.65.0.0/16 to any port 80) to remove it by specification without looking up its number.

Command Line - INPUT
ufw delete 2
Command Line - INTERACTIVE
Deleting:
 allow from 111.65.0.0/16 to any port 80
Proceed with operation (y|n)? y
Rule deleted

Check the status to confirm that the policy has been deleted.

Command Line - INPUT
ufw status
Command Line - RESPONSE
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
22 (v6)                    ALLOW       Anywhere (v6)   
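Because rule numbers shift after every deletion, removing several rules by number is error-prone. The following shell functions, added as an example and not part of the original page, parse the output of ufw status numbered, select every rule whose From column equals a given source, and delete them highest number first so the remaining numbers stay valid. The sample_status function holds a constructed listing in the layout shown in this chapter, not output captured from a real host; the UFW variable and the function names are this example's own, while ufw status numbered and ufw --force delete are real ufw commands.

```shell
#!/bin/sh
# Added example (not from the original page): delete all UFW rules from one
# source, highest rule number first, so earlier numbers do not shift mid-way.
set -eu

UFW="${UFW:-ufw}"

# Constructed sample of `ufw status numbered` output (not captured from a
# real host), in the layout shown in this chapter.
sample_status() {
  cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    111.65.0.0/16
[ 3] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 4] 443                        ALLOW IN    111.65.0.0/16
EOF
}

# rules_from_source SRC < status-output
# Prints the numbers of rules whose From column is exactly SRC
# (e.g. 111.65.0.0/16 or "Anywhere (v6)"), highest number first.
rules_from_source() {
  awk -v src="$1" '
    /^\[ *[0-9]+\]/ {
      match($0, /^\[ *[0-9]+\]/)
      n = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", n)
      # The From column is everything after the action/direction pair.
      if (!match($0, /(ALLOW|DENY|REJECT|LIMIT) (IN|OUT|FWD) */)) next
      from = substr($0, RSTART + RLENGTH)
      sub(/[ \t]+$/, "", from)
      if (from == src) print n
    }' | sort -rn
}

# delete_rules_from SRC
# Deletes every rule from SRC. Numbers are taken once, in descending order,
# so each deletion leaves the still-pending numbers untouched.
delete_rules_from() {
  n=''
  for n in $("$UFW" status numbered | rules_from_source "$1"); do
    "$UFW" --force delete "$n"     # --force skips the y/n prompt
  done
}

# Demo against the constructed sample only; no rules are touched:
#   sh delete-rules.sh --demo
if [ "${1:-}" = "--demo" ]; then
  sample_status | rules_from_source 111.65.0.0/16   # prints 4, then 2
fi
```

Matching is on the exact From text, so IPv6 rules ("Anywhere (v6)") are not confused with IPv4 ones, and a source that appears nowhere simply deletes nothing. Run the demo first to confirm the parser picks the rules you expect before calling delete_rules_from on a live host.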
