How to work with your firewall (UFW - Uncomplicated Firewall)
Last updated: January 10th 2024
Introduction
UFW or Uncomplicated Firewall is a command-line interface to iptables and is specially designed to simplify the process of configuring a firewall.
Iptables is an extremely flexible firewall utility that was built for Linux operating systems. Iptables is a great tool with many functionalities that can be used to secure your Linux system from unwanted traffic. However, it can be difficult for beginners to learn how to use it properly when configuring the firewall. As a result, the UFW is well-suited for beginners, and you can learn, configure and use it easily.
UFW is a great firewall tool that is designed to be run on hosts or servers. It allows or blocks incoming and outgoing connections to and from the server. You can block ports, IPs or even entire subnets using UFW. It is not as flexible as iptables but is vastly easier for basic operations. It aims to provide an easy to use interface for people unfamiliar with firewall concepts, while at the same time simplifies complicated iptables commands to help an administrator who knows what he or she is doing.
In this tutorial, we will show you how to use the UFW firewall with hands-on examples.
Please note: Doing these actions bring the risk of downtime for your server if you are not careful. Do not do this on a live site if you do not know exactly what you are doing. It is recommended to create a new server from a snapshot and test this out - then migrate your changes back to your live server once you've verified everything is working.
Prerequisites
- A Webdock cloud Ubuntu instance
- You have shell (SSH) access to your VPS.
Verify UFW is installed
The UFW firewall is pre-installed on Webdock stacks. By default, it is configured to allow incoming connections to the ports 21, 22, 80, 443 and 50000-50099.
You can check all the rules added by the UFW firewall using the following command:
ufw status verbose
You should get the following output:
Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- 21 ALLOW IN Anywhere 50000:50099/tcp ALLOW IN Anywhere 22 ALLOW IN Anywhere 80 ALLOW IN Anywhere 443 ALLOW IN Anywhere 21 (v6) ALLOW IN Anywhere (v6) 50000:50099/tcp (v6) ALLOW IN Anywhere (v6) 22 (v6) ALLOW IN Anywhere (v6) 80 (v6) ALLOW IN Anywhere (v6) 443 (v6) ALLOW IN Anywhere (v6) 20/tcp ALLOW OUT Anywhere 20/tcp (v6) ALLOW OUT Anywhere (v6)
As you can see, UFW firewall is configured to allow HTTP, HTTPS, SSH and FTP services from the outside network.
Note : Don't delete any of the above rules unless you know what you are doing as they are necessary for our LAMP/LEMP stack to function.
Allowing Incoming Connections with UFW
You can add UFW rules by specifying a service or port number.
For example, to add the UFW rule to allow the TCP port 80 and 443, run the following command:
ufw allow 80/tcp ufw allow 443/tcp
You can also allow the MySQL and HTTPS service by referencing them by name. The following command is equivalent to the above:
ufw allow mysql ufw allow https
Add the UFW rule to allow the UDP port 21 using the following command:
ufw allow 21/udp
You can also allow specific port range through the UFW firewall. For example, add the UFW rule to allow TCP port 6000 to 6500, run the following command:
ufw allow 6000:6500/tcp
You can also allow a specific IP (192.168.0.100) to access all port with the UFW firewall as shown below:
ufw allow from 192.168.0.100
To allow a specific IP (192.168.0.200) to access a specific port 8088, run the following command:
ufw allow from 192.168.0.200 to any port 8088
To allow a specific network subnet (192.168.2.0/24) to access all port, run the following command:
ufw allow from 192.168.2.0/24
Denying Incoming Connections with UFW
Per default UFW blocks all incoming connections so usually it is not required to add specific deny rules. However, if you have allowed a range of ports for example, adding specific deny rules might be appropriate, or if you want to deny traffic from specific IP addresses for example.
As an example, the UFW rule to deny the service SMTP, run the following command:
ufw deny smtp
To deny the TCP port 389, run the following command:
ufw deny 389/tcp
To deny the UDP port 137, run the following command:
ufw deny 137/udp
To deny all connections from a specific IP (192.168.0.150), run the following command:
ufw deny from 192.168.0.150
To deny a specific port range (8000:8200), run the following command:
ufw deny 8000:8200/tcp
To combine the two commands in order to deny traffic from a specific ip to a specific port range you would simply do
ufw deny from 192.168.0.150 to any port 8000:8200/tcp
Listing UFW Rules
If you want to list all UFW rules which are added, run the following command:
ufw show added
You should see all UFW rules in the following output:
Added user rules (see 'ufw status' for running firewall): ufw allow 21 ufw allow 50000:50099/tcp ufw allow out 20/tcp ufw allow 22 ufw allow 80 ufw allow 443 ufw allow 6000:6500/tcp ufw allow from 192.168.0.200 to any port 8088 ufw allow from 192.168.0.100 ufw allow from 192.168.2.0/24 ufw deny 25/tcp ufw deny 8000:8200/tcp ufw allow 3306
Deleting UFW Rules
There are two ways to delete the UFW rules.
Deleting Rules By Specification
The simple and easiest way to delete the UFW rule is by specifying the actual rule.
To delete the "allow mysql" UFW rule, run the following command:
ufw delete allow mysql
To delete the "allow 443/tcp" UFW rule, run the following command:
ufw delete allow 443/tcp
To delete the "allow 21/udp" UFW rule, run the following command:
ufw delete allow 21/udp
Deleting Rules By Rule Number
If you want to delete the UFW rules using rule number, you will first need to list all your UFW rules by rule number.
You can run the following command to list all firewall rules by numbers.
ufw status numbered
You should get the following output:
Status: active
To Action From
-- ------ ----
[ 1] 21 ALLOW IN Anywhere
[ 2] 50000:50099/tcp ALLOW IN Anywhere
[ 3] 20/tcp ALLOW OUT Anywhere (out)
[ 4] 22 ALLOW IN Anywhere
[ 5] 80 ALLOW IN Anywhere
[ 6] 443 ALLOW IN Anywhere
[ 7] 6000:6500/tcp ALLOW IN Anywhere
[ 8] 8088 ALLOW IN 192.168.0.200
[ 9] Anywhere ALLOW IN 192.168.0.100
[10] Anywhere ALLOW IN 192.168.2.0/24
[11] 25/tcp DENY IN Anywhere
[12] 8000:8200/tcp DENY IN Anywhere
[13] 3306 ALLOW IN Anywhere
[14] 21 (v6) ALLOW IN Anywhere (v6)
[15] 50000:50099/tcp (v6) ALLOW IN Anywhere (v6)
[16] 20/tcp (v6) ALLOW OUT Anywhere (v6) (out)
[17] 22 (v6) ALLOW IN Anywhere (v6)
[18] 80 (v6) ALLOW IN Anywhere (v6)
[19] 443 (v6) ALLOW IN Anywhere (v6)
[20] 6000:6500/tcp (v6) ALLOW IN Anywhere (v6)
[21] 25/tcp (v6) DENY IN Anywhere (v6)
[22] 8000:8200/tcp (v6) DENY IN Anywhere (v6)
[23] 3306 (v6) ALLOW IN Anywhere (v6)
Once you have all UFW rules with the number, you can use the "ufw delete" command followed by the rule number that you want to remove.
For example, to delete the UFW rule with number 20, run the following command:
ufw delete 20
You will be asked to confirm that you want to delete the rule:
Deleting: allow 6000:6500/tcp Proceed with operation (y|n)? y Rule deleted (v6)
Type y and hit Enter to delete the rule.
Important: The rule number will change automatically after deleting a rule. So it is recommended to list the rules before deleting another rule.
Disabling UFW Firewall
If you want to disable the UFW firewall, run the following command:
ufw disable
You can re-enable the UFW firewall any time by just running the following command:
ufw enable
If you want to reset UFW firewall completely and remove all existing rules, you can use the following command:
ufw reset
You will be asked to reset all rules to the default one as shown below:
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Type y and press Enter to remove all rules:
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20200408_160447' Backing up 'user.rules' to '/lib/ufw/user.rules.20200408_160447' Backing up 'before.rules' to '/etc/ufw/before.rules.20200408_160447' Backing up 'after6.rules' to '/etc/ufw/after6.rules.20200408_160447' Backing up 'after.rules' to '/etc/ufw/after.rules.20200408_160447' Backing up 'user6.rules' to '/lib/ufw/user6.rules.20200408_160447'
Please Note: If you are managing your server over SSH, don't delete the UFW rule that allows SSH traffic (typically port 22) as that will make you loose shell access. You will be locked out of your server and unable to connect to your Webdock server without contacting support so we can enable access once again.
Checking if your rules have worked
Please Note: Some applications, such as Docker, may modify IPTables directly where UFW will not list these exceptions when running ufw status. This may lead to ports being open to the internet. The solution is to manually insert deny rules to after.rules and after6.rules.As the warning above states, you may still have open ports despite UFW claiming otherwise, especially if you are running Docker applications. To see how to check if there are any open ports, please see our guide on the topic.
Conclusion
As you can see, the UFW is a simple and easy to use tool to configure and manage your iptables firewall. All commands which you have seen in the above guide are important for understanding how the UFW firewall works and how you can use it in a production environment. Hopefully you now know how you can now limit any unwanted connections using UFW firewall.
Related articles
-
Server Security Checklist
In this article we list a number of things you should check if you are setting up a server from scratch as well as a few things which can enhance security on our Perfect Server Stacks.
Last updated: November 10th 2022
-
How to check for open ports on your Ubuntu server
This article details various approaches to finding out which ports are open and accessible on your server.
Last updated: November 10th 2022
-
SSH Security Configuration Settings
This article lists various settings for the SSH Daemon which impact server security.
Last updated: February 1st 2024
-
How to configure Fail2Ban for common services
How fail2ban can be configured for common services as well as how to utilize the fail2ban CLI tools to check status of various jails, unbanning users and more.
Last updated: August 22nd 2023
-
How to Secure Nginx with Naxsi Firewall on Ubuntu 18.04 VPS
This Article describes how you can set up and configure Naxsi firewall on a Webdock LEMP stack on Ubuntu Bionic 18.04.
Last updated: November 10th 2022
-
How to Secure Nginx with Naxsi Firewall on Ubuntu 20.04 VPS
This Article describes how you can set up and configure Naxsi firewall on a Webdock LEMP stack on Ubuntu Focal 20.04.
Last updated: March 8th 2024
-
How to configure Security Headers in Nginx and Apache
Here we outline which security headers are important to set in different scenarios in Nginx and Apache.
Last updated: November 10th 2022
-
How to enable Encryption for MariaDB
Enable Encryption of your database data with MariaDB as well as force all new tables created to be encrypted.
Last updated: October 29th 2024
-
How to Scan Your Webdock Server for Malware and Virus
This guide provides basic step-by-step instructions to install various tools to scan your server for malware and viruses.
Last updated: July 19th 2023
-
How To Use Our Free BotGuard Bot Protection
In this article we show you how to activate and use our Free BotGuard Bot Protection which is included for free with all our VPS servers.
Last updated: November 4th 2024
-
Enhancing Nginx Security with IP Filtering and Password
A guide to enhance Nginx security with IP filtering (specific IP, and, IP ranges) and Password
Last updated: November 25th 2023
-
Securing Ubuntu: How to Detect System Vulnerabilities
Detect system vulnerabilities using Vuls
Last updated: December 20th 2023
-
Secure VPS Communication with SSL and UFW
A detailed guide to securely your communicate with your servers without requiring a VLAN setup.
Last updated: March 4th 2024
-
Configuring UFW and Fail2Ban to Mitigate Basic DDos Attacks
Instructions to protect your server from basic DDos attacks using UFW and Fail2Ban
Last updated: May 28th 2024