UFW(uncomplicated firewall) is a default firewall comes pre-installed on all Ubuntu servers. UFW is a simple firewall to use and you can easily manage it. We will talk about how to configure UFW firewall on Ubuntu for a web server.
With UFW you can block ports and services, authorize and allow only access to specific services you would like the world to reach.
It comes pre-installed, but if not you can just install it with
apt install ufw.
Note: do not enable it until make sure at least the ports you access the server with are allowed. e.g: ssh
Check it’s status through systemctl.
systemctl status ufw
You will see it is running but not enabled yet.
Running it’s status command(
ufw status) will give you:
ufw default allow outgoing
This will allow the server to reach to the Internet for anything you want to download or update etc.
ufw default deny incoming
This will block all the incoming traffic to the server as we would like to selectively allow handful of services only.
Allow the SSH port so we can access the server, change the port number if it’s different.
Bonus: you can add a comment flag to write an explanation for future references.
ufw allow 22 comment 'Allow ssh port 22'
Rule updated Rule updated (v6)
You can also allow/deny services by it’s name. e.g:
ufw allow ssh
Allow access to web server ports.
ufw allow 80 ufw allow 443
You can allow another port if you have any other application running on it.
At this point if you only want to allow ssh from a specific IP, you can do that by:
ufw allow from 192.168.0.1 to any port 22
Note: be very careful with allowing only IP for ssh if your IP is dynamic. It will lock you out when the IP changes.
You can now enable the firewall.
You will be prompted to type y or n to proceed.
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
ufw status to know the status and allowed/denied ports and services.
Allowing only IP to access a specific service could be useful. For example, you want to allow only port 21(ftp) for a specific user/client to access for downloading/uploading files.
ufw allow from 192.168.0.1 to any port 21
This will only allow access to port 21 from 192.168.0.1.
Also while at it, you can add flags for outgoing or incoming traffic with
ufw allow in 21
This will allow traffic on port 21 to the server.
Service specific access
As mentioned above you can allow services by it’s name too if you do not the know the port number. For example smtp, imap, mysql, ftp, http, https etc. The point is to allow access where it is needed and block anything else for better security.
ufw allow mysql
You can delete a port or service from the ufw list. For that run
ufw status numbered to list the entries with numbers.
Status: active To Action From -- ------ ---- [ 1] 22 ALLOW IN Anywhere [ 2] 80 ALLOW IN Anywhere [ 3] 443 ALLOW IN Anywhere [ 4] 22 ALLOW IN 192.168.0.1
We have two entries for port 22 here, one with access from anywhere. This one we can remove if the IP is what we want.
ufw delete 1
You can also delete rules by specifying the port. This will remove both v4 and v6 IP addresses. Careful with this approach it will delete all entries for that port.
ufw delete allow 22/tcp
Here are the common commands to perform certain tasks.
Reload ufw rules:
Reset will reset all the changes made to the rules and default settings will be applied.
You will be prompted with:
Resetting all rules to installed defaults. This may disrupt existing ssh connections. Proceed with operation (y|n)?