A firewall is the last line of defence between the open internet and your server: it decides which connections are allowed to reach it at all. Getting a firewall up is crucial before deploying a server online.
UFW stands for Uncomplicated Firewall and is included in Ubuntu. iptables is the standard firewall tool built into Linux and is preferred by experts for more complex rulesets. UFW lets a user create iptables rules through a simpler interface.
Installation
UFW is included in Ubuntu. If you haven't recently, first do a quick package update:
sudo apt-get update
Check UFW status:
sudo ufw status
It should say "inactive".
Configuration
sudo ufw default allow outgoing
sudo ufw default deny incoming
For SSH, do either:
sudo ufw allow ssh
or sudo ufw allow 22
Now run:
sudo ufw enable
You will be asked to confirm, because enabling the firewall may disrupt existing SSH connections.
Choose "yes". I didn't lose my connection.
Finally, do:
sudo ufw status
and you will see that UFW is active with port 22 (SSH) allowed.
Additional Options
Changes can also be made to the config file at:
sudo vi /etc/default/ufw
If you make changes to the config file or through the command line, run sudo ufw disable
and sudo ufw enable
again. sudo ufw status
will always tell you whether it is on or not.
To deny traffic on a port, use: sudo ufw deny 111
This works for any port used by an application, like http, and can be limited to TCP or UDP: sudo ufw allow http/tcp
and sudo ufw allow 1725/udp
Just do the ssh allow command for now. More advanced settings allow or block traffic by specific IP address as well.
If you ever want to remove a rule, use: sudo ufw delete allow 22
or ssh instead of 22.
If you want to see the logs in /var/log/ufw.log, enable logging with:
sudo ufw logging on
There are more parameters for logging; please check the wiki for more info.
Summary
To get started, here it is all in one:
sudo apt-get update
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw enable
And that's it for now. Firewall setup completed!
All outgoing connections from your server to the internet are open, and all incoming connections from the internet to your server are closed off, except port 22 for SSH. If you set up a web server, port 80 needs to be opened unless you change the default port. Any other program that needs external access needs its port opened as well.
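To check that a server really ends up in the state just described, here is an added example (not part of the original post) that audits the output of sudo ufw status verbose against that baseline: active, default deny incoming, default allow outgoing, and an ALLOW IN rule for each port you expect. The sample status text, the script name ufw_audit.sh and the function name audit_ufw_status are constructed for this example.

```shell
#!/bin/sh
# ufw_audit.sh (constructed name): audit `sudo ufw status verbose` output against
# the baseline this post builds. On a live host:
#   audit_ufw_status "$(sudo ufw status verbose)" 22/tcp 80/tcp

# Constructed sample of what `sudo ufw status verbose` prints after the Summary steps.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# audit_ufw_status STATUS_TEXT [PORT ...]
# Prints one line per check and returns the number of failed checks (0 = baseline OK).
audit_ufw_status() {
    status="$1"; shift
    failures=0
    if printf '%s\n' "$status" | grep -q '^Status: active'; then
        echo "ok: firewall active"
    else
        echo "FAIL: firewall is not active"; failures=$((failures + 1))
    fi
    if printf '%s\n' "$status" | grep -q '^Default: deny (incoming)'; then
        echo "ok: default deny incoming"
    else
        echo "FAIL: incoming traffic is not denied by default"; failures=$((failures + 1))
    fi
    if printf '%s\n' "$status" | grep -q 'allow (outgoing)'; then
        echo "ok: default allow outgoing"
    else
        echo "FAIL: outgoing traffic is not allowed by default"; failures=$((failures + 1))
    fi
    for port in "$@"; do
        # A rule line looks like "22/tcp   ALLOW IN   Anywhere"; the "(v6)" twin is not needed.
        if printf '%s\n' "$status" | grep -Eq "^$port +ALLOW IN "; then
            echo "ok: $port allowed in"
        else
            echo "FAIL: no ALLOW IN rule for $port"; failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Demo run against the constructed sample: every check prints ok and the exit status is 0.
audit_ufw_status "$SAMPLE_STATUS" 22/tcp
```

Pass the ports your server is supposed to expose; anything the firewall should not be letting in stays off the list, and a nonzero exit status tells you the host has drifted from the baseline.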
Setting this up is almost a breeze, it types itself. If you want more power, check out iptables!
Thank you for your time and attention! I appreciate the knowledge reaching more people. Take care. Peace.
@krnel
2016-11-30, 6:35am