Uncomplicated Firewall (UFW) provides an easy-to-use interface for people unfamiliar with firewall concepts. It provides a framework for managing netfilter as well as a command-line interface for manipulating the firewall. With its small command set and plain-English parameters, UFW makes it quick and easy to understand and set up firewall rules. At the same time, you can use UFW to configure most of the rules possible with iptables. UFW comes preinstalled with all Ubuntu installations after version 8.04 LTS.
Follow these steps to secure a host's network access with Uncomplicated Firewall:
1. UFW comes preinstalled on most systems. If it is not installed, running it produces the following error:
ufw: command not found
2. If it is not installed, install it with the command for your distribution:
| Distribution | Command |
|---|---|
| Debian | apt-get install ufw |
| Ubuntu | apt-get install ufw |
| Arch Linux | pacman -S ufw |
| Kali Linux | apt-get install ufw |
| Fedora | dnf install ufw |
| Raspbian | apt-get install ufw |
Let's take an Ubuntu system as an example (the package name is lowercase `ufw`):
$ sudo apt-get update
$ sudo apt-get install ufw
3. Check the status of UFW:
$ sudo ufw status
4. Add a new rule to allow SSH:
$ sudo ufw allow ssh
5. Alternatively, you can use a port number to open a particular port:
$ sudo ufw allow 22
6. Allow only TCP traffic to HTTP (port 80):
$ sudo ufw allow http/tcp
7. Deny incoming FTP traffic:
$ sudo ufw deny ftp
8. Check all added rules before starting the firewall:
$ sudo ufw show added
9. Now enable the firewall:
$ sudo ufw enable
10. Check the UFW status; the verbose parameter is optional:
$ sudo ufw status verbose
ufw Command Examples
1. Enable ufw:
# ufw enable
2. Disable ufw:
# ufw disable
3. Show ufw rules, along with their numbers:
# ufw status numbered
4. Allow incoming traffic on port 5432 on this host with a comment identifying the service:
# ufw allow 5432 comment "Service"
5. Allow only TCP traffic from 192.168.0.4 to any address on this host, on port 22:
# ufw allow proto tcp from 192.168.0.4 to any port 22
6. Deny traffic on port 80 on this host:
# ufw deny 80
7. Deny all UDP traffic to ports in range 8412:8500:
# ufw deny proto udp from any to any port 8412:8500
8. Delete a particular rule. The rule number can be retrieved from the `ufw status numbered` command:
# ufw delete rule_number
9. Get a numbered list of added rules:
$ sudo ufw status numbered
10. You can also allow all ports in a range by specifying a port range:
$ sudo ufw allow 1050:5000/tcp
11. If you want to open all ports for a particular IP address, use the following command:
$ sudo ufw allow from 10.0.2.100
Alternatively, you can allow an entire subnet, as follows:
$ sudo ufw allow from 10.0.2.0/24
12. You can also allow or deny a specific port for a given IP address:
$ sudo ufw allow from 10.0.2.100 to any port 2222
$ sudo ufw deny from 10.0.2.100 to any port 5223
13. To specify a protocol in the preceding rule, use the following command:
$ sudo ufw deny from 10.0.2.100 proto tcp to any port 5223
14. Deleting rules:
$ sudo ufw delete allow ftp
15. Delete rules by specifying their numbers:
$ sudo ufw status numbered
$ sudo ufw delete 2
16. Add a new rule at a specific number:
$ sudo ufw insert 1 allow 5222/tcp # Inserts a rule at number 1
17. If you want to reject outgoing FTP connections, you can use the following command:
$ sudo ufw reject out ftp
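The following script is an added example, not part of the original page: it strings the steps above together into one repeatable baseline (default-deny inbound, allow outbound, SSH only from a management subnet, public web ports, FTP blocked both ways) and shows how to turn the output of `ufw status numbered` into the rule number that `ufw delete <n>` needs. The management subnet 10.0.2.0/24, the web ports and the sample status output are assumptions for the example. It runs in dry-run mode by default, printing the `ufw` commands it would execute; set `UFW_DRY_RUN=0` and run as root to apply them.

```shell
#!/bin/sh
# Added example (not from the original page): apply a baseline UFW policy
# and look up rule numbers for deletion. Assumptions, not from the page:
# management subnet 10.0.2.0/24 may reach SSH; ports 80/443 are public.
# Defaults to dry-run (prints commands); UFW_DRY_RUN=0 applies them.
set -eu

UFW_DRY_RUN=${UFW_DRY_RUN:-1}
MGMT_NET=${MGMT_NET:-10.0.2.0/24}   # assumed management network

# Run one ufw command, or print it when in dry-run mode / ufw is absent.
ufw_cmd() {
    if [ "$UFW_DRY_RUN" != 0 ] || ! command -v ufw >/dev/null 2>&1; then
        echo "ufw $*"
    else
        ufw "$@"
    fi
}

# Default-deny inbound, allow outbound, then open only what is needed.
# Rules are added before 'enable' so an SSH session is never locked out;
# --force skips the interactive "may disrupt existing ssh" prompt.
baseline_policy() {
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    ufw_cmd allow proto tcp from "$MGMT_NET" to any port 22 comment "SSH from mgmt"
    ufw_cmd allow 80/tcp comment "HTTP"
    ufw_cmd allow 443/tcp comment "HTTPS"
    ufw_cmd deny ftp
    ufw_cmd reject out ftp
    ufw_cmd --force enable
    ufw_cmd status verbose
}

# Find the number of a rule in 'ufw status numbered' output so it can be
# removed with 'ufw delete <n>'. Args: status text, To, Action, From.
# Prints nothing when no rule matches.
rule_number() {
    printf '%s\n' "$1" | awk -v to="$2" -v act="$3" -v from="$4" '
        /^\[/ {
            sub(/^\[ */, ""); sub(/\] */, " ")     # "[ 3] ..." -> "3 ..."
            n = $1; t = $2; i = 3
            if ($i == "(v6)") { t = t " (v6)"; i++ }
            a = $i " " $(i + 1); f = $(i + 2)     # "ALLOW IN", source
            if ($(i + 3) == "(v6)") f = f " (v6)"
            if (t == to && a == act && f == from) { print n; exit }
        }'
}

# Constructed sample of 'ufw status numbered' output (not captured from a
# real host), so the lookup can be demonstrated offline.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    10.0.2.0/24
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 5223                       DENY IN     10.0.2.100
[ 4] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

baseline_policy
# Locate the deny rule for 10.0.2.100 by its number and remove it.
n=$(rule_number "$SAMPLE_STATUS" 5223 "DENY IN" 10.0.2.100)
if [ -n "$n" ]; then
    ufw_cmd delete "$n"
fi
```

On a real host, replace `SAMPLE_STATUS` with `$(ufw status numbered)`; deleting by number is only safe if you re-read the numbered list immediately before each delete, because every deletion renumbers the rules that follow it.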