Minimal UFW Setup
UFW (Uncomplicated Firewall) is a front-end to iptables that is easy to use at first and yet flexible enough for power users.
Install UFW if it is not already installed:

    sudo apt-get install ufw   # install the firewall software

If you are connected over SSH rather than sitting at a console, issue the commands on one line as shown so that the rule permitting SSH is in place as soon as the firewall comes up; then even if you do get disconnected, you can still ssh back into the system.
...
UFW does not start automatically once installed. First open the ports that are necessary for administering the system:

    sudo ufw allow 22 && sudo ufw enable   # allow SSH traffic first, then enable the firewall

Note to self: consider modifying the command to run as a background process.
Additionally open any other ports you require. For this tutorial they are:

    sudo ufw allow 80    # web server
    sudo ufw allow 443   # HTTPS (SSL) for the web server
Before starting UFW, make sure port 22 is open. You can check by running the allow 22 command again; if the rule is already present, ufw reports that it is skipping it:

    sudo ufw allow 22
    Skipping adding existing rule
After you have confirmed that 22 is open, you can go ahead and enable UFW:

    sudo ufw enable
From your desktop, use telnet to confirm that port 22 is open:

    telnet Ubuntuservername 22   # if your server has no name, use its IP address
If telnet worked, you should see something like this:

    Connected to Ubuntuservername.
    Escape character is '^]'.
    ^]
Finally, check that all your rules are in place:

    sudo ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    22                         ALLOW IN    Anywhere
    80                         ALLOW IN    Anywhere
    443                        ALLOW IN    Anywhere

Info: ufw status verbose does not work until UFW is enabled.
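As an added example (not part of the original article), a small POSIX shell audit that parses the `sudo ufw status verbose` output shown above and checks that the inbound rule set is exactly the intended one: every expected port has an ALLOW IN rule and nothing else is listed. The status text, the STATUS_OK/STATUS_LEFTOVER samples and the audit_rules function are constructed for this example and are not ufw commands.

```shell
#!/bin/sh
# Added example, not from the original article: audit the inbound rule set
# printed by `sudo ufw status verbose` against the ports this tutorial opens.
# STATUS_OK / STATUS_LEFTOVER are constructed sample outputs; audit_rules is
# this example's own helper, not a ufw command.

# Constructed sample: the output the tutorial shows after enabling UFW, plus
# the IPv6 row real installs print for each rule.
STATUS_OK='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)'

# Constructed variant: 443 was switched off with `ufw deny 443` but the
# entry was never deleted, so it still shows up as a DENY rule.
STATUS_LEFTOVER=$(printf '%s\n' "$STATUS_OK" | sed 's/^\(443 *\)ALLOW/\1DENY /')

# audit_rules "<status text>" "<expected ports>"
# Prints one line per discrepancy (missing, wrong action, unexpected) and
# returns 1 if any was found; returns 0 when the inbound rules match exactly.
audit_rules() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) expect[w[i]] = 1 }
        # Rule rows look like "<port>[/proto]  <ACTION> IN  <from>". The "(v6)"
        # rows repeat each IPv4 rule with "(v6)" in field 2, so they fall through.
        $2 ~ /^(ALLOW|DENY|REJECT|LIMIT)$/ && $3 == "IN" {
            split($1, p, "/"); port = p[1]; seen[port] = 1
            if (!(port in expect))  { print "unexpected: " $1 " " $2 " IN"; bad = 1 }
            else if ($2 != "ALLOW") { print "wrong action: " $1 " " $2 " IN"; bad = 1 }
        }
        END {
            for (port in expect) if (!(port in seen)) { print "missing: " port " ALLOW IN"; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Exit status 0 means the live rule set is exactly 22, 80 and 443 allowed in.
audit_rules "$STATUS_OK" "22 80 443" && echo "rule set matches the tutorial"
audit_rules "$STATUS_LEFTOVER" "22 80 443" || echo "fix with: sudo ufw delete deny 443"
```

Because ufw status only reports rules once UFW is enabled, run this audit after the enable step; on a live system replace the sample text with `"$(sudo ufw status verbose)"`.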
There is much more to UFW, but the steps above should get you going.
More UFW Commands
Here are some more useful ufw commands:
Removing Rules
You can disable a rule or delete it. The example shown here does it in two steps:

    sudo ufw deny 443          # switches the rule to deny but leaves the entry in the status; useful for a port you turn on and off sometimes
    sudo ufw delete deny 443   # actually deletes the firewall rule entry; here the rule must be disabled (deny) before you can delete it this way
Not exactly intuitive: the delete command must name the rule literally. In the example above we used "delete deny 443". If the port were still allowed and we wanted to delete the rule in one step, the command would look like this:

    sudo ufw delete allow 443   # deletes an enabled (allow) rule
You can put a comment on a rule and have it show up in the ufw status:

    sudo ufw allow 22 comment 'enable TCP'
Article Improvements
Warning: this article can be improved in the following areas.
How can I put comments in the firewall rules and have them show up in the ufw status? Using applications.d. Will add details from here: http://manpages.ubuntu.com/manpages/jaunty/en/man8/ufw.8.html
References
https://help.ubuntu.com/9.10/serverguide/C/firewall.html - official docs from Ubuntu.