Firewall Configuration with UFW

Now that you've learned about networking and remote access with SSH, it's time to secure your system by controlling network traffic. In this lesson, we'll explore UFW (Uncomplicated Firewall), Ubuntu's user-friendly interface for managing iptables firewall rules.

Learning Goals:

  • Understand what UFW is and why it's important
  • Install and enable UFW on Ubuntu
  • Configure basic firewall rules for common services
  • Manage and monitor firewall status
  • Create advanced rules for specific use cases

What is UFW?

UFW, or Uncomplicated Firewall, is a simplified firewall management tool that provides an easy-to-use interface for the underlying iptables firewall system. While iptables is powerful, it can be complex for everyday use. UFW abstracts this complexity while maintaining flexibility.

Tip:

UFW is specifically designed for Ubuntu but works on other Debian-based distributions. If you're using a different Linux distribution, you might encounter firewalld (RHEL/CentOS) or other firewall management tools.

Installing and Enabling UFW

Most Ubuntu systems come with UFW pre-installed. Let's verify and install it if necessary:

Check UFW installation
sudo ufw status

If UFW isn't installed, install it with:

Install UFW
sudo apt update
sudo apt install ufw

Now let's enable UFW with basic security defaults:

Enable UFW with defaults
# First, ensure SSH is allowed so we don't get locked out
sudo ufw allow ssh

# Enable the firewall
sudo ufw enable

# Check the status
sudo ufw status verbose

Basic UFW Commands

Let's explore the essential UFW commands you'll use regularly:

Common UFW operations
# Check firewall status
sudo ufw status

# More detailed status information
sudo ufw status verbose

# Show numbered rules (useful for deleting specific rules)
sudo ufw status numbered

# Disable the firewall (temporarily turn off)
sudo ufw disable

# Reset all rules to default
sudo ufw reset

Configuring Common Service Rules

UFW makes it easy to allow or deny traffic for common services. Here are the most frequently used configurations:

Allow common services
# Allow SSH (already done earlier, but shown for completeness)
sudo ufw allow ssh

# Allow HTTP web traffic
sudo ufw allow http

# Allow HTTPS secure web traffic
sudo ufw allow https

# Allow specific port
sudo ufw allow 8080

# Allow port range
sudo ufw allow 8000:8010/tcp

Warning:

Always allow SSH before enabling UFW if you're managing a remote server. Otherwise, you'll lose access to your system!

Advanced Rule Configuration

For more specific control, UFW allows detailed rule specification:

Advanced rule examples
# Allow from specific IP address
sudo ufw allow from 192.168.1.100

# Allow to specific port from specific IP
sudo ufw allow from 192.168.1.100 to any port 22

# Allow from subnet
sudo ufw allow from 192.168.1.0/24

# Deny specific service
sudo ufw deny http

# Allow specific protocol
sudo ufw allow 53/udp

The same rules can also be written using service names instead of port numbers (UFW resolves the names through /etc/services):

Using service names
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw allow smtp

Managing and Deleting Rules

As your firewall configuration grows, you'll need to manage existing rules:

Rule management examples
# List rules with numbers for deletion
sudo ufw status numbered

# Delete rule by number (replace 1 with the number shown by "ufw status numbered")
sudo ufw delete 1

# Delete specific rule by specification
sudo ufw delete allow http

# Insert rule at specific position
sudo ufw insert 1 allow from 192.168.1.50

Application Profiles

UFW supports application profiles that define multiple ports and protocols for complex applications:

Working with application profiles
# List available application profiles
sudo ufw app list

# Show details for a specific profile
sudo ufw app info 'Apache Full'

# Allow traffic for an application profile
sudo ufw allow 'Apache Full'

Common Pitfalls

  • Locking yourself out: Forgetting to allow SSH before enabling UFW on remote servers
  • Overly restrictive rules: Blocking essential system services or monitoring tools
  • Rule order confusion: Not understanding that UFW processes rules in order
  • Forgetting to reload: Making multiple changes without checking the final configuration
  • Mixing allow/deny rules: Creating conflicting rules that don't behave as expected
  • Ignoring IPv6: Remember that UFW manages both IPv4 and IPv6 rules by default
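The lockout, rule-order and IPv6 pitfalls above can be checked before you run `ufw enable`. The following is an added example, not code from the page or from the UFW project: it parses the text of `sudo ufw status numbered` (a constructed sample is embedded; the `parse_status`, `decide` and `lockout_risk` names are ours) and walks the inbound rules in order, first match wins, to tell whether an admin at a given address would still reach SSH.

```python
import ipaddress
import re

# Constructed sample of `sudo ufw status numbered` output (not captured from a real host).
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.1.0/24
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp                     DENY IN     Anywhere
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

# [num] <port>[/proto] [(v6)] <ACTION> <IN|OUT> <source>
RULE_RE = re.compile(
    r"^\[\s*(\d+)\]\s+(\S+)(?:\s+\(v6\))?\s+(ALLOW|DENY|REJECT|LIMIT)\s+(IN|OUT)\s+(.+?)\s*$")


def parse_status(text):
    """Return the numbered rules as dicts, in the order UFW evaluates them."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header, blank and separator lines
        num, to, action, direction, src = m.groups()
        port, _, proto = to.partition("/")
        rules.append({"num": int(num), "port": port, "proto": proto or "any",
                      "action": action, "dir": direction,
                      "from": src.replace(" (v6)", ""), "v6": "(v6)" in line})
    return rules


def source_matches(rule_from, client_ip):
    """'Anywhere' matches all; otherwise the source is a host or CIDR network."""
    return rule_from == "Anywhere" or client_ip in ipaddress.ip_network(rule_from, strict=False)


def decide(rules, client, port, proto="tcp"):
    """First matching inbound rule wins; None means no rule matched (default policy applies)."""
    client_ip = ipaddress.ip_address(client)
    for r in rules:
        if r["dir"] != "IN" or r["v6"] != (client_ip.version == 6):
            continue  # IPv4 and IPv6 rules are kept as separate entries by UFW
        if r["port"] != str(port) or r["proto"] not in ("any", proto):
            continue
        if source_matches(r["from"], client_ip):
            return r["num"], r["action"]
    return None


def lockout_risk(rules, admin_ip, ssh_port=22):
    """True when no ALLOW/LIMIT rule would let admin_ip reach SSH (default deny would drop it)."""
    verdict = decide(rules, admin_ip, ssh_port)
    return verdict is None or verdict[1] not in ("ALLOW", "LIMIT")
```

Run `lockout_risk(parse_status(output), "<your admin IP>")` against the real status output before enabling the firewall on a remote server; a `True` result means the rules as ordered would cut off your SSH session.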

Summary

UFW provides a straightforward way to manage your Ubuntu system's firewall. You've learned how to install and enable UFW, create basic and advanced rules for common services, manage existing rules, and work with application profiles. Remember to always test your configuration and maintain a backup method of access when working on remote systems.

Quiz

  1. What command should you run before enabling UFW on a remote server to avoid getting locked out?
  2. How do you view UFW rules with numbers to make them easier to delete?
  3. What's the difference between ufw allow http and ufw allow 80?
  4. How can you allow SSH connections only from the 192.168.1.0/24 subnet?
  5. What command completely resets UFW to its default state?

Answers:

  1. sudo ufw allow ssh - This ensures SSH traffic is permitted before enabling the firewall
  2. sudo ufw status numbered - Shows rules with numbers for easy reference in deletion commands
  3. There's no functional difference - both allow traffic on port 80, but one uses the service name and the other uses the port number directly
  4. sudo ufw allow from 192.168.1.0/24 to any port 22
  5. sudo ufw reset - This removes all rules and disables UFW, returning it to default state