UFW stands for Uncomplicated Firewall and is a firewall front end commonly used on Linux distributions. It manages and regulates both incoming and outgoing traffic according to rules based on port numbers, protocols, or IP address ranges. In practice this means you can use UFW to decide which ports, protocols, or IP addresses are allowed to send requests to the server, and which the server is allowed to send to.
Incoming & Outgoing traffic and the role of UFW Firewall
It’s important to first understand what incoming and outgoing traffic means as you’re likely to use these two terms more often, especially when setting up UFW firewall on your server.
Now in the context of server computing and firewalls, incoming traffic also known as inbound traffic refers to data that is being sent from a source outside of the server or network and is destined for a resource located within the server or network. This can include requests for web pages, incoming emails, or data from other servers.
On the other hand, outgoing traffic also known as outbound traffic refers to data that is being sent from a resource within the server or network and is destined for a destination outside of the server or network. This can include data being sent to a remote server, outgoing email, or data being sent to a user accessing a web page.
As we said at the beginning of this article, firewalls filter incoming and outgoing traffic based on a set of predefined rules. For example, a firewall may be configured to block all incoming traffic except web requests on port 80, or to allow outgoing traffic only to certain IP addresses or ports.
How to install ufw on Ubuntu
In most cases, UFW firewall usually comes preinstalled, and to check if it’s running on the system, you can run the following command;
service ufw status
If UFW firewall is running on your server, then you will be able to see something like this on your terminal:
ufw.service - Uncomplicated firewall
Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
Active: active (exited) since Mon 2023-04-03 08:43:06 UTC; 1 weeks 3 days ago
Docs: man:ufw(8)
Process: 442 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/SUCCESS)
Main PID: 442 (code=exited, status=0/SUCCESS)
Now, assuming UFW isn’t installed on your server or your Ubuntu machine, you can run the following commands to install it;
sudo apt update
sudo apt install ufw
Setting up SSH with UFW Firewall
It is generally recommended to first allow SSH traffic through UFW firewall before you do anything. This is to ensure that you’re not locked out of your server should anything go wrong.
There are two ways to allow SSH traffic through UFW firewall;
- Using the port number parameter: SSH by default uses Port 22 and we can use the following command to configure it through UFW firewall:
sudo ufw allow 22
- Using SSH service parameter: We can also allow SSH through UFW firewall by defining the service name of the default port 22 as seen in the command below:
sudo ufw allow ssh
Allowing Custom SSH Port
As we know, the default SSH port is 22, but you may have chosen to configure a custom port for SSH connections. Let's say the custom SSH port you've set is 2222. We then have to allow this port through UFW just like any other port, using the following command:
sudo ufw allow 2222
Allow only specific IP addresses to connect to SSH
Whitelisting only specific IP addresses to establish an SSH connection to your server adds an extra layer of security. For example, if you wanted to allow SSH traffic only from the IP addresses 192.168.1.100 and 192.168.1.101, you would run the following commands:
sudo ufw allow from 192.168.1.100 to any port 22
sudo ufw allow from 192.168.1.101 to any port 22
It's important to note that rules which whitelist only specific IP addresses are delicate: once they are in place, you will only be able to SSH into your server from the addresses you've defined, so a typo or a change of client address can lock you out. Be sure you know what you're doing before choosing this configuration on your server.
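The whitelist rules above are easy to mistype, and a wrong address locks you out just as surely as a missing rule. The following script is an added example, not part of the original article: it reads an allowlist (IPv4 hosts or CIDR ranges, one per line, with optional comments), validates each entry before it is placed on a command line, and prints the corresponding ufw rules for review. The allowlist contents, the function names and the IPv4-only assumption are mine; the generated commands use the same syntax as the article, with proto tcp added since SSH is TCP only.

```shell
#!/bin/sh
# Added example (not from the article): build "ufw allow from ... to any port ..."
# rules from an allowlist, validating every entry before it reaches the command line.
# Assumptions: IPv4 only (host addresses or CIDR ranges); commands are printed,
# not executed, so they can be reviewed and then piped to sh.

# Constructed sample allowlist: two valid hosts, one valid subnet, two bad entries.
SAMPLE_ALLOWLIST='192.168.1.100
192.168.1.101      # office workstation
203.0.113.0/24     # management network
10.0.0.999         # octet out of range
not-an-ip'

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /0-32 prefix.
is_ipv4_or_cidr() {
    addr="${1%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32          # no slash: a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Only digits and dots may appear, and dots may not lead, trail or double up.
    case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one allow rule per valid entry; invalid entries go to stderr and are skipped.
# $1 = destination port, $2 = allowlist text (one entry per line, '#' comments allowed).
ssh_allow_commands() {
    port="$1"
    printf '%s\n' "$2" | while IFS= read -r entry; do
        entry="${entry%%#*}"                              # drop trailing comment
        entry="$(printf '%s' "$entry" | tr -d '[:space:]')"
        [ -n "$entry" ] || continue
        if is_ipv4_or_cidr "$entry"; then
            printf 'sudo ufw allow from %s to any port %s proto tcp\n' "$entry" "$port"
        else
            printf 'skipping invalid allowlist entry: %s\n' "$entry" >&2
        fi
    done
}

# Usage: ssh_allow_commands 22 "$SAMPLE_ALLOWLIST"
# Live use (after reviewing the output): ssh_allow_commands 22 "$(cat admins.txt)" | sh
```

Validating before interpolating matters because ufw passes its arguments on to iptables; a malformed entry at best fails noisily and at worst leaves you with a rule you did not intend.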
Deny SSH access to the server
On the other hand, if you wanted to totally deny SSH traffic to the server, then we can just run the following command;
sudo ufw deny 22
In the same way, we can also deny SSH access by just defining the SSH service parameter as seen in the following command;
sudo ufw deny ssh
Alternatively, you can also blacklist specific IP addresses from having SSH access to your server using the following command,
sudo ufw deny from 192.168.1.100 to any port 22
sudo ufw deny from 192.168.1.101 to any port 22
Setting UFW for default incoming and Outgoing traffic
Now that we’ve allowed SSH through UFW firewall, we can go ahead and deny any incoming traffic by default unless “specific rules” are added to allow it. On the other hand, outgoing traffic will be allowed by default, which means any application on the system will be able to initiate outbound connections without the need for explicit rules.
For example, if you have a web server running on your machine, it won’t be accessible from outside the network by default as incoming traffic is denied. However, the web server can make outgoing requests to other servers on the internet without any restrictions.
When we deny incoming traffic, we are essentially blocking any unsolicited network traffic from reaching our system. This can prevent various types of attacks, such as port scanning, network reconnaissance, and denial-of-service attacks, from being successful. This ensures that our system is only accessible to the specific services and protocols that we have explicitly allowed. And it can allow us to have better control over what traffic is allowed to access our system, minimizing the potential for security vulnerabilities and exploits.
To deny default incoming and allow default outgoing traffic, we can use the following commands;
sudo ufw default deny incoming
sudo ufw default allow outgoing
Enabling UFW
When you enable UFW, it will block all incoming traffic by default, except for the traffic that is explicitly allowed by the rules. This is why it’s important to first allow SSH access through the firewall before attempting other steps. Now, to enable UFW firewall on Ubuntu, you have to run the following command;
sudo ufw enable
After enabling UFW, you can now run the following command to see if it’s active:
sudo ufw status verbose
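The steps from "Setting up SSH" through "Enabling UFW" only work safely in one order: allow SSH, set the default policies, open anything else the host serves, and only then enable. The script below is an added example and not part of the original article; it encodes that order so it cannot be skipped, validates each port before it is interpolated into a command, and by default prints the commands instead of running them (set DRY_RUN=0 to apply them). The function names and the DRY_RUN variable are my own; the ufw commands are the ones the article uses, with --force added to enable so the script does not stop at the interactive prompt.

```shell
#!/bin/sh
# Added example (not from the article): apply the article's steps in the one order
# that cannot lock you out: allow SSH first, set the defaults, open any extra
# ports, then enable. Assumptions: DRY_RUN=1 (the default here) only prints the
# commands; DRY_RUN=0 executes them. Ports are opened for TCP only.

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Reject anything that is not a number in 1..65535 before it reaches a command line.
valid_port() {
    case "$1" in ''|*[!0-9]*) printf 'invalid port: %s\n' "$1" >&2; return 1 ;; esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
        printf 'port out of range: %s\n' "$1" >&2
        return 1
    fi
    return 0
}

# ufw_bootstrap SSH_PORT [EXTRA_PORT ...]
ufw_bootstrap() {
    ssh_port="$1"
    shift
    valid_port "$ssh_port" || return 1
    for p in "$@"; do valid_port "$p" || return 1; done

    run sudo ufw allow "$ssh_port/tcp"            # 1. SSH first, so the rest is safe
    run sudo ufw default deny incoming            # 2. default policies
    run sudo ufw default allow outgoing
    for p in "$@"; do                             # 3. anything else the host serves
        run sudo ufw allow "$p/tcp"
    done
    run sudo ufw --force enable                   # 4. --force skips the confirmation prompt
    run sudo ufw status verbose                   # 5. confirm what is now in force
}

# Usage: ufw_bootstrap 22 80 443          (prints the commands for review)
#        DRY_RUN=0 ufw_bootstrap 2222     (applies them; only SSH on 2222 is opened)
```

Run it once in dry-run mode from an SSH session and check that the first line printed is the allow rule for the port that session is using; if it is not, nothing has been changed yet and you can correct the argument.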
Allowing default Ports and Protocols
You should know that there are a total of 65,535 network ports that exist. These ports are identified by numbers ranging from 0 to 65535. Out of these ports, a number of them have been assigned to default services.
So, you can use UFW firewall to allow traffic to and from any port assigned to a particular service. Here is how:
Open HTTP on port 80
HTTP stands for Hypertext Transfer Protocol, and it's the protocol web servers use to receive and respond to clients' unencrypted requests for web pages and files. HTTP is assigned port 80 as its default port number. This means that whenever you install a web server like Apache or Nginx, you have to open port 80 so traffic can pass through. We can achieve this using UFW by running the following command:
sudo ufw allow 80
Alternatively, you can also use the following command, and it will work just in the same way as the first one above:
sudo ufw allow http
Open HTTPS on Port 443
HTTPS is the encrypted version of HTTP and stands for Hypertext Transfer Protocol Secure. This is the protocol web servers use to receive and respond to encrypted client requests for web pages. Sensitive data in transit, such as passwords or credit card details, is carried over HTTPS on the internet. By default, HTTPS is assigned port 443.
This means that if you configured a web server and wanted to accept encrypted HTTPS traffic, you would have to open port 443. We can achieve this using UFW by running the following command:
sudo ufw allow 443
Or you can just use the service name instead of its port number using the following command:
sudo ufw allow https
Other Ports and services
Obviously, we can’t exhaust and configure the entire list of ports and their default services. You can only open and configure ports through the firewall when you need to use services attached to them. And for your reference, here is a table containing some of the commonly used default ports and their corresponding services:
Port Number | Assigned Service | Description |
---|---|---|
20 | FTP Data | File Transfer Protocol (FTP) data transfer |
21 | FTP Control | File Transfer Protocol (FTP) control |
22 | SSH | Secure Shell (SSH) remote login protocol |
23 | Telnet | Telnet remote terminal protocol |
25 | SMTP | Simple Mail Transfer Protocol (SMTP) email transfer |
53 | DNS | Domain Name System (DNS) name resolution |
67 | DHCP Server | Dynamic Host Configuration Protocol (DHCP) server |
68 | DHCP Client | Dynamic Host Configuration Protocol (DHCP) client |
80 | HTTP | Hypertext Transfer Protocol (HTTP) web server |
110 | POP3 | Post Office Protocol version 3 (POP3) email retrieval |
119 | NNTP | Network News Transfer Protocol (NNTP) news retrieval |
123 | NTP | Network Time Protocol (NTP) time synchronization |
143 | IMAP | Internet Message Access Protocol (IMAP) email retrieval |
161 | SNMP | Simple Network Management Protocol (SNMP) network management |
194 | IRC | Internet Relay Chat (IRC) chat protocol |
443 | HTTPS | HTTP Secure (HTTPS) web server |
465 | SMTPS (SMTP over SSL) | Simple Mail Transfer Protocol (SMTP) over SSL encrypted email transfer |
587 | SMTP Submission | SMTP Submission email submission protocol |
993 | IMAPS (IMAP over SSL) | Internet Message Access Protocol (IMAP) over SSL encrypted email retrieval |
995 | POP3S (POP3 over SSL) | Post Office Protocol version 3 (POP3) over SSL encrypted email retrieval |
3389 | RDP (Remote Desktop) | Remote Desktop Protocol (RDP) remote access and control of Windows-based systems over the network |
There are many more default ports assigned to specific protocols and services, far more than can be listed here.
Allowing Specific Port ranges
When setting up Uncomplicated Firewall (UFW), you can also specify a port range to allow or block traffic to or from specific ports.
A port range is a set of consecutive port numbers, such as 8000-9000, and a range rule allows traffic through every port within that range. You may need to open a port range when you want to allow incoming or outgoing network traffic to several ports rather than just one. This is useful for applications or services that need access to multiple ports to function properly.
So, you can use UFW to allow a specific port range. To do this, you must also specify the protocol, TCP or UDP, to which the rule applies; UFW does not accept a port range without one.
Configuring Port range for incoming traffic
The following rule will open the port range 6000-6007 for incoming TCP traffic:
sudo ufw allow 6000:6007/tcp
If it is incoming UDP traffic, then this is the rule you would use;
sudo ufw allow 6000:6007/udp
Configuring the Port range for outgoing traffic
The following rule will open the port range 100-200 for outgoing TCP traffic:
sudo ufw allow out 100:200/tcp
Allowing Specific IP Addresses
Just as we did for SSH, we can use UFW to allow connections to the server from specified IP addresses only. For example, the following rule whitelists the IP address 203.0.113.4 through the firewall:
sudo ufw allow from 203.0.113.4
You can also specify which port number a whitelisted IP address is allowed to connect to using a rule like this one:
sudo ufw allow from 203.0.113.4 to any port 22
This means that the IP address 203.0.113.4 is only allowed to connect to port 22, which is the default port for SSH.
Whitelisting Subnets
A subnet is a range of IP addresses. This means that you can define a particular subnet and whitelist it through UFW. Let's assume you want to whitelist the subnet 203.0.113.0/24; here is the rule you would use:
sudo ufw allow from 203.0.113.0/24
Similarly, you can define a specific port to which a particular subnet may connect. In this example, we're assuming you want the subnet to connect to port 22, which is the default port for SSH. Here is the rule you would apply:
sudo ufw allow from 203.0.113.0/24 to any port 22
Allowing specific Network Interfaces
The network interface allows the server to send and receive data over a network, and it typically has a unique identifier called a Media Access Control (MAC) address. It can be a physical hardware device, such as a network card or Ethernet adapter, or it can be a virtual interface created by the virtualization software, especially in the VPS environment.
Now, it is possible to set up a firewall rule that only applies to a specific network interface. To do this, you can start by listing all your network interfaces integrated into your system. For example, you can use this command on your Linux system to know which interfaces you have;
ip addr
Once you run the command above, your network interfaces will be listed as seen below;
Output Excerpt
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
. . .
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
. . .
In our case, we see that we have two network interfaces, named eth0 and eth1. We can use either of these interfaces to allow specific traffic connections.
Let's say we wanted to allow incoming HTTP traffic on port 80 only on the network interface named eth0; here is the UFW rule we would use:
sudo ufw allow in on eth0 to any port 80
So, you can apply any rule for any port using this same format above.
Denying connections
By default, UFW is set to deny all incoming connections. This makes it easy to harden your system: you only create rules that allow specific ports or IP addresses.
On the other hand, UFW also lets you deny connections from specific ports, IP addresses, or subnets. To set up any deny rule using UFW, you simply replace allow with deny in the syntax. For example, if you wanted to block HTTP connections to your server, here is the deny rule you would apply:
sudo ufw deny http
When you close HTTP port 80, this means that your web server won’t respond to any request for web pages by clients.
In the same way, you can deny traffic for a specific IP address using a rule like this below:
sudo ufw deny from 203.0.113.4
Deleting UFW Firewall rules
You can either delete UFW rules by number or by the rule itself. What does this mean?
Deleting by rule number
UFW rules are listed by numbers on the system. For example, when you have rules configured on the system, you can list all of them using the following command:
sudo ufw status numbered
And the output on your terminal will look like this below;
Numbered Output:
Status: active
To Action From
-- ------ ----
[ 1] 22 ALLOW IN 15.15.15.0/24
[ 2] 80 ALLOW IN Anywhere
We see in this example that we have two UFW rules listed with numbers 1 & 2. Assuming we needed to delete the second rule, we would use its assigned list number: 2 as seen in the following command:
sudo ufw delete 2
Deleting by the actual rule
Alternatively, you can remove UFW rules by naming the rules themselves. For example, as we know, the rule that opens HTTP is allow http. We can delete this rule using a command like this:
sudo ufw delete allow http
We can also delete the same rule using the Port number instead of using the service name, HTTP. And here is the command we would use;
sudo ufw delete allow 80
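Deleting by number is convenient but has a catch the article's two-rule listing does not show: every delete renumbers the rules that follow it, and on a dual-stack host ufw usually lists an IPv6 twin of each rule marked "(v6)". The functions below are an added example, not part of the original article; they pull the numbers of rules matching a pattern out of ufw status numbered output and print the delete commands highest number first, so the remaining numbers stay valid as each one is removed. The sample status text is constructed, not captured from a real host, and the function names are my own; --force on delete skips ufw's confirmation prompt.

```shell
#!/bin/sh
# Added example (not from the article): pick rule numbers out of `ufw status numbered`
# output so that rules matching a pattern can be deleted by number without hand-copying.
# Numbers shift after every delete, so matches are returned highest first.
# Assumption: the delete commands are printed for review rather than executed.

# Constructed sample output (not captured from a real host). Note the IPv6 twin of
# rule 2 at position 4, which a port-based pattern must catch as well.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    15.15.15.0/24
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 80/tcp                     ALLOW IN    Anywhere (v6)'

# Print the numbers of rule lines matching extended regex $1 in status text $2,
# highest number first. Header lines never start with "[ n]" so they are skipped.
rule_numbers_matching() {
    printf '%s\n' "$2" \
        | grep -E '^\[ *[0-9]+\]' \
        | grep -E -- "$1" \
        | sed -E 's/^\[ *([0-9]+)\].*/\1/' \
        | sort -rn
}

# Print one delete command per match, in an order that stays valid as rules disappear.
delete_commands_for() {
    for n in $(rule_numbers_matching "$1" "$2"); do
        printf 'sudo ufw --force delete %s\n' "$n"
    done
}

# Usage: delete_commands_for '80/tcp' "$SAMPLE_STATUS"
# On a live host, after reviewing the printed commands:
#   delete_commands_for '80/tcp' "$(sudo ufw status numbered)" | sh
```

Anchoring the pattern on the To/Action/From text rather than on a remembered number also means the script does the right thing after other rules have been added or removed since you last looked at the listing.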
Checking UFW status and rules
To check if UFW firewall is active, you can run the following command;
sudo ufw status verbose
UFW is not enabled by default, so if it has not been configured yet you are likely to see output like this, indicating that UFW is inactive:
Output
Status: inactive
On the other hand, when UFW is active, you will be able to see the list of all the available rules configured like in this example below;
Output
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
Disabling or Resetting UFW
If you no longer need to use UFW firewall, you can disable it on the system by running the following command:
sudo ufw disable
This means that all the rules you had previously configured on the system will also be deactivated. You can always re-enable UFW firewall and the previously configured rules will apply again. Here is the command to enable UFW on your system:
sudo ufw enable
On the other hand, if you want to totally reset your UFW, erasing all the rules you’ve configured, here is the command you would use to do it;
sudo ufw reset