UFW (Uncomplicated Firewall) is a command-line front end for managing the netfilter (iptables) rules on a Linux system. It wraps the firewall in a short, readable command syntax, and a graphical front end (Gufw) is available for desktop systems. It is designed to make a host firewall easy to manage even for users who know little about iptables.
This tutorial will help you to set up a firewall with UFW on Ubuntu and Debian Linux systems. Let’s begin with the installation of UFW on your system.
How to Install UFW Firewall
Ubuntu ships with UFW installed by default; Debian and other Debian-based systems may not. If it is not installed, run the following commands to install it. If it is already installed, the same commands simply upgrade UFW to the latest packaged version.
Open a terminal and type:
sudo apt update
sudo apt install ufw
This installs or updates the UFW packages on your Ubuntu or Debian system.
How to Enable/Disable UFW Firewall
By default, UFW is installed but inactive on Debian-based systems. Once enabled, its default policy denies all incoming and allows all outgoing connections, so on a machine you administer over SSH, add a rule allowing the SSH port first (see "Allow Connections with UFW" below): your current session survives, because UFW keeps established connections, but you would not be able to open a new one. Then enable UFW:
Enable UFW
sudo ufw enable
To disable the UFW, you can use the following command.
Disable UFW
sudo ufw disable
Check UFW Status
Now confirm that UFW is active by checking its status (sudo ufw status verbose additionally shows the default policies and the logging level):
sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)

The port 22 rule in this sample output is the SSH allow rule that keeps remote access working; the (v6) line is its IPv6 twin, which UFW adds automatically while IPv6 support is enabled.
Enable/Disable IPv6
UFW filters IPv6 traffic as well as IPv4 when IPV6=yes is set in /etc/default/ufw, which is the default on Ubuntu and Debian. Leave it enabled: with IPV6=no UFW installs no ip6tables rules at all, so if the host later gains IPv6 connectivity (many networks hand it out automatically), every IPv6 port is reachable regardless of the IPv4 rules you wrote. Only set it to no if you have a specific reason and have disabled IPv6 on the host itself. The line to check is:
IPV6=yes
After changing this file, disable and re-enable the firewall so that the new rule set is loaded:
sudo ufw disable && sudo ufw enable
Allow Connections with UFW
Here are some examples of allowing specific ports with the UFW command.
- Allow Specific Ports – To allow a single port, give the port number and the protocol. For example, to allow 21 (FTP), 80 (HTTP) and 443 (HTTPS):
sudo ufw allow 21/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
- Allow Specific Services – UFW looks service names up in /etc/services, so a rule can name the service instead of its port number, for example ftp (21) and http (80). Packages that register a UFW application profile can also be allowed by profile name; sudo ufw app list shows the profiles installed.
sudo ufw allow ftp/tcp
sudo ufw allow http/tcp
sudo ufw allow https/tcp
- Allow Port Range – A range of ports can be allowed in a single command; UFW requires the protocol (tcp or udp) for ranges:
sudo ufw allow 1100-1200/tcp
- Allow Access from a Specific IP – To allow all connections from a specific IP address:
sudo ufw allow from 192.168.1.100
- Allow Access from a Subnet – To allow all connections from any address in a subnet:
sudo ufw allow from 192.168.1.0/24
- Allow IP to Specific Port – To allow connections from a specific IP address to one port only (here SSH on 22), which is the usual way to restrict administrative access:
sudo ufw allow from 192.168.1.100 to any port 22
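The enable and allow steps above, combined into one script as an added example (this is not code from the original tutorial or from the UFW project). It sets the default policies, admits SSH only from an assumed management subnet (192.168.1.0/24 and port 22 are placeholders), rate-limits it, opens the web ports, and only then enables the firewall, so the session you run it from is never cut off. By default it prints the commands instead of running them; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: bring a freshly installed
# server under UFW in the order that avoids locking yourself out. With
# DRY_RUN=1 (the default) every ufw command is only printed, so this can be
# reviewed on any machine; run it as root with DRY_RUN=0 to apply the rules.
# MGMT_NET and SSH_PORT are assumed values for illustration.
set -eu

DRY_RUN=${DRY_RUN:-1}
MGMT_NET=${MGMT_NET:-192.168.1.0/24}   # assumed: the subnet admins connect from
SSH_PORT=${SSH_PORT:-22}

# Print a command; execute it too unless this is a dry run.
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

bootstrap_firewall() {
    # 1. Baseline policy: drop unsolicited inbound traffic, permit outbound.
    run ufw default deny incoming
    run ufw default allow outgoing

    # 2. Admit SSH from the management subnet only, BEFORE enabling, and
    #    rate-limit it: "limit" denies a source that attempts more than
    #    six new connections within thirty seconds.
    run ufw limit proto tcp from "$MGMT_NET" to any port "$SSH_PORT"

    # 3. Services the host is meant to expose to everyone.
    run ufw allow 80/tcp
    run ufw allow 443/tcp

    # 4. Turn the firewall on. --force skips the interactive prompt that
    #    warns about disrupting SSH sessions, which matters when this runs
    #    from a provisioning script rather than a terminal.
    run ufw --force enable

    # 5. Verify: "status verbose" also shows the default policies and the
    #    logging level, which plain "status" omits.
    run ufw status verbose
}

bootstrap_firewall
```

Because the SSH rule is added before ufw enable, the default deny policy never blocks the administrator's next login; UFW's built-in established/related rule keeps the session the script runs from alive either way, but without step 2 new logins would be refused.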
Deny Rules with UFW
UFW's default incoming policy already denies anything not explicitly allowed, so explicit deny rules are mostly useful for carving exceptions out of a broader allow rule, for example blocking one abusive address while port 22 stays open to everyone else. Rules are matched in the order shown by sudo ufw status numbered, and the first match wins, so a deny that must override an existing allow has to be placed ahead of it with sudo ufw insert 1 deny ...; a deny appended after a matching allow never fires.
- Deny Specific Ports – To deny a single port, for example 21 (FTP), 80 (HTTP) and 443 (HTTPS):
sudo ufw deny 21/tcp
sudo ufw deny 80/tcp
sudo ufw deny 443/tcp
- Deny Port Range – A range of ports can be denied in a single command (the protocol is required, as for allow):
sudo ufw deny 1100-1200/tcp
- Deny Access from a Specific IP – To deny all connections from a specific IP address:
sudo ufw deny from 192.168.1.100
- Deny Access from a Subnet – To deny all connections from any address in a subnet:
sudo ufw deny from 192.168.1.0/24
- Deny IP to Specific Port – To deny connections from a specific IP address to one port (note the command is deny, not allow):
sudo ufw deny from 192.168.1.100 to any port 22
Enable or Disable Logging
UFW logs the packets it filters through the kernel log; on Ubuntu and Debian, rsyslog writes them to /var/log/ufw.log, and they are also visible with journalctl -k. The log is useful for troubleshooting rules and for spotting scans and brute-force attempts. Use the commands below to turn logging on or off. sudo ufw logging also accepts a level (low, medium, high or full); on is the same as low, which records blocked packets and packets matching rules added with the log keyword.
Enable logging:
sudo ufw logging on
Disable logging:
sudo ufw logging off
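A worked example of reading the log described above, added here and not part of the original tutorial: two small shell functions that summarise [UFW BLOCK] entries from a ufw.log-style file, first by source, destination port and protocol, then flagging sources blocked on several distinct ports, which is a cheap port-scan indicator. The log lines it works on are constructed for the example (RFC 5737 documentation addresses), not a real capture; on a live host, point the functions at /var/log/ufw.log.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: summarise [UFW BLOCK]
# events from a ufw.log-style file with standard awk/sort tooling.
# The log lines below are constructed for the example; they are not real
# traffic. Point the functions at /var/log/ufw.log on a live host.
set -eu

SAMPLE_UFW_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_UFW_LOG"' EXIT
cat >"$SAMPLE_UFW_LOG" <<'EOF'
Mar  4 09:12:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  4 09:12:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  4 09:12:03 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54323 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  4 09:12:04 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54324 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  4 09:12:05 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54325 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  4 09:12:06 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54326 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  4 09:15:40 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=31337 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  4 09:15:41 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=31338 DF PROTO=TCP SPT=40002 DPT=2222 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  4 09:16:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=4242 PROTO=UDP SPT=5353 DPT=53 LEN=40
Mar  4 09:16:30 web1 kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.100 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
EOF

# Print "count source dport proto" for every [UFW BLOCK] line in the file,
# most frequent tuple first. Fields are the kernel's KEY=VALUE pairs, so we
# split each field on "=" rather than relying on their position.
ufw_blocked_summary() {
    grep -F '[UFW BLOCK]' "$1" |
    awk '{
        src = ""; dpt = "-"; proto = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
        }
        if (src != "") print src, dpt, proto
    }' |
    sort | uniq -c | sort -rn
}

# Print "source distinct_port_count" for sources blocked on at least MIN
# (second argument, default 3) different destination ports: a simple
# port-scan heuristic. Allowed packets never count, even if logged.
ufw_scan_suspects() {
    scan_min=${2:-3}
    awk -v min="$scan_min" '
        index($0, "[UFW BLOCK]") == 0 { next }
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= min) printf "%s %d\n", s, ports[s] }
    ' "$1" | sort
}

printf 'Blocked packets by source, destination port and protocol:\n'
ufw_blocked_summary "$SAMPLE_UFW_LOG"
printf 'Sources blocked on 3 or more distinct ports:\n'
ufw_scan_suspects "$SAMPLE_UFW_LOG" 3
```

At the default low level only blocked packets are recorded, so these functions see drops but not accepted traffic; to correlate with what got through, add log to the relevant allow rule or raise the logging level, and remember that the kernel rate-limits log lines, so counts are lower bounds during a flood.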
Reference: https://wiki.ubuntu.com/UncomplicatedFirewall
2 Comments
Deny IP to Specific Port -To deny connections from any ip address of subnet use following command.
sudo ufw allow from 192.168.1.100 to any port 22
sudo ufw (deny) from 192.168.1.100 to any port 22 ?
Please do not remove the support for IPv6.
That will bite you hard if you connect to a network that supports IPv6.
If you have support for IPv6 turned on, it will not be used if you don’t have support for IPv6 routing in your machine or network. And it will protect you if you have it added. Even if you turn off the IPv6 module.
So please, remove or at least strongly suggest not to turn off UFW support for IPv6, even if your machine/network doesn’t support IPv6 for some strange reason.