How to Secure Your Linux Server with a UFW Firewall
UFW, short for “uncomplicated firewall,” is a frontend for the more complex
iptables utility. It’s designed to make managing a firewall as simple as setting ports to be open and closed, and regulating what traffic is allowed to go through.
Setting Up UFW
UFW is installed by default in Ubuntu, but if it’s not you can install it from
sudo apt-get install ufw
If you’re running another distro, you’ll have to use that distro’s package manager, but UFW is widely available. You can check the status of the firewall with:
sudo ufw status
Which should say “Inactive” if you haven’t configured it before.
A good place to start with any firewall is by closing all incoming traffic and allowing outgoing traffic. Don’t worry, this won’t cut off your SSH connection right away, as the firewall isn’t enabled yet.
sudo ufw default deny incoming sudo ufw default allow outgoing
This gives us a blank slate to work with, and add rules on top of.
Opening Ports With UFW
To open ports, use the command
ufw allow. For example, you’ll need to open up port 22, so go ahead and run:
sudo ufw allow 22
You can also leave a note for your future self when adding any rule:
sudo ufw allow 8080/tcp comment 'Open port for Express API'
Many applications install profiles for UFW, SSH being one of them. So you can also allow certain applications to open the ports they require by specifying the name:
sudo ufw allow ssh
You can view a list of available applications with
ufw app list, and view details about an application with
ufw app info [name].
You can also allow a whole range of ports by using a colon as a separator, and you can specify a protocol. For example, to allow only TCP traffic on ports 3000 through 3100, you can run:
sudo ufw allow 3000:3100/tcp
Since the default is set to deny incoming, you won’t have to manually close off any ports. If you did want to close off an outgoing port, you’ll have specify a direction alongside
sudo ufw reject out 3001
Whitelisting and Rate Limiting With UFW
You can allow certain IP addresses to have different permissions. For example, to allow all traffic from your IP address, you could run:
sudo ufw allow 192.168.1.1
To whitelist specific ports, you’ll have to use the fuller syntax:
sudo ufw allow proto tcp from 192.168.1.1 to any port 22
You likely won’t want to whitelist off SSH access in this way unless you have a backup connection or some sort of port knocking set up, as IP addresses change quite frequently. One option if you do want to restrict SSH access to only you is to set up an OpenVPN server in the same private cloud, and whitelist access to that server.
If you want to whitelist off a whole block of IP addresses, as is the case when you’re running your servers through a virtual private cloud provider, you can standard CIDR subnet notation:
sudo ufw allow 192.168.0.0/24
Subnets are pretty complicated, so you can read our guide to working with them to learn more.
Rate limiting is another useful feature of firewalls that can block connections that are obviously abusive. This is used to protect against an attacker attempting to bruteforce an open SSH port. Obviously you could whitelist the port to protect it entirely, but rate limiting is useful anyway. By default, UFW rate limits 6 connections per 30 seconds, and it’s intended to be used for SSH:
sudo ufw limit ssh
Turn On UFW
Once you’re done configuring your rules, you can enable UFW. Make sure that SSH on port 22 is open, or you’ll lock yourself out. If you want, you can disable UFW from running on boot so that a reset would fix any potential issues:
sudo systemctl disable ufw
Then, you can enable UFW with:
sudo ufw enable
If all is good, you can run
ufw status to view the current status of the firewall. If you’re not locked out, and the firewall is running, set it to run at boot with:
sudo systemctl enable ufw
Any time you make changes, you’ll need to reload the firewall with:
sudo ufw reload
You can also turn on logging, to log connections to
sudo ufw logging on
Managing and Deleting Rules
If you’d like to delete a rule, you’ll have to get its number with:
sudo ufw status numbered
Note that the numbers start at 1, not 0. You can delete a rule by number:
sudo ufw delete [number]
Again, make sure you don’t delete your rule keeping port 22 open. You can use the
--dry-run parameter to have UFW ask you for confirmation:
If you make any changes, you’ll need to reload the firewall again.