The Uncomplicated Firewall (ufw) is a front end for iptables and is a host based firewall. In this tutorial we will see how to enable and configure ufw firewall on Ubuntu system. Ubuntu 8.04 LTS introduced ufw, and it is available by default in all Ubuntu installations after 8.04 LTS. One notable feature of ufw is whenever you try to add some service rules on the firewall like to allow/deny ssh or http or smtp etc. By default it will add ipv4 and ipv6 rules simultaneously.
By default ufw firewall is inactive in Ubuntu system. To check the status of the firewall type the below command:
sudo ufw status Status: inactive
Default firewall policy: ufw
Firewall policy is defined for the packet which will interact with the system. Three types of options can be defined for the policy in the ufw firewall which are:
- INPUT (for all incoming traffic towards the firewall)
- OUTPUT (for all output traffic generated from the firewall)
- FORWARD (for all traffic pass the firewall)
To view or change the default policy open the below file with vim editor.
sudo vim /etc/default/ufw
For simplicity, we will keep the default settings. Exit from the file. You can also set the policy from the ufw command line like below:
sudo ufw default deny incoming Default incoming policy changed to 'deny' (be sure to update your rules accordingly) sudo ufw default allow outgoing Default outgoing policy changed to 'allow' (be sure to update your rules accordingly)
The ufw firewall is capable of handling ipv6 traffic. Open the ufw file again with vim editor and make the below change.
sudo vim /etc/default/ufw IPV6=yes
Make IPV6=YES. (By default the value is set to yes. If not, then change it to yes for enabling ipv6 support. a no will disable ipv6 on the firewall.)
Rules for SSH
Our firewall is still inactive. If you are login to your system through ssh, enabling the firewall may disconnect you from the server. To avoid this situation lets allow ssh or port 22 in our firewall. To allow ssh traffic type the below command and press enter:
sudo ufw allow ssh Rules updated Rules updated (v6)
As you can see the rules for ipv4 and ipv6 is added to our firewall. This time it is safe to activate our firewall.
Enable/Disable the ufw firewall
Type the below command to enable the firewall.
sudo ufw enable
You will be prompted a message like below
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Press y and you will see a message like below.
Firewall is active and enabled on system startup
The ufw firewall is active now. To check the status of the firewall type the below command.
sudo ufw status Status: active To Action From -- ------ ---- 22 ALLOW Anywhere 22 (v6) ALLOW Anywhere (v6)
As you can see the firewall is active now and our ssh rules (ipv4 and ipv6) are also present on the firewall.To disable the firewall type the below command:
sudo ufw disable
Rules for SSH from specific host
Type the below command to allow ssh from a specific host. (This time you have to mention the ipv4 and ipv6 address separately).
sudo ufw allow from YOUR_IPV4_ADDRESS to any port 22 proto tcp
sudo ufw allow from YOUR_IPV6_ADDRESS to any port 22 pro to tcp
More ufw status
After activating the ufw firewall, it has two more options for status. Those are verbose and numbered. Type the below command to see the firewall status in verbose mode.
sudo ufw status verbose
You will find the list of rules, status of the firewall and also the default policy set for the chains. Type the below command to find the list of the rules with line number.
sudo ufw status numbered
The rule number is helpful for deleting the rules.
Rules can be deleted by the following ways.
sudo ufw delete allow 22
sudo ufw delete RULE_NUMBER
Allow http and other traffic
Our default policy is set to DENY, to allow http and other traffic like ftp (21), smtp (25), https (443) etc, type the below command. It will add rules for ipv4 and ipv6 traffic.
sudo ufw allow 80 sudo ufw allow 443 sudo ufw allow 21 sudo ufw allow 25
ufw firewall also has a nice logging facility. Logging can be enabled by typing the below command
sudo ufw logging on
Different types of log level can be set in ufw firewall. The supported levels are low, medium and high. The level can be set by typing the below command.
sudo ufw logging low
Type the below command to find the log.
sudo tail -f /var/log/ufw.log
As I already told you that the ufw firewall is a front end of iptables, so writing rule using ufw has an impact on iptables chain. to see what is written in iptables type the below command:
sudo iptables -L -n
Thanks for reading the post. If you enjoyed the post, please share it with your network and let me know your thoughts in the comments.
About the Author: Imtiaz is working in a financial organization in Bangladesh and having experience in system, network and security administration. Feel free to contact with him on LinkedIn or Twitter.