Uncomplicated Firewall (ufw) for Ubuntu systems

The Uncomplicated Firewall (ufw) is a front end for iptables and works as a host-based firewall. In this tutorial we will see how to enable and configure the ufw firewall on an Ubuntu system. Ubuntu 8.04 LTS introduced ufw, and it has been installed by default in every Ubuntu release since. One notable feature of ufw is that whenever you add a service rule to the firewall, for example to allow or deny ssh, http or smtp, it adds the IPv4 and IPv6 rules simultaneously by default.

ufw status

By default the ufw firewall is inactive on an Ubuntu system. To check the status of the firewall, type the command below:

sudo ufw status
Status: inactive

Default firewall policy: ufw

The default policy decides what happens to a packet that no explicit rule matches. It can be set for three chains in the ufw firewall:

  1. INPUT (all incoming traffic destined for the host)
  2. OUTPUT (all traffic generated by the host)
  3. FORWARD (all traffic routed through the host)

To view or change the default policy, open the file below with the vim editor.

sudo vim /etc/default/ufw

For simplicity, we will keep the default settings. Exit the file. You can also set the policy from the ufw command line, like below:

sudo ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)

sudo ufw default allow outgoing
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)

Enable ipv6

The ufw firewall is capable of handling IPv6 traffic. Open the ufw file again with the vim editor and check the setting below.

sudo vim /etc/default/ufw

IPV6=yes

Make sure the line reads IPV6=yes. (By default the value is already yes; if not, change it to yes to enable IPv6 support. Setting it to no disables IPv6 handling in the firewall.)

Rules for SSH

Our firewall is still inactive. If you are logged in to your system through ssh, enabling the firewall may disconnect you from the server. To avoid this, let's allow ssh (port 22) in our firewall first. To allow ssh traffic, type the command below and press enter:

sudo ufw allow ssh

Rules updated
Rules updated (v6)

As you can see, rules for IPv4 and IPv6 have been added to our firewall. Now it is safe to activate the firewall.

Enable/Disable the ufw firewall

Type the below command to enable the firewall.

sudo ufw enable

You will be prompted with a message like below:

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y

Press y and you will see a message like below.

Firewall is active and enabled on system startup

The ufw firewall is active now. To check the status of the firewall, type the command below.

sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)

As you can see, the firewall is active now and our ssh rules (IPv4 and IPv6) are present on the firewall. To disable the firewall, type the command below:

sudo ufw disable
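The post warns that enabling the firewall can cut off your own ssh session. The script below is an added example (not from the original post) that checks the output of `ufw show added` for an ssh allow rule before running `ufw enable`; the rule formats it recognises are the ones this post uses (`ufw allow ssh`, which ufw records as `ufw allow 22/tcp`, and the `from ... to any port 22` form), and the exact wording of `ufw show added` is assumed.

```shell
#!/bin/sh
# Added example: refuse to run "ufw enable" unless an ssh allow rule has
# already been added, so a remote session is not cut off when the
# default-deny incoming policy takes effect.

# has_ssh_rule reads the text of "ufw show added" on stdin and returns 0
# if any line allows ssh in one of the forms used in this tutorial:
#   ufw allow 22/tcp      (what "ufw allow ssh" is recorded as; assumed format)
#   ufw allow ssh / ufw allow OpenSSH
#   ufw allow from <addr> to any port 22 [proto tcp]
# A "ufw deny ..." line or an unrelated address ending in .22 does not match.
has_ssh_rule() {
    grep -Eiq '^ufw allow ((22|ssh|OpenSSH)(/tcp)?|from [^ ]+ to any port 22( proto tcp)?)$'
}

# safe_enable runs the check against the live rule list and only then
# enables the firewall (ufw will still ask its own y/n question).
safe_enable() {
    if ! sudo ufw show added | has_ssh_rule; then
        echo "no ssh allow rule found; run 'sudo ufw allow ssh' first" >&2
        return 1
    fi
    sudo ufw enable
}

# Only touch the real firewall when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    safe_enable
fi
```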

Rules for SSH from specific host

Type the commands below to allow ssh from a specific host. (This time you have to specify the IPv4 and IPv6 addresses separately.)

sudo ufw allow from YOUR_IPV4_ADDRESS to any port 22 proto tcp
sudo ufw allow from YOUR_IPV6_ADDRESS to any port 22 proto tcp

More ufw status

After activating the ufw firewall, the status command has two more modes: verbose and numbered. Type the command below to see the firewall status in verbose mode.

sudo ufw status verbose

You will find the list of rules, the status of the firewall and also the default policy set for each chain. Type the command below to list the rules with their line numbers.

sudo ufw status numbered

The rule number is helpful for deleting the rules.

Delete rules

Rules can be deleted in either of the following ways.

sudo ufw delete allow 22

OR

sudo ufw delete RULE_NUMBER

Allow http and other traffic

Our default incoming policy is set to deny, so to allow http and other traffic such as ftp (21), smtp (25), https (443) etc., type the commands below. Each adds rules for IPv4 and IPv6 traffic.

sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow 21
sudo ufw allow 25

Logging

The ufw firewall also has a nice logging facility. Logging can be enabled by typing the command below:

sudo ufw logging on

Different log levels can be set in the ufw firewall. The supported levels are low, medium and high. The level can be set by typing the command below.

sudo ufw logging low

Type the command below to follow the log.

sudo tail -f /var/log/ufw.log
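Once logging is on, the log is mostly [UFW BLOCK] lines. The script below is an added example (not from the original post) that summarises blocked packets by source address and destination port, which is the quickest way to see which hosts are hitting the firewall and which ports they are probing. The log lines are constructed for the example and trimmed to the fields that matter; the SRC=, DST=, PROTO= and DPT= fields are the ones ufw writes through the kernel log.

```shell
#!/bin/sh
# Added example: summarise [UFW BLOCK] entries from /var/log/ufw.log.
# Usage on a real host:  sudo cat /var/log/ufw.log | blocked_summary

# Constructed sample log (not real traffic); extra fields such as MAC=,
# LEN= and TTL= that a real line carries are left out for brevity.
SAMPLE_LOG='Mar  3 10:15:01 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=54321 DPT=23
Mar  3 10:15:02 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=54322 DPT=23
Mar  3 10:15:03 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=54323 DPT=3389
Mar  3 10:15:04 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=23
Mar  3 10:15:05 host kernel: [UFW ALLOW] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
Mar  3 10:15:06 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=54324 DPT=23'

# blocked_summary reads ufw log lines on stdin and prints
# "<count> <source> <dport>" lines, most frequent first. Only [UFW BLOCK]
# entries count; [UFW ALLOW] and [UFW AUDIT] lines are ignored.
blocked_summary() {
    awk '/\[UFW BLOCK\]/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "") count[src " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# blocked_by_source aggregates the same entries per source address only,
# which is what you want when deciding whether a host deserves a deny rule.
blocked_by_source() {
    awk '/\[UFW BLOCK\]/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) count[substr($i, 5)]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Demo run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | blocked_summary
```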

iptables

As I already mentioned, the ufw firewall is a front end for iptables, so a rule written with ufw changes the iptables chains. To see what is written in iptables, type the command below:

sudo iptables -L -n

Enjoy!

Thanks for reading the post. If you enjoyed the post, please share it with your network and let me know your thoughts in the comments. 

About the Author: Imtiaz works in a financial organization in Bangladesh and has experience in system, network and security administration. Feel free to contact him on LinkedIn or Twitter.
