Simple firewall in Ubuntu with UFW

The default firewall configuration tool for Ubuntu is UFW. Developed to ease iptables firewall configuration, UFW provides a user friendly way to create an IPv4 or IPv6 host-based firewall. — Ubuntu community documentation

By default UFW is disabled. Although it might not be strictly needed to run a firewall in all cases, it is good advice for most users. UFW can be configured to allow all outgoing traffic and deny all incoming traffic. This is the “normal” operation mode for desktop PC’s. In general, it is advisable to run a firewall, so that if you are mis-configuring and opening up a port, your firewall will protect you. This is especially relevant when your machine is a laptop that you use on other people’s WiFi networks or when your network supports IPv6. If you run a web server and you want to open up ports to allow incoming traffic you can configure UFW using either a GUI (graphical user interface) or the CLI (command line interface).

Using the GUI to configure UFW

The Gufw GUI for UFW can be installed by executing the following simple command:

sudo apt-get install gufw

In the GUI you can go to “Edit” and “Preferences” to turn off or adjust the logging levels. The preferences pane also allows you to toggle the listening applications list. This is a nice overview, but not as powerful as the output of the commands “netstat -plant” and “ps aux”.

Gufw_1
Figure 1: A screenshot from the Gufw GUI for “ufw”

Configure UFW using the CLI

Normally, I advise desktop users to use a GUI for configuring the software, but the “ufw” CLI is so easy-to-use (or uncomplicated) that you might prefer it. The commands you typically have to type at the prompt are:

sudo ufw enable
sudo ufw logging off
sudo ufw status verbose

First we execute the “ufw enable” command to enable the firewall. Second we issue the “ufw logging off” command to prevent log lines in “/var/log/syslog” when connections are denied. Last we run the status command to check whether the firewall is running with the right configuration. Note that if you want to start all over again and wish to throw the configuration away you can run the “ufw reset” command. By default the enabled UFW will deny incoming and allow outgoing traffic.

ufw2
Figure 2: A sample of ufw log lines that show up in /var/log/syslog

Check firewall status

If you want to make sure the effective firewall rules are correct you can run the following command:

maurits@nuc:~$ sudo ufw status verbose
Status: active
Logging: off
Default: deny (incoming), allow (outgoing)
New profiles: skip
maurits@nuc:~$

Allow some (incoming) traffic

If you are running Apache (or Nginx) to serve HTTP (port 80) traffic from your box to your network or even the Internet, then allow it like this:

maurits@nuc:~$ sudo ufw allow 80
Rule added
Rule added (v6)
maurits@nuc:~$

Remove a rule

If you want to delete a rule, just prefix the rule with the word “delete” like this:

maurits@nuc:~$ sudo ufw delete allow 80
Rule deleted
Rule deleted (v6)
maurits@nuc:~$

Remove a rule by number

You can also identify and delete a rule using a (sequence) number. First use the “numbered” suffix on the “status” command to list the rules with their numbers, like this:

maurits@nuc:~$ sudo ufw status numbered
Status: active

To                         Action      From
--                         ------      ----
[ 1] 80                         ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere (v6)

maurits@nuc:~$

Then execute the command for deletion, like this:

maurits@nuc:~$ sudo ufw delete 2
Deleting:
 allow 80
Proceed with operation (y|n)? y
Rule deleted (v6)
maurits@nuc:~$

Note that every time you delete a rule, all other sequence numbers might change.

Share

Leave a Reply

Your email address will not be published. Required fields are marked *