The default firewall configuration tool for Ubuntu is UFW. Developed to ease iptables firewall configuration, UFW provides a user friendly way to create an IPv4 or IPv6 host-based firewall. — Ubuntu community documentation
By default UFW is disabled. Although a firewall is not strictly needed in every situation, enabling one is good advice for most users. UFW can be configured to allow all outgoing traffic and deny all incoming traffic, which is the “normal” operating mode for desktop PCs. In general it is advisable to run a firewall, so that if you misconfigure a service and unintentionally expose a port, the firewall still blocks connections to it. This is especially relevant when your machine is a laptop that you use on other people’s WiFi networks, or when your network supports IPv6. If you run a web server and want to open up ports to allow incoming traffic, you can configure UFW using either a GUI (graphical user interface) or the CLI (command line interface).
Using the GUI to configure UFW
The Gufw GUI for UFW can be installed by executing the following simple command:
sudo apt-get install gufw
In the GUI you can go to “Edit” and “Preferences” to turn off or adjust the logging levels. The preferences pane also allows you to toggle the listening applications list. This is a nice overview, but not as powerful as the output of the commands “netstat -plant” and “ps aux”.
Figure 1: A screenshot from the Gufw GUI for “ufw”
Configure UFW using the CLI
Normally I advise desktop users to configure software through a GUI, but the “ufw” CLI is so easy to use (uncomplicated, as its name suggests) that you might prefer it. The commands you typically type at the prompt are:
sudo ufw enable
sudo ufw logging off
sudo ufw status verbose
First we execute “ufw enable” to enable the firewall. Second we issue “ufw logging off” so that denied connections no longer produce log lines in “/var/log/syslog”. Last we run the status command to check that the firewall is running with the right configuration. If you want to start all over again and throw the configuration away, run “ufw reset”. Once enabled, UFW denies incoming and allows outgoing traffic by default.
Figure 2: A sample of ufw log lines that show up in /var/log/syslog
Check firewall status
If you want to make sure the effective firewall rules are correct you can run the following command:
maurits@nuc:~$ sudo ufw status verbose
Status: active
Logging: off
Default: deny (incoming), allow (outgoing)
New profiles: skip
maurits@nuc:~$
Allow some (incoming) traffic
If you are running Apache (or Nginx) to serve HTTP (port 80) traffic from your box to your network or even the Internet, then allow it like this:
maurits@nuc:~$ sudo ufw allow 80
Rule added
Rule added (v6)
maurits@nuc:~$
Remove a rule
If you want to delete a rule, just prefix the rule with the word “delete” like this:
maurits@nuc:~$ sudo ufw delete allow 80
Rule deleted
Rule deleted (v6)
maurits@nuc:~$
Remove a rule by number
You can also identify and delete a rule using a (sequence) number. First use the “numbered” suffix on the “status” command to list the rules with their numbers, like this:
maurits@nuc:~$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80                         ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere (v6)
maurits@nuc:~$
Then execute the command for deletion, like this:
maurits@nuc:~$ sudo ufw delete 2
Deleting:
 allow 80
Proceed with operation (y|n)? y
Rule deleted (v6)
maurits@nuc:~$
Note that every time you delete a rule, the sequence numbers of the remaining rules may change, so run “ufw status numbered” again before deleting the next one.
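As an added example (not part of the original post), here is a small POSIX shell script that handles the renumbering caveat: it parses the output of “ufw status numbered” for a given “To” value and emits the matching “ufw delete” commands highest number first, so that deleting one rule does not shift the number of the rules still to be deleted. The status text is constructed sample output, and the function names are my own; nothing is executed against the firewall.

```shell
#!/bin/sh
# Added example: derive safe "ufw delete N" commands from "ufw status numbered".

# Constructed sample of "sudo ufw status numbered" output (not captured from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 4] 80 (v6)                    ALLOW IN    Anywhere (v6)'

# rule_numbers_for <to-value>: reads status output on stdin and prints the
# numbers of the rules whose "To" column equals <to-value> (IPv4 and IPv6
# variants alike), highest first, one per line.
rule_numbers_for() {
    awk -v want="$1" '
        /^\[ *[0-9]+\]/ {
            # Rule number sits inside the brackets, e.g. "[ 1]" or "[12]".
            n = $0
            sub(/^\[ */, "", n); sub(/\].*/, "", n)
            # "To" column follows the bracket; drop the Action/From columns
            # and the "(v6)" suffix so IPv4 and IPv6 rules compare equal.
            to = $0
            sub(/^\[ *[0-9]+\] */, "", to)
            sub(/ +(ALLOW|DENY|REJECT|LIMIT) .*/, "", to)
            sub(/ *\(v6\)$/, "", to)
            if (to == want) print n
        }' | sort -rn
}

# delete_commands_for <to-value>: prints the delete commands in an order
# that survives renumbering (highest rule number first).
delete_commands_for() {
    rule_numbers_for "$1" | while read -r n; do
        printf 'sudo ufw delete %s\n' "$n"
    done
}

printf '%s\n' "$SAMPLE_STATUS" | delete_commands_for 80
```

Run the emitted commands one at a time; each prompts for confirmation exactly as shown above.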