Getting started with UFW on Ubuntu

Sam

Code for this tutorial can be found on GitHub


Setting Up UFW (Uncomplicated Firewall) on Ubuntu

Hey there! Today we'll walk through setting up UFW on Ubuntu. If you're not familiar with UFW, it's a user-friendly way to manage your firewall rules without getting lost in the complexity of iptables. Let's get started!

Prerequisites

  • An Ubuntu system (this guide works for all recent versions)
  • A user account with sudo privileges
  • A few minutes of your time

Step 1: Check UFW Status

First, let's make sure UFW is installed and check its status. UFW comes pre-installed on Ubuntu, but if it's missing, you can install it with:

sudo apt install ufw

To check the current status:

sudo ufw status

If you see "Status: inactive", that means UFW is installed but not running yet.

Step 2: Configure Default Policies

Before enabling UFW, let's set up some default policies. It's good practice to deny all incoming connections and allow all outgoing connections:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Step 3: Allow Essential Services

Now, let's add rules for the services you need. Here are some common examples:

# Allow SSH (important to do this first!)
sudo ufw allow 22/tcp

# Allow HTTP
sudo ufw allow 80/tcp

# Allow HTTPS
sudo ufw allow 443/tcp

Pro tip: You can also use service names instead of port numbers:

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

Step 4: Enable UFW

With our basic rules in place, we can now enable UFW:

sudo ufw enable

You'll get a warning about potentially disrupting existing SSH connections. Type 'y' and press Enter to continue.

Step 5: Verify Your Configuration

Check your rules:

sudo ufw status verbose

This will show you a complete list of your current rules and their status.
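The lock-out risk behind Steps 3 and 4 can be checked mechanically before running sudo ufw enable. The script below is an added example, not part of the tutorial's own code: it reads the staged rules that sudo ufw show added prints and reports whether inbound SSH is covered. The function names and the sample input are constructed for illustration, and the OpenSSH application profile is assumed to map to port 22.

```shell
#!/bin/sh
# Added example: pre-flight check to run before "sudo ufw enable".
# Real use:  sudo ufw show added | preflight 22

# ssh_rule_scope PORT: read "ufw show added" text on stdin and print
#   anywhere   - an allow/limit rule opens PORT to every source
#   restricted - PORT is only open to specific source addresses
#   none       - nothing staged covers PORT (enabling would lock you out)
# Rule shapes it does not recognise count as "none", so it fails safe.
ssh_rule_scope() {
    awk -v port="$1" '
        BEGIN { scope = "none" }
        $1 != "ufw" { next }                       # header and blank lines
        $2 != "allow" && $2 != "limit" { next }    # deny/reject never help
        # Simple form: ufw allow 22 | 22/tcp | OpenSSH (assumed to be port 22)
        NF == 3 {
            if ($3 == port || $3 == (port "/tcp")) scope = "anywhere"
            if (port == 22 && $3 == "OpenSSH")     scope = "anywhere"
        }
        # Full form: ufw allow from ADDR to any port 22 [proto tcp]
        $3 == "from" && scope != "anywhere" {
            if ($(NF-1) == "proto" && $NF == "udp") next
            for (i = 5; i + 3 <= NF; i++)
                if ($i == "to" && $(i+2) == "port" && $(i+3) == port)
                    scope = ($4 == "any") ? "anywhere" : "restricted"
        }
        END { print scope }
    '
}

# preflight PORT: return 0 only when a staged rule keeps SSH reachable.
preflight() {
    scope=$(ssh_rule_scope "$1")
    case $scope in
        anywhere)   echo "ok: SSH port $1 is allowed from any source" ;;
        restricted) echo "ok: SSH port $1 is allowed from listed sources only" ;;
        *)          echo "STOP: no staged rule allows SSH port $1" >&2; return 1 ;;
    esac
}

# Constructed sample of "ufw show added" output after Step 3 of this guide.
SAMPLE_STAGED="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp"

printf '%s\n' "$SAMPLE_STAGED" | preflight 22
```

If sshd listens on a non-default port, pass that port instead of 22. A "restricted" result means you should confirm that your current client address is one of the listed sources before enabling.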

Common UFW Commands

Here are some helpful commands you might need:

# Delete a rule
sudo ufw delete allow 80/tcp

# Allow connections from a specific IP
sudo ufw allow from 192.168.1.100

# Allow connections to a specific port from a specific IP
sudo ufw allow from 192.168.1.100 to any port 22

# Deny specific ports
sudo ufw deny 3306

# Enable logging
sudo ufw logging on

Troubleshooting Tips

  1. Can't connect after enabling UFW? Double-check that you allowed SSH (port 22) before enabling the firewall.

  2. Need to start over? Reset UFW to default settings:

    sudo ufw reset
    
  3. Want to temporarily disable UFW?

    sudo ufw disable
    

Best Practices

  • Always allow SSH before enabling UFW
  • Use specific rules instead of allowing broad port ranges
  • Regularly review your rules with sudo ufw status numbered
  • Keep logs enabled for security monitoring
  • Remove rules you no longer need

Remember: security is about finding the right balance between protection and usability. Only open the ports you actually need, and regularly review your firewall rules to maintain a secure system.

Need help? You can always check the UFW manual:

man ufw

That's it! You now have a basic but solid firewall configuration that you can build upon based on your specific needs.
