How To Set Up the UFW Firewall on Ubuntu and Debian

UFW (Uncomplicated Firewall) is a front-end for the iptables firewall and is well suited to host-based firewalls. It is designed to provide an easy way to manage a firewall, even for users who do not have much experience with firewalls. This tutorial will help you set up UFW as the firewall on Ubuntu and Debian systems.

Install UFW

First, make sure the latest version of UFW is installed on your Ubuntu system. Use the following commands to install or update UFW.
$ sudo apt-get update
$ sudo apt-get install ufw

Enable/Disable UFW

Use the following commands to disable or enable the firewall.
$ sudo ufw disable 
$ sudo ufw enable 

Check UFW Status

Now make sure UFW is active.
rahul@tecadmin:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)

Enable/Disable IPv6

You may need IPv6 support in your firewall. Disable IPv6 support if your system is not configured to use IPv6. To do so, edit /etc/default/ufw and set IPV6 to “yes” or “no”.
IPV6=no
After making the change, disable and re-enable the firewall:
$ sudo ufw disable && sudo ufw enable

Allow Connections with UFW

  • Allow Specific Ports – To allow individual ports, for example port 21 (FTP), 80 (HTTP) and 443 (HTTPS):
    $ sudo ufw allow 21/tcp
    $ sudo ufw allow 80/tcp
    $ sudo ufw allow 443/tcp
  • Allow Specific Services – UFW uses the /etc/services file to look up the port of a named service, so a service can be allowed by name instead of by port number, for example ftp (21) or http (80).
    $ sudo ufw allow ftp/tcp
    $ sudo ufw allow http/tcp
    $ sudo ufw allow https/tcp
  • Allow Port Range – A range of ports can also be allowed in a single command:
    $ sudo ufw allow 1100-1200/tcp
  • Allow Access to Specific IP – To allow connections from a specific IP address, use the following command.
    $ sudo ufw allow from 192.168.1.100
  • Allow Access to Subnet – To allow connections from any IP address in a subnet, use the following command.
    $ sudo ufw allow from 192.168.1.0/24
  • Allow IP to Specific Port – To allow connections from a specific IP address to a specific port, use the following command.
    $ sudo ufw allow from 192.168.1.100 to any port 22

Deny Connections with UFW

  • Deny Specific Ports – To deny individual ports, for example port 21 (FTP), 80 (HTTP) and 443 (HTTPS):
    $ sudo ufw deny 21/tcp
    $ sudo ufw deny 80/tcp
    $ sudo ufw deny 443/tcp
  • Deny Port Range – A range of ports can also be denied in a single command:
    $ sudo ufw deny 1100-1200/tcp
  • Deny Access to Specific IP – To deny connections from a specific IP address, use the following command.
    $ sudo ufw deny from 192.168.1.100
  • Deny Access to Subnet – To deny connections from any IP address in a subnet, use the following command.
    $ sudo ufw deny from 192.168.1.0/24
  • Deny IP to Specific Port – To deny connections from a specific IP address to a specific port, use the following command.
    $ sudo ufw deny from 192.168.1.100 to any port 22

Enable or Disable Logging

UFW logs all filtered connections to the /var/log/ufw.log file, which can be helpful for troubleshooting. Use the commands below to enable or disable logging.
Enable logging:
$ sudo ufw logging on 
Disable logging:
$ sudo ufw logging off 
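Once logging is on, the entries in /var/log/ufw.log can be summarised to see which sources are being blocked on which ports. The script below is an added example, not part of the original tutorial; the function names are hypothetical, the log lines are constructed samples, and it assumes the usual kernel log fields (SRC=, PROTO=, DPT=) that UFW entries carry.

```shell
#!/bin/sh
# Added example: count blocked connections in UFW log lines by source and port.
# Function names are illustrative; the log lines below are constructed samples.

sample_ufw_log() {
cat <<'EOF'
Mar 10 09:14:02 web01 kernel: [ 1201.554321] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51544 DPT=22 SYN URGP=0
Mar 10 09:14:03 web01 kernel: [ 1202.101010] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51546 DPT=22 SYN URGP=0
Mar 10 09:14:05 web01 kernel: [ 1204.000321] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51550 DPT=22 SYN URGP=0
Mar 10 09:20:41 web01 kernel: [ 1600.250000] [UFW ALLOW] IN=eth0 OUT= SRC=192.168.1.100 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=40022 DPT=22 SYN URGP=0
Mar 10 09:31:17 web01 kernel: [ 2236.700100] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=33810 DPT=21 SYN URGP=0
Mar 10 09:31:59 web01 kernel: [ 2278.900700] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=48 TTL=49 PROTO=UDP SPT=5353 DPT=1150 LEN=28
Mar 10 09:40:00 web01 kernel: [ 2759.000000] eth0: link becomes ready
EOF
}

# Read ufw.log lines on stdin and print "count source proto/port",
# most frequently blocked first. Non-BLOCK lines are ignored.
ufw_block_summary() {
  awk '
    /\[UFW BLOCK\]/ {
      src = ""; proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      }
      if (src == "") next          # malformed entry, skip it
      if (dpt == "") dpt = "-"     # protocols without ports, e.g. ICMP
      count[src " " tolower(proto) "/" dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# Stand-alone run on the constructed sample.
sample_ufw_log | ufw_block_summary
```

On a live host, run it against the real file with `ufw_block_summary < /var/log/ufw.log` as a user allowed to read the log.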
Reference: https://wiki.ubuntu.com/UncomplicatedFirewall
