Linux UFW (Uncomplicated Firewall) Configuration Made Easy

Learn how to configure and manage a firewall using UFW, a critical skill for securing Linux systems.

Grant Knoetze, Contributor

August 28, 2024

13 Min View

This tutorial covers configuring and managing a basic firewall using UFW, the uncomplicated firewall, which simplifies firewall rule management on Linux systems.

Understanding how to set up and manage firewall rules is vital for protecting systems from unauthorized access by ensuring that only legitimate traffic is allowed while blocking potential threats. This tutorial provides practical, step-by-step guidance on using UFW's commands, enabling IT professionals to implement and customize security measures according to their needs. 

The following transcript has been edited for length and clarity. 

Transcript:

Grant Knoetze: Hello, and welcome to this tutorial on configuring and managing a basic firewall using UFW, the uncomplicated firewall. Using UFW is an essential skill for securing any Linux system. Let's dive in. 

What Is UFW?

What is a firewall? A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. 

What is the uncomplicated firewall? UFW, or the uncomplicated firewall, is a user-friendly frontend for managing iptables firewall rules. It simplifies the process of setting up a firewall to secure your system.

Here we are on the Ubuntu community wiki for UFW, and it says: “UFW, the uncomplicated firewall, is the default firewall configuration tool for Ubuntu. It was developed to ease iptables firewall configuration. UFW provides a user-friendly way to create an IPv4 or IPv6 host-based firewall. By default, UFW is disabled.”


Getting Started With Linux UFW

Let's dive into some fundamental usage. You are going to need to open a terminal. Once you have opened your terminal, we can start with the basics of managing UFW, the uncomplicated firewall. 

The first thing you want to do is enable UFW. When you turn on UFW or enable it, it uses a default set of rules that should be fine for the average home user. In short, the default setting is:

  • All incoming is denied with some exceptions to make things easier for home users.

  • All outgoing is allowed. 

To enable UFW, type the sudo ufw enable command. We can see that the firewall is enabled and active on system startup. 

To disable UFW, you could type sudo ufw disable. We can see that the firewall is stopped and disabled at the system startup. 

If you have not installed UFW on your system, you can use your package manager; for Debian and Ubuntu, that is apt. I will type in sudo apt install ufw. We can see that I have already installed the latest version. If it were not installed, it would be installed. If it were installed but needed to be upgraded, it would be upgraded. That is sudo apt install ufw, and you can use whatever package manager your distribution uses. 


After enabling or disabling UFW, if I want to see the status, I can type sudo ufw status and add the verbose parameter to get more detailed output. When I hit Enter, it tells me that the status is inactive. 

Typing sudo ufw enable and hitting Enter will enable the firewall. I retype the sudo ufw status verbose command. It gives me a rich output. It tells me that the Status is active. Logging is off (we will get into logging and show you how to enable it). Default is deny (incoming), allow (outgoing), disabled (routed). New profiles: skip. 

We can see all the rules here. For 443, it is “allow in” from anywhere. The rules with “Anywhere” as the destination are “allow in” from IP addresses that I have worked with in the past. Port 22/TCP is “limited.” 22 is “allow in.” 80/TCP is “deny in,” etc. It also shows us which rules are for IPv6; everything else is IPv4. 

Allow or Deny Specific Rules

To allow connections based on a specific port or protocol, you can use sudo ufw allow. You specify the port, and the protocol is optional. To allow incoming TCP and UDP packets on port 53, I would type in: 


sudo ufw allow 53

I hit Enter and have added the rule.

To allow specifically TCP packets coming in on port 53, I would enter: 

sudo ufw allow 53/tcp

To allow specifically UDP communication on port 53, I could enter: 

sudo ufw allow 53/udp

To deny or to create “deny” rules for the same, I could type: 

sudo ufw deny 53

Entering this command will update the rule and deny all traffic on port 53.

To specifically deny according to protocol: 

sudo ufw deny 53/tcp

Similarly, for UDP:

sudo ufw deny 53/udp

Delete an Existing Rule 

To delete a rule, prefix the original rule with delete. For example, if the original rule was sudo ufw deny 80/tcp, I could prefix this with sudo ufw delete deny:

sudo ufw delete deny 80/tcp

I press Enter and I delete the rule. 

Deny or Allow by Service Name

You can also allow or deny by service name, since UFW reads from /etc/services. 

To get a list of services, you can use sudo or not, but we can use less:

less /etc/services

We can see a list of all our services. For example, it shows Secure Shell (SSH) running on port 22/tcp. To traverse through less, you can use your spacebar. To exit, you can hit the Q key.

Let’s look at how to allow by service name. For example, let's use Secure Shell: 

sudo ufw allow ssh

We have updated the rule. 

To deny by service name, we type: 

sudo ufw deny ssh

We have updated the rule and denied SSH.

Enable or Disable Logging

Let's talk about logging. Logging is helpful for troubleshooting, and it's also critical for security. For example, you would want to look at firewall logs when responding to an incident. 

You can enable logging in UFW by simply typing in:  

sudo ufw logging on

If you'd like to disable logging, you type:

sudo ufw logging off
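Once logging is on, UFW writes [UFW BLOCK] and [UFW ALLOW] entries to the kernel log (on Ubuntu, /var/log/ufw.log). The helper below is an added example, not part of the original tutorial: it summarises blocked packets per source address and counts how many distinct destination ports one source hit, which is the first thing to check when triaging an incident. The log lines are constructed, and the field layout (SRC=, DPT=, PROTO=) is assumed from the standard netfilter log format, with the MAC/LEN/TTL fields omitted for brevity.

```shell
#!/bin/sh
# Constructed sample of UFW log lines (abbreviated netfilter format, assumed).
UFW_SAMPLE_LOG='Aug 28 10:00:01 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=51515 DPT=22
Aug 28 10:00:02 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=51516 DPT=23
Aug 28 10:00:03 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=51517 DPT=3389
Aug 28 10:00:04 host kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.10 PROTO=TCP SPT=40000 DPT=22
Aug 28 10:00:05 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=UDP SPT=53 DPT=53'

# Read log lines on stdin; print "count source" for blocked packets, busiest source first.
ufw_blocked_by_src() {
  grep '\[UFW BLOCK\]' | awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^SRC=/) { split($i, kv, "="); n[kv[2]]++ }
  } END { for (s in n) print n[s], s }' | sort -rn
}

# Read log lines on stdin; print the number of distinct destination ports that
# the given source address was blocked on (many ports from one source = probing).
ufw_ports_probed_by() {
  src="$1"
  grep '\[UFW BLOCK\]' | grep "SRC=$src " | awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^DPT=/) { split($i, kv, "="); p[kv[2]] = 1 }
  } END { c = 0; for (d in p) c++; print c }'
}

# Usage on the constructed sample (on a live host: sudo cat /var/log/ufw.log | ufw_blocked_by_src)
printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_blocked_by_src
printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_ports_probed_by 203.0.113.5
```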

Advanced Syntax 

You can also use a fuller syntax, specifying the source and destination addresses, ports, and protocol. Let's look at allowing by specific IP address. 

To allow by specific IP address, I type sudo ufw allow from and then specify the IP address. For example: 

sudo ufw allow from 192.168.1.1

I press Enter and add the rule. 

To deny traffic from that same IP address, I put the deny keyword where the allow keyword was:

sudo ufw deny from 192.168.1.1

Allow by Specific Port and IP Address

If I want to allow from a specific IP address to a specific port, I can type in sudo ufw allow from, then the IP address (192.168.1.1, for example), then to any port followed by the port number. I'm going to use port 22 as an example. 

sudo ufw allow from 192.168.1.1 to any port 22

To deny, I would change the allow keyword to deny:

sudo ufw deny from 192.168.1.1 to any port 22

To specify a port, IP address, and protocol together, I use the same command and then add the proto (protocol) keyword followed by the protocol. In this case, I’m choosing TCP. 

sudo ufw deny from 192.168.1.1 to any port 22 proto tcp

You can go ahead and do the same thing for another protocol, UDP:

sudo ufw deny from 192.168.1.1 to any port 22 proto udp

Working With Numbered Rules

UFW stores and deals with rules in a numbered way. You can use the status numbered command to show the order and number of the rules:

sudo ufw status numbered

We can see my rules in a numbered order, from one to 23.

Editing Numbered Rules

You may delete rules using the number. 

Let's run sudo ufw status numbered again and identify which rule we'd like to delete. For example, we can delete rule number 10, the UDP rule. You can use: 

sudo ufw delete 10

It shows the rule it is about to delete and prompts me for a yes or no. I choose yes and delete the rule.

When I run my status numbered, I can see that that rule has been deleted and the list has been shifted by one. Rule number 10 is now a different rule. 

To insert a rule at a specific position in the list, position 10 in this case, we can type in: 

sudo ufw insert 10 allow from 192.168.1.1 to any port 53

When I type sudo ufw status numbered, we can see that rule 10, port number 53, from the specified IP address, has been inserted. 
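Because the list shifts by one after every delete, deleting several numbered rules in ascending order removes the wrong rules from the second one onward. The helper below is an added example, not part of the original tutorial: it parses the output of sudo ufw status numbered, picks the rules matching a pattern, and emits delete commands highest number first so they are safe to run as a batch. The status output is constructed, its column layout is assumed from the standard ufw format, and --force is the real ufw flag that skips the yes/no confirmation.

```shell
#!/bin/sh
# Constructed sample of `sudo ufw status numbered` output (layout assumed).
UFW_STATUS_SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 443                        ALLOW IN    Anywhere
[ 3] 22                         ALLOW IN    192.168.1.1
[ 4] 53/udp                     DENY IN     Anywhere
[ 5] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 6] 53/udp (v6)                DENY IN     Anywhere (v6)'

# Read status output on stdin; print the numbers of rules whose line matches
# PATTERN (extended regex), highest number first so later deletes do not shift.
ufw_rule_numbers_matching() {
  pattern="$1"
  grep -E "$pattern" | sed -n 's/^\[ *\([0-9][0-9]*\)\].*/\1/p' | sort -rn
}

# Emit one delete command per matching rule, in batch-safe order. Nothing is
# executed here; review the output, then pipe it to sh if it is what you want.
ufw_delete_commands() {
  ufw_rule_numbers_matching "$1" | while read -r n; do
    echo "sudo ufw --force delete $n"
  done
}

# Usage on the sample (on a live host: sudo ufw status numbered | ufw_delete_commands '53/udp')
printf '%s\n' "$UFW_STATUS_SAMPLE" | ufw_delete_commands '53/udp'
```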

Recap

To recap, we've been through the basics of using the uncomplicated firewall. For more resources and help, you can use the man pages in Linux. Typing man ufw shows the manual page for UFW. Use your spacebar to go through it and Q to quit. Or you could type in ufw --help for a simplified help summary. 

I hope you've enjoyed this tutorial. I look forward to seeing you on the next one.

About the Author

Grant Knoetze

Contributor

Grant Knoetze is a cybersecurity analyst with a special interest in DFIR, programming languages, incident response, red-teaming, and malware analysis. His full-time job includes teaching and instructing in various topics from basic Linux all the way through to malware incident response, and other advanced topics. He is also a speaker at various conferences worldwide.

www.grantknoetze.com

https://github.com/Grant-Knoetze

https://www.linkedin.com/in/grant-knoetze-563b0b1b6/
