Ubuntu Firewall for humans I have always been scared of IP tables. If you want to know the reason check out the Though I have heard from many people that IPtables are more robust and secure, I have never used them because it has always been daunting. I personally feel that if I am not comfortable with something like IPtables and still use it I might add more security holes while not leveraging the benefits it provides. So I have stuck to using ufw for now. It is for the same reason that I prerfer Ubuntu over other flavors. Familiarity breeds confidence and I know that I will make less blunders. Donot consider this as a promotion of Ubuntu over other more secure flavors, because it is not. It is just my personal preference. man page for the same. : Did you know that is generally translated as Side note “Ubuntu” “I am because we are," Before getting started Keep these things in mind before getting started. Use some form of firewall. If not ufw you can use iptables directly. If you are using ufw, make sure that your ufw service is started on reboot. Understand the defaults of ufw well. Blacklist all and whitelist what is required is always a better option. Set up a that gives you a trigger when ufw is down. monitoring tool like zabbix Installing ufw sudo apt install ufw Check status # ufw statusStatus: inactive We will enable after adding the relevant rules. ufw ssh Whitelist Make sure allow ssh before enabling ufw so that you can access your server from anywhere using ssh. #sudo ufw allow sshRules updatedRules updated (v6) Checking added rules You cannot check the added rules using when ufw is not active. Instead you can use You can use this even after enabling the ufw. ufw status ufw show added. # ufw show addedAdded user rules (see 'ufw status' for running firewall):ufw allow 22/tcp Enable ufw Enabling ufw without adding rule for ssh might lock you out of your server. So be careful before enabling ufw. I have not tried it though, so I can’t be sure. :P # ufw enableCommand may disrupt existing ssh connections. Proceed with operation (y|n)? yFirewall is active and enabled on system startup Check status gives you the status of ufw and also lists all the enabled rules. ufw status # ufw statusStatus: active To                         Action      From--                         ------      ----22/tcp                     ALLOW       Anywhere22/tcp (v6)                ALLOW       Anywhere (v6) can be problematic as it doesn’t give all the details. Checkout next section. ufw status UFW Defaults Not knowing the defaults cost me a couple of hours the other day. Since were not displayed and details under was not clear enough, I had assumed a few things which cost me dearly. So go through the default options before actually setting up the relevant rules for your applications. defaults Action You can get those details using ufw status verbose # ufw status verboseStatus: activeLogging: on (low)Default: deny (incoming), allow (outgoing), disabled (routed)New profiles: skip To                         Action      From--                         ------      ----22/tcp                     ALLOW IN    Anywhere22/tcp (v6)                ALLOW IN    Anywhere (v6) As you can see from the output now Defaults are This will make sure that no outside systems can connect to your machine until you add an overriding rule for the same. deny (incoming) : Defaults are This means that all outgoing request are enabled. While this setting helps you run commands like , and without any issues. But if you want to keep your server secure it is better to make defaults as block outgoing and then allow specific IPs/domains that you need. allow (outgoing) : apt-install wget ping Default are This means that all routing is disabled and forwarding is blocked. This is a good default provided you are not using your machine as a router. disabled (routed) As you can see in Action columns it is “ALLOW IN”. Which means there is also “ALLOW OUT”. You need to add such a rule if you make the default as deny (outgoing). Changing Defaults The defaults we see above are equivalent of the following rules. sudo ufw default deny incomingsudo ufw default allow outgoing If you want to change the default to deny outgoing you can run #sudo ufw default deny outgoingDefault outgoing policy changed to 'deny'(be sure to update your rules accordingly) If you set the above default you will need to manually add rules for accessing outside systems. It can be a cumbersome process but much safer. For example let us say you want to allow outgoing traffic on port 10060 then you can run ufw allow out 10060 Instead of keeping the default as is, I think it is better to deny outgoing. Whenever you want to perform some upgrades or install software you can add rule like temporarily and then delete it once you are done. outgoing Also if you want to open only specific ports so that you can use apt you can use the following rules that I borrowed from this answer. ufw default deny incomingufw default deny outgoingufw limit sshufw allow svnufw allow gitufw allow out httpufw allow in http ufw allow out httpsufw allow in httpsufw allow out 53ufw logging onufw enable Show rules You can use to show all the added rules. ufw show added # ufw show addedufw allow 22/tcpufw allow from x.x.x.x to any port 27017ufw allow from x.x.x.x to any port 27017ufw allow from x.x.x.x to any port 10050ufw allow from x.x.x.x to any port 10050 Earlier I was using the command but now I use and then use the rules from there to delete like following. ufw status numbered ufw show added ufw delete allow 22/tcp Thumb Rules Make sure ufw is started on boot. Change the defaults to make then more restrictive based on your comfort. Deny by default and enabled only what is required. Keep your rules as specific as possible. Example sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp Add a which check the status of ufw as well any rules that are very critical. monitoring tool like Zabbix Further Reading If you want more details and more query options checkout https://help.ubuntu.com/community/UFW I had created done blunders without knowing the ufw clearly. I hope this article can stop you from committing such blunders. If you liked this article and would like to read similar articles, don’t forget to clap. Click and drag to clap more than once. 50 is the limit. You can read the others articles from the series. _I have had a kind of “love and hate” relationship with JavaScript. But nevertheless JavaScript was always intriguing…_hackernoon.com Understanding promises in JavaScript _Async and Await are extensions of promises. So if you are not clear about the basics of promises please get comfortable…_hackernoon.com Understanding async-await in Javascript — Gokul N K — Medium _I recently read a medium post where the author claimed that using async-await is better than using promises. While this…_hackernoon.com Should I use Promises or Async-Await If you are interested in cryptocurrencies checkout _“Never Invest In Something You Don’t Understand”_hackernoon.com 10 things to know/do before investing in cryptocurrencies _It has been more than an year since I started investing in cryptocurrencies. Following Warren Buffet’s advice of “Never…_hackernoon.com Beginner’s Guide to “Investing in Cryptocurrencies” _Price is an important indicator. But it can also be misleading in many cases._blog.goodaudience.com Why comparing cryptocurrency prices is wrong

Keep

Mind

Linux Systemctl

Each of The Top 100 Cryptocurrencies Explained in One Sentence

Declutter Your Mind

Read My Stories

Too Long; Didn't Read

Make resilience your competitive advantage

Understanding UFW

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

Enhancing Search With Elastic

$2M Backing and a Vision: How GAM3S.GG is Reshaping Web3 Gaming

$1M Hackathon Prizes Announced By MultiversX to Expand the Blockchain Ecosystem

Windows Sticky Keys Exploit: The War Veteran That Never Dies

$PEPE, a Purple Lamborghini, and More: The Story Continues

Enhancing Search With Elastic

$2M Backing and a Vision: How GAM3S.GG is Reshaping Web3 Gaming

$1M Hackathon Prizes Announced By MultiversX to Expand the Blockchain Ecosystem

Windows Sticky Keys Exploit: The War Veteran That Never Dies

$PEPE, a Purple Lamborghini, and More: The Story Continues

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps