Simplify your firewall setup
Fire Protection
Canonical's ufw lets you configure your firewall without the hassle of the iptables tool, while reducing the risk of misconfiguration and simplifying maintenance.
The netfilter firewall included in the Linux kernel can be comprehensively controlled with the iptables tool. However, iptables' complexity not only drives some users crazy, it also increases the risk of unintentionally tearing holes in the firewall with incorrect rules or typos.
Canonical offers a remedy with the Uncomplicated Firewall (ufw) [1]. The command-line program accepts clearly structured rules, which it translates into the appropriate iptables calls in the background. This approach also allows you the advantage of supplementing your setup with more complex rules in iptables, if needed.
Installation
Originally developed by Canonical for Ubuntu, ufw has been part of the distribution since Ubuntu 8.04. Alternately, you can install it with the ufw package. You can also now find ufw on other distributions.
If your distribution's repositories do not contain ufw, you can pick up the source code online [2]. To get started, ufw requires Python v3.4 or later, iptables 1.4 or later, gettext
, and make
. After unpacking the source code archive, just call
python3 ./setup.py install
with root privileges for a global installation. To start the firewall at boot time, integrate the command
/lib/ufw/ufw-init start
into the respective start scripts. An example unit for systemd is available in the source code archive in doc/systemd.example
.
If you also want to regulate IPv6 traffic, open the configuration file located in /etc/default/ufw
and make sure it contains a line stating IPV6=yes
. In this article, all examples use IPv4 addresses, but the commands will also work with IPv6.
Blockade
Before getting started, check whether the firewall is running with:
sudo ufw status
If a status: inactive
message appears, launch ufw by typing
sudo ufw enable
This command also ensures that the firewall starts up automatically at boot time. If necessary, you can disable it again at any time with:
sudo ufw disable
By default, ufw blocks all incoming requests and allows all outgoing messages from the machine to pass. This prevents attackers in particular from reaching any service on the corresponding system. At the same time, the behavior gives you a safety net that catches everything; unless another rule says otherwise, ufw applies the default rules. For example, if you do not define a rule for SSH access, ufw automatically blocks access from outside based on the default rules.
You can change the default behavior with the two commands shown in Listing 1. The first line takes care of all incoming connections, while the second line is for outgoing connections; deny
prohibits access, while allow
permits it. Consequently, the two commands ensure the default behavior. If you were to replace allow
with deny
in the second line of Listing 1, ufw would automatically prohibit all network traffic.
Listing 1
Connections
$ sudo ufw default deny incoming $ sudo ufw default allow outgoing
Like all other commands, the two commands in Listing 1 are intuitive. Even without knowledge of the individual parameters, you can decipher what the command does. Ufw uses its own syntax, which is based on the OpenBSD PF firewall's syntax. If you have previously worked with other tools like iptables, you will need to learn ufw's syntax.
Regulators
Ufw lets you drill holes in the firewall in a targeted way. To do this, specify the appropriate service after the following command:
sudo ufw allow
For instance, the command shown in Figure 1
sudo ufw allow ssh
allows SSH connections from the outside. Repeat this step for all other services you want to allow. For example,
sudo ufw allow http
allows access to an HTTP browser via port 80. All supported names and services can be found in the /etc/services
file.
In addition, ufw also understands the names of some applications. For example,
sudo ufw allow 'CUPS'
sets up custom rules for the CUPS printing system. To determine which application names a system currently supports, use:
sudo ufw app list
On Ubuntu, the range of available applications depends largely on the installed services. For example, if the web server Nginx is not available on your system, ufw does not support it either.
If an application name contains spaces, such as Nginx Full, you will need to quote it in the ufw call, as shown in the CUPS example. Otherwise, the shell interprets the words in the name as individual parameters. It is a good idea to get into the habit of always enclosing application names in quotes.
An application's rules are defined by an application profile (Figure 2). All existing profiles are grouped in the directory /etc/ufw/applications.d/
. The files in this directory can be used as a basis for your own application profiles; its structure is self-explanatory.
When creating a firewall rule, you can also specify the port directly. For SSH, for example, you would specify the port as follows:
sudo ufw allow 22
Ufw then automatically sets up matching rules for the TCP and UDP protocols. To allow only a specific protocol, append it to the port number with a forward slash (22/tcp
). Complete port ranges can also be stored. For example,
sudo ufw allow 8080:8082/tcp
opens ports 8080, 8081, and 8082 for incoming TCP connections.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Fedora Asahi Remix 41 Available for Apple Silicon
If you have an Apple Silicon Mac and you're hoping to install Fedora, you're in luck because the latest release supports the M1 and M2 chips.
-
Systemd Fixes Bug While Facing New Challenger in GNU Shepherd
The systemd developers have fixed a really nasty bug amid the release of the new GNU Shepherd init system.
-
AlmaLinux 10.0 Beta Released
The AlmaLinux OS Foundation has announced the availability of AlmaLinux 10.0 Beta ("Purple Lion") for all supported devices with significant changes.
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.