Setting Up UFW
UFW is installed by default in Ubuntu, but if it’s not you can install it from apt:
If you’re running another distro, you’ll have to use that distro’s package manager, but UFW is widely available. You can check the status of the firewall with:
Which should say “Inactive” if you haven’t configured it before.
A good place to start with any firewall is by closing all incoming traffic and allowing outgoing traffic. Don’t worry, this won’t cut off your SSH connection right away, as the firewall isn’t enabled yet.
This gives us a blank slate to work with, and add rules on top of.
Opening Ports With UFW
To open ports, use the command ufw allow. For example, you’ll need to open up port 22, so go ahead and run:
You can also leave a note for your future self when adding any rule:
Many applications install profiles for UFW, SSH being one of them. So you can also allow certain applications to open the ports they require by specifying the name:
You can view a list of available applications with ufw app list, and view details about an application with ufw app info [name].
You can also allow a whole range of ports by using a colon as a separator, and you can specify a protocol. For example, to allow only TCP traffic on ports 3000 through 3100, you can run:
Since the default is set to deny incoming, you won’t have to manually close off any ports. If you did want to close off an outgoing port, you’ll have to specify a direction alongside ufw reject:
Whitelisting and Rate Limiting With UFW
You can allow certain IP addresses to have different permissions. For example, to allow all traffic from your IP address, you could run:
To whitelist specific ports, you’ll have to use the fuller syntax:
You likely won’t want to restrict SSH access to a whitelisted address in this way unless you have a backup connection or some sort of port knocking set up, as IP addresses change quite frequently. One option if you do want to restrict SSH access to only you is to set up an OpenVPN server in the same private cloud, and whitelist access to that server.
If you want to whitelist a whole block of IP addresses, as is the case when you’re running your servers through a virtual private cloud provider, you can use standard CIDR subnet notation:
Subnets are pretty complicated, so you can read our guide to working with them to learn more.
Rate limiting is another useful feature of firewalls that can block connections that are obviously abusive. This is used to protect against an attacker attempting to brute-force an open SSH port. Obviously you could whitelist the port to protect it entirely, but rate limiting is useful anyway. By default, UFW’s limit rule rate limits an address to 6 connections per 30 seconds, and it’s intended to be used for SSH:
Turn On UFW
Once you’re done configuring your rules, you can enable UFW. Make sure that SSH on port 22 is open, or you’ll lock yourself out. If you want, you can disable UFW from running on boot so that a reset would fix any potential issues:
Then, you can enable UFW with:
If all is good, you can run ufw status to view the current status of the firewall. If you’re not locked out, and the firewall is running, set it to run at boot with:
Any time you make changes, you’ll need to reload the firewall with:
You can also turn on logging, to log connections to /var/log/:
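As an added example (not from the original article), here is the baseline configuration walked through above, emitted as a reviewable command list, together with a pre-flight check over `ufw show added` output that refuses to enable the firewall unless a rule keeps port 22 reachable. The function names, the 10.0.0.0/16 subnet and the sample rule listings are constructed for this example.

```shell
#!/bin/sh
# Added example, not the article's own code. Names below are made up for illustration.

# Print, in order, the commands this article walks through. They are echoed rather than
# run so the sequence can be reviewed before it touches a live host.
ufw_baseline_cmds() {
    cat <<'EOF'
ufw default deny incoming
ufw default allow outgoing
ufw limit 22/tcp comment 'rate-limited SSH (6 connections per 30 seconds)'
ufw allow 3000:3100/tcp comment 'application port range'
ufw allow from 10.0.0.0/16 to any port 5432 proto tcp comment 'constructed private-cloud subnet'
ufw logging on
EOF
}

# Return 0 if the given `ufw show added` output (which lists rules even while the firewall
# is inactive) contains an allow or limit rule whose destination is port 22: written as 22,
# 22/tcp, "port 22" in the full syntax, or the OpenSSH app profile. Returns 1 otherwise.
# Lines such as "ufw allow 2222/tcp" or "ufw allow 22/udp" do not count.
ssh_rule_present() {
    printf '%s\n' "$1" | grep -Eq '^ufw (allow|limit) (in )?(.* port )?(22(/tcp)?|OpenSSH)( |$)'
}

# Constructed listings in the shape `ufw show added` prints; not captured from a real host.
SAMPLE_ADDED_OK="Added user rules (see 'ufw status' for running firewall):
ufw limit 22/tcp comment 'rate-limited SSH (6 connections per 30 seconds)'
ufw allow 3000:3100/tcp comment 'application port range'"

SAMPLE_ADDED_LOCKOUT="Added user rules (see 'ufw status' for running firewall):
ufw allow 3000:3100/tcp comment 'application port range'"

# Enable only when an SSH rule exists; pass "\$(ufw show added)" as \$1 on a live host.
# Prints the enable command instead of running it so the check can be exercised offline.
safe_enable() {
    if ssh_rule_present "$1"; then
        echo "ufw enable"
        return 0
    fi
    echo "refusing to enable: no rule keeps port 22 open, you would be locked out" >&2
    return 1
}
```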
Managing and Deleting Rules
If you’d like to delete a rule, you’ll have to get its number with:
Note that the numbers start at 1, not 0. You can delete a rule by number:
Again, make sure you don’t delete your rule keeping port 22 open. You can use the --dry-run parameter to have UFW ask you for confirmation:
If you make any changes, you’ll need to reload the firewall again.