Use UFW as a firewall (How to secure a web server – Part 2)

The main tool to set up the firewall on Ubuntu is iptables. It is powerful, but very complicated to learn. Fortunately, there is an alternative called UFW (for Uncomplicated FireWall), which Ubuntu describes as “a frontend for iptables”. Basically, UFW lets you set rules for your firewall in a much easier way than iptables does. Let’s learn how to set some basic rules using UFW!

Before we start

Make sure to read our article about improving SSH security too. It will guide you through the steps to take to enable key-based authentication and disable root login on your server. SSH is one of the main risk factors on a server, don’t ignore it!

I’ll be using a $5 Digital Ocean Droplet for this tutorial. They’re a great cloud VPS provider, with a reliable service and a very clean and easy interface. I definitely recommend them if you’re starting with server management and need a cheap server to start playing with. And with this free $10 credit, you’ll be able to run a $5 Droplet for 2 months for free! Having the ability to turn on/off a server, and create or delete Droplets instantly on demand is extremely useful to experiment and learn.

Installing UFW

UFW should be pre-installed with Ubuntu. To check if it is installed on your machine, use the command:

If this command returns nothing, you can install UFW by running sudo apt-get install ufw.

Getting help

At any point, you can run ufw -h to get basic help about UFW. This command will list all the commands UFW accepts. If you need more help, feel free to leave a comment below!

Firewall status

To get the status of the firewall, type:

This will be empty when the firewall is disabled though, in which case you can see rules by looking at /etc/ufw/user.rules. For example here is the default configuration:

The rules you add to UFW will not be effective until you explicitly enable it by running sudo ufw enable.

Resetting the rules

At any point, you can reset the firewall rules by typing sudo ufw reset. It will disable UFW and delete all existing rules (except default policies set using ufw default [...]).

Basic configuration

Deny incoming connections

Let’s first set the default behavior of the firewall, which is going to be:

  • Accept all outgoing connections: as our server will most likely have to send data to other machines (response from a web server for example), we have to allow all outgoing traffic.
  • Deny all incoming connections: except for specific connections such as SSH or the port for a web server, we want to block all connections.

Note: this configuration will block ALL incoming connections, even SSH. Do not enable your firewall until we explicitly allow SSH.

Accept SSH

In most cases, SSH is the only way to access a remote server. We need to tell the firewall that it should accept incoming SSH connections. If your SSH server listens on the default SSH port 22, you should first consider changing it to listen on another port (see our previous article for a complete SSH security overview). If you still want to keep it on port 22, allow incoming connections by running either of the following commands:

If you changed your SSH server to listen on another port, simply replace 22 with that port:

Basically, sudo ufw allow <port_number> configures your firewall to accept all incoming connections on port <port_number>.

A note on using service names instead of port numbers: when you give UFW a service name (such as “ssh” or “http”), it figures out the corresponding port number by looking at /etc/services. For example, you can find the default port number for SSH by running:

Again, do not use the service name if you configured your SSH server to listen to a specific port!

If you look at /etc/ufw/user.rules, you’ll see it was updated, including:

This syntax is essentially the same as the one used by iptables.

Blocking a specific port

To deny access to a specific port, use sudo ufw deny <port_number>. For example, we could block HTTP requests (default port 80):

This is however not needed if your default policy is to deny incoming connections.

Enable the firewall

To apply the rules and enable the firewall, run:

This should also enable UFW at startup.

Once again, do NOT enable UFW until you have allowed SSH connections! It would lock you out of your server, and you wouldn’t be able to connect again.

Check configuration

Run the following command to get a list of all active rules. Note that the lines with (v6) are for IPv6; see Enabling IPv6 further below for more details.

Delete a rule

If you want to delete a rule to allow a port, type sudo ufw delete allow 22.

Similarly, use sudo ufw delete deny 22 for “deny” rules.

More advanced rules

Use port ranges

To allow or deny a range of ports, for example ports 2000 to 2010, use the colon notation (2000:2010) as shown below. When specifying multiple ports, you also have to give the protocol (tcp or udp):

When you don’t specify the protocol, as we did before, UFW configures the rule for both UDP and TCP.

Use specific IP addresses

You can give specific IP addresses to UFW, which is useful if you want to ban a given IP address or always allow your home computer access. You can also specify which port this rule applies to by adding “to any port” at the end of the command.

Note that the order in which you add rules is the order that UFW will use when processing an incoming connection. So if you first have a rule to allow SSH access on port 22, UFW will allow access to everyone, even if a specific IP address is later blocked for all incoming connections. To add a rule at the highest priority, use the following command:

Where <rule> is a rule like the ones we’ve seen before (for example, deny from 111.222.333.444).

The comment is optional, and will add a comment line for this rule in the configuration file.

Enabling IPv6

This option was enabled by default on my server. UFW can automatically create rules for both IPv4 and IPv6. To do so, edit the file /etc/default/ufw and find the line with IPV6=.... Set this value to “yes”. You’ll have to edit the file as root (use sudo).

As stated by the comments in this file, you’ll have to disable and re-enable the firewall for the change to take effect:

Automatic setup

To simplify the process, we can create a script that will set up a list of predefined firewall rules. We’ll also give it the SSH port as an optional argument (if not defined, it will use port 22).

The script is the following. Feel free to modify it for your application, and add or remove rules if you need to.

You’ll need to create a file “ufw_rules.conf” in a folder “files”. An example of such a file is:

Having an automated script like this one allows you to add rules to the configuration file, and be able to run the script on any machine without having to type each command individually.
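The automatic setup described above, written out as an added example rather than the article's own script. It assumes a rules file (files/ufw_rules.conf by default) with one ufw rule per line, takes the SSH port as an optional argument (default 22), always allows SSH before enabling so the run can never lock you out, and with DRY_RUN=1 only prints the commands it would execute; the file format, the DRY_RUN variable and the --apply flag are this example's own conventions.

```shell
#!/usr/bin/env bash
# Added example, not the article's own script: build a UFW rule plan from a
# config file and apply it. Assumed config format (files/ufw_rules.conf): one
# ufw rule per line, e.g. "allow 80/tcp", "allow 2000:2010/tcp" or
# "deny from 203.0.113.7", with "#" comments and blank lines ignored.
set -u

# Print the ordered ufw commands for SSH port $1 and rules file $2.
# Nothing is executed, so the plan can be reviewed before it is applied.
build_ufw_plan() {
    ssh_port="$1"; rules_file="$2"
    case "$ssh_port" in
        ''|*[!0-9]*) echo "invalid SSH port: $ssh_port" >&2; return 1 ;;
    esac
    [ -r "$rules_file" ] || { echo "cannot read $rules_file" >&2; return 1; }
    echo "ufw --force reset"           # start from a clean rule set
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw allow ${ssh_port}/tcp"   # SSH first: enabling must never lock us out
    while read -r line || [ -n "$line" ]; do
        line="${line%%#*}"             # drop trailing comments
        set -- $line                   # word-split to normalise whitespace
        [ $# -eq 0 ] && continue       # skip blank and comment-only lines
        echo "ufw $*"
    done < "$rules_file"
    echo "ufw --force enable"
}

# Execute the plan. With DRY_RUN=1 the commands are only printed, which is the
# safe way to check a new config before it touches a live server.
apply_ufw_plan() {
    ssh_port="${1:-22}"; rules_file="${2:-files/ufw_rules.conf}"
    plan=$(build_ufw_plan "$ssh_port" "$rules_file") || return 1
    printf '%s\n' "$plan" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "[dry-run] $cmd"
        else
            $cmd                       # intentional word splitting of the command
        fi
    done
}

# usage: sudo ./ufw_setup.sh --apply [ssh_port] [rules_file]
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_ufw_plan "$@"
fi
```

Run it once with DRY_RUN=1 and read the printed plan before running it for real, and keep an existing SSH session open until you have confirmed a fresh connection on the allowed port works.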

Related web server security articles

Make sure to read our other articles in this web server security series:
