Vultr DocsLatest Articles

How to Configure Uncomplicated Firewall (UFW) on Ubuntu 20.04

UFWFirewallUbuntu
Updated on November 21, 2023
How to Configure Uncomplicated Firewall (UFW) on Ubuntu 20.04 header image

Security is crucial when you are running your own virtual private server (VPS). As a bare minimum, you want to be sure that only authorized users can access your server, applications, configuration, and services. This helps you stay clear from not just hacking attempts but also application vulnerabilities.

On Ubuntu, a default firewall comes pre-installed for your server called Uncomplicated Firewall (UFW). Just like its name, UFW is a pretty basic firewall that can safeguard your server from the most common attacks linked to server ports and common services. It is easy to use, excels at filtering server traffic, and it's user-friendly.

However, some basic Linux knowledge may be required to configure uncomplicated firewall (UFW) on your server. This guide takes a deep look at how to open ports on your Ubuntu 20.04 server instance deployed at Vultr.

Prerequisites

  • Deploy a Ubuntu 20.04 server on Vultr
  • A valid sudo user account (root privileges)
  • Pre-installed services such as web server, database, or storage applications.

Enable Uncomplicated Firewall (UFW)

By default, UFW is installed but disabled on Ubuntu 20.04, and you need to enable it before opening any ports on your server. But if anything, you can manually install UFW by running the following command.

$ sudo apt-get install ufw

Enable UFW

$ sudo ufw enable

Command may disrupt existing ssh connections. Proceed with operation (y|n)?

Enter Y, and proceed to allow connections to your server

Firewall is active and enabled on system startup

Please note, your current SSH will not be terminated automatically unless left idle for five or more minutes. If you don't allow SSH connections, you won't be able to log in to your server.

Allow Connections to Your Server

You can open specific ports on UFW to allow specific services to be accessed on your server. There are two ways, the simple syntax through which you specify just the port number and full syntax where you specify the port number and protocol.

You can allow connections through any port on your server by simply using the following format:

Simple Syntax

$ sudo ufw allow <port>

Full Syntax

$ sudo ufw allow <port>/<protocol>

Assuming you are running a web server, you obviously want the world to access and interact with your website. Web server applications use port 80 for regular website traffic (HTTP) and port 443 for secure connections (HTTPS). This means you must open ports 80 and 443 to allow web connections to your server.

$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp

Furthermore, to allow FTP connections, you need to allow port 21 and port 20, which are used by the transfer protocol.

$ sudo ufw allow 21/tcp
$ sudo ufw allow 20/tcp

To allow SSH connections to your server, open port 22

$ sudo ufw allow 22/tcp

Preferably, you can allow connections by simply using the application name if you are unsure of its port number. For example, to enable MySQL:

$ sudo ufw allow mysql

You can also specify comments on your firewall rules to better explain your entry by simply using the comment parameter.

$ sudo ufw reject telnet comment `telnet is insecure and unencrypted, simply unsafe to use.`

Specify Filtering Mode

To specify the direction of traffic, use the in or out parameters, For example.

Incoming Traffic.

$ sudo ufw allow in ftp

Outgoing Traffic.

$ sudo ufw allow out smtp

Deny Connections to Your Server

The same way it is important to open ports and allow connections to your server, denying connections also carries the same relevance. If you need to deny access to a certain port, use the deny command and optionally the transfer protocol.

$ sudo ufw deny <port>/<optional: protocol>

For example, to deny access to the default MySQL port.

$ sudo ufw deny 3306

The above command will block all connections to MySQL through the port, and the database server will receive incoming unless you assign a new custom port or re-enable it. For easier execution, you can use a simplified syntax for the most common service ports by simply listing the application name.

$ sudo ufw deny mysql

Rule updated
Rule updated (v6)

It is highly recommended to restrict access to your SSH port (22) from anywhere except your trusted IP addresses (example: office or home).

Allow Connections from only Trusted IP Addresses

Typically, you would need to allow access only to publicly open ports such as port 80, which allows connections to your website. Access to all other ports needs to be restricted or limited. For example, you can choose to allow only your home or office public IP address (assigned by the service provider) to be able to access your server through SSH and download/upload files via FTP.

Allow an IP Address to access Port 22.

$ sudo ufw allow from 192.168.0.1 to any port 22

To also allow the same IP to access databases through the MySQL server port.

$ sudo ufw allow from 192.168.0.1 to any port 3306

Only allowed IP Addresses will be able to connect through the specified ports.

Check UFW Status

Now that you have enabled UFW and set some rules, check the current firewall table and operation.

$ sudo ufw status

Your output should be like the one below:

user@example:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Apache                     DENY        Anywhere                  
80                         DENY        Anywhere                  
22                         ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere

For a more detailed output, use the verbose parameter.

$ sudo ufw status verbose

Your output will be like:

user@example:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp (Apache)            DENY IN     Anywhere                  
80                         DENY IN     Anywhere                  
22                         ALLOW IN    Anywhere                  
80/tcp                     ALLOW IN    Anywhere                  
21                         ALLOW IN    Anywhere                   # FTP Connections
3306/tcp                   ALLOW IN    Anywhere                  
21/tcp                     ALLOW IN    Anywhere

Removing Firewall Rules

To manage your UFW rules, you need to list them. You can do that by checking UFW status with the parameter numbered. This allows you to select a rule by entry number.

$ sudo ufw status numbered

Your output should be like the one below.

user@example:~$ sudo ufw status numbered
Status: active

 To                         Action      From
 --                         ------      ----
[ 1] Apache                     DENY IN     Anywhere
[ 2] 80                         DENY IN     Anywhere
[ 3] 22                         ALLOW IN    Anywhere
[ 4] 80/tcp                     ALLOW IN    Anywhere
[ 5] 21                         ALLOW IN    Anywhere                   # FTP Connections
[ 6] 3306/tcp                   ALLOW IN    Anywhere
[ 7] 21/tcp                     ALLOW IN    Anywhere
[ 8] 25/tcp                     ALLOW OUT   Anywhere                   (out)

Notice the numbers in square brackets? It's time to remove any of these rules you don't want on your firewall list; you will need to use the number associated with your target rule.

$ sudo ufw delete number

For example, let's remove the port 21 rule.

user@example:~$ sudo ufw delete 5
Deleting:
allow 21 comment 'FTP Connections'
Proceed with operation (y|n)?

Changes will automatically take effect.

Set Logging Level

By default, the Uncomplicated Firewall logging level is set to low. However, multiple logging levels are supported, and you have a preferred setting based on what firewall logs you wish to keep.

off disables ufw logging.

low logs blocked packets that don't match your set rules and packets matching logged rules.

medium logs low level, allowed packets that don't match the set policy, invalid packets, and all new connections to your server.

high logs medium without attempts/rate-limiting and all packets with attempt limiting.

full logs all firewall packets without rate/access attempts limiting.

To set your UFW logging level, use the command below.

$ sudo ufw logging LEVEL

For example:

$ sudo ufw logging medium

To enable logging for a specific firewall rule, such as SSH, use the command.

$ sudo allow log 22/tcp

Enable IPV6 Support

If you use IPv6 on your server, you need to ensure that IPv6 support is enabled in the Uncomplicated Firewall (UFW). To do so, open the ufw configuration file in a text editor.

$ sudo vim /etc/default/ufw

Locate the IPV6 line and make sure it is set to yes

IPV6=yes

Save and close the file.

Disable / Reload UFW

To disable (stop) Uncomplicated Firewall, run the command.

$ sudo ufw disable

If you need to reload UFW (reload rules), use the reload parameter.

$ sudo ufw reload

To restart UFW, you will need to disable it first and then enable it again.

$ sudo ufw disable
$ sudo ufw enable

Again, before enabling UFW, make sure that the SSH port is allowed for your IP address.

Back to Default Settings

If you need to reset UFW back to default settings, type the following command. This will delete all existing rules and reset the firewall to default values.

user@example:~$ ufw reset
Resetting all rules to installed defaults. This may disrupt existing ssh
connections. Proceed with operation (y|n)?

Conclusion

UFW can protect your Ubuntu 20.04 server instance against the most common hacking attempts.