How to Set Up Firewall Policies using Uncomplicated Firewall (UFW)
Introduction
Uncomplicated Firewall (UFW) is a network packet filtering application that runs on Linux servers and mostly Debian-based operating systems such as Ubuntu. UFW filters network packets based on the server interfaces, ports, and services to protect the system from internal or external security threats. To ensure improved control of a system's networking environment, use UFW to add a security layer of access to the system services.
This article explains how to set up firewall policies using UFW on a Vultr Cloud Server. You will explore the firewall policies, set up sample rules, and modify the direction of network requests to secure your server.
Prerequisites
Before you start:
- Deploy a Vultr Ubuntu server to use as the management workstation.
- Access the server using SSH as a non-root user with sudo privileges.
- Update the server.
Install UFW
Verify the UFW application status and verify that it's not available on the server. By default, the application is available on most server distributions but inactive.
console$ sudo ufw status
If you receive a
Status: inactivemessage, UFW is unavailable on the server. Install it using the defaultAPTpackage manager.Install the UFW application package on the server.
console$ sudo apt install ufw
Enable UFW to start at boot time.
console$ sudo systemctl enable ufw
Add the default SSH port
22to the UFW rules table to keep the remote session active.console$ sudo ufw allow 22/tcp
Start UFW.
console$ sudo ufw enable
View the UFW system service status and verify that it's actively running.
console$ sudo systemctl status ufw
Output:
● ufw.service - Uncomplicated firewall Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled) Active: active (exited) since Mon 2024-01-08 15:58:32 UTC; 2 months 20 days ago Docs: man:ufw(8) Main PID: 237 (code=exited, status=0/SUCCESS) CPU: 4ms Jan 08 15:58:32 ubuntu systemd[1]: Starting Uncomplicated firewall... Jan 08 15:58:32 ubuntu systemd[1]: Finished Uncomplicated firewall.
Configure Firewall Policies using UFW
UFW filters server traffic by detecting both incoming and outgoing network directions. By default, all outgoing connections are allowed through the firewall table, but incoming connections are blocked depending on the configured policies. Follow the steps below to configure UFW firewall policies to filter incoming and outgoing network connections on the server.
Allow all outgoing connections from the server.
console$ sudo ufw default allow outgoing
Deny all incoming connections to the server.
console$ sudo ufw default deny incoming
The above command blocks all incoming connections to the server unless specified in the UFW table. Denying incoming connection requests to the server without any active rules blocks access to server using ports such as the SSH port
22.Deny all network forwarding requests on the server.
console$ sudo ufw default deny forward
The above command blocks all network forwarding requests on the server. For example, if the server runs as a NAT gateway, all forwarding connections are blocked when the above rule is active.
Set Up Firewall Rules using UFW
UFW filters server network traffic based on available rules in the firewall table. While firewall policies explicitly operate on outgoing, incoming, and forwarded traffic, firewall rules operate on specific network ports on the server. Follow the sections below to allow, deny, or specify the direction of connection requests on the server.
Allow Specific Networking Ports
Allow incoming connections to an essential port such as the HTTP port
80.console$ sudo ufw allow 80
View the UFW table and verify that the new firewall rule is successful.
console$ sudo ufw status
Output:
Status: inactive To Action From -- ------ ---- 22/tcp ALLOW AnywhereAllow another port such as the SSH port
22and define TCP as the connection protocol.console$ sudo ufw 22/tcp
The above rule allows all connection requests to the TCP port
22and blocks any connections with another scheme such as UDP.Allow the UDP DNS port
53.console$ sudo ufw 53/udp
The above rule enables connections to the UDP port
53and blocks any non-matching rules such as TCP.View the firewall table.
console$ sudo ufw status
Reload the UFW rules to apply the new firewall table changes.
console$ sudo ufw reload
Deny Connection Requests to Specific Server Ports
Deny connection requests to an internal special service port such as the MySQL port
3306.console$ sudo deny 3306
View the UFW rules table.
console$ sudo ufw status
Reload the UFW rules to apply the firewall table changes.
console$ sudo ufw reload
Allow Network Connections to System Services
UFW filters network connection requests based on the available system services and the target application service name. Specific services may run with a variation of ports that can be blocked by the firewall. Follow the steps below to allow network connections to the system services available on the server.
Allow network connections to a system service such as the Nginx web server.
console$ sudo ufw allow nginx-full
The above rule allows network connections to all ports associated with the Nginx system service.
Allow a service such as FTP through the firewall regardless of the system service daemon.
console$ sudo ufw allow ftp
View the UFW rules table to verify the new firewall changes.
console$ sudo ufw status
Reload the UFW rules to apply the new configuration changes.
console$ sudo ufw reload
Set Up Directional UFW rules
Directional firewall rules define the source and destination of network traffic on the server. Follow the steps below to set up directional UFW rules that operate on specific network interfaces.
Allow incoming requests to the SSH port
22from your public IP address.console$ sudo ufw allow from 192.0.2.100 to any port 22
The above rule accepts SSH connection requests to the server but only from your public IP Address. UFW blocks all connections from other IP Addresses to the same SSH port.
Allow connection requests from a specific network interface such as
enp8s0to the HTTP port80.console$ sudo ufw allow in on enp8s0 proto tcp to any port 80
The above firewall rule accepts all connection requests to the HTTP port
80from the server network interfaceenp8s0. UFW blocks all connection requests that don't match the interface as the source.Allow outgoing connections through the public interface
enp1s0on port 443.console$ sudo ufw allow out on enp1s0 proto tcp to any port 443
Deny connection requests to the SSH port to all hosts on the public network IP
192.0.2.100while accepting connections from other addresses such as the local network address.console$ sudo ufw deny from 192.0.2.500 to any port 22
View the UFW rules table.
console$ sudo ufw status
Reload the UFW rules to apply the firewall table changes.
console$ sudo ufw reload
Delete UFW Firewall Rules
Depending on your server environment, you can remove UFW firewall rules from the filtering table and use the default UFW policies associated with the connection type. Follow the steps below to remove multiple firewall rules set up by UFW.
View the UFW rules table and verify the target rule numbers to remove.
console$ sudo ufw status
Output:
Status: active To Action From -- ------ ---- 22 ALLOW Anywhere 21/tcp ALLOW Anywhere 80/tcp on enp8s0 ALLOW Anywhere 22 (v6) ALLOW Anywhere (v6) 21/tcp (v6) ALLOW Anywhere (v6) 80/tcp (v6) on enp8s0 ALLOW Anywhere (v6)Based on the above output, remove the HTTP port
80directional rule with number3and the FTP service rule with number2from the firewall table.Remove a firewall rule number from the UFW table. For example
3to remove the HTTP port80rule.console$ sudo ufw delete 3
Enter
ywhen prompted to delete the firewall rule from the UFW table.Deleting: allow 80/tcp Proceed with operation (y|n)? yRemove another firewall rule number from the table. For example, rule number
5to remove the FTP service.console$ sudo ufw delete 5
View the UFW rules table to verify the new firewall changes.
console$ sudo ufw status
Output:
Status: active To Action From -- ------ ---- 22 ALLOW Anywhere 22 (v6) ALLOW Anywhere (v6) 21/tcp (v6) ALLOW Anywhere (v6) 80/tcp (v6) on enp8s0 ALLOW Anywhere (v6)Based on the above output, UFW removes all firewall rules that match the entry number. Any similar entries are not affected by the delete operation such as the IPV6 connection rules because they don't match the target rule number.
Apply Firewall Rule Comments using UFW
Firewall rules are numerical or text-based depending on your target connection type. Apply firewall rule comments to identify specific firewall table entries depending on the target effect by following thr steps below.
Apply a comment to the custom SSH firewall rule that permits your public IP address. For example,
My secure public IP SSH Connection.console$ sudo ufw allow from 192.0.2.100 to any port 22 comment "My secure public IP SSH Connection"
Apply a comment on a special port such as
3306for the MySQL port. For example,MySQL database server port for external access.console$ sudo ufw allow 3306/tcp comment "MySQL database server port for external access"
Reload the UFW rules table to apply the configuration changes.
console$ sudo ufw reload
View the UFW rules table and verify the new firewall rule comments.
console$ sudo ufw status
Output:
Status: active To Action From -- ------ ---- 22 ALLOW 192.0.2.100 # My secure public IP SSH Connection 3306/tcp ALLOW Anywhere # MySQL database server port for external access 3306/tcp (v6) ALLOW Anywhere (v6) # MySQL database server port for external access
Conclusion
You have set up firewall policies and rules using UFW on a cloud server. Depending on your networking environment, UFW filters network requests on the server while an advanced firewall such as the Vultr Firewall further tightens your server security by filtering requests before forwarding them to the server. Modify the configuration files in the UFW data directory /etc/ufw to set up advanced firewall rules which include before or after specific server events. For more information about UFW, visit the application manual page using the man ufw command.