How to Set Up a Firewall with UFW on Ubuntu 18.04


INTRODUCTION

UFW, or Uncomplicated Firewall, is a front end for iptables that is designed to make configuring a firewall easier. While iptables is a powerful and flexible tool, learning how to use it correctly to build a firewall can be difficult for beginners. If you want to start securing your network and are not sure which tool to use, UFW may be the right choice.

This guide walks through setting up a firewall with UFW on Ubuntu 18.04.

You will need the following to complete this tutorial:

One Ubuntu 18.04 server with a sudo non-root user, which you can set up by following Steps 1–3 of the Initial Dedicated Server with Ubuntu 18.04 tutorial.

UFW is installed by default on Ubuntu. If it has been uninstalled for some reason, you can reinstall it with sudo apt install ufw.

STEP 1: Make Sure IPv6 Is Enabled

Recent Ubuntu releases enable IPv6 by default. In practice this means that most firewall rules you add will have both an IPv4 and an IPv6 version, the latter marked with (v6) in the output of UFW commands. You can check whether IPv6 is enabled for UFW in its configuration file at /etc/default/ufw. Open this file with nano or your preferred editor and make sure the IPV6 setting in it reads IPV6=yes:

sudo nano /etc/default/ufw

STEP 2: Configuring Default Rules

If you are just getting started with UFW, a good first step is to check your default firewall policies. These policies control how traffic is handled when it does not match any other rule.

By default, UFW denies all incoming connections and allows all outgoing connections. This means that anyone trying to reach your server will not be able to connect, while any application running on the server can communicate with the outside world. Additional rules that allow specific services and addresses are the exception to this default.

To make sure you can follow along with the rest of this guide, set your UFW defaults for incoming and outgoing traffic now.

Run the following command to set the default UFW incoming policy to deny:

sudo ufw default deny incoming

Output:
Default incoming policy changed to 'deny'

Run the following command to set the default UFW outgoing policy to allow:

sudo ufw default allow outgoing

Output:
Default outgoing policy changed to 'allow'

With these defaults, incoming connections are denied and outgoing connections are allowed. For a personal computer these defaults might be enough, but servers usually need to respond to incoming requests from outside users. We'll look at that next.


STEP 3: Allowing SSH Connections

If you enabled your UFW firewall now, it would deny all incoming connections. To let your server respond to legitimate incoming requests, such as SSH or HTTP connections, you need to add rules that explicitly allow those kinds of traffic. If you are using a cloud server in particular, you will want to allow incoming SSH connections so that you can connect to and manage it.

Enabling the UFW Application Profile for OpenSSH

Most network-facing applications register an application profile with UFW when they are installed, which lets you quickly allow or deny external access to the service. You can list the profiles currently registered with UFW by running:

sudo ufw app list

The output should list OpenSSH among the available applications.

Run the following command to allow the OpenSSH application profile:

sudo ufw allow OpenSSH

Output:
Rule added
Rule added (v6)

This sets up firewall rules that allow all connections on port 22, the default port the SSH daemon listens on.

Allowing SSH access based on the service name

Another way to configure UFW to allow incoming SSH connections is to use the ssh service name:

sudo ufw allow ssh

Output:
Rule added
Rule added (v6)

UFW knows which ports and protocols a service uses from the /etc/services file.

Allowing SSH access based on port number

Alternatively, rather than specifying the application profile or service name, you can write an equivalent rule by giving the port number. For example, this command works the same as the previous ones:

sudo ufw allow 22

Output:
Rule added
Rule added (v6)

If your SSH daemon is configured to use a different port, you must specify that port instead. For example, if your SSH server listens on port 2222, you can use this command to allow connections on that port:

sudo ufw allow 2222

Output:
Rule added
Rule added (v6)

Now that the firewall is configured to allow incoming SSH connections, you can enable it.

STEP 4: Enabling UFW

Your firewall is now configured to allow SSH connections. Even though it is still disabled, you can see which rules have been added so far with:

sudo ufw show added

Output:
Added user rules (see 'ufw status' for running firewall):
ufw allow OpenSSH

Once you have confirmed that a rule allowing incoming SSH connections is in place, enable the firewall by typing:

sudo ufw enable

Output:
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

You will see a warning that the command may disrupt existing SSH connections. Since you have already set up a firewall rule that allows SSH connections, it is safe to continue.

Answer the prompt with y and press ENTER.

The firewall is now active. Run sudo ufw status verbose to see the rules that are in place. The rest of this guide covers using UFW in more detail, including how to allow or deny different kinds of connections.
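The lockout risk in this step (enabling the firewall over SSH before an SSH allow rule exists) can be guarded against with a small wrapper. The script below is an added example and is not part of the original guide or of UFW itself; it assumes the staged rules are listed by sudo ufw show added in the format shown above, and that SSH listens on port 22 unless another port is passed to safe_enable.

```shell
#!/bin/sh
# Added example (not from the original guide): refuse to run 'ufw enable'
# unless a rule admitting SSH is already staged, so a remote session is not
# cut off when the default-deny incoming policy takes effect.

# has_ssh_rule [PORT]: read 'ufw show added' output on stdin and succeed only
# if it contains an allow rule for SSH. For port 22 the OpenSSH profile and
# the ssh service name count as well; for any other port the number must
# appear explicitly (the OpenSSH profile would not cover it).
has_ssh_rule() {
    port="${1:-22}"
    if [ "$port" = 22 ]; then
        names='OpenSSH|ssh|22|22/tcp'
    else
        names="$port|$port/tcp"
    fi
    # Matches e.g. "ufw allow OpenSSH", "ufw allow 22",
    # "ufw allow from 203.0.113.0/24 to any port 22"
    grep -Eq "^ufw allow (from [^ ]+ to any port )?($names)( |\$)"
}

# safe_enable [PORT]: check the staged rules, then enable the firewall.
safe_enable() {
    if ! sudo ufw show added | has_ssh_rule "${1:-22}"; then
        echo "no SSH allow rule staged; run 'sudo ufw allow OpenSSH' first" >&2
        return 1
    fi
    sudo ufw enable
}

# Only touches the live firewall when invoked as: sh script.sh --apply [PORT]
if [ "${1:-}" = "--apply" ]; then
    safe_enable "${2:-22}"
fi
```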

STEP 5: Allowing Other Connections

At this point you should allow all of the other connections your server needs to respond to. Which connections you must allow depends on your specific needs. You already know how to write rules that allow connections based on an application profile, a service name or a port, having done so for SSH on port 22. You can do the same for:

  • HTTP on port 80, which unencrypted web servers use: sudo ufw allow http or sudo ufw allow 80
  • HTTPS on port 443, which encrypted web servers use: sudo ufw allow https or sudo ufw allow 443
  • Apache with both HTTP and HTTPS: sudo ufw allow 'Apache Full'
  • Nginx with both HTTP and HTTPS: sudo ufw allow 'Nginx Full'

Remember that you can run sudo ufw app list to see which application profiles are available on your server.

Besides specifying a port or a known service name, there are several other ways to allow connections. We'll look at some of these next.

Specific Port Ranges

Some applications use multiple ports, and UFW lets you specify a port range instead of a single port.

For example, to allow X11 connections on ports 6000 through 6007, use these commands:

sudo ufw allow 6000:6007/tcp

sudo ufw allow 6000:6007/udp

When specifying port ranges with UFW, you must also state the protocol (tcp or udp) the rule applies to. We did not do this earlier because omitting the protocol allows both, which is fine in most cases.

Specific IP Addresses

You can also specify IP addresses in UFW rules. For example, to allow connections from a specific IP address, such as a work or home address of 203.0.113.4, use from followed by the address you want to allow:

sudo ufw allow from 203.0.113.4

Output:
Rule added

You can also specify the port the address is allowed to connect to by adding to any port followed by the port number. For example, to allow 203.0.113.4 to connect to port 22 (SSH), use:

sudo ufw allow from 203.0.113.4 to any port 22

Output:
Rule added

To allow a range of IP addresses, specify a subnet in CIDR notation. For example, to allow all addresses from 203.0.113.1 through 203.0.113.254, use:

sudo ufw allow from 203.0.113.0/24

Output:
Rule added

Likewise, you can specify the destination port that the subnet 203.0.113.0/24 is allowed to connect to. Using port 22 (SSH) as the example again:

sudo ufw allow from 203.0.113.0/24 to any port 22

Output:
Rule added

Connections to a Specific Network Interface

To create a firewall rule that applies only to a specific network interface, use allow in on followed by the name of that interface.

Before continuing, you may want to look up the names of your network interfaces.

STEP 6: Denying Connections

If you have not changed the default policy for incoming connections, UFW is configured to deny all incoming traffic. In general, this makes it easier to build a secure firewall policy, because you have to write rules that explicitly allow specific ports and IP addresses through.

Sometimes, however, you will want to deny specific connections based on the source IP address or subnet, for example if you know your server is being attacked from there. Also, if you change your default incoming policy to allow (which is not recommended), you would have to create deny rules for any services or IP addresses that you do not want to accept connections for.

STEP 7: Deleting Rules

Knowing how to delete firewall rules is just as important as knowing how to create them. There are two ways to specify which rules to delete: by rule number or by the rule's human-readable name.

Deleting a UFW Rule by Number

To delete a UFW rule by number, you first need a numbered list of all existing firewall rules. The UFW status command has a numbered option (sudo ufw status numbered) that shows a number next to each rule.

Deleting a UFW Rule by Name

You can also refer to a rule by its human-readable name, which consists of the rule type (usually allow or deny) and the service name or destination port that is the target of the rule, or the application profile name if one was used. For example, to delete the allow rule for the Apache Full application profile that was added earlier, you would delete it using the same specification you used to add it.

The delete command works the same way for rules that refer to a service by name or by port number.
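Deleting by number has a trap that the text above does not mention: UFW renumbers the remaining rules after each deletion, so deleting rules 2 and then 5 from the original list removes the wrong second rule. The script below is an added example, not part of the original guide or of UFW; it parses the output format of sudo ufw status numbered (a constructed sample is embedded) and returns matching rule numbers highest first so they can be deleted in a safe order.

```shell
#!/bin/sh
# Added example (not from the original guide): find the number(s) of a rule
# in 'ufw status numbered' output so it can be deleted with 'sudo ufw delete N'.
# Matching numbers are printed in descending order; deleting in that order
# keeps the remaining numbers valid because ufw renumbers after each delete.

# rule_numbers PATTERN: read 'ufw status numbered' output on stdin and print
# the numbers of all rules whose "To" column matches PATTERN (an awk regex).
rule_numbers() {
    awk -v pat="$1" '
        /^\[ *[0-9]+\]/ {
            n = $0
            sub(/^\[ */, "", n); sub(/\].*/, "", n)        # number inside [ ]
            to = $0
            sub(/^\[ *[0-9]+\] */, "", to)                 # drop the "[ N] " prefix
            sub(/ +(ALLOW|DENY|REJECT|LIMIT) .*/, "", to)  # keep only the To column
            if (to ~ pat) print n
        }' | sort -rn
}

# Constructed sample of 'sudo ufw status numbered' output, for demonstration.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22                         ALLOW IN    203.0.113.0/24
[ 4] OpenSSH (v6)               ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# delete_rules PATTERN: remove every matching rule from the live firewall,
# highest number first. Numbers are collected before the loop so that ufw's
# "Proceed with operation (y|n)?" prompt still reads from the terminal.
delete_rules() {
    for n in $(sudo ufw status numbered | rule_numbers "$1"); do
        sudo ufw delete "$n"
    done
}

# Dry run on the sample: which numbers would 'delete_rules ^80/tcp' remove?
numbers_for_http() {
    printf '%s\n' "$SAMPLE_STATUS" | rule_numbers '^80/tcp'
}
```

Run numbers_for_http to see the order (the IPv6 twin of the rule is removed first); delete_rules touches the live firewall and needs sudo.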

STEP 8: Checking UFW Status and Rules

You can check the status of UFW at any time with this command:

sudo ufw status verbose

If UFW is disabled, which it is by default, you will see this:

Output:
Status: inactive

If UFW is active, which it should be if you followed the steps above, the output will say so and list the rules that are set, for example that the firewall is configured to allow SSH (port 22) connections from anywhere.

STEP 9: Disabling or Resetting UFW (Optional)

If you decide you do not want to use UFW, you can disable it with:

sudo ufw disable

Output:
Firewall stopped and disabled on system startup

Any rules you created with UFW will no longer be active. If you need to enable it again later, just type sudo ufw enable.

If you already have UFW rules configured but want to start over, you can use the reset command:

sudo ufw reset

Conclusion

Your firewall is now configured to allow (at least) SSH connections. Be sure to allow any other incoming connections your server needs while limiting unnecessary connections, so that your server stays both functional and secure.

DataServerMarket

You may use DataServerMarket to locate connectivity solutions for your IT problems. DataServerMarket creates shared facilities that may be used by a variety of clients on-site. 

Some of the services that DataServerMarket provides are listed below:

  • For quicker communication, DataServerMarket links multiple clouds and data storage sites. 
  • DataServerMarket provides business solutions for data and processing connectivity. 
  • DataServerMarket also provides specialist professional guidance and electronic adaptability and connectivity services. 
  • Cloud video conferencing, worldwide telephony services, and IP communication between consumers and Service Providers are also available through DataServerMarket. 
  • Storage choices, Vpn Clouds, private mail systems, relocation, and data transfer solutions are all available through DataServerMarket.
