Introduction to ufw firewall in Linux

Let's take a look at ufw (Uncomplicated Firewall) on Linux: what it is, how to read its configuration, and the commands used to change it.

ufw (Uncomplicated FireWall) is a front end that greatly simplifies managing iptables. It has shipped as the default firewall tool on Ubuntu for years and is packaged for Debian and most other distributions. Its simplicity is a boon to new administrators who would otherwise need to invest a lot of time learning iptables directly. Note that being installed is not the same as being enabled: on a fresh Ubuntu system ufw is inactive until you run ufw enable, and on a remote host you should add a rule allowing SSH before you do so, or you will lock yourself out.

There are also GUI clients for ufw (such as gufw), but ufw commands are usually executed on the command line. This article introduces some commands for using ufw and examines how it works.

First, a quick way to see ufw's default policies is to look at its configuration file, /etc/default/ufw. Use the following command to view it; grep is used to suppress blank lines and comments (lines starting with #). These values are the baseline that the rules you add later are evaluated against; ufw default deny|allow incoming|outgoing rewrites them for you.

$ grep -v '^#\|^$' /etc/default/ufw
IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"

As you can see, the default policy is to drop incoming traffic, accept outgoing traffic, and drop forwarded (routed) traffic; the last matters if the host routes or NATs for other machines. Rules that accept specific connections are configured separately with the ufw command.

The basic syntax of the ufw command is shown below. This summary is not a complete grammar; it is a quick reminder of which parts a command consists of.

ufw [--dry-run] [options] [rule syntax]

The --dry-run option means that ufw will not apply the command you specify, but will show you what it would do. It prints the complete generated ruleset as it would look after the change, not just the one new rule, so be prepared for many lines of output.

To check the status of ufw, run the following command. Note that even this read-only command requires sudo or the root account.

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       192.168.0.0/24
9090                       ALLOW       Anywhere
9090 (v6)                  ALLOW       Anywhere (v6)

Without root privileges you will instead see an error:

$ ufw status
ERROR: You need to be root to run this script

Adding the verbose option provides additional details, including the default policies and the logging level:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    192.168.0.0/24
9090                       ALLOW IN    Anywhere
9090 (v6)                  ALLOW IN    Anywhere (v6)

You can allow and deny connections by port number using the following commands. A bare port number matches both TCP and UDP; append /tcp or /udp (for example 80/tcp) to restrict the rule to one protocol. With the default deny policy an explicit deny rule only changes behaviour when a broader allow rule would otherwise match, but it makes the intent explicit in the rule listing.

$ sudo ufw allow 80     <== allow http access
$ sudo ufw deny 25      <== deny smtp access

You can look in the /etc/services file to find the association between port numbers and service names. Note that grep 80/ also matches 1080, 8080 and so on; the http line is the one of interest here.

$ grep 80/ /etc/services
http            80/tcp          www             # WorldWideWeb HTTP
socks           1080/tcp                        # socks proxy server
socks           1080/udp
http-alt        8080/tcp        webcache        # WWW caching service
http-alt        8080/udp
amanda          10080/tcp                       # amanda backup services
amanda          10080/udp
canna           5680/tcp                        # cannaserver

Alternatively, you can use the service name directly in the command. ufw resolves the name through /etc/services, which is why the resulting rules are recorded as 80/tcp and 443/tcp rather than as bare port numbers (a bare number would also open UDP).

$ sudo ufw allow http
Rule added
Rule added (v6)
$ sudo ufw allow https
Rule added
Rule added (v6)
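As an added example (not part of the original article), here is a baseline script that applies the defaults shown in /etc/default/ufw and the allow rules above in a safe order: default policies first, SSH restricted to the admin subnet 192.168.0.0/24 that appears in the status output (an assumption; set ADMIN_NET for your network) and rate-limited, then the web ports, and ufw enable only at the end so that an SSH rule exists before the firewall comes up. Without arguments the script only prints the plan; sh ufw-baseline.sh apply runs it, and setting UFW_DRY_RUN=1 turns any call into a preview. The script name and the ufw_cmd wrapper are this example's own.

```shell
#!/bin/sh
# Baseline ufw policy for a web host (added example, not from the article).
# Preview the plan:   sh ufw-baseline.sh
# Apply it as root:   sh ufw-baseline.sh apply

# Assumed admin network; the article's status output allows SSH from it.
ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"

# Run ufw, or print the command line instead when UFW_DRY_RUN is set.
ufw_cmd() {
    if [ -n "${UFW_DRY_RUN:-}" ]; then
        printf 'ufw %s\n' "$*"
    else
        ufw "$@"
    fi
}

# Order matters: defaults and the SSH rule go in before 'enable'.
apply_baseline() {
    # Same as DEFAULT_INPUT_POLICY="DROP" / DEFAULT_OUTPUT_POLICY="ACCEPT"
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing

    # SSH only from the admin network, rate-limited: 'limit' denies a
    # source that opens 6 or more connections within 30 seconds.
    ufw_cmd limit proto tcp from "$ADMIN_NET" to any port 22

    # Web ports, TCP only (a bare '80' would also open UDP 80).
    ufw_cmd allow 80/tcp
    ufw_cmd allow 443/tcp

    # Log blocked packets at the default (low) level.
    ufw_cmd logging on

    # --force skips the "may disrupt existing ssh connections" prompt.
    ufw_cmd --force enable
}

# The command sequence as text, for review before applying (subshell so the
# dry-run flag does not leak into the caller).
baseline_plan() {
    ( UFW_DRY_RUN=1; apply_baseline )
}

case "${1:-}" in
    apply) apply_baseline ;;
    *)     baseline_plan ;;
esac
```

Review the printed plan, then run it with apply from a console session or with a second SSH session open; if the limit rule's subnet is wrong you will find out before the firewall is enabled, not after.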

After making changes, you should check the status again to see if they took effect:

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       192.168.0.0/24
9090                       ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere          <==
443/tcp                    ALLOW       Anywhere          <==
9090 (v6)                  ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)     <==
443/tcp (v6)               ALLOW       Anywhere (v6)     <==

The rules ufw loads into iptables are stored in the /etc/ufw directory, and you need root access to read most of them. before.rules and after.rules (and their IPv6 counterparts) hold the framework rules applied before and after your own, such as loopback, ICMP and connection-tracking handling; user.rules and user6.rules are generated by ufw from the commands you run and should not be edited by hand, because ufw rewrites them; ufw.conf records whether the firewall is enabled at boot.

$ ls -ltr /etc/ufw
total 48
-rw-r--r-- 1 root root 1391 Aug 15 2017 sysctl.conf
-rw-r----- 1 root root 1004 Aug 17 2017 after.rules
-rw-r----- 1 root root 915 Aug 17 2017 after6.rules
-rw-r----- 1 root root 1130 Jan 5 2018 before.init
-rw-r----- 1 root root 1126 Jan 5 2018 after.init
-rw-r----- 1 root root 2537 Mar 25 2019 before.rules
-rw-r----- 1 root root 6700 Mar 25 2019 before6.rules
drwxr-xr-x 3 root root 4096 Nov 12 08:21 applications.d
-rw-r--r-- 1 root root 313 Mar 18 17:30 ufw.conf
-rw-r----- 1 root root 1711 Mar 19 10:42 user.rules
-rw-r----- 1 root root 1530 Mar 19 10:42 user6.rules

The changes made earlier in this article, adding port 80 for http access and port 443 for https access, would look like this in the user.rules and user6.rules files:

# grep " 80 " user*.rules
user6.rules:### tuple ### allow tcp 80 ::/0 any ::/0 in
user6.rules: -A ufw6-user-input -p tcp --dport 80 -j ACCEPT
user.rules:### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
user.rules: -A ufw-user-input -p tcp --dport 80 -j ACCEPT
# grep 443 user*.rules
user6.rules:### tuple ### allow tcp 443 ::/0 any ::/0 in
user6.rules: -A ufw6-user-input -p tcp --dport 443 -j ACCEPT
user.rules:### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
user.rules: -A ufw-user-input -p tcp --dport 443 -j ACCEPT

Using ufw, you can also block all connections from a given IP address. Rules are evaluated in order and the first match wins, so a deny appended after the allow rules above will not stop that host from reaching ports 80, 443 or 9090, because the allow rules match first. To make the block take precedence, insert it at the top of the list with sudo ufw insert 1 deny from 208.176.0.50; sudo ufw status numbered shows the current order. The plain command looks like this:

$ sudo ufw deny from 208.176.0.50
Rule added

The status command shows the new rule; note that, having been appended, it sits below the ALLOW rules:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    192.168.0.0/24
9090                       ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
Anywhere                   DENY IN     208.176.0.50      <== new
9090 (v6)                  ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
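The ordering problem above is easy to miss in a long listing, so here is an added example (not from the article) that audits it: a script that reads the output of ufw status numbered and reports every source-wide DENY or REJECT rule that an earlier ALLOW or LIMIT rule open to Anywhere shadows. The sample input embedded in it is constructed from the rules shown in this article, in the column layout ufw status numbered prints; the script name, the function name and the sample are this example's own. Run it with - to audit the live host.

```shell
#!/bin/sh
# Find DENY/REJECT rules that earlier ALLOW rules shadow (added example, not
# from the article). ufw evaluates rules in order and stops at the first match,
# so "ufw deny from X" appended after "ufw allow 80/tcp" never sees X's
# traffic to port 80.
#
# Usage:  sh ufw-order-audit.sh                              # audits the sample below
#         sudo ufw status numbered | sh ufw-order-audit.sh -   # audits this host

# Constructed sample in the shape of 'ufw status numbered', built from the
# rules shown in the article (the deny was appended last).
SAMPLE_STATUS=$(cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    192.168.0.0/24
[ 2] 9090                       ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 443/tcp                    ALLOW IN    Anywhere
[ 5] Anywhere                   DENY IN     208.176.0.50
[ 6] 9090 (v6)                  ALLOW IN    Anywhere (v6)
[ 7] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
EOF
)

# Reads 'ufw status numbered' text on stdin. Prints one line per shadowed
# deny and returns 1 if any were found, 0 otherwise.
find_shadowed_denies() {
    awk '
    /^\[ *[0-9]+\]/ {
        num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
        line = $0; sub(/^\[ *[0-9]+\] */, "", line)
        if (!match(line, /(ALLOW|DENY|REJECT|LIMIT) (IN|OUT|FWD)/)) next
        to = substr(line, 1, RSTART - 1);        gsub(/ +$/, "", to)
        act = substr(line, RSTART, RLENGTH)
        from = substr(line, RSTART + RLENGTH);   gsub(/^ +| +$/, "", from)
        n++
        rnum[n] = num; rto[n] = to; ract[n] = act; rfrom[n] = from
        rv6[n] = (line ~ /\(v6\)/) ? 1 : 0      # keep IPv4 and IPv6 rules apart
    }
    END {
        for (i = 1; i <= n; i++) {
            # Only source-wide denies ("ufw deny from X") are checked here.
            if (ract[i] !~ /^(DENY|REJECT) IN$/ || rto[i] !~ /^Anywhere/) continue
            for (j = 1; j < i; j++) {
                # An earlier allow open to Anywhere matches X first. An allow
                # limited to a subnet is not checked (approximation: it would
                # also shadow the deny if X lies inside that subnet).
                if (ract[j] !~ /^(ALLOW|LIMIT) IN$/ || rfrom[j] !~ /^Anywhere/) continue
                if (rv6[j] != rv6[i]) continue
                printf "rule %s (%s from %s) is shadowed by rule %s (%s to %s from %s)\n",
                       rnum[i], ract[i], rfrom[i], rnum[j], ract[j], rto[j], rfrom[j]
                found = 1
            }
        }
        exit (found ? 1 : 0)
    }'
}

# Default: audit the constructed sample; "-" audits whatever is on stdin.
if [ "${1:-}" = "-" ]; then
    find_shadowed_denies
else
    printf '%s\n' "$SAMPLE_STATUS" | find_shadowed_denies ||
        echo "fix: move the deny to the top, e.g. sudo ufw insert 1 deny from 208.176.0.50"
fi
```

On the sample the script reports rule 5 as shadowed by rules 2, 3 and 4 and exits 1, which makes it usable as a check in a configuration pipeline; once the deny is inserted at position 1 the output is empty and the exit status is 0.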

All in all, ufw is easy to configure and, just as importantly, easy to read: ufw status verbose tells you the default policies and every rule in effect, in the order they are evaluated.

Summary

This article introduced the ufw firewall on Linux: reading its default policies from /etc/default/ufw, checking its status, allowing or denying traffic by port number or service name, blocking a source address (and why rule order matters when you do), and finding the generated iptables rules under /etc/ufw.
