Skip to main content

Ubuntu default Firewall UFW (Uncomplicated Firewall) Command-Line

 



UFW - Uncomplicated Firewall

The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptablesfirewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled.

Gufw is a GUI that is available as a frontend.

Basic Syntax and Examples

Default rules are fine for the average home user

When you turn UFW on, it uses a default set of rules (profile) that should be fine for the average home user. That's at least the goal of the Ubuntu developers. In short, all 'incoming' is being denied, with some exceptions to make things easier for home users.


Enable and Disable 


Enable UFW 

To turn UFW on with the default set of rules: 
sudo ufw enable

To check the status of UFW: 
sudo ufw status verbose


The output should be like this:

youruser@yourcomputer:~$ sudo ufw status verbose 
sudo] password for youruser: 
Status: active 
Logging: on (low) 
Default: deny (incoming), allow (outgoing) 
New profiles: skip 
youruser@yourcomputer:~$ 


Note that by default, deny is being applied to incoming. There are exceptions, which can be found in the output of this command: 
sudo ufw show raw
You can also read the rules files in /etc/ufw (the files whose names end with .rules).



Disable UFW 

To disable ufw use: 
sudo ufw disable

Allow and Deny (specific rules) Allow
sudo ufw allow /

example: To allow incoming tcp and udp packet on port 53
sudo ufw allow 53

example: To allow incoming tcp packets on port 53
sudo ufw allow 53/tcp

example: To allow incoming udp packets on port 53
sudo ufw allow 53/udp

Deny
sudo ufw deny /

example: To deny tcp and udp packets on port 53
sudo ufw deny 53

example: To deny incoming tcp packets on port 53
sudo ufw deny 53/tcp

example: To deny incoming udp packets on port 53
sudo ufw deny 53/udp


Delete Existing Rule 

To delete a rule, simply prefix the original rule with delete. For example, if the original rule was: 
ufw deny 80/tcp

Use this to delete it:
sudo ufw delete deny 80/tcp


Services 

You can also allow or deny by service name since ufw reads from /etc/services To see get a list of services: 
less /etc/services

Allow by Service Name
sudo ufw allow

example: to allow ssh by name
sudo ufw allow ssh

Deny by Service Name
sudo ufw deny

example: to deny ssh by name
sudo ufw deny ssh


Status 

Checking the status of ufw will tell you if ufw is enabled or disabled and also list the current ufw rules that are applied to your iptables.

To check the status of ufw: 
sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.1
22:udp                     DENY    192.168.0.1
22:tcp                     DENY    192.168.0.7
22:udp                     DENY    192.168.0.7
22:tcp                     ALLOW   192.168.0.0/24
22:udp                     ALLOW   192.168.0.0/24


if ufw was not enabled the output would be: 
sudo ufw status
Status: inactive 



Logging 

To enable logging use: 
sudo ufw logging on

To disable logging use:
sudo ufw logging off


Advanced Syntax

You can also use a fuller syntax, specifying the source and destination addresses, ports and protocols.


Allow Access 

This section shows how to allow specific access.


Allow by Specific IP 

sudo ufw allow from

example:To allow packets from 207.46.232.182:
sudo ufw allow from 207.46.232.182

Allow by Subnet 

You may use a net mask : 
sudo ufw allow from 192.168.1.0/24

Allow by specific port and IP address

sudo ufw allow from to port

example: allow IP address 192.168.0.4 access to port 22 for all protocols 
sudo ufw allow from 192.168.0.4 to any port 22


Allow by specific port, IP address and protocol 

 sudo ufw allow from to port proto

example: allow IP address 192.168.0.4 access to port 22 using TCP 
sudo ufw allow from 192.168.0.4 to any port 22 proto tcp


Enable PING 

Note: Security by obscurity may be of very little actual benefit with modern cracker scripts. By default, UFW allows ping requests. You may find you wish to leave (icmp) ping requests enabled to diagnose networking problems.

In order to disable ping (icmp) requests, you need to edit /etc/ufw/before.rules and remove the following lines:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

or change the "ACCEPT" to "DROP"
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP



Deny Access 

Deny by specific IP

sudo ufw deny from

example:To block packets from 207.46.232.182: 
sudo ufw deny from 207.46.232.182


Deny by specific port and IP address 

sudo ufw deny from to port

example: deny ip address 192.168.0.1 access to port 22 for all protocols 
sudo ufw deny from 192.168.0.1 to any port 22


Working with numbered rules 

 Listing rules with a reference number

You may use status numbered to show the order and id number of rules: 
sudo ufw status numbered


Editing numbered rules 

Delete numbered rule 

You may then delete rules using the number. This will delete the first rule and rules will shift up to fill in the list. 
sudo ufw delete 1


Insert numbered rule 

sudo ufw insert 1 allow from

Advanced Example 

Scenario: You want to block access to port 22 from 192.168.0.1 and 192.168.0.7 but allow all other 192.168.0.x IPs to have access to port 22 using tcp 
sudo ufw deny from 192.168.0.1 to any port 22
sudo ufw deny from 192.168.0.7 to any port 22
sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp

This puts the specific rules first and the generic second. Once a rule is matched the others will not be evaluated (see manual below) so you must put the specific rules first. As rules change you may need to delete old rules to ensure that new rules are put in the proper order.

To check your rules orders you can check the status; for the scenario the output below is the desired output for the rules to work properly
sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.1
22:udp                     DENY    192.168.0.1
22:tcp                     DENY    192.168.0.7
22:udp                     DENY    192.168.0.7
22:tcp                     ALLOW   192.168.0.0/24


Scenario change: You want to block access to port 22 to 192.168.0.3 as well as 192.168.0.1 and 192.168.0.7. 
sudo ufw delete allow from 192.168.0.0/24 to any port 22
sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.1
22:udp                     DENY    192.168.0.1
22:tcp                     DENY    192.168.0.7
22:udp                     DENY    192.168.0.7

sudo ufw deny 192.168.0.3 to any port 22
sudo ufw allow 192.168.0.0/24 to any port 22 proto tcp
sudo ufw status

Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.1
22:udp                     DENY    192.168.0.1
22:tcp                     DENY    192.168.0.7
22:udp                     DENY    192.168.0.7
22:tcp                     DENY    192.168.0.3
22:udp                     DENY    192.168.0.3
22:tcp                     ALLOW   192.168.0.0/24

Tutorial from ubuntu.com
Labels:

Popular posts from this blog

WordPress Site is not loading properly behind Google Cloud/AWS Load Balancer

Hello Guys, Today we are going to understand how can we fix a WordPress loading issue (CSS and JS loading issue) behind the Google Cloud Load Balancer or AWS Load Balancer. Generally, When we host a WordPress site directly with Google Cloud Compute Engine VM instance or AWS EC2 instance. It's loading perfectly fine. But once we added this WordPress server behind any Load Balancer either from GCP Load Balancer or AWS Load Balancer, you site will completely broken, means the CSS and JS of your site not loaded properly. The reason for this is - When you put a load balancer in front of WordPress, you need to modify wp-config.php to process the HTTP header HTTP_X_FORWARDED_PROTO to detect the protocol that the user is using and not the protocol the load balancer is using to connect to your backend. To fix this issue, we have to make following changes in the  wp-config.php  file and add the below code snippet on the top of  wp-config.php file - Google Cloud Platform Load Bal...
Read more

Git and GitHub Commands Mastery

1. Setup Git and GitHub Global Configuration  git config --global user.email "gautamthakur1983@gmail.com" git config --global user.name "Gautam Thakur" git config --global list git config --list 2. Git Lifecycle | Initilize, Status, Add, Commit git status git init git add git commit -m "Commit Message" git log git log --oneline 3. Git Difference between last commit changes and current version changes git diff 4. Git Compare between 2 different Git Commits git diff eac4c5b 82485b1 5. Git Statsh - To save some changes for temporary purpose ## Pop take out stash and clear but apply take out stash but not clear git stash (To save current changes for temporary) git stash pop (To take out all stash contents) git stash list git stash clear (To clear all the stash changes) git stash save "NAME"  git stash save "NAME1" (Working with multiple stash) git stash sapply 0 or 1 (0 for name, 1 for about) after that run git stash clear git stash clear 6...
Read more

How to Setup Kubernetes Cluster in Google Cloud Virtual Machine using "kubeadm"? | Ubuntu 20.04/22.04 LTS

  Hello Friends, In this post, we are going to setup Kubernetes Cluster on Virtual Machine in Google Cloud Platform using kubeadm tool. Hope this post will help you in Kubernetes learning Hand-On Labs (HOL). Requirements: Master Node: No. of VMs 1 Specifications - 2 vCPUs, 4GB RAM, 20 GB HDD (Balanced PD or SSD PD), Operating System (OS) Ubuntu 20.04 LTS x86/64, amd64  Firewall Rule - Ingress Allow 6443 (API Server) | 2379 (ETCD) | 10251 (Scheduler) | 10252 (Controller Manager) 10250 (Kubelet), sudo access with admin access  Worker Node: No. of VMs 2 Specifications - 2 vCPUs, 4GB RAM, 20 GB HDD (Balanced PD or SSD PD), Operating System (OS) Ubuntu 20.04 LTS x86/64, amd64  Firewall Rule - Ingress Allow 30000-32767 (Services) | 10250 (Kubelet),  sudo access with admin access  Disable Swap and comment fstab entry: First, Disable Swap and remove or comment the Swap entries from fstab file : sudo swapoff -a sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab Next...
Read more