
UFW, short for "uncomplicated firewall," is a frontend for the more complex iptables utility. It's designed to make managing a firewall as simple as setting ports to be open and closed, and regulating what traffic is allowed to go through.

Setting Up UFW

UFW is installed by default in Ubuntu, but if it's not, you can install it from apt:

sudo apt-get install ufw

If you're running another distro, you'll have to use that distro's package manager, but UFW is widely available. You can check the status of the firewall with:

sudo ufw status

It should say "Inactive" if you haven't configured it before.

A good place to start with any firewall is by closing all incoming traffic and allowing outgoing traffic. Don't worry, this won't cut off your SSH connection right away, as the firewall isn't enabled yet.

sudo ufw default deny incoming

sudo ufw default allow outgoing

This gives us a blank slate to work with, and add rules on top of.

Opening Ports With UFW

To open ports, use the command ufw allow. For example, you'll need port 22 open for SSH, so go ahead and run:

sudo ufw allow 22

You can also leave a note for your future self when adding any rule:

sudo ufw allow 8080/tcp comment 'Open port for Express API'

Many applications install profiles for UFW, SSH being one of them. So you can also allow certain applications to open the ports they require by specifying the name:

sudo ufw allow ssh

You can view a list of available applications with ufw app list, and view details about an application with ufw app info [name].

You can also allow a whole range of ports by using a colon as a separator, and you can specify a protocol. For example, to allow only TCP traffic on ports 3000 through 3100, you can run:

sudo ufw allow 3000:3100/tcp

Since the default is set to deny incoming, you won't have to manually close off any ports. If you did want to close off an outgoing port, you'll have to specify a direction alongside ufw reject:

sudo ufw reject out 3001

Whitelisting and Rate Limiting With UFW

You can allow certain IP addresses to have different permissions. For example, to allow all traffic from your IP address, you could run (note the "from" keyword, which UFW requires when the rule names an address rather than a port):

sudo ufw allow from 192.168.1.1

To whitelist specific ports, you'll have to use the fuller syntax:

sudo ufw allow proto tcp from 192.168.1.1 to any port 22

You likely won't want to restrict SSH access to a single address in this way unless you have a backup connection or some sort of port knocking set up, as IP addresses change quite frequently. One option if you do want to restrict SSH access to only you is to set up an OpenVPN server in the same private cloud, and whitelist access from that server.

If you want to whitelist a whole block of IP addresses, as is the case when you're running your servers through a virtual private cloud provider, you can use standard CIDR subnet notation (again with "from"):

sudo ufw allow from 192.168.0.0/24

Subnets are pretty complicated, so you can read our guide to working with them to learn more.

Rate limiting is another useful feature of firewalls that can block connections that are obviously abusive. This is used to protect against an attacker attempting to brute-force an open SSH port. Obviously you could whitelist the port to protect it entirely, but rate limiting is useful anyway. By default, UFW denies connections from an address that has attempted 6 or more connections in the last 30 seconds, and it's intended to be used for SSH:

sudo ufw limit ssh

Turn On UFW

Once you're done configuring your rules, you can enable UFW. Make sure that SSH on port 22 is open, or you'll lock yourself out. If you want, you can stop UFW from running on boot so that a reboot would clear any lockout:

sudo systemctl disable ufw

Then, you can enable UFW with:

sudo ufw enable

If all is good, you can run ufw status to view the current status of the firewall. If you're not locked out, and the firewall is running, set it to run at boot with:

sudo systemctl enable ufw

Any time you make changes, you'll need to reload the firewall with:

sudo ufw reload

You can also turn on logging, which writes to /var/log/ (by default /var/log/ufw.log):

sudo ufw logging on
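The sections above describe one procedure: set the defaults, open the ports you need, whitelist and rate-limit, then enable. The script below is an added example (not from the article) that assembles that ruleset as a plan of ufw commands and refuses to append "ufw enable" unless some rule keeps port 22 reachable, which is the lockout the article warns about. It never runs ufw itself; you review the printed plan and then feed it to sudo sh. The function names, the 8080 and 3000:3100 ports and the 192.168.0.0/24 subnet are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): assemble the baseline ruleset from the
# sections above as a plan of ufw commands, and only append "ufw enable" when
# a rule keeping SSH reachable is present. Nothing here runs ufw; the output
# is meant to be reviewed and then piped to "sudo sh". Function names and the
# sample ports and subnet are constructed for illustration.

# Baseline from the article: deny all incoming, allow all outgoing, and
# rate-limit SSH instead of leaving it fully open.
ufw_baseline() {
    printf '%s\n' \
        'ufw default deny incoming' \
        'ufw default allow outgoing' \
        'ufw limit ssh'
}

# Allow a TCP port or port range (e.g. "8080" or "3000:3100") with a comment.
# Usage: ufw_allow_tcp <port-or-range> <comment>
ufw_allow_tcp() {
    printf "ufw allow %s/tcp comment '%s'\n" "$1" "$2"
}

# Allow one port only from a whitelisted address or CIDR block.
# Usage: ufw_allow_from <address-or-cidr> <port>
ufw_allow_from() {
    printf 'ufw allow proto tcp from %s to any port %s\n' "$1" "$2"
}

# Lockout guard: succeed (exit 0) if the plan on stdin contains a rule that
# keeps SSH reachable: allow/limit on "ssh" or "22" (optionally "/tcp"), or
# a whitelist rule "proto tcp from <addr> to any port 22".
has_ssh_rule() {
    grep -Eq '^ufw (allow|limit) ((ssh|22)(/tcp)?( |$)|proto tcp from [^ ]+ to any port 22( |$))'
}

# Print the plan followed by "ufw enable" if the guard passes; otherwise print
# the plan without the enable step and return 1 so a caller running under
# "set -e" stops before locking itself out.
# Usage: plan_enable "$(ufw_baseline; ufw_allow_tcp 8080 'API')"
plan_enable() {
    printf '%s\n' "$1"
    if printf '%s\n' "$1" | has_ssh_rule; then
        echo 'ufw enable'
        return 0
    fi
    echo '# refusing to enable: no rule keeps port 22 reachable' >&2
    return 1
}

# Demo with constructed sample values; review the printed plan before applying.
sample_plan=$(
    ufw_baseline
    ufw_allow_tcp 8080 'Open port for Express API'
    ufw_allow_tcp 3000:3100 'Dev servers'
    ufw_allow_from 192.168.0.0/24 22
)
plan_enable "$sample_plan"
```

The guard is deliberately narrow: it only recognises the rule forms the article uses (ufw allow/limit on ssh or 22, and the proto tcp from ... to any port 22 whitelist form). If you open SSH through an application profile with another name, extend the pattern in has_ssh_rule rather than skipping the check.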

Managing and Deleting Rules

If you'd like to delete a rule, you'll have to get its number with:

sudo ufw status numbered

Note that the numbers start at 1, not 0. You can delete a rule by number:

sudo ufw delete [number]

Again, make sure you don't delete your rule keeping port 22 open. You can use the --dry-run parameter to have UFW ask you for confirmation:

If you make any changes, you'll need to reload the firewall again.
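Deleting by number is easy to get wrong, because the numbers shift whenever a rule is removed and the rule you most need to keep is the one for port 22. The script below is an added example (not from the article) that reads the output of ufw status numbered, finds the number of the rule you name, and refuses to emit a delete command for the last IPv4 rule that keeps SSH open. The status text is a constructed sample, not output captured from a real host, and the function names are hypothetical; on a real machine you would pass "$(sudo ufw status numbered)" instead.

```shell
#!/bin/sh
# Added example (not from the article): pick the rule number to delete from
# "ufw status numbered" output, and refuse to delete the only IPv4 rule that
# keeps SSH (port 22) open. Function names are hypothetical and the status
# text is a constructed sample, not captured from a real host.

SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 8080/tcp                   ALLOW IN    Anywhere                   # Open port for Express API
[ 3] 3000:3100/tcp              ALLOW IN    Anywhere
[ 4] 3001                       REJECT OUT  Anywhere
[ 5] 22/tcp (v6)                LIMIT IN    Anywhere (v6)'

# Print the number of the first rule whose "To" column equals $2 exactly
# (e.g. "8080/tcp"); print nothing if no rule matches.
# Usage: rule_number "$status_text" "8080/tcp"
rule_number() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^\[ *[0-9]+\]/ {
            n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)      # "[ 2] ..." -> "2"
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)          # drop the "[ 2] " prefix
            split(rest, f, " ")                                  # f[1] is the To column
            if (f[1] == want) { print n; exit }
        }'
}

# Count IPv4 rules that keep SSH reachable: To is "22" or "22/tcp" with
# ALLOW IN or LIMIT IN. "(v6)" rules are skipped because they do not keep
# an IPv4 SSH session alive.
ssh_rule_count() {
    printf '%s\n' "$1" | awk '
        /^\[ *[0-9]+\]/ && !/\(v6\)/ {
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            split(rest, f, " ")
            if ((f[1] == "22" || f[1] == "22/tcp") && rest ~ /(ALLOW|LIMIT) IN/) c++
        }
        END { print c + 0 }'
}

# Print "ufw delete N" for the rule matching $2. If $2 is the SSH port and
# it is the last IPv4 rule keeping SSH open, print nothing and return 1.
# Usage: safe_delete_cmd "$status_text" "8080/tcp"
safe_delete_cmd() {
    n=$(rule_number "$1" "$2")
    if [ -z "$n" ]; then
        echo "no rule matches '$2'" >&2
        return 1
    fi
    case "$2" in
        22|22/tcp)
            if [ "$(ssh_rule_count "$1")" -le 1 ]; then
                echo "refusing: rule $n is the only IPv4 rule keeping SSH open" >&2
                return 1
            fi ;;
    esac
    printf 'ufw delete %s\n' "$n"
}

# Demo on the constructed sample: the first call prints "ufw delete 2",
# the second is refused by the guard.
safe_delete_cmd "$SAMPLE_STATUS" 8080/tcp
safe_delete_cmd "$SAMPLE_STATUS" 22/tcp || true
```

Because the script only prints the delete command, you can run it, read the result, and then paste it after sudo; if you delete several rules in one session, re-run ufw status numbered between deletions, since the numbering changes each time.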