UFW is used as the firewall on Linux and in my case on Ubuntu server. UFW comes with a UI, but we’re going to use this on a headless server (hence no UI being used).
Status and enabling/disabling the firewall
Simply run the following to check whether your firewall is active or not
sudo ufw status
To enable the firewall simply use the following
sudo ufw enable
Use disable to disable the firewall (as you probably guessed).
Once enabled run the status command again and you should see a list showing which ports we have defined rules for and these will show whether to ALLOW or REJECT connections to port. For example
To Action From -- ------ ---- 22/tcp ALLOW Anywhere 80/tcp ALLOW Anywhere 443/tcp ALLOW Anywhere 80 ALLOW Anywhere
Allow and reject access
We can allow access to a port, reject access to ports and reject outgoing traffic on ports. When we allow, reject incoming or reject outgoing access we’re creating firewall rules.
To allow access to SSH, for example we do the following
sudo ufw allow 22
This will allow tcp and udp access, but we can be more precise and just allow tcp by using
sudo ufw allow 22/tcp
As you can see from the previous output from the status option, we’ve enabled 22/tcp already.
To reject access to a port we use reject.
Note: If you’re access your server using SSH you probably don’t want to reject access to port 22, for obvious reasons, i.e. port 22 is used by SSH and this will block your access via SSH.
sudo ufw reject 80
Application profiles
UFW includes application profiles which allow us to enable predefined lists of permissions
sudo ufw app list
The applications listed from this command can also be seen by listing /etc/ufw/applications.d, so for example on my system I have a file name openssh-server, if you open this with nano (or your preferred editor), you’ll see an INI file format, for example
[OpenSSH] title=Secure shell server, an rshd replacement description=OpenSSH is a free implementation of the Secure Shell protocol. ports=22/tcp
We can also use
sudo ufw app info OpenSSH
Replacing OpenSSH with the name of the application profile you want to view
As you can see, if our application profiles are just INI files, then you can create your own file and place it into the aforementioned folder and make it available to UFW. Once you’ve created your file you’ll need to tell UFW to load the application definitions using
sudo ufw app update MyApp
Replace MyApp with your application name in the above.
Ofcourse once we have these profiles we can allow, reject etc. using the application name, i.e.
sudo ufw allow OpenSSH
Logging
By default logging is disabled, we can turn it on using
sudo ufw logging on