Setting up Ubuntu Server firewall

UFW is used as the firewall on Linux and in my case on Ubuntu server. UFW comes with a UI, but we’re going to use this on a headless server (hence no UI being used).

Status and enabling/disabling the firewall

Simply run the following to check whether your firewall is active or not

sudo ufw status

To enable the firewall simply use the following

sudo ufw enable

Use disable to disable the firewall (as you probably guessed).

Once enabled run the status command again and you should see a list showing which ports we have defined rules for and these will show whether to ALLOW or REJECT connections to port. For example

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
80                         ALLOW       Anywhere

Allow and reject access

We can allow access to a port, reject access to ports and reject outgoing traffic on ports. When we allow, reject incoming or reject outgoing access we’re creating firewall rules.

To allow access to SSH, for example we do the following

sudo ufw allow 22

This will allow tcp and udp access, but we can be more precise and just allow tcp by using

sudo ufw allow 22/tcp

As you can see from the previous output from the status option, we’ve enabled 22/tcp already.

To reject access to a port we use reject.

Note: If you’re access your server using SSH you probably don’t want to reject access to port 22, for obvious reasons, i.e. port 22 is used by SSH and this will block your access via SSH.

sudo ufw reject 80

Application profiles

UFW includes application profiles which allow us to enable predefined lists of permissions

sudo ufw app list

The applications listed from this command can also be seen by listing /etc/ufw/applications.d, so for example on my system I have a file name openssh-server, if you open this with nano (or your preferred editor), you’ll see an INI file format, for example

[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp

We can also use

sudo ufw app info OpenSSH

Replacing OpenSSH with the name of the application profile you want to view

As you can see, if our application profiles are just INI files, then you can create your own file and place it into the aforementioned folder and make it available to UFW. Once you’ve created your file you’ll need to tell UFW to load the application definitions using

sudo ufw app update MyApp

Replace MyApp with your application name in the above.

Ofcourse once we have these profiles we can allow, reject etc. using the application name, i.e.

sudo ufw allow OpenSSH

Logging

By default logging is disabled, we can turn it on using

sudo ufw logging on