Uncomplicated Firewall (UFW)
UFW is a frontend for iptables and a program for managing a netfilter firewall.
Some key things to consider:
1. Installation:
apt install ufw
2. Verify if ufw is enabled:
systemctl is-enabled ufw
3. Enabling ufw flushes its chains and may disconnect existing sessions such as SSH. So when working remotely, it is recommended to allow SSH (port 22) first, before enabling it:
ufw allow proto tcp from any to any port 22
Enable the ufw:
ufw enable
4. Take note that running both ufw and the iptables-persistent package can cause conflicts, so it is recommended to remove iptables-persistent:
apt purge iptables-persistent
5. The loopback interface should be allowed to accept traffic. Other interfaces should be configured to deny incoming traffic with a source address in the loopback network:
IPv4: 127.0.0.0/8
IPv6: ::1/128
Apply the rules:
ufw allow in on lo
ufw allow out on lo
ufw deny in from 127.0.0.0/8
ufw deny in from ::1
6. Outbound connections are allowed on all interfaces:
ufw allow out on all
Sample Output:
root@freelinux:~# ufw allow out on all
Rule added
Rule added (v6)
root@freelinux:~# ufw status
Status: active
To                         Action      From
--                         ------      ----
Anywhere                   ALLOW OUT   Anywhere on all
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on all
7. Allow only open ports that are needed
There are a few ways to verify open or listening ports, e.g. using the "ss" command.
Sample Output:
root@freelinux:~# ss -4tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:5355 *:*
udp UNCONN 0 0 127.0.0.53%lo:53 *:*
udp UNCONN 0 0 10.0.2.15%enp0s3:68 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:5355 *:*
tcp LISTEN 0 128 *:22 *:*
root@freelinux:~# ufw status
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
Anywhere                   ALLOW OUT   Anywhere on all
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on all
Syntax:
ufw allow in <portnumber>/<tcp or udp protocol>
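As an added example (not from the original post), a POSIX shell script that cross-checks the two outputs shown above: it lists the non-loopback listening sockets from `ss -4tuln` and reports those with no inbound ALLOW rule in `ufw status`. The sample outputs embedded in it are constructed to match the listing above, and the function names are my own.

```shell
# Constructed sample of `ss -4tuln` output (not captured from a live host).
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
udp   UNCONN 0      0      *:5355               *:*
udp   UNCONN 0      0      127.0.0.53%lo:53     *:*
udp   UNCONN 0      0      10.0.2.15%enp0s3:68  *:*
tcp   LISTEN 0      80     127.0.0.1:3306       *:*
tcp   LISTEN 0      128    *:5355               *:*
tcp   LISTEN 0      128    *:22                 *:*'

# Constructed sample of `ufw status` output.
UFW_SAMPLE='Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
Anywhere                   ALLOW OUT   Anywhere on all'

# listening_sockets <ss output>: print "port/proto" for every socket bound to
# a non-loopback address. Sockets on 127.0.0.0/8 (e.g. 3306 above) are only
# reachable locally, so they are skipped.
listening_sockets() {
  printf '%s\n' "${1:-$SS_SAMPLE}" | awk 'NR > 1 {
    n = split($5, a, ":"); addr = a[1]; port = a[n]
    if (addr ~ /^127\./) next
    print port "/" $1
  }' | sort -u
}

# allowed_ports <ufw status output>: print "port/proto" for every inbound
# ALLOW rule. A rule added without a protocol shows as a bare port and
# covers both tcp and udp. Application profiles (e.g. "OpenSSH") and rules
# restricted to a source address are not handled here.
allowed_ports() {
  printf '%s\n' "${1:-$UFW_SAMPLE}" | awk '$2 == "ALLOW" {
    if ($1 ~ /^[0-9]+\/(tcp|udp)$/) print $1
    else if ($1 ~ /^[0-9]+$/) { print $1 "/tcp"; print $1 "/udp" }
  }' | sort -u
}

# unallowed_listeners <ss output> <ufw status output>: listening sockets that
# no inbound ALLOW rule covers; either stop the service or add a rule for it.
unallowed_listeners() {
  allowed=$(allowed_ports "${2:-$UFW_SAMPLE}")
  listening_sockets "${1:-$SS_SAMPLE}" | while read -r p; do
    printf '%s\n' "$allowed" | grep -qx "$p" || printf '%s\n' "$p"
  done
}
```

On a live host, run it as root with the real outputs: `unallowed_listeners "$(ss -4tuln)" "$(ufw status)"`.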
8. Default deny should be configured
The concept is to allow the needed ports or hosts first, then have the default policy deny all other traffic.
For example, suppose you want to allow the following ports and services:
a. allow incoming web access (http & https)
b. allow incoming SSH access
c. allow outgoing for DNS or port 53
d. allow logging
e. deny everything
ufw allow in http
ufw allow in https
ufw allow in ssh
ufw allow out 53
ufw logging on
ufw default deny incoming
ufw default deny outgoing
ufw default deny routed
Sample Output:
root@freelinux:~# ufw allow in http
Rule added
Rule added (v6)
root@freelinux:~# ufw allow in https
Rule added
Rule added (v6)
root@freelinux:~# ufw allow in ssh
Rule added
Rule added (v6)
root@freelinux:~# ufw allow out 53
Rule added
Rule added (v6)
root@freelinux:~# ufw logging on
Logging enabled
root@freelinux:~# ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
root@freelinux:~# ufw default deny outgoing
Default outgoing policy changed to 'deny'
(be sure to update your rules accordingly)
root@freelinux:~# ufw default deny routed
Default routed policy changed to 'deny'
(be sure to update your rules accordingly)
Verify:
root@freelinux:~# ufw status
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
Anywhere                   ALLOW OUT   Anywhere on all
53                         ALLOW OUT   Anywhere
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on all
53 (v6)                    ALLOW OUT   Anywhere (v6)