By default, Ubuntu comes with firewall configuration tool which is called as UFW. UFW stands for Uncomplicated Firewall used to manage firewall rules in Ubuntu. In this tutorial, described how to setup UFW firewall on Ubuntu.
Before going to ahead and configure UFW on Ubuntu 18.04, you should logged in as non-root user with sudo privileges.
As we described above that UFW is installed in Ubuntu by default. For any reason you have uninstalled then you should first install UFW to your Ubuntu system.
sudo apt install ufw
Check UFW Status
You can check the status of ufw once the installation is finished. For that run the below command:
sudo ufw status verbose
If you never activated UFW before then it will show output as inactive because by default, UFW is disabled:
Output Status: inactive
Once you will activated UFW then status output will show as below:
Status: active To Action From -- ------ ---- 22 ALLOW Anywhere 22 (v6) ALLOW Anywhere (v6)
If UFW is not enabled on your system then you can do it easily by typing:
sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y Firewall is active and enabled on system startup
It will show warning that it may disrupt existing ssh connections if enabling the firewall. Press y and hit Enter to continue.
Now if you want to check status you can check again and it should show activated.
Set UFW Default Policies
UFW will block all of the incoming connections and allow all outbound connections. Commonly, we need only some of ports open for incoming connections and block all other ports. The default polices are defined in the
/etc/default/ufw file. Using UFW you can set and manage this type of rules polices.
Use below command to deny all incoming connections to your system:
sudo ufw default deny incoming
To allow all outgoing connections type following in terminal.
sudo ufw default allow outgoing
Add Rules to UFW
It is very easy to add rules for any service or port numbers. Following is the basic syntax to add rule for any port.
sudo ufw ACTION PORT_NUMBER
ACTION should replace with deny or allowed and
PORT_NUMBER is the number of port for which you want to set rule.
Allow SSH Connections Port 22
To allow incoming and outgoing connections on port
22 (SSH) run below command:
sudo ufw allow 22
You also can run command with the service name as below:
sudo ufw allow ssh
It will show output as below:
Output Rule added Rule added (v6)
Open port 80 – HTTP
You can allow HTTP connections using below command:
sudo ufw allow http
Instead of http you can use the port number, 80:
sudo ufw allow 80/tcp
Open port 443 – HTTPS
If your website using SSL then your server should open 443 port to allow connections over it. Run below command to allow port 443:
sudo ufw allow https
Same as http your can use port number instead of service name:
sudo ufw allow 443/tcp
Deny Traffic on Port 972
You can deny traffic on specific port using below command:
sudo ufw deny 972
If you have added any rule and no need more now then you can delete it easily using delete action. For example, if we don’t want rule for https then run below command to delete rule for https:
sudo ufw delete allow 443
Allow Specific IP Addresses
If you want allow connections from a specific IP address for all ports then just need to specify IP address as given below:
sudo ufw allow from 22.214.171.124
It will add that IP address to whitelist.
Allow Specific IP Addresses on Specific port
If you have requirement that specific IP address should allow connections for specific ports only then run below command:
sudo ufw allow from 126.96.36.199 to any port 22
In above command you can see that we have followed port number after IP address to allow for specific port. So connections from 188.8.131.52 are allowed only for port 22.
Deny Specific IP Addresses
To deny all the connections from a specific IP address, you need to specify IP address with deny option as given below:
sudo ufw deny from 184.108.40.206
It will add that IP address to blacklist.
Deny Specific IP Addresses on Specific port
When you want to deny connections from specific IP address for specific ports only then you can do it by run below command:
sudo ufw deny from 220.127.116.11 to any port 22
You can see in above command we have given port number after IP address to deny for specific port. Thus, connections from 18.104.22.168 are deny only for port 22.
If you have requirement to disable UFW then you can simple do it by run below command:
sudo ufw disable
If you messed up rules and want to start again then reset UFW will help. It will disable UFW and delete all the current rules. To reset UFW type following command:
sudo ufw reset
Logging in UFW
You can enable or disable logging in UFW with three levels. Default log level is low out of low, medium and high.
Type below command to enable logging:
sudo ufw logging on
You have learned complete details about setup UFW on Ubuntu 18.04 system. It advised to deny all the incoming connections except necessary ports.
If you have any question or facing issue with setup UFW then comment below.