If you need to easily deploy a host firewall in Linux, ufw could be a good start. The Linux kernel provides a type of packet filtering called netfilter. The most common and native interface to netfilter is the iptables utility. iptables is powerful and is included by default in most Linux distributions. However, it’s moderately difficult to learn and to fully master it; it has a very steep learning curve.
For this reason there have been many efforts to simplify the manipulation of firewalls on Linux. One of them is a package called “uncomplicated firewalls” (ufw). The name of the package makes it clear that this is a firewall setup utility, and it’s easy to use.
Let’s see if we should believe it.
To install ufw type:
apt-get install ufw
Once you do that, you can see the status of the firewall and its rules as follows:
netbeez.net$ sudo ufw status verbose Status: inactive
ufw attempts to avoid surprises, and by default, it’s not enabled because its default rules are to block all incoming connections and allow all outgoing. One of the most common ports that need to be open is port 22, for ssh’ing.
Before enabling the firewalls, we have to make sure that port 22’s incoming connections are allowed, otherwise we may lose ssh access to the Linux host.
Here is how to do that:
netbeez.net$ allow ssh/tcp Rule added Rule added (v6) netbeez.net$ sudo ufw status verbose Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- 22/tcp ALLOW IN Anywhere 22/tcp (v6) ALLOW IN Anywhere (v6)
As you can see, tcp connections on port 22 are allowed from anywhere on both IPv4 and IPv6. Now we are ready to enable the firewall rules with:
netbeez.net$ sudo ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ufw warns that we are currently using port 22 for ssh, and if for some reason this is blocked by ufw, our connection will drop. If you did everything correctly you shouldn’t worry about it and answer “y.”
Uncomplicated firewalls have a simple and intuitive syntax. Let’s look at some more examples:
Logging is very useful in order to be able to go back in time and examine post mortem problems or even to keep an eye on our system in real time. To enable logging type:
sudo ufw logging on Logging enabled
And from now on, all activity will be logged in “/var/log/ufw.log.” Here is an example:
netbeez.net$ tail -f /var/log/ufw.log Jan 28 21:55:14 raspberrypi kernel: [ 1491.315976] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:50:3e:aa:52:97:9f:08:00 SRC=192.168.0.25 DST=184.108.40.206 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 Jan 28 21:55:43 raspberrypi kernel: [ 1520.398129] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:01:38:3b:c8:3e:d4:31:08:00 SRC=192.168.0.1 DST=220.127.116.11 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 Jan 28 21:55:43 raspberrypi kernel: [ 1520.602782] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:a4:34:d9:56:ac:8e:08:00 SRC=192.168.0.38 DST=18.104.22.168 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=21030 PROTO=2
Specify host and subnet
You can allow or block traffic based on the IP or the subnet of the host that is sending the traffic:
netbeez.net$ sudo ufw allow from 172.30.0.7 Rule added netbeez.net$ sudo ufw allow from 172.30.0.7/16 Rule added netbeez.net$ sudo ufw status verbose Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- Anywhere ALLOW IN 172.30.0.7 Anywhere ALLOW IN 172.30.0.0/16
Deleting rules is as easy and intuitive as adding rules. Here is how to remove the last rule that we added:
netbeez.net$ sudo ufw delete allow from 172.30.0.7/16 Rule deleted netbeez.net$ sudo ufw status verbose Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- Anywhere ALLOW IN 172.30.0.7
Deleting rules by repeating the rules is a bit cumbersome, and there is an easier way to do that. First we need to display the rules with their corresponding number and delete the rule by using this unique number:
netbeez.net$ sudo ufw status numbered Status: active To Action From -- ------ ---- [ 1] 22/tcp ALLOW IN Anywhere [ 2] Anywhere ALLOW IN 172.30.0.7 [ 3] 22/tcp (v6) ALLOW IN Anywhere (v6) netbeez.net$ sudo ufw delete 2 Deleting: allow from 172.30.0.7
ufw is my go to utility when I want to manipulate firewall rules on a Linux host. It makes my life much better when it comes to adding, removing, or modifying firewall rules. It should be your go-to tool for setting up firewalls too.