Linux for Network Engineers: How to Set Up Firewall Rules with ufw

January 30, 2019 | Linux

The Linux kernel provides a packet filtering framework called netfilter. The most common and native interface to netfilter is the iptables utility. iptables is powerful and is included by default in most Linux distributions. However, it is moderately difficult to learn and hard to fully master; the learning curve is steep.

For this reason there have been many efforts to simplify the management of firewalls on Linux. One of them is a package called “uncomplicated firewall” (ufw). The name of the package makes a clear claim: this is a firewall setup utility, and it is easy to use.

Let’s see if we should believe it.

Installation

To install ufw type:

sudo apt-get install ufw

Once you do that, you can see the status of the firewall and its rules as follows:

netbeez.net$ sudo ufw status verbose
Status: inactive

Allow ssh

ufw tries to avoid surprises: it is disabled by default, because its default policy is to deny all incoming connections and allow all outgoing ones. One of the most common ports that needs to be open is port 22, for ssh.

Before enabling the firewall, we have to make sure that incoming connections to port 22 are allowed; otherwise we may lose ssh access to the Linux host.

Here is how to do that:

netbeez.net$ sudo ufw allow ssh/tcp
Rule added
Rule added (v6)
netbeez.net$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)

As you can see, TCP connections to port 22 are allowed from anywhere, on both IPv4 and IPv6. Now we are ready to enable the firewall with:

netbeez.net$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y

ufw warns that enabling the firewall may disrupt existing ssh connections: if port 22 ends up blocked, our session will drop. If you added the rule above, you can answer “y” without worry.
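The check the post describes, as a script: refuse to enable ufw until an allow rule for ssh exists. This is an added example, not code from the post or from the ufw project. One detail matters here: while ufw is inactive, `ufw status` prints only “Status: inactive”, so the script reads the rule list from `ufw show added` (whose lines look like `ufw allow 22/tcp`); the parser also understands the `ufw status` table format. The sample listings below are constructed, and the live path only runs when the script is invoked with `--apply`.

```shell
#!/bin/sh
# Added example (not from the original post): only enable ufw once an allow
# rule for ssh has been added. The sample listings are constructed.

# Read a rule listing on stdin ("ufw show added" or "ufw status" format);
# return 0 if some allow rule names 22/tcp, port 22, the ssh service or the
# OpenSSH application profile, otherwise return 1. A deny rule does not count.
ssh_rule_present() {
    awk '
        tolower($0) ~ /allow/ {
            for (i = 1; i <= NF; i++)
                if ($i == "22/tcp" || $i == "22" || $i == "ssh" || $i == "OpenSSH")
                    found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Live path: check the added rules, then enable non-interactively.
safe_enable() {
    if ! sudo ufw show added | ssh_rule_present; then
        echo "refusing to enable ufw: no allow rule for ssh (run: sudo ufw allow ssh/tcp)" >&2
        return 1
    fi
    # --force answers the "may disrupt existing ssh connections" prompt for us
    sudo ufw --force enable
}

# Constructed sample in the shape of "ufw show added" output: ssh is allowed.
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp"

# Constructed sample where only HTTP is allowed and ssh is explicitly denied.
SAMPLE_NO_SSH="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw deny 22/tcp"

if [ "${1:-}" = "--apply" ]; then
    safe_enable
else
    # Dry run on the constructed samples; no ufw or root needed.
    if printf '%s\n' "$SAMPLE_ADDED" | ssh_rule_present; then
        echo "sample 1: ssh allow rule present, safe to enable"
    fi
    if ! printf '%s\n' "$SAMPLE_NO_SSH" | ssh_rule_present; then
        echo "sample 2: no ssh allow rule, do not enable yet"
    fi
fi
```

Run it without arguments to see the check applied to the samples, and with `--apply` on the host itself to perform the real check and enable. `ufw --force enable` suppresses the confirmation prompt, which is what you want in provisioning scripts, and exactly why the rule check has to come first.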

ufw has a simple and intuitive syntax. Let’s look at some more examples.

Enable Logging

Logging is very useful for examining problems post mortem, or for keeping an eye on the system in real time. To enable logging, type:

sudo ufw logging on
Logging enabled

From now on, firewall activity will be logged to “/var/log/ufw.log.” Here is an example:

netbeez.net$ tail -f /var/log/ufw.log
Jan 28 21:55:14 raspberrypi kernel: [ 1491.315976] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:50:3e:aa:52:97:9f:08:00 SRC=192.168.0.25 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 28 21:55:43 raspberrypi kernel: [ 1520.398129] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:01:38:3b:c8:3e:d4:31:08:00 SRC=192.168.0.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 28 21:55:43 raspberrypi kernel: [ 1520.602782] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:a4:34:d9:56:ac:8e:08:00 SRC=192.168.0.38 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=21030 PROTO=2
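Reading the log by hand gets old quickly, so here is a small summariser for the `[UFW BLOCK]` lines, as an added example (not from the post or from ufw): it groups blocked packets by source, destination, protocol and destination port, most frequent first, and maps numeric protocol values to names. The sample log is constructed for this example; its first three lines mirror the post's excerpt (PROTO=2 is IGMP, and 224.0.0.1 and 224.0.0.251 are multicast groups, so those entries are ordinary LAN membership reports rather than anything to worry about), and the last two are a made-up TCP example with an invented source address.

```shell
#!/bin/sh
# Added example (not from the original post): summarise [UFW BLOCK] entries
# from /var/log/ufw.log. Sample log lines below are constructed.

# Read ufw log lines on stdin; print "count SRC DST PROTO DPT" per blocked
# flow, most frequent first. Numeric protocols are mapped to their names;
# DPT is "-" for protocols without ports.
summarise_blocks() {
    awk '
        BEGIN { name["1"] = "ICMP"; name["2"] = "IGMP"; name["6"] = "TCP"; name["17"] = "UDP" }
        /\[UFW BLOCK\]/ {
            src = dst = proto = port = "-"
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "DST")   dst   = kv[2]
                if (kv[1] == "DPT")   port  = kv[2]
                if (kv[1] == "PROTO") proto = (kv[2] in name) ? name[kv[2]] : kv[2]
            }
            count[src " " dst " " proto " " port]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn -k1,1
}

# Count blocked packets from one source address (exact match on SRC=).
blocked_count_from() {
    grep '\[UFW BLOCK\]' | grep -cF "SRC=$1 " || true
}

# Constructed sample log: three lines like the post's, plus two made-up TCP
# entries from 10.0.0.5 to port 23.
SAMPLE_LOG='Jan 28 21:55:14 raspberrypi kernel: [ 1491.315976] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:50:3e:aa:52:97:9f:08:00 SRC=192.168.0.25 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 28 21:55:43 raspberrypi kernel: [ 1520.398129] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:01:38:3b:c8:3e:d4:31:08:00 SRC=192.168.0.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 28 21:55:43 raspberrypi kernel: [ 1520.602782] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:a4:34:d9:56:ac:8e:08:00 SRC=192.168.0.38 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=21030 PROTO=2
Jan 28 21:56:02 raspberrypi kernel: [ 1539.101010] [UFW BLOCK] IN=wlan0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=10.0.0.5 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 28 21:56:03 raspberrypi kernel: [ 1540.202020] [UFW BLOCK] IN=wlan0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=10.0.0.5 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0'

# On a real host: tail -n 1000 /var/log/ufw.log | summarise_blocks
printf '%s\n' "$SAMPLE_LOG" | summarise_blocks
```

On the sample this prints `2 10.0.0.5 192.168.0.20 TCP 23` first, followed by the three single IGMP entries. The same pipeline works on `journalctl -k` output, since ufw logs through the kernel.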

Specify host and subnet

You can allow or block traffic based on the IP address or the subnet of the host sending the traffic (note in the output below that ufw normalizes 172.30.0.7/16 to its network address, 172.30.0.0/16):

netbeez.net$ sudo ufw allow from 172.30.0.7
Rule added
netbeez.net$ sudo ufw allow from 172.30.0.7/16
Rule added
netbeez.net$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    172.30.0.7
Anywhere                   ALLOW IN    172.30.0.0/16

Delete Rule

Deleting rules is as easy and intuitive as adding rules. Here is how to remove the last rule that we added:

netbeez.net$ sudo ufw delete allow from 172.30.0.7/16
Rule deleted
netbeez.net$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    172.30.0.7

Deleting a rule by repeating its full text is a bit cumbersome, and there is an easier way. First display the rules with their numbers, then delete a rule by its number:

netbeez.net$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] Anywhere                   ALLOW IN    172.30.0.7
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)

netbeez.net$ sudo ufw delete 2
Deleting:
 allow from 172.30.0.7
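Rule numbers are positional: after `ufw delete 2`, the former rule 3 becomes rule 2. A script that deletes several rules by number must therefore delete them highest number first. This added example (not from the post or from ufw) extracts the numbers of all rules matching a pattern from `ufw status numbered` output, sorted descending, and deletes them in that order; the numbered listing is constructed, and the live path runs only with `--apply`.

```shell
#!/bin/sh
# Added example (not from the original post): delete every ufw rule matching
# a pattern, by number, highest first. The sample listing is constructed.

# Read "ufw status numbered" output on stdin; print the numbers of the rules
# whose line matches the grep pattern in $1, highest number first.
rule_numbers_matching() {
    pattern=$1
    grep '^\[ *[0-9][0-9]*\]' | grep -- "$pattern" \
        | sed 's/^\[ *\([0-9]*\)\].*/\1/' | sort -rn
}

# Live path: delete matching rules, highest number first, so that earlier
# deletions do not shift the numbers still to be deleted.
delete_rules_matching() {
    for n in $(sudo ufw status numbered | rule_numbers_matching "$1"); do
        # --force skips the per-rule "Proceed with operation" prompt
        sudo ufw --force delete "$n"
    done
}

# Constructed sample in the shape of "ufw status numbered" output.
SAMPLE_NUMBERED='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] Anywhere                   ALLOW IN    172.30.0.7
[ 3] Anywhere                   ALLOW IN    172.30.0.0/16
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

if [ "${1:-}" = "--apply" ]; then
    delete_rules_matching "${2:?usage: $0 --apply PATTERN}"
else
    # Dry run: which rule numbers would be deleted for the 172.30.x rules?
    printf '%s\n' "$SAMPLE_NUMBERED" | rule_numbers_matching '172\.30\.'
fi
```

The dry run prints `3` then `2`; `ufw --force delete 3` followed by `ufw --force delete 2` removes both subnet rules while leaving the ssh rules (1 and 4) in place. Had the script deleted 2 first, rule 3 would already have become rule 2 and the second deletion would have hit the wrong rule.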

ufw is my go-to utility when I want to manipulate firewall rules on a Linux host. It makes my life much better when it comes to adding, removing, or modifying firewall rules. It should be your go-to tool for setting up firewalls too.