Introduction

The first step in securing your system is configuring a firewall. To set up and manage your firewall, Linux provides iptables, a flexible firewall utility.

Users who are new to network security may find iptables a bit intimidating. That’s why we recommend starting with UFW. UFW (Uncomplicated Firewall) is a user-friendly interface implemented on top of iptables. It provides a simple way to configure a firewall.

In this tutorial, you will learn how to set up firewall protection of your Ubuntu 18.04 system with UFW.

Prerequisites

  • A user account with sudo privileges
  • Access to a command line/terminal window (Ctrl+Alt+T)

Install UFW on Ubuntu

UFW comes pre-installed with Ubuntu 18.04.

In the unlikely case you do not have UFW, run the following command to install it:

sudo apt install ufw

Configure UFW to Support IPv6

If the system has both IPv4 and IPv6, you need to modify the UFW configuration file to support both protocols.
Open the file using Nano or any other text editor:

sudo nano /etc/default/ufw

Make sure the IPV6 value is set to yes (the line should read IPV6=yes).

Save and close the file.

Set Up Default UFW Policy

The default UFW configuration is set to allow all outgoing connections and deny all incoming connections.

These rules work fine for personal computers which do not need to respond to incoming requests.

If you want to return to the default settings, run the following commands:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow SSH Connections

If you plan to connect to your server from remote locations, you need to set up UFW to allow incoming SSH connections.
Configure UFW to allow SSH connections with the command:

sudo ufw allow ssh

Enable UFW

After you have configured the firewall to allow SSH connections, you can enable it with:

sudo ufw enable

The output will inform you that existing SSH connections could be disrupted by enabling the firewall. Confirm you want to proceed by typing y and hitting Enter.

The output should inform you that the firewall is now active and enabled on system startup.

Check UFW Status

To check the UFW status and the rules that are set, run the command:

sudo ufw status verbose

The output shows the firewall status, the default settings, and which ports are open for connection.
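
The status output can also be checked automatically. The script below is an added example, not part of the original tutorial: it reads a `ufw status verbose` listing and reports an inactive firewall, a permissive default incoming policy, ports open to Anywhere that are not in a baseline, and missing IPv6 rules. The function names, the EXPECTED baseline, and the sample listing (including the address 192.0.2.10) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ufw status verbose` output against a baseline.
# EXPECTED and the sample listing are constructed for illustration.
EXPECTED="22/tcp 80/tcp 443/tcp"   # ports allowed to be open to Anywhere

# Constructed sample of `sudo ufw status verbose` output.
sample_status() {
    cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
2000:2004/tcp              ALLOW IN    Anywhere
631                        ALLOW IN    192.0.2.10
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
2000:2004/tcp (v6)         ALLOW IN    Anywhere (v6)
EOF
}

# Read the listing on stdin and print one finding per line.
audit_ufw_status() {
    awk -v expected="$EXPECTED" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        /^Status:/  { if ($2 != "active") print "FAIL firewall is " $2 }
        /^Default:/ { if ($2 != "deny" && $2 != "reject")
                          print "FAIL default incoming policy is " $2 }
        / ALLOW IN / {
            rules++
            if ($0 ~ /\(v6\)/) has_v6 = 1
            to = $0;  sub(/ +ALLOW IN.*/, "", to); sub(/ \(v6\)$/, "", to)
            src = $0; sub(/.* ALLOW IN +/, "", src); sub(/ +$/, "", src)
            # Only rules open to the whole internet are checked against the baseline.
            if (src ~ /^Anywhere/ && !(to in ok))
                print "WARN " to " open to " src
        }
        END { if (rules && !has_v6)
                  print "WARN no (v6) rules: check IPV6=yes in /etc/default/ufw" }'
}

sample_status | audit_ufw_status
```

On a live system, replace the sample with the real listing: sudo ufw status verbose | audit_ufw_status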

Adding More UFW Rules

You can add more rules to further define the extent of communication the server has.

Specify which connections are allowed and which are denied.

Allow Incoming Connections on Other Ports

Depending on what you use the server for, you may need to open some other ports to allow specific incoming connections. Create additional UFW rules to add these connections to your firewall configuration.

Allow incoming HTTP connections (on port 80) by typing:

sudo ufw allow http

Or:

sudo ufw allow 80

To enable HTTPS connections, use one of the following two commands:

sudo ufw allow https
sudo ufw allow 443

You might be using the server as a remote machine to which you want complete access from your home system. To set a rule that allows access to all ports from a specific IP address, run:

sudo ufw allow from [IP.address]

To allow access from a particular machine to a specific port, run the command:

sudo ufw allow from [IP.address] to any port [port number]

To allow access to a range of ports, specify the range values and the type of protocol (TCP or UDP). For instance, the following commands will allow connections to ports 2000 through 2004 for TCP and UDP:

sudo ufw allow 2000:2004/tcp
sudo ufw allow 2000:2004/udp

Note: TCP (Transmission Control Protocol) is a connection-oriented protocol used to guarantee that all the data transmitted is in order. UDP (User Datagram Protocol) is a connectionless protocol that transfers data faster, but is not as reliable.


Deny Incoming Connections on Other Ports

To create a deny rule that forbids connections from a specific IP address, run the command:

sudo ufw deny from [IP.address]

You can also deny that address access to a particular port by typing:

sudo ufw deny from [IP.address] to any port [number]

Delete UFW Rules

If you want to delete a rule you no longer need, there are two ways to do so.

One option is to display a list of all the rules and find the assigned number of the rule. First, run the command:

sudo ufw status numbered

The output will list the rules you have defined so far. Each rule has a number according to the order in which it was set.

To delete a rule, use the following syntax with the appropriate rule number:

sudo ufw delete [rule_number]

An alternative way to delete a rule is to specify it word for word (as you added it):

sudo ufw delete [rule]

For example, to remove a rule that allows connection to port 2000, use the command:

sudo ufw delete allow 2000
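
When deleting by number, keep in mind that UFW renumbers the remaining rules after every deletion, so numbers read from one listing are only valid if you delete from the highest number down. The script below is an added example, not part of the original tutorial: it reads a `ufw status numbered` listing and prints the delete commands for a given rule (including its IPv6 twin) in a safe order. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: plan deletions by rule number, highest number first.
# Deleting rule 2 before rule 6 would shift the old rule 7 into slot 6,
# and the second delete would then remove the wrong rule.

# Constructed sample of `sudo ufw status numbered` output.
sample_numbered() {
    cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 2000:2004/tcp              ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 2000:2004/udp              ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 2000:2004/tcp (v6)         ALLOW IN    Anywhere (v6)
[ 7] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 2000:2004/udp (v6)         ALLOW IN    Anywhere (v6)
EOF
}

# plan_deletes TARGET: read a numbered listing on stdin and print a delete
# command for every rule whose "To" column equals TARGET (IPv4 and IPv6),
# ordered from the highest rule number to the lowest.
plan_deletes() {
    awk -v target="$1" '
        /^\[ *[0-9]+\]/ {
            line = $0
            num = line; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            sub(/^\[ *[0-9]+\] +/, "", line)        # drop the "[ N] " prefix
            to = line; sub(/ +(ALLOW|DENY|REJECT|LIMIT).*/, "", to)
            sub(/ \(v6\)$/, "", to)                 # match the IPv6 twin too
            if (to == target) print num
        }' | sort -rn | while read -r n; do
            echo "sudo ufw delete $n"
        done
}

sample_numbered | plan_deletes "2000:2004/tcp"
```

The commands are only printed so that they can be reviewed before being run.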

Application Profiles

Packages installed with the apt command can ship an application profile in the /etc/ufw/applications.d directory. The profile provides information about the software and its UFW settings.

To see a list of all application profiles use the command:

sudo ufw app list

See more information about a specific package (along with open ports) by typing:

sudo ufw app info '[package name]'

In our example, there is only one application profile, CUPS. The app info option shows you that the package opens port 631.

Conclusion

By following the instructions in our guide, using UFW to set up a firewall should be simple. Ensuring stable firewall protection is the least you can do to protect your server.

Once you have that in place, move on to learning more about server protection by checking out our list of 21 Server Security Tips.
