Introduction

The first step in securing your system is configuring a firewall. To set up and manage your firewall, Linux has designed iptables, a flexible firewall utility.

Users who are new to network security may find iptables a bit intimidating. That’s why we recommend starting with UFW. UFW (Uncomplicated Firewall) is a user-friendly interface implemented on top of iptables. It provides a simple way to configure a firewall.

In this tutorial, you will learn how to set up firewall protection of your Ubuntu 18.04 system with UFW.

How to set up a firewall with UFW on Ubuntu.

Prerequisites

  • A user account with sudo privileges
  • Access to a command line/terminal window (CtrlAltT)

Set Up UFW from Command Line

Install UFW on Ubunutu

UFW comes pre-installed with Ubuntu 18.04.

In the unlikely case you do not have UFW, run the following command to install it:

sudo apt install ufw

Configure UFW to Support IPv6

If the system has both IPv4 and IPv6, you need to modify the UFW configuration file to support both protocols.
Open the file using Nano or any other text editor:

sudo nano /etc/default/ufw

set ufw configuration file to support IPv6

The IPv6 value should be set to yes.

Save and close the file.

Set Up Default UFW Policy

The default UFW configuration is set to allow all outgoing connections and deny all incoming connections.

These rules work fine for personal computers which do not need to respond to incoming requests.

If you want to return to the default settings, run the following commands:

sudo ufw default deny incoming
sudo ufw default allow outgoing

commands for setting up default ufw rules

Allow SSH Connections

If you plan to connect to your server from remote locations, you need to set up UFW to allow incoming SSH connections.
Configure UFW to allow SSH connections with the command:

sudo ufw allow ssh

command to allow ssh connections

Enable UFW

After you have configured the firewall to allow SSH connections, you can enable it with:

sudo ufw enable

The output will inform you that existing SSH connections could be disrupted by enabling the firewall. Confirm you want to proceed by typing y and hitting Enter.

The output should inform you that the firewall is now active, as in the image below:

firewall is active and enabled on system startup

Check UFW Status

To check UFW status and then set rules run the command:

sudo ufw status verbose

You will see its status, the default settings, and which ports are open for connection as in the image below.

check ufw status and rules on ubuntu

Adding More UFW Rules

You can add more rules to further define the extent of communication the server has.

Specify which connections are allowed and which are denied.

Allow Incoming Connections on Other Ports

Depending on what you use the server for, you may need to open some other ports to allow specific incoming connections. Create additional UWF rules to add these connections to your firewall configuration.

Set your server to listen to HTTP (on port 80) by typing:

sudo ufw allow http

Or:

sudo ufw allow 80

To enable HTTPS connections, use one of the following two commands:

sudo ufw allow https
sudo ufw allow 443

You might be using the server as a remote machine to which you want complete access from your home system. To set a rule that allows access to all ports from a specific IP address, run:

sudo ufw allow from [IP.address]

To allow access from a particular machine to a specific port run the command:

sudo ufw allow from [IP.address] to any port [port number]

To allow access to a range of ports, specify the range values and the type of protocol (TCP or UDP). For instance, the following command will allow connections from ports 2000 to 2004 for TCP and UDP:

sudo ufw allow 2000:2004/tcp
sudo ufw allow 2000:2004/udp

Note: TCP (Transmission Control Protocol) is a connection-oriented protocol used to guarantee that all the data transmitted is in order. UDP (User Datagram Protocol) is a connection-less oriented protocol that transfers data faster, but is not as reliable.


Deny Incoming Connections on Other Ports

To create a deny rule to forbid connection from a specific IP address run the command:

sudo ufw deny from [IP.address]

You can also deny access to particular ports by typing:

sudo ufw deny from [IP.address] to any port [number]

Delete UFW Rules

If you want to delete a rule you no longer need, there are two ways to do so.

One option is to display a list of all the rules and find the assigned number of the rule. First, run the command:

sudo ufw status numbered

find the number of ufw rule

As in the image above, the output will list the rules you have defined so far. Each rule has a number according to the order in which it was set.

To delete a rule, use the following syntax with the appropriate rule number:

sudo ufw delete [rule_number]

An alternative way to delete a rule is to specify it word for word (as you added it):

sudo ufw delete [rule]

For example, to remove a rule that allows connection to port 2000, use the command:

sudo ufw delete allow 2000

Application Profiles

Each package installed with the apt command has an application profile in the /etc/ufw/applications.d directory. The profile provides information about the software and its UFW settings.

To see a list of all application profiles use the command:

sudo ufw app list

See more information about a specific package (along with open ports) by typing:

sudo ufw app info '[package name]'

In the example below, there is only one application profile – CUPS. The app info option shows you that the package opens port 631.

example of application profile

Set Up UFW Via GUI

Install GUFW on Ubuntu

If you prefer managing your UFW firewall over a graphical user interface, you can install GUFW.

This can be done by running a few commands in the terminal or by using the systems software center.

Option 1: Install GUFW Via Terminal

1. To set up GUFW, you first need to enable the University Repository. To do so, type in the following command in the terminal:

sudo add-apt-repository universe

2. Then, update the repository:

sudo apt update -y

3. With everything set, you can install GUFW by running the following command:

sudo apt install gufw -y

Option 2: Install GUFW Via Software Center

For users who want to stay away from the terminal completely, another option to install GUFW is downloading it from the Software Center.

1. Open the Software Center and type GUFW in the search bar.

2. The search results will display the Firewall Configuration package. Select the icon and click Install.

Install GUFW (Firewall Configuration) using the Software Center on Ubuntu.

Open and Get Started with GUFW

To open the Firewall Configuration, use the search bar on your Ubuntu system and type in GUFW.

Click on the icon that appears as in the image below.

Open GUFW (firewall configuration) using GUI Ubuntu.

This launches the Firewall window. In it, you will notice a menu with different parameters you can set according to your needs.

Getting started with GUI firewall settings.

As the instructions imply, if you are a normal user the Basic configuration should suffice your needs. This includes:

  • Profile: Home (or any of the other names offered)
  • Status: ON
  • Incoming: Deny
  • Outgoing: Allow

If you want to add rules and label them for future use, click Rules and then the plus sign (+).

Add firewall rules on Ubuntu.

A pop-up window Add a Firewall Rule will appear. Configure the new rule and click Add.

Conclusion

By following the instructions in our guide, using UFW to set up a firewall should be simple. Ensuring stable firewall protection is the least you can do to protect your server.

Once you have that in place, move on to learning more about server protection by checking out our list of 21 Server Security Tips.


Next you should also read