How to Configure Firewall with UFW on Ubuntu 18.04

Uncomplicated Firewall or UFW is an interface to iptables that is designed to simplify the process of configuring a firewall. While iptables is a firm and flexible tool, it can be sometimes tricky for beginners to learn how to use it to properly configure a firewall. If a user is looking to get started securing his or her network, UFW may be the appropriate solution.

In this guide, we will learn how to configure firewall with UFW on Ubuntu 18.04.

Step 1: Set Up Default Policies

UFW is installed on Ubuntu by default. If it has been uninstalled for some reason, we can install it with the following command.

$ sudo apt install ufw

By default, UFW denies all incoming connections and allows all outgoing connections. It means that a client trying to reach our server would not be able to connect. When an application from our server tries to connect any other server outside, it will be allowed. The following commands serve the purpose.

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

Step 2: Allow SSH Connections

By default we have restricted all the incoming connections to our server as we can see in our previous step. To allow connections using secured SSH, we will use the following command.

$ sudo ufw allow ssh

The above command will create firewall rules that will allow all connections on port 22, which is the default port on which the SSH daemon listens. The UFW listens to port listed in the file file /etc/services.

If SSH daemon is configured on a port other than the default, we can specify that in our command to listen to that port. The following command listens to port 2222 in case if SSH is configured by us on it.

We can also specify protocol (tcp or udp) in our above command. It is optional. The above command is used for both protocols.

$ sudo ufw allow 2222

Step 3: Allow Specific Incoming Connections

To allow incoming connections on a specific port, we will use following commands to specify rule for UFW. For e.g., if we want our server to listen to HTTP on port 80, below is the command to execute.

$ sudo ufw allow http

It is equivalent to the following

$ sudo ufw allow 80

We can use any of the above for port 80. For HTTPS, any of the following commands will serve the purpose to allow to connect.

$ sudo ufw allow https

Or

$ sudo ufw allow 443

We can specify a range of ports also, means more than one port. One thing to note is that we must specify protocol in the command (tcp or udp). The following command allows connections from ports 6000 to 6003 for both tcp and udp.

$ sudo ufw allow 6000:6003/tcp
$ sudo ufw allow 6000:6003/udp

Step 4: Deny Incoming Connections

Sometimes we want to deny specific connections based on the source IP address. It is so because we sometimes know that our server is being attacked from there. So we will create a deny rule for the specific IP address. The following command denies connection from an IP address 203.0.123.5

$ sudo ufw deny from 203.0.123.5

Step 5: Enabling UFW

After all the UFW configurations, next step is to enable it. The following command serves the purpose.

$ sudo ufw enable

We will see a warning message after executing the above command. It will say that the command may disrupt existing SSH connections. But in this case, we have already set up a firewall rule that allows SSH connections, so it will not disrupt our configuration. We will enter y and hit ENTER key to apply. The firewall settings are applied now.

Step 6: Check Status of UFW

We can check the status with the following command.

$ sudo ufw status verbose

The following is the output when it is inactive.

Status: inactive

In our case, it is active so the following will be output and results.

Status: active
To                             Action      From

--                             ------          ----

22                             ALLOW IN    Anywhere
80                             ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
2222                       ALLOW IN    Anywhere
6000:6003/tcp              ALLOW IN        Anywhere
6000:6003/udp              ALLOW IN        Anywhere
Anywhere                       DENY            203.0.123.5

Conclusion

In this article, we have configured firewall with the help of powerful UFW tool. With it’s help, we have defined SSH, HTTP and HTTPS incoming connections to be allowed. We have also specified a rule to deny incoming connection from a specific IP address. We can also check the status of our rules which we have created.

Check out these top 3 VPS services: