This article shows you how to install and use UFW on your Ubuntu 20.04 LTS system.
Installation
UFW comes pre-installed on most Ubuntu systems. If your build does not have this program already installed, you can install it using either the snap or the apt package managers.
$ sudo snap install ufw
I personally prefer using the apt package manager to do this because snap is less popular and I don’t want to have this extra complexity. At the time of this writing, the version published for UFW is 0.36 for the 20.04 release.
Incoming vs. Outgoing traffic
If you are a beginner in the world of networking, the first thing you need to clarify is the difference between incoming and outgoing traffic.
When you install updates using apt-get, browse the internet, or check your email, what you are doing is sending “outgoing” requests to servers, such as Ubuntu, Google, etc. To access these services, you do not even need a public IP. Usually, a single public IP address is allocated for, say, a home broadband connection, and every device gets its own private IP. The router then handles the traffic using something known as NAT, or Network Address Translation.
The details of NAT and private IP addresses are beyond the scope of this article, but the video linked above is an excellent starting point. Coming back to UFW, by default, UFW will allow all regular outgoing web traffic. Your browsers, package managers, and other programs pick a random port number – usually a number above 3000 – and that is how each application can keep track of its connection(s).
When you are running servers in the cloud, they usually come with a public IP address and the above rules of allowing outgoing traffic still hold. Because you will still use utilities, like package managers, that talk to the rest of the world as a ‘client,’ UFW allows this by default.
The fun begins with incoming traffic. Applications like the OpenSSH server that you use to log in to your VM listen on specific ports (such as 22) for incoming requests; web servers, for example, need ports 80 and 443.
It is part of the job of a firewall to let specific applications accept certain incoming traffic while blocking everything unnecessary. You may have a database server installed on your VM, but it usually does not need to listen for incoming requests on the interface with a public IP; usually it only listens on the loopback interface.
There are many bots on the Web that constantly bombard servers with bogus requests, either to brute-force their way in or to mount a simple denial-of-service attack. A well-configured firewall, with the help of third-party tools like Fail2ban, should be able to block most of these shenanigans.
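Before writing firewall rules it helps to know which services are actually reachable from outside, which is the loopback point made above. The following POSIX shell script is an added example, not part of the original article: it reads `ss -ltn` style output and reports only the listeners bound to a wildcard address (0.0.0.0, [::] or *), skipping loopback-only ones. The SAMPLE_SS lines are constructed to stand in for real `ss -Hltn` output so the script runs offline; run it with the argument `live` to audit the machine it is on.

```shell
#!/bin/sh
# Added example (not from the original article): list listening TCP sockets
# bound to a wildcard address, i.e. the ones reachable on the public interface
# unless the firewall blocks them. Assumes iproute2's `ss`; the constructed
# SAMPLE_SS below stands in for `ss -Hltn` so the script also runs offline.

SAMPLE_SS='LISTEN 0 128   0.0.0.0:22     0.0.0.0:*
LISTEN 0 511   0.0.0.0:80     0.0.0.0:*
LISTEN 0 80    127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128   [::]:22        [::]:*
LISTEN 0 244   [::1]:5432     [::]:*'

# exposed_listeners: read `ss -ltn` lines on stdin and print "PORT ADDRESS" for
# every listener bound to 0.0.0.0, [::] or *. Loopback-only services
# (127.0.0.1, [::1]) are skipped because they are not reachable from outside.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        i = match($4, /:[0-9]+$/)          # split "addr:port" at the last colon
        addr = substr($4, 1, i - 1)
        port = substr($4, i + 1)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            print port, addr
    }'
}

# exposed_ports: the distinct port numbers from exposed_listeners, one per
# line, sorted numerically. Compare this list against `ufw status`: a port
# listed here without an ALLOW rule is being blocked by UFW once it is active,
# and anything that should be local-only (databases, admin panels) belongs on
# 127.0.0.1 instead of appearing here at all.
exposed_ports() {
    exposed_listeners | awk '{ print $1 }' | sort -n | uniq
}

# Stand-alone use: `sh audit.sh live` audits the running system (ss needs no
# privileges to list sockets); with no argument the constructed sample is used.
if [ "${1:-}" = live ]; then
    ss -Hltn | exposed_ports
else
    printf '%s\n' "$SAMPLE_SS" | exposed_ports
fi
```

With the sample input the script prints 22 and 80: the MySQL and PostgreSQL listeners on 127.0.0.1 and [::1] are left out, which is exactly the situation the text recommends for a database.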
But, for now, we will focus on a very basic setup.
Basic Usage
Now that you have UFW installed on your system, we will look at some basic uses for this program. Since firewall rules are applied system-wide, the commands below are run as the root user (the # prompt). If you prefer, you can run them with sudo instead. First, check the current state:
# ufw status
Status: inactive
By default, UFW is in an inactive state, which is a good thing. You do not want to block all incoming traffic on port 22, which is the default SSH port. If you are logged into a remote server via SSH and you block port 22, you will be locked out of the server.
UFW makes it easy for us to poke a hole just for OpenSSH, using its application profiles. Run the below command:
# ufw app list
Available applications:
OpenSSH
Notice that I have still not enabled the firewall. We will now add OpenSSH to our list of allowed apps and then enable the firewall. To do so, enter the following commands:
# ufw allow OpenSSH
Rules updated
Rules updated (v6)
# ufw enable
The command may disrupt existing SSH connections. Proceed with operation (y|n)? y
The firewall is now active and enabled on system startup.
Congratulations, UFW is now active and running. UFW now allows only OpenSSH to listen for incoming requests on port 22. To check the status of your firewall at any time, run:
# ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
As you can see, OpenSSH can now receive requests from anywhere on the Internet, provided they arrive on port 22. The (v6) lines show that the rules are applied for IPv6 as well.
You can, of course, ban particular ranges of IP, or allow only a particular range of IPs, depending on the security constraints you are working within.
Adding Applications
For the most popular applications, a profile is added to the ufw app list automatically when the package is installed. For example, after installing the Nginx web server, you will see the following new options appear:
# ufw app list
Available applications:
Nginx Full
Nginx HTTP
Nginx HTTPS
OpenSSH
Go ahead and try experimenting with these rules. Note that you can simply allow port numbers, rather than waiting for an application profile to show up. For example, to allow port 443 for HTTPS traffic, run:
# ufw allow 443
Checking the status again shows the new rule:
# ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
443                        ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
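The steps above (allow OpenSSH, enable, check status, then allow further ports or ranges) are easy to get wrong in the one way that matters, enabling before the SSH rule is in place. The script below is an added example, not code from the original article: it wraps the same ufw commands so that the firewall is only enabled after `ufw status` confirms an ALLOW rule for the OpenSSH profile or port 22, and it validates port numbers and IPv4 ranges before building an allow rule (covering the "allow only a particular range of IPs" case as well as plain port numbers). It assumes the ufw CLI from Ubuntu 20.04 and the profile name OpenSSH shown above; with UFW_DRY_RUN set, commands are printed instead of executed and a constructed `ufw status` sample stands in for the real one, so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original article): a lockout-safe wrapper around
# the ufw commands used above. Assumes Ubuntu 20.04's ufw CLI. When UFW_DRY_RUN
# is set, commands are printed instead of executed and the constructed
# `ufw status` sample below is used, so the checks run without root.

# Constructed sample of `ufw status` output after the steps above.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
443                        ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)'

# run_ufw: execute ufw, or echo the command line in dry-run mode.
run_ufw() {
    if [ -n "$UFW_DRY_RUN" ]; then
        echo "ufw $*"
    else
        ufw "$@"
    fi
}

# current_status: live `ufw status` output, or the sample in dry-run mode.
current_status() {
    if [ -n "$UFW_DRY_RUN" ]; then
        printf '%s\n' "$SAMPLE_STATUS"
    else
        ufw status
    fi
}

# ssh_allowed: read status output on stdin; succeed only if an ALLOW rule
# exists for the OpenSSH profile or port 22 (the IPv4 line is sufficient).
ssh_allowed() {
    grep -Eq '^(OpenSSH|22(/tcp)?)[[:space:]]+ALLOW'
}

# valid_port: a decimal number in 1..65535.
valid_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_cidr: IPv4 network in a.b.c.d/len form with every octet <= 255.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    old_ifs=$IFS
    IFS=.
    for octet in ${1%/*}; do
        if [ "$octet" -gt 255 ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    return 0
}

# allow_port PORT [CIDR]: open a TCP port to everyone, or only to one source
# range, refusing malformed input before it reaches ufw.
allow_port() {
    valid_port "$1" || { echo "allow_port: invalid port '$1'" >&2; return 1; }
    if [ -n "${2:-}" ]; then
        valid_cidr "$2" || { echo "allow_port: invalid CIDR '$2'" >&2; return 1; }
        run_ufw allow from "$2" to any port "$1" proto tcp
    else
        run_ufw allow "$1/tcp"
    fi
}

# safe_enable: add the OpenSSH rule, confirm it is really present in the
# status output, and only then enable. --force skips the y/n prompt, which is
# acceptable here because the SSH check has already been done.
safe_enable() {
    run_ufw allow OpenSSH
    current_status | ssh_allowed || {
        echo "safe_enable: no SSH allow rule found, refusing to enable" >&2
        return 1
    }
    run_ufw --force enable
}
```

Source the file on the server, call `safe_enable` once, and then `allow_port 443` or `allow_port 22 203.0.113.0/24` for the rules you need; set `UFW_DRY_RUN=1` first to preview the exact ufw command lines without changing anything.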
Conclusion
Now that you have the basics of UFW sorted, you can explore other powerful firewall capabilities, starting from allowing and blocking ranges of IP. Having clear and secure firewall policies will keep your systems safe and protected.