Save up to 81% on your first year of web hosting!

More in Depth Configuration of Ubuntu Firewall (UFW)

Hi there again! In this tutorial, I am going to move in depth cover how to configure UFW (UncomplicatedFirewall ). If you have already installed UFW, then you can skip the first section.

This is tested to work with Ubuntu 16.04-18.04, although it may work on other versions too!

Installation of UFW and Basic Information

You can check if you already have installed the firewall by running:

which ufw

If it outputs /usr/sbin/ufw then it is already installed, if not run the following:

sudo apt-get install ufw 

You can view the status of your firewall by running

sudo ufw status 

It will output either status: inactive or status: active

To start the firewall again you simply need to send the following command:

sudo service ufw start 

To stop your Ubuntu firewall:

sudo service ufw stop

Allow Connections

When you want to allow connections you simply typesudo ufw allow , followed with the port OR program you wish to allow. An example of this is SSH.

sudo ufw allow ssh/tcp 

Or you can allow it using the port.

sudo ufw allow 22/tcp  

Below you can find a list of the most common ports, the source is utilizewindow.

PortService nameTransport protocol
 20, 21 File Transfer Protocol (FTP) TCP
 22 Secure Shell (SSH) TCP and UDP
 23 Telnet TCP
 25 Simple Mail Transfer Protocol (SMTP) TCP
 50, 51 IPSec
 53 Domain Name System (DNS) TCP and UDP
 67, 68 Dynamic Host Configuration Protocol (DHCP) UDP
 69 Trivial File Transfer Protocol (TFTP) UDP
 80 HyperText Transfer Protocol (HTTP) TCP
 110 Post Office Protocol (POP3) TCP
 119 Network News Transport Protocol (NNTP) TCP
 123 Network Time Protocol (NTP) UDP
 135-139 NetBIOS TCP and UDP
 143 Internet Message Access Protocol (IMAP4) TCP and UDP
 161, 162 Simple Network Management Protocol (SNMP) TCP and UDP
 389 Lightweight Directory Access Protocol TCP and UDP
 443 HTTPs Secure Sockets Layer (SSL) TCP and UDP
 3389 Remote Desktop Protocol TCP and UDP

So let us say we want to enable HTTP. We can see in the list above that port 80 has protocol name HTTP. To allow this we need to do the same thing as we did above. Example:

sudo ufw allow HTTP/tcp

OR

 sudo ufw allow 80/tcp 

A general equation for this would be sudo ufw allow (SERVICENAME/PORT)/(TRANSPORT PROTOCOL). You can also find what transport protocol you should use in the list above.

Block Connections

When you want to block connections you simply typesudo ufw deny, followed with the port or program you wish to block, just as shown above.

If you want to block a specific IP:

sudo ufw deny from 88.88.88.88

Just remember to replace 88.88.88.88 With the IP address of your choice. You can also block a whole subnet:

sudo ufw deny from 88.88.88.0/24 

Rate limiting with UFW

Another good feature to include is rate limiting. This would make it so if an IP address has attempted to initiate >6 connections within the last 30 seconds it would be blocked temporarily. This can be very useful for SSH as it makes brute-forcing almost impossible.

ufw limit ssh

Or limiting by port:

ufw limit 22

You can change the service ssh or 22 to the service you want to limit.

Setting up the Host Firewall to Protect Against Internal Threats

If you are not behind a properly setup hardware firewall, you may solve this by software configurations by setting the default_output_policy=drop to control all box i/o.

This assumes you’re on a 10.x.x.x network and during setup, you only need yourself to be able to access the box via ssh. Change 10.x.x.x to suit your config as shown below.

Open the configuration file by running:

sudo nano /etc/default/ufw

Make sure that Your default output policy is set to drop, like this: DEFAULT_OUTPUT_POLICY="DROP"

Save by pressing CTRL + X and follow the instructions prompted on the screen.

Back at the terminal run the following commands:

sudo ufw allow proto tcp from 10.x.x.x to any port 22
sudo ufw enable
sudo service ufw start
sudo ufw logging medium

Make sure to change 10.x.x.x to your own IP address or domain name.

If you don’t already have a VPS, or want to reward us for hard work and ad free experience you can buy a VPS from us. We would really appreciate it as we don’t have any donation buttons and this is our only source of income. Our VPSes are located in Stockholm, and we even have a Swedish branded site if you’re from Sweden.