Hi there again! In this tutorial, I am going to move in depth cover how to configure UFW (UncomplicatedFirewall ). If you have already installed UFW, then you can skip the first section.
This is tested to work with Ubuntu 16.04-18.04, although it may work on other versions too!
Installation of UFW and Basic Information
You can check if you already have installed the firewall by running:
which ufw
If it outputs /usr/sbin/ufw then it is already installed, if not run the following:
sudo apt-get install ufw
You can view the status of your firewall by running
sudo ufw status
It will output either status: inactive or status: active
To start the firewall again you simply need to send the following command:
sudo service ufw start
To stop your Ubuntu firewall:
sudo service ufw stop
Allow Connections
When you want to allow connections you simply typesudo ufw allow
, followed with the port OR program you wish to allow. An example of this is SSH.
sudo ufw allow ssh/tcp
Or you can allow it using the port.
sudo ufw allow 22/tcp
Below you can find a list of the most common ports, the source is utilizewindow.
Port | Service name | Transport protocol |
---|---|---|
20, 21 | File Transfer Protocol (FTP) | TCP |
22 | Secure Shell (SSH) | TCP and UDP |
23 | Telnet | TCP |
25 | Simple Mail Transfer Protocol (SMTP) | TCP |
50, 51 | IPSec | |
53 | Domain Name System (DNS) | TCP and UDP |
67, 68 | Dynamic Host Configuration Protocol (DHCP) | UDP |
69 | Trivial File Transfer Protocol (TFTP) | UDP |
80 | HyperText Transfer Protocol (HTTP) | TCP |
110 | Post Office Protocol (POP3) | TCP |
119 | Network News Transport Protocol (NNTP) | TCP |
123 | Network Time Protocol (NTP) | UDP |
135-139 | NetBIOS | TCP and UDP |
143 | Internet Message Access Protocol (IMAP4) | TCP and UDP |
161, 162 | Simple Network Management Protocol (SNMP) | TCP and UDP |
389 | Lightweight Directory Access Protocol | TCP and UDP |
443 | HTTPs Secure Sockets Layer (SSL) | TCP and UDP |
3389 | Remote Desktop Protocol | TCP and UDP |
So let us say we want to enable HTTP. We can see in the list above that port 80 has protocol name HTTP. To allow this we need to do the same thing as we did above. Example:
sudo ufw allow HTTP/tcp
OR
sudo ufw allow 80/tcp
A general equation for this would be sudo ufw allow (SERVICENAME/PORT)/(TRANSPORT PROTOCOL)
. You can also find what transport protocol you should use in the list above.
Block Connections
When you want to block connections you simply typesudo ufw deny
, followed with the port or program you wish to block, just as shown above.
If you want to block a specific IP:
sudo ufw deny from 88.88.88.88
Just remember to replace 88.88.88.88
With the IP address of your choice. You can also block a whole subnet:
sudo ufw deny from 88.88.88.0/24
Rate limiting with UFW
Another good feature to include is rate limiting. This would make it so if an IP address has attempted to initiate >6 connections within the last 30 seconds it would be blocked temporarily. This can be very useful for SSH as it makes brute-forcing almost impossible.
ufw limit ssh
Or limiting by port:
ufw limit 22
You can change the service ssh or 22 to the service you want to limit.
Setting up the Host Firewall to Protect Against Internal Threats
If you are not behind a properly setup hardware firewall, you may solve this by software configurations by setting the default_output_policy=drop to control all box i/o.
This assumes you’re on a 10.x.x.x network and during setup, you only need yourself to be able to access the box via ssh. Change 10.x.x.x to suit your config as shown below.
Open the configuration file by running:
sudo nano /etc/default/ufw
Make sure that Your default output policy is set to drop, like this: DEFAULT_OUTPUT_POLICY="DROP"
Save by pressing
Back at the terminal run the following commands:
sudo ufw allow proto tcp from 10.x.x.x to any port 22
sudo ufw enable
sudo service ufw start
sudo ufw logging medium
Make sure to change 10.x.x.x
to your own IP address or domain name.
If you don’t already have a VPS, or want to reward us for hard work and ad free experience you can buy a VPS from us. We would really appreciate it as we don’t have any donation buttons and this is our only source of income. Our VPSes are located in Stockholm, and we even have a Swedish branded site if you’re from Sweden.