Uncomplicated Firewall (UFW)
Published: September 1st 2017
In round 2 of the "things I should probably write down that I do" here's one on setting up some simple
access control rules in the linux firewall.
UFW is a simple frontend for Linux systems for quick and easy control over inbound and outbound firewall rules. It's designed for making your firewall control a little easier to manage.
Now, a few warnings - you CAN lock yourself out of your remote system if you get the rules wrong. You CAN allow the wrong level of access to your systems easily. Get yourself a pad and a pen and work out what you want to do before you start applying rules.
Okay, so I'm assuming Debian here ( because, well, hell, that's one of the primary systems I have in place ).
Setting your first rules
Most likely you're going to want to default set deny rules to your box. This is a "catch-all" when your system can't find any other rules. It's best to set a deny on incoming for your defaults to make sure that you're not implicitly saying "yeah, come and visit every door on my computer".
To set a default allow of all outbound traffic ( which is most likely ) and default deny incoming, the two following commands can get you started with your firewall configuration.
$ ufw default deny incoming
At this point, your box is not contactable. You've effectively denied implicitly access TO this machine. To solve this
you need to start telling your firewall which rules you want to apply for the accepted incoming traffic.
What you provide access to depends on what your system is designed to do, so this will be up to your own requirements. In my case here I'm going to say SSH ( on port 22 ) and HTTPS ( on 443 ) are allowed on the way in.
$ ufw allow 443/tcp
What have I added so far?
To see your current rules use the status command:
This will provide you with a table of the current rules and whether or not your firewall rules are active or inactive.
Oops I made a mistake
If you've added a rule you didn't mean to you can remove the rules thus:
Raise the shields, Mr Sulu
To activate your new firewall settings simply enable your firewall:
This will leave your firewall rules running and enabled on reboot. The disable command will turn your rules off.
Pesky Intruders & Denying connections
For some more advanced controls ( example - blocking all that bothersome inbound h4x0r traffic from spam bots ) you can use more granular control over incoming requests:
$ ufw deny from 192.168.2.1 to any port 22 proto tcp
There is plenty of scope on control depending on how granular your requirements are.
So there you have it, yet another brain-dump from things that are just part of the automagic background build processes I find myself undertaking when creating new systems. Check out my previous article in this series for some of the other functions and features I regularly utilise.
KS2 Computer Club
Proton Pack Build