Uncomplicated Firewall (UFW)

In round 2 of the "things I should probably write down that I do" here's one on setting up some simple access control rules in the linux firewall.
UFW is a simple frontend for Linux systems for quick and easy control over inbound and outbound firewall rules. It's designed for making your firewall control a little easier to manage.

Now, a few warnings - you CAN lock yourself out of your remote system if you get the rules wrong. You CAN allow the wrong level of access to your systems easily. Get yourself a pad and a pen and work out what you want to do before you start applying rules.

Install UFW

Okay, so I'm assuming Debian here ( because, well, hell, that's one of the primary systems I have in place ).

$ apt-get install ufw

Setting your first rules

Most likely you're going to want to default set deny rules to your box. This is a "catch-all" when your system can't find any other rules. It's best to set a deny on incoming for your defaults to make sure that you're not implicitly saying "yeah, come and visit every door on my computer".

To set a default allow of all outbound traffic ( which is most likely ) and default deny incoming, the two following commands can get you started with your firewall configuration.

$ ufw default allow outgoing
$ ufw default deny incoming

At this point, your box is not contactable. You've effectively denied implicitly access TO this machine. To solve this you need to start telling your firewall which rules you want to apply for the accepted incoming traffic.
What you provide access to depends on what your system is designed to do, so this will be up to your own requirements. In my case here I'm going to say SSH ( on port 22 ) and HTTPS ( on 443 ) are allowed on the way in.

$ ufw allow 22/tcp
$ ufw allow 443/tcp

What have I added so far?

To see your current rules use the status command:

$ ufw status

This will provide you with a table of the current rules and whether or not your firewall rules are active or inactive.

Oops I made a mistake

If you've added a rule you didn't mean to you can remove the rules thus:

$ ufw delete allow 22

Raise the shields, Mr Sulu

To activate your new firewall settings simply enable your firewall:

$ ufw enable

This will leave your firewall rules running and enabled on reboot. The disable command will turn your rules off.

Pesky Intruders & Denying connections

For some more advanced controls ( example - blocking all that bothersome inbound h4x0r traffic from spam bots ) you can use more granular control over incoming requests:

$ ufw deny from
$ ufw deny from to any port 22 proto tcp

There is plenty of scope on control depending on how granular your requirements are.

So there you have it, yet another brain-dump from things that are just part of the automagic background build processes I find myself undertaking when creating new systems. Check out my previous article in this series for some of the other functions and features I regularly utilise.

Happy hacking!

Next Item.. KS2 Computer Club

Previous Item.. Proton Pack Build