How to Install & Configure UFW Firewall on Arch Linux

One of the keystones of any operating system is a properly configured firewall. Arch Linux ships with iptables; however, most users prefer to manage it through a front end such as UFW (Uncomplicated Firewall).

Some of the great benefits of UFW are its simplicity and its user-friendly, easy-to-use command line, which make it suitable for everyone from Linux beginners to the most advanced power users.

In the following tutorial, you will learn how to install and set up the UFW firewall on an Arch Linux desktop or server using the command line terminal, along with some basic examples of using UFW. Please note that the tutorial covers only the points that are commonly used. UFW can achieve much more and can be integrated with software such as ModSecurity and Fail2Ban, to name a few. Still, for most users, this tutorial is a great start.

Update Arch Linux

Before you begin, run a quick update to ensure your system packages are up-to-date to avoid conflicts.

sudo pacman -Syu

Install/Enable UFW Firewall

By default, UFW is not installed, but it is available from Arch Linux’s official repository.

sudo pacman -Sy ufw --noconfirm

The --noconfirm flag answers yes to the default prompts; remove it if you prefer to confirm each step manually.

Once installed, enable ufw.

sudo systemctl enable ufw --now

Next, verify the status of UFW to make sure it is active and without errors.

systemctl status ufw

Example output (shown as a screenshot in the original post).

The next step in setting up a UFW firewall will be to enable the firewall itself.

sudo ufw enable

Example output:

Firewall is active and enabled on system startup

Once the firewall is live, all incoming traffic is blocked by default and all outbound traffic is allowed. This immediately protects your system by stopping anyone from connecting to it remotely.

In the future, if you need to disable UFW for a temporary period, use the following command.

sudo ufw disable

For users who want to remove UFW from the system altogether (not recommended):

sudo pacman -R ufw

Do not remove UFW unless you have a solid alternative, know how to use iptables, or install a similar firewall, especially when running a server connected to the public Internet. Running such a server without a firewall would be disastrous.

How to Check UFW Status

Once UFW is enabled, view the status of the firewall and its active rules with the following.

sudo ufw status verbose

Example output (shown as a screenshot in the original post).

The above example used the verbose flag. An alternative is to list the rules in numbered sequence, which is far more manageable later on when deleting rules.

sudo ufw status numbered

Example output (shown as a screenshot in the original post).

As the above output shows, each UFW rule now carries a number label such as [1] and [2] that identifies it.

How to Set/Configure UFW Default Policies

The default policy of the UFW firewall is to deny all incoming connections and allow all outbound connections. This is typically the most secure default: no one can reach your server unless you explicitly allow IP addresses or ranges, programs, ports, or combinations of these. Your system can reach the outside by default, and you should not adjust that unless you have specific security requirements.

The default UFW firewall policies can be found in the location /etc/default/ufw.

To adjust the default policies, use the following commands:

Deny all incoming connections:

sudo ufw default deny incoming

Allow all outgoing connections:

sudo ufw default allow outgoing

These are already the default policies when UFW is enabled, but you can use the same commands to change them to suit your purpose.

For example, since all incoming communication is already blocked by default, use the following command if you also want all outgoing traffic blocked so that only approved outbound connections are allowed.

Block all outgoing connections:

sudo ufw default deny outgoing

This is an extreme measure; blocking incoming connections is usually enough for the average server and desktop, but specific environments can benefit from the extra precaution. The downside is that you need to maintain rules for all outgoing connections, which can be time-consuming as you continually add new ones.

How to View UFW Application Profiles

To show all application profiles, type the following.

sudo ufw app list

Example output (shown as a screenshot in the original post).

The above is just an example; everyone’s list will differ, since no two systems have the same applications installed.

A handy feature of application profiles is that you can find out more about each service listed in the UFW application list.

To do this, type the following command to find more information about an existing profile.

sudo ufw app info 'qBittorrent'

Example output (shown as a screenshot in the original post).

As shown above, the output gives the application’s general description and the ports it uses. This is handy when you are investigating open ports and are unsure which applications they relate to and what those applications do.

How to Allow/Enable IPv6 on UFW

If your system is configured with IPv6, you need to ensure UFW is configured with both IPv6 and IPv4 support. By default, this should already be enabled; however, you should check and, if need be, modify it as follows.

Open default UFW firewall file.

sudo nano /etc/default/ufw

If nano is not installed, use vim/vi or install nano.

sudo pacman -Sy nano --noconfirm

The --noconfirm flag answers yes to the default prompts; remove it if you prefer to confirm each step manually.

Make sure the following line is set to yes.

IPV6=yes

Press CTRL+O to save the changes to the file, then CTRL+X to exit.

Now restart the UFW firewall service to make the changes active.

sudo systemctl restart ufw

How to Allow/Enable UFW SSH Connections

By default, UFW does not allow SSH connections. If you enabled the firewall over a remote session without adding an SSH rule first, you will have found yourself locked out.

To avoid this, add the following SSH rule before enabling the UFW firewall, especially when connected to a remote server.

First, enable the SSH application profile.

sudo ufw allow ssh

If you have set up a custom listening port for SSH other than the default port 22, for example port 3541, open that port on the UFW firewall by typing the following.

sudo ufw allow 3541/tcp

You may also want to block all SSH connections, or change the port and block the old one. To block all SSH connections (make sure local access is possible first), use the following command.

sudo ufw deny ssh/tcp

If you change the custom SSH port, open the new port and close the existing one; the tutorial’s example port is 3541.

sudo ufw deny 3541/tcp
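The lock-out risk described above comes down to ordering: the default policy and the SSH allow rule must be in place before the firewall is enabled. The script below is an added example, not part of the original tutorial, that builds that command sequence for a given SSH port (validating the port first) and only runs it against ufw when UFW_APPLY=1 is set; otherwise it prints the plan. It assumes ufw is installed as shown earlier and uses ufw's --force option to skip the interactive "may disrupt existing ssh connections" prompt when applying.

```shell
#!/bin/sh
# Added example (not from the original tutorial): emit the UFW commands in a
# safe order (defaults -> SSH allow -> enable) so a remote session survives.

# Print the ordered command list for an SSH port (default 22).
# Returns 1 on an invalid port so callers abort before touching the firewall.
ufw_bootstrap_plan() {
    port="${1:-22}"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # Policies first: deny inbound, allow outbound (the tutorial's defaults).
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # The SSH rule must exist before enable, or the current session is cut off.
    if [ "$port" -eq 22 ]; then
        echo "ufw allow ssh"
    else
        echo "ufw allow ${port}/tcp"
    fi
    # --force is a real ufw option that skips the confirmation prompt.
    echo "ufw --force enable"
}

# Preview the plan, or execute it with sudo when UFW_APPLY=1.
ufw_bootstrap() {
    plan="$(ufw_bootstrap_plan "$1")" || return 1
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        if [ "${UFW_APPLY:-0}" = "1" ]; then
            # shellcheck disable=SC2086  # word-splitting into argv is intended
            sudo $cmd
        else
            echo "[plan] $cmd"
        fi
    done
}
```

Run `ufw_bootstrap 3541` to see the four commands it would issue, and `UFW_APPLY=1 ufw_bootstrap 3541` to apply them; any typo in the port aborts before the first ufw call.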

How to Allow/Enable UFW Ports

With UFW, you can open specific ports in the firewall to allow connections to a particular application, and you can set customized rules for it. A good example is a web server, which by default listens on port 80 (HTTP) and 443 (HTTPS).

Allow HTTP Port 80

Allow by application profile:

sudo ufw allow 'Nginx HTTP'

Allow by service name:

sudo ufw allow http

Allow by port number:

sudo ufw allow 80/tcp

Allow HTTPS Port 443

Allow by application profile:

sudo ufw allow 'Nginx HTTPS'

Allow by service name:

sudo ufw allow https

Allow by port number:

sudo ufw allow 443/tcp

Note that you can allow both ports with a single profile rule using the following command; the same method applies to any web service that ships an application profile, such as Apache or Nginx.

sudo ufw allow 'Nginx Full'

UFW Allow Port Ranges

UFW can allow access to port ranges. When opening a port range, you must identify the port protocol.

Allow port range with TCP & UDP:

sudo ufw allow 6500:6800/tcp
sudo ufw allow 6500:6800/udp

How to Allow/Enable Remote Connections on UFW

UFW Allow Specific IP Address

For example, to allow a specific IP address, use the following command; this is useful on an internal network where systems need to communicate with each other.

sudo ufw allow from 192.168.55.131

UFW Allow Specific IP Address on Specific Port

To allow an IP address to connect to your system on a defined port (for example, port 3900), type the following.

sudo ufw allow from 192.168.55.131 to any port 3900

Allow Subnet Connections to a Specified Port

If you need to allow connections from a whole IP range (subnet) to a particular port, create the following rule.

sudo ufw allow from 192.168.1.0/24 to any port 3900

This will allow all IP addresses from 192.168.1.1 to 192.168.1.254 to connect to port 3900.

Allow Specific Network Interface

For example, to allow connections arriving on a particular network interface, eth2, to a specified port 3900, create the following rule.

sudo ufw allow in on eth2 to any port 3900

How to Deny/Block Remote Connections on UFW

Under UFW’s default policy, all incoming connections are set to deny once it is installed and enabled. This blocks all incoming traffic unless you create a rule to allow the connection through.

Suppose you have noticed in your logs a particular IP address that keeps attacking you. Block it with the following.

sudo ufw deny from 203.13.56.121

If an attacker uses multiple IP addresses from the same subnet, block the whole subnet with the following.

sudo ufw deny from 203.13.56.121/24

You can also create rules that deny access only to particular ports. For example:

sudo ufw deny from 203.13.56.121/24 to any port 80
sudo ufw deny from 203.13.56.121/24 to any port 443

How to Delete/Remove UFW Rules

To delete a UFW rule by its number, first list the rule numbers by typing the following.

sudo ufw status numbered

Example output (shown as a screenshot in the original post).

The example deletes the second rule, for IP address 151.193.50.1, highlighted above.

Type the following in your terminal.

sudo ufw delete 2

Example output (shown as a screenshot in the original post).

Type Y, then press ENTER to proceed with removing that rule number.

How to Access and View UFW Logs

UFW logging is set to low by default, which is fine for most desktop systems; servers, however, may require a higher level of logging.

To set UFW logging to low (the default):

sudo ufw logging low

To set UFW logging to medium:

sudo ufw logging medium

To set UFW logging to high:

sudo ufw logging high

The last option is to disable logging altogether; be sure you are happy with this and will not need to check the logs.

sudo ufw logging off

UFW logs are kept in the default location /var/log/ufw.log.

An easy, quick way to view live logs is the tail command (tail is a standard utility, not a ufw subcommand).

sudo tail -f /var/log/ufw.log

Alternatively, print a number of recent lines with the -n <number> flag.

sudo tail -n 30 /var/log/ufw.log

This prints the last 30 lines of the log. You can further filter the output with grep and other text-processing commands.
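Reading the raw log is only the first step; before writing a deny rule like the ones in the previous section, you want to know which source addresses are hitting which ports most often. The function below is an added example, not part of the original tutorial: it reads ufw log lines from stdin, counts [UFW BLOCK] entries by SRC and DPT, and ignores [UFW ALLOW] lines. The sample log lines are constructed for the demonstration and use documentation address ranges; the field layout follows the kernel log format that ufw writes.

```shell
#!/bin/sh
# Added example (not from the original tutorial): summarise blocked
# connection attempts from /var/log/ufw.log by source address and port.

# Reads ufw log lines on stdin; prints "count src dpt", most frequent first.
ufw_block_summary() {
    awk '
        # Only BLOCK lines matter here; ALLOW lines are skipped.
        index($0, "[UFW BLOCK]") > 0 {
            src = ""; dpt = ""
            # Fields are KEY=VALUE tokens; their position varies, so scan all.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") count[src " " dpt]++
        }
        END {
            for (k in count) print count[k], k
        }
    ' | sort -rn
}

# Constructed sample lines (not real log output) in ufw's kernel log format.
SAMPLE_LOG='Mar  1 10:00:01 arch kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.254.131 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41022 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 10:00:02 arch kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.254.131 LEN=40 PROTO=TCP SPT=41023 DPT=22 SYN URGP=0
Mar  1 10:00:03 arch kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.254.131 LEN=40 PROTO=TCP SPT=5555 DPT=3306 SYN URGP=0
Mar  1 10:00:04 arch kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.254.10 DST=192.168.254.131 LEN=40 PROTO=TCP SPT=50000 DPT=22 SYN URGP=0
Mar  1 10:00:05 arch kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.254.131 LEN=40 PROTO=TCP SPT=41024 DPT=22 SYN URGP=0'

# Run on the constructed sample. On a real host, feed the log instead:
#   sudo tail -n 500 /var/log/ufw.log | ufw_block_summary
printf '%s\n' "$SAMPLE_LOG" | ufw_block_summary
```

On the sample this prints `3 203.0.113.7 22` and `1 198.51.100.9 3306`: one address repeatedly probing SSH, and a single probe of the MySQL port. That is the kind of evidence that justifies a `sudo ufw deny from <address>` rule, rather than blocking on a single log line.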

How to Test UFW Rules

On highly critical systems, a good option when experimenting with firewall settings is to add the --dry-run flag. This shows the changes a command would make without applying them.

sudo ufw --dry-run enable

The flag applies to a single command; for example, the following previews disabling the firewall without actually disabling it.

sudo ufw --dry-run disable

How to Reset UFW Rules

To reset your firewall to its original state, with all incoming blocked and outgoing allowed, type the following.

sudo ufw reset

Example output (shown as a screenshot in the original post).

To confirm the reset, enter the following:

sudo ufw status

The output should be:

Status: inactive

With the UFW firewall reset, you will need to re-enable the firewall and start the entire process of adding rules again. Use the reset command sparingly.

Find/Search All Open Ports (Security Check)

Most administrators do not realize that their systems may have ports open. In an age where every IP address on the Internet is scanned daily, it is crucial to watch what is happening behind the scenes.

The best option is to install Nmap and then use this well-known tool to list the open ports.

sudo pacman -Sy nmap --noconfirm

Also install the net-tools package, which is helpful for IP address information and other things you will undoubtedly need when operating a headless Arch Linux system.

sudo pacman -Sy net-tools --noconfirm

The --noconfirm flag answers yes to the default prompts; remove it if you prefer to confirm each step manually.

Next, find the internal IP address of the system.

ifconfig

Example output (shown as a screenshot in the original post).

In the example above, the IPv4 address is on the line beginning inet (192.168.254.131); the IPv6 address is on the inet6 line.

Now use the following Nmap command with the server’s IP address.

nmap 192.168.254.131

Example output (shown as a screenshot in the original post).

As shown above, all ports are closed except for port 3306 (MySQL), which is a big security problem. This demonstrates how easy it is to use Nmap to find the little things you may have overlooked; even the best sysadmin can miss something. We are, after all, human.

However, if you find open ports and are unsure what they are, investigate them before you close or block them, as doing so may break services or, in the worst case, lock you out of a server.

From this point, you can create custom UFW rules, as learned in the tutorial, to close or restrict the open ports.
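Eyeballing the Nmap report works for one host, but the check is easier to repeat if it is expressed as "which open ports did I not intend?". The function below is an added example, not part of the original tutorial: it reads standard `nmap <ip>` output on stdin, takes the ports you expect to be open as arguments, and prints any other open port as UNEXPECTED, returning a non-zero status so the check can fail a script. The Nmap output embedded here is a constructed sample modelled on the scenario above (port 3306 open alongside SSH and HTTP), not real scan output.

```shell
#!/bin/sh
# Added example (not from the original tutorial): flag open ports that are
# not on the intended list, using plain `nmap <ip>` output.

# Usage: audit_open_ports 22 80 443 < nmap_output
# Prints "UNEXPECTED port/proto service" for each surprise.
# Returns 0 when only intended ports are open, 1 otherwise.
audit_open_ports() {
    expected=" $* "   # padded so " 22 " matches exactly, not "2200"
    found=0
    while IFS= read -r line; do
        # Port lines look like "3306/tcp open  mysql"; skip everything else.
        case "$line" in
            [0-9]*/tcp*open* | [0-9]*/udp*open*) ;;
            *) continue ;;
        esac
        portproto="${line%% *}"     # e.g. 3306/tcp
        port="${portproto%%/*}"     # e.g. 3306
        service="${line##* }"       # last field, e.g. mysql
        case "$expected" in
            *" $port "*) ;;         # intended: nothing to report
            *) echo "UNEXPECTED $portproto $service"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample (not real scan output) in the layout nmap prints.
SAMPLE_NMAP='Starting Nmap ( https://nmap.org )
Nmap scan report for 192.168.254.131
Host is up (0.00010s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds'

# Run on the sample, expecting only SSH and HTTP to be exposed.
# On a real host: nmap 192.168.254.131 | audit_open_ports 22 80
if printf '%s\n' "$SAMPLE_NMAP" | audit_open_ports 22 80; then
    echo "only intended ports are open"
else
    echo "review the UNEXPECTED lines above before writing deny rules"
fi
```

On the sample the audit prints `UNEXPECTED 3306/tcp mysql` and exits 1; adding 3306 to the argument list makes it pass, which is how you record a deliberate decision to expose a port rather than rediscovering it on every scan.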

Comments and Conclusion

UFW is highly recommended as a simple firewall compared to other options that may confuse non-power users. Given the rise of cybercrime and hacking, it’s a sure, quick way to safeguard your system.

The one area where UFW starts to fall short is large rule sets and IP blocklists, where you may have hundreds of thousands, if not millions, of IPs being blocked. Other alternatives may be needed there, but this won’t affect most users, as such servers typically have a suitable option ready.

Follow LinuxCapable.com!