One of the keystones of any operating system is a properly configured firewall. A popular firewall system for Debian is a package called UFW (Uncomplicated Firewall). UFW is popular for its user-friendly, easy-to-use command line, which makes it suitable for everyone from Linux beginners to advanced power users.
The following guide will show you how to install and set up a UFW firewall for Debian 10 codenamed Buster.
Table of Contents
- 1 UFW Prerequisites
- 2 UFW Install
- 3 UFW Status Check
- 4 UFW Enable
- 5 UFW Default Policies
- 6 UFW Application Profiles
- 7 UFW IPv6 Enable
- 8 UFW Allow SSH Connections
- 9 UFW Enable Ports
- 10 UFW Allow Port Ranges
- 11 UFW Allow Specific IP Address
- 12 UFW Allow Specific IP Address on Specific Port
- 13 UFW Allow Network Subnets
- 14 UFW Deny Connections
- 15 UFW Delete Rules
- 16 UFW Dry Run Rules
- 17 UFW Reset Firewall
- 18 Comments and Conclusion
You will need access to either root or a user with sudo privileges on your Debian system to install and configure the UFW firewall. In our guide, we will use the root account to configure UFW.
Enter the root terminal with the following command. Note you will need to enter the root password:
The first step is to install UFW on Debian 10. We will first make sure the system is up to date, then install the package.
sudo apt update && sudo apt upgrade
sudo apt install ufw
UFW Status Check
After you have installed the UFW firewall, check the status with the following command.
sudo ufw status verbose
You should see output similar to the following:
The install succeeded; however, the firewall is inactive. You can enable it with the following command.
sudo ufw enable
Once enabled, you should see a new status if you re-type the verbose command.
If you later need to disable it for any reason, you can do so with the following command.
sudo ufw disable
UFW Default Policies
The default policy of the UFW firewall is to deny all incoming connections and allow all outgoing connections. This is typically the most secure starting point: nothing can reach your server unless you explicitly allow IP addresses or ranges, applications, ports, or a combination of these. Your system can, by default, reach the outside world, and you should not change this unless you have specific security requirements.
For reference, the default UFW firewall policies are stored in the file /etc/default/ufw, and you can set them by typing the following command:
sudo ufw default deny incoming && sudo ufw default allow outgoing
Suppose you would like to deny all incoming and outgoing connections and only allow approved IP addresses or ranges. You can do this with the following command:
sudo ufw default deny incoming && sudo ufw default deny outgoing
Note, this isn’t recommended unless you have a highly secure requirement.
UFW Application Profiles
To show all application profiles, type the following.
sudo ufw app list
You will then see a list of profiles. The exact list depends on the applications installed on your system, but it will look similar to the one below.
You can also type the following command to see more information about an existing profile.
sudo ufw app info qBittorrent
The output should be the following:
Profile: qBittorrent
Title: qBittorrent
Description: qBittorrent BitTorrent client
Ports: 6881/tcp
UFW IPv6 Enable
If your Debian system is configured with IPv6, you need to make sure UFW is configured for both IPv6 and IPv4. By default, this should be enabled automatically; however, you should check and, if necessary, change it as follows.
Open the default UFW configuration file:
sudo nano /etc/default/ufw
Adjust the following line to yes if not set:
Press Control+O to save, then Control+X to exit. If you have changed any settings, restart the firewall.
sudo systemctl restart ufw
UFW Allow SSH Connections
By default, UFW does not allow SSH connections. If you enabled the firewall over a remote session, you will have found yourself locked out. To fix this, you need to add the following SSH rules.
First, enable the SSH application profile.
sudo ufw allow ssh
If SSH listens on a custom port other than the default port 22, for example port 3541, open that port on the UFW firewall by typing the following.
sudo ufw allow 3541/tcp
Note, if you want to block all SSH connections, or change the port and block the old one, type the following commands to modify the ruleset.
Block SSH in full:
sudo ufw deny ssh/tcp
Block SSH custom port:
sudo ufw deny 3541/tcp
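The lockout described above is easy to prevent with a check before enabling. The following script is an added example, not part of the original guide: it reads the port(s) sshd actually listens on from sshd_config and refuses to run `ufw enable` until `ufw show added` contains an allow rule for each of them. It assumes OpenSSH's sshd_config syntax (`Port N` directives); the config path and the `UFW` command name are parameters so the functions can be exercised on constructed input.

```shell
#!/bin/sh
# Added example, not part of the original guide: before "ufw enable" on a remote
# host, check that an allow rule exists for every port sshd listens on, so the
# session you are working from is not cut off. Assumes OpenSSH's sshd_config
# syntax ("Port N" directives; "sshd -T" would be the authoritative source).

# ssh_ports_from_config FILE
# Prints each active "Port" directive, one per line, or 22 when none is set.
# Commented-out directives such as "#Port 22" are ignored.
ssh_ports_from_config() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -n "$ports" ]; then
        printf '%s\n' "$ports"
    else
        echo 22
    fi
}

# missing_ssh_rules ADDED_TEXT PORT...
# ADDED_TEXT is the output of "ufw show added" (one "ufw allow ..." line per
# rule). Prints the ports among PORT... that no rule covers. Recognised forms:
# "allow N", "allow N/tcp", "allow from X to any port N" and, for port 22 only,
# the ssh / OpenSSH names.
missing_ssh_rules() {
    added=$1; shift
    for p in "$@"; do
        pat="^ufw allow( .*to any port)? $p(/tcp)?( |\$)"
        [ "$p" = 22 ] && pat="$pat|^ufw allow (ssh|OpenSSH)( |\$)"
        printf '%s\n' "$added" | grep -Eq "$pat" || echo "$p"
    done
}

# safe_enable CONFIG_FILE
# Refuses to enable the firewall while any sshd port lacks an allow rule.
# UFW can be overridden (e.g. UFW=echo) to preview the commands instead.
UFW=${UFW:-ufw}
safe_enable() {
    ports=$(ssh_ports_from_config "$1")
    missing=$(missing_ssh_rules "$($UFW show added)" $ports)  # split on purpose
    if [ -n "$missing" ]; then
        echo "refusing to enable: no allow rule for sshd port(s): $missing" >&2
        return 1
    fi
    $UFW --force enable
}
```

Run as root with `safe_enable /etc/ssh/sshd_config` after adding the rules from this section; a non-zero exit names the port that still needs an allow rule.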
UFW Enable Ports
With UFW, you can open specific ports in the firewall to allow connections to a particular application. A good example is a web server, which by default listens on port 80 (HTTP) and port 443 (HTTPS). You can set custom rules for the application.
Allow HTTP Port 80
Allow by application profile:
sudo ufw allow 'Apache'
Allow by service name:
sudo ufw allow http
Allow by port number:
sudo ufw allow 80/tcp
Allow HTTPS Port 443
Allow by application profile:
sudo ufw allow 'Apache Secure'
Allow by service name:
sudo ufw allow https
Allow by port number:
sudo ufw allow 443/tcp
Note, you can enable all of the above rules together with the following command.
sudo ufw allow 'Apache Full'
UFW Allow Port Ranges
UFW can allow access to port ranges. Note that when opening a port range, you must specify the protocol.
Allow port range with TCP & UDP:
sudo ufw allow 6500:6800/tcp && sudo ufw allow 6500:6800/udp
UFW Allow Specific IP Address
To allow specific IP addresses, for example on an internal network where you want particular systems to communicate with each other, you can allow them with the following command.
Internal IP Example, 192.168.55.X:
sudo ufw allow from 192.168.55.131
UFW Allow Specific IP Address on Specific Port
To enable an IP to connect to your system on a defined port (example port “3900”), type the following.
sudo ufw allow from 192.168.55.131 to any port 3900
UFW Allow Network Subnets
Allow Subnet Connections to a Specified Port
If you need to allow a whole subnet of IP addresses to connect to a particular port, create the following rule.
sudo ufw allow from 192.168.1.0/24 to any port 3900
This will allow all IP addresses from 192.168.1.1 to 192.168.1.254 to connect to port 3900.
Allow Specific Network Interface
For example, to allow connections arriving on a particular network interface, “eth2”, to a specified port 3900, create the following rule.
sudo ufw allow in on eth2 to any port 3900
UFW Deny Connections
As per the default policy of UFW, when installed, all incoming connections are set to “deny”. This blocks all incoming traffic unless you create a rule to allow it through.
Suppose you have noticed in your logs a particular IP address that keeps attacking you. Block it with the following.
sudo ufw deny from 220.127.116.11
If an attacker is using multiple IP addresses from the same subnet, block the whole subnet with the following.
sudo ufw deny from 18.104.22.168/24
You can also create rules that deny access to particular ports only. For example:
sudo ufw deny from 22.214.171.124/24 to any port 80
sudo ufw deny from 126.96.36.199/24 to any port 443
UFW Delete Rules
You have created allow and deny rules, but now need to delete some of them because they are no longer needed. This can be done in two ways.
First, to delete a UFW rule by its number, list the rule numbers by typing the following.
sudo ufw status numbered
     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     188.8.131.52
[ 2] Anywhere                   DENY IN     184.108.40.206
[ 3] 23/tcp                     ALLOW IN    Anywhere
To delete the first rule, for IP address 220.127.116.11, type the following.
sudo ufw delete 1
Secondly, you can delete a UFW rule by specifying the rule itself.
sudo ufw delete allow 23/tcp
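Deleting by number has a pitfall: UFW renumbers the remaining rules after every deletion, so a list of numbers taken once becomes stale after the first `ufw delete`. The following script is an added example, not part of the original guide: it parses the `ufw status numbered` layout shown above to find every rule with a given source address and deletes the matches highest number first, looking the numbers up immediately before deleting. The sample listing and the 203.0.113.7 address are constructed; the `UFW` command name is a parameter.

```shell
#!/bin/sh
# Added example, not part of the original guide: delete every rule that matches
# a given source address by rule number. UFW renumbers the remaining rules after
# each deletion, so matches are removed highest number first to keep the
# numbers of the rules still to be deleted valid. Assumes the layout of
# "ufw status numbered" shown in the guide ("[ N] To  ACTION DIR  From").

# rule_numbers_for_source STATUS_TEXT FROM
# Prints the numbers of the rules whose From column equals FROM exactly,
# highest first.
rule_numbers_for_source() {
    printf '%s\n' "$1" | awk -v src="$2" '
        /^\[ *[0-9]+\]/ {
            n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)
            # the From column is everything after the action and direction
            if (match($0, /(ALLOW|DENY|REJECT|LIMIT) (IN|OUT|FWD) +/)) {
                from = substr($0, RSTART + RLENGTH)
                sub(/[ \t]+$/, "", from)
                if (from == src) print n
            }
        }' | sort -rn
}

# delete_rules_from FROM
# Looks the numbers up immediately before deleting, never from a stale listing.
# UFW can be overridden (e.g. UFW=echo) to preview the commands instead.
UFW=${UFW:-ufw}
delete_rules_from() {
    status=$($UFW status numbered)
    for n in $(rule_numbers_for_source "$status" "$1"); do
        $UFW --force delete "$n"
    done
}

# Constructed sample listing (RFC 5737 documentation address) in the layout
# "ufw status numbered" prints; used only to exercise the parser.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] Anywhere                   DENY IN     203.0.113.7
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 443/tcp                    DENY IN     203.0.113.7
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# With one argument, remove every rule from that source on the live firewall.
[ $# -eq 1 ] && delete_rules_from "$1"
```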
UFW Dry Run Rules
On highly critical systems, a good option when experimenting with firewall settings is to add the --dry-run flag. This shows the changes that would be made without applying them.
sudo ufw --dry-run enable
UFW Reset Firewall
If, for any reason, you need to reset your firewall to its original state, with all incoming connections blocked and outgoing connections allowed, type the following.
sudo ufw reset
To confirm the reset, enter the following:
sudo ufw status
The output should be:
With the UFW firewall reset, you can reconfigure your rules and settings as per the start of our guide.
Comments and Conclusion
This guide has shown you how to install and configure UFW on Debian 10. Using UFW is highly recommended, as it’s a simple firewall system for Debian compared to other options that may be confusing for non-power users. Given the rise of cybercrime and hacking, it’s a quick and reliable way to safeguard your system.