One of the keystones of any operating system is a properly configured firewall, which is essential for complete system security. Debian uses iptables; however, most users will opt for a front end to it, UFW (Uncomplicated Firewall).
Some of the great benefits of UFW are its simplicity and its user-friendly, easy-to-use command line, making it suitable for everyone from Linux beginners to the most advanced power users.
In the following tutorial, you will learn how to install and set up the UFW firewall on Debian 11 Bullseye.
- Recommended OS: Debian 11 Bullseye
- User account: A user account with sudo or root access.
Update Operating System
Update your Debian operating system to make sure all existing packages are up to date:
sudo apt update && sudo apt upgrade -y
The tutorial will be using the sudo command and assuming you have sudo status.
To verify sudo status on your account:
sudo whoami
Example output showing sudo status:
root
To set up an existing or new sudo account, visit our tutorial on Adding a User to Sudoers on Debian.
To use the root account, use the following command with the root password to log in.
The tutorial will utilize the terminal for the installation found in Activities > Show Applications > Terminal.
How to Enable, Install or Remove UFW
By default, UFW is not installed on Debian but is available from its repositories. To install UFW, use the following command.
sudo apt install ufw -y
Once installed, enable the service.
sudo systemctl enable ufw --now
Next, verify the status of UFW to make sure it is active and without errors.
sudo systemctl status ufw
The next step in setting up a UFW firewall will be to enable the firewall itself.
sudo ufw enable
Firewall is active and enabled on system startup
By default, once the firewall is live, all incoming traffic is blocked and all outbound traffic is allowed. This immediately protects your system by stopping anyone from connecting to it remotely.
In the future, if you need to disable UFW for a temporary period, use the following command.
sudo ufw disable
To remove UFW altogether from your Debian system:
sudo apt remove ufw --purge
Do not remove UFW unless you have a solid alternative or know how to use iptables directly, especially on a server connected to the public Internet. Otherwise the result can be disastrous.
How to Check UFW Status
Once UFW is enabled, view the status of the firewall rules and what is active with the following.
sudo ufw status verbose
The above example used the verbose flag; an alternative is to list the rules in numbered sequence, which is far more manageable later on when deleting rules.
sudo ufw status numbered
Each rule now carries a number label, such as [ 2], which identifies it in the output above.
How to set UFW Default Policies
The default policy of the UFW firewall is to deny all incoming connections and allow all outgoing connections from the system. This is typically the most secure default: no one can reach your server unless you explicitly allow IP addresses or ranges, programs, ports, or a combination of these. Your system can, by default, reach the outside, and you should not change that unless you have specific security requirements.
The default UFW firewall policies can be found in the location /etc/default/ufw.
Adjust the default policies with the following commands:
To deny all incoming connections:
sudo ufw default deny incoming
To allow all outgoing connections:
sudo ufw default allow outgoing
When enabled, this is already set as the default rules, but you can use the same principle to change them around to suit your purpose.
For example, incoming connections are blocked by default, but if you also want all outgoing connections blocked and only approved connections allowed outbound, use the following command.
To block all outgoing connections:
sudo ufw default deny outgoing
This is an extreme measure; blocking incoming connections is usually enough for the average server and desktop, but specific environments can benefit from the extra security precaution. The downside is that you need to maintain rules for all outgoing connections, which can be time-consuming, as new rules must be set continually.
How to view UFW Application Profiles
To show all application profiles, type the following.
sudo ufw app list
The above is just an example; everyone will have a different list, as no two systems have the same applications installed.
A handy feature of application profiles is that you can find out more about any service listed in the UFW application list.
To do this, type the following command to get more information about an existing profile.
sudo ufw app info qBittorrent
As shown above, the output gives the application's general description and the ports it uses. This is a handy feature when you investigate open ports and are unsure which application they belong to and what that application does.
How to Enable IPv6 on UFW
If your Debian system is configured with IPv6, you need to ensure UFW is configured with both IPv6 and IPv4 support. By default, this should be enabled automatically; however, you should check and, if need be, modify it. You can do this as follows.
Open default UFW firewall file.
sudo nano /etc/default/ufw
Adjust the following line to yes if it is not already set.
CTRL+O to save the new changes to the file, then press CTRL+X to exit the file.
Now restart the UFW firewall service to make the changes active.
sudo systemctl restart ufw
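As an added example that is not part of the original tutorial, the following shell functions check and correct the file's IPV6= key in a /etc/default/ufw-style file, so the edit above can be verified or scripted instead of done by hand in nano. The file path is a parameter, and the sample file contents are constructed; on a real host you would pass /etc/default/ufw and then restart the service as above.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check and set IPV6=yes in a
# /etc/default/ufw-style file. The path is a parameter so the functions can be
# tried on a scratch copy; on a real host pass /etc/default/ufw and then run
# `sudo systemctl restart ufw` as the tutorial does.

# Print the current IPV6 value from the file, or "unset" if no IPV6= line exists.
ufw_ipv6_setting() {
    value=$(sed -n 's/^IPV6=\(.*\)$/\1/p' "$1" | tail -n 1)
    if [ -z "$value" ]; then
        echo "unset"
    else
        echo "$value"
    fi
}

# Set IPV6=yes: rewrite an existing IPV6= line, or append one if it is missing.
# The rewrite goes through a temp file and `cat >` so the target keeps its
# owner and permissions (which matters for a file under /etc).
ufw_enable_ipv6() {
    file="$1"
    if grep -q '^IPV6=' "$file"; then
        tmp=$(mktemp)
        sed 's/^IPV6=.*/IPV6=yes/' "$file" > "$tmp"
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf 'IPV6=yes\n' >> "$file"
    fi
}

# Demonstration on a constructed scratch copy of the file.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample of /etc/default/ufw
IPV6=no
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
EOF
echo "before: IPV6=$(ufw_ipv6_setting "$demo_file")"
ufw_enable_ipv6 "$demo_file"
echo "after:  IPV6=$(ufw_ipv6_setting "$demo_file")"
rm -f "$demo_file"
```

The check function is the useful half for a server fleet: run it before and after the change, and restart UFW only when the value actually changed.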
How to Allow UFW SSH Connections
By default, UFW does not allow SSH connections. If you enable the firewall on a remote server without first allowing SSH, you will find yourself locked out.
To avoid this, create the following SSH rule before enabling the UFW firewall, especially when connected to a remote server.
First, allow the SSH service.
sudo ufw allow ssh
If you have set up a custom listening port for SSH other than the default port 22, for example port 3541, open that port in the UFW firewall by typing the following.
sudo ufw allow 3541/tcp
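As an added example that is not part of the original tutorial, this shell script reads the port (or ports) sshd is configured to listen on from an sshd_config file and prints the matching UFW allow command to run before enabling the firewall, so the rule matches the daemon's real port rather than an assumed one. The sshd_config shown is a constructed sample; a real run would point it at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original tutorial): derive the UFW allow rule for
# SSH from the port(s) sshd is actually configured to use, so the rule created
# before `sudo ufw enable` matches the daemon and does not lock you out.

# Print every uncommented "Port N" value in the given sshd_config, one per line.
# With no Port directive, OpenSSH listens on 22, so print 22. (When several
# Port lines exist, sshd listens on all of them, hence one rule per port.)
ssh_ports_from_config() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -z "$ports" ]; then
        echo 22
    else
        echo "$ports"
    fi
}

# Print one `sudo ufw allow ...` command per configured port. Port 22 uses the
# ssh service name, exactly as in the tutorial; other ports are opened as
# <port>/tcp.
ufw_allow_cmds_for_ssh() {
    ssh_ports_from_config "$1" | while read -r port; do
        if [ "$port" = "22" ]; then
            echo "sudo ufw allow ssh"
        else
            echo "sudo ufw allow ${port}/tcp"
        fi
    done
}

# Demonstration on a constructed sshd_config; pass /etc/ssh/sshd_config on a real host.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed sshd_config sample
#Port 22
Port 3541
PermitRootLogin no
EOF
ufw_allow_cmds_for_ssh "$cfg"
rm -f "$cfg"
```

One caveat: the parser reads only the file it is given and does not follow Include directives, so on a system whose sshd_config pulls in drop-in files, check those as well before trusting the printed rule.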
You may also want to block all SSH connections, or block the old port after changing it.
To block all SSH connections (make sure local access is possible first), use the following command.
sudo ufw deny ssh/tcp
If you change the custom SSH port, open the new port first and then close the existing one; the tutorial's example is port 3541.
sudo ufw deny 3541/tcp
How to Enable UFW Ports
With UFW, you can open specific ports in the firewall to allow connections for a particular application, and you can set customized rules for it. A good example is a web server, which by default listens on port 80 (HTTP) and port 443 (HTTPS).
Allow HTTP Port 80
Allow by application profile:
sudo ufw allow 'Nginx HTTP'
Allow by service name:
sudo ufw allow http
Allow by port number:
sudo ufw allow 80/tcp
Allow HTTPS Port 443
Allow by application profile:
sudo ufw allow 'Nginx HTTPS'
Allow by service name:
sudo ufw allow https
Allow by port number:
sudo ufw allow 443/tcp
Note that you can enable both of these rules at once by using the following command.
sudo ufw allow 'Nginx Full'
UFW Allow Port Ranges
UFW can allow access to port ranges. When opening a port range, you must identify the port protocol.
Allow port range with TCP & UDP:
sudo ufw allow 6500:6800/tcp
sudo ufw allow 6500:6800/udp
Alternatively, you can allow several individual ports in one command (written as a comma-separated list with no spaces), though a range as above is easier to manage.
sudo ufw allow 6500,6501,6505,6509/tcp
sudo ufw allow 6500,6501,6505,6509/udp
How to Allow Remote Connections on UFW
UFW Allow Specific IP Address
For example, to allow a specific IP address because you are on an internal network and need the systems to communicate with each other, use the following command.
sudo ufw allow from 192.168.55.131
UFW Allow Specific IP Address on Specific Port
To allow an IP address to connect to your system on a defined port (for example, port 3900), type the following.
sudo ufw allow from 192.168.55.131 to any port 3900
Allow Subnet Connections to a Specified Port
If you require connections from a whole IP subnet to a particular port, you can enable this by creating the following rule.
sudo ufw allow from 192.168.1.0/24 to any port 3900
This will allow all IP addresses from 192.168.1.1 to 192.168.1.254 to connect to port 3900.
Allow Specific Network Interface
For example, to allow connections arriving on a particular network interface, “eth2”, to a specified port 3900, create the following rule.
sudo ufw allow in on eth2 to any port 3900
How to Deny Remote Connections on UFW
As per the default setup policy of UFW, when installed, all incoming connections are set to “deny.” This rejects all incoming traffic unless you create a rule to allow the connections to come through.
However, you may notice in your logs a particular IP address that keeps attacking you. Block it with the following.
sudo ufw deny from 188.8.131.52
If a hacker uses multiple IP addresses from the same subnet to attack you, block the whole subnet with the following.
sudo ufw deny from 184.108.40.206/24
You can create specific rules if you want to deny access to particular ports. Type the following examples.
sudo ufw deny from 220.127.116.11/24 to any port 80
sudo ufw deny from 18.104.22.168/24 to any port 443
How to Delete UFW Rules
Once you have created allow and deny rules, you will at some point need to delete those you no longer need. This can be achieved in two different ways.
First, to delete a UFW rule using its rule number, list the rule numbers by typing the following.
sudo ufw status numbered
The example will delete the third rule, the one for IP address 22.214.171.124 in the numbered output above.
Type the following in your terminal.
sudo ufw delete 3
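As an added example that is not part of the original tutorial, the following shell functions look up the number UFW assigned to a rule from the text of sudo ufw status numbered, and print a deletion plan for several rules at once. The status text is passed in as a parameter so it can be tested on the constructed sample below; on a real host you would feed it the real command's output.

```shell
#!/bin/sh
# Added example (not from the original tutorial): look up the number UFW gave a
# rule, and plan deletions, from the text of `sudo ufw status numbered`. The
# status text is a parameter so it can be tested on the constructed sample below
# and fed from the real command on a host:
#   ufw_rule_number_for_source "$(sudo ufw status numbered)" 22.214.171.124

# Constructed sample of `ufw status numbered` output.
UFW_STATUS_SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] Anywhere                   DENY IN     22.214.171.124
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Print the number of the first rule whose From column equals the given value
# (an address, a subnet, or e.g. "Anywhere (v6)"); print nothing if none matches.
ufw_rule_number_for_source() {
    printf '%s\n' "$1" | awk -v src="$2" '
        /^\[ *[0-9]+\]/ {
            num = $0
            sub(/^\[ */, "", num); sub(/\].*/, "", num)
            # the From column is whatever follows the action (ALLOW IN, DENY IN, ...)
            if (match($0, /(ALLOW|DENY|REJECT|LIMIT)( (IN|OUT|FWD))? +/)) {
                from = substr($0, RSTART + RLENGTH)
                sub(/ +$/, "", from)
                if (from == src) { print num; exit }
            }
        }'
}

# Print `sudo ufw delete N` for each matching source, highest number first:
# UFW renumbers the remaining rules after every deletion, so deleting from the
# top keeps the numbers that were looked up valid for the whole plan.
ufw_delete_plan() {
    status_text="$1"; shift
    for src in "$@"; do
        ufw_rule_number_for_source "$status_text" "$src"
    done | sort -rn | while read -r n; do
        echo "sudo ufw delete $n"
    done
}

ufw_rule_number_for_source "$UFW_STATUS_SAMPLE" 22.214.171.124   # 3
ufw_delete_plan "$UFW_STATUS_SAMPLE" 22.214.171.124 "Anywhere (v6)"
```

The ordering in ufw_delete_plan is the practical point: deleting rule 3 and then rule 4 from the sample would remove the wrong second rule, because the old rule 4 becomes rule 3 as soon as the first deletion happens.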
How to Access and View UFW Logs
By default, UFW logging is set to low, which is fine for most desktop systems; servers, however, may require a higher level of logging.
To set UFW logging to low (the default):
sudo ufw logging low
To set UFW logging to medium:
sudo ufw logging medium
To set UFW logging to high:
sudo ufw logging high
The last option is to disable logging altogether; be sure you are happy with this and will not need to check the logs.
sudo ufw logging off
UFW logs are kept by default in /var/log/ufw.log.
An easy, quick way to view live logs is to use the tail command.
sudo tail -f /var/log/ufw.log
Alternatively, you can print a number of recent lines with the -n <number> flag.
sudo tail -n 30 /var/log/ufw.log
This will print out the last 30 lines of the log. You can further fine-tune the output with grep and other filtering commands.
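As an added example that is not part of the original tutorial, the following shell functions do the kind of fine-tuning mentioned above over [UFW BLOCK] log entries: one ranks the blocked source addresses by how often they appear, the other lists which ports a given source was blocked on, so that a single-port password-guessing pattern can be told apart from a port scan before you write a deny rule. The log lines are constructed samples in the format the kernel writes to /var/log/ufw.log; on a real host you would pass the output of tail on the real file.

```shell
#!/bin/sh
# Added example (not from the original tutorial): summarise [UFW BLOCK] entries
# from /var/log/ufw.log to see which sources are being blocked most often and
# which ports a given source is probing. The log text is a parameter, so on a
# real host run e.g. ufw_top_blocked_sources "$(sudo tail -n 1000 /var/log/ufw.log)".

# Constructed sample log lines in the format the kernel writes for UFW.
UFW_LOG_SAMPLE='Mar  3 10:01:12 debian kernel: [ 1201.551234] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.50.45 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:13 debian kernel: [ 1202.101234] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.50.45 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:15 debian kernel: [ 1204.331234] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.50.45 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:20 debian kernel: [ 1209.771234] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.50.45 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51237 DPT=2222 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:02:03 debian kernel: [ 1252.441234] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=192.168.50.45 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=31337 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:02:09 debian kernel: [ 1258.121234] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.50.45 LEN=58 TOS=0x00 PREC=0x00 TTL=57 ID=20202 PROTO=UDP SPT=5353 DPT=53 LEN=38
Mar  3 10:02:30 debian kernel: [ 1279.001234] [UFW AUDIT] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.12 DST=192.168.50.45 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=50010 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

# Print "<count> <source>" for every blocked source, most frequent first
# (ties broken by address so the output is stable).
ufw_top_blocked_sources() {
    printf '%s\n' "$1" | awk '
        /\[UFW BLOCK\]/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) count[substr($i, 5)]++
        }
        END { for (s in count) print count[s], s }' | sort -k1,1nr -k2,2
}

# Print "<count> <proto>/<port>" for the blocked packets from one source, so a
# single-port password-guessing pattern can be told apart from a port scan.
ufw_ports_hit_by_source() {
    printf '%s\n' "$1" | awk -v src="$2" '
        /\[UFW BLOCK\]/ {
            hit = 0; proto = "?"; dpt = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == ("SRC=" src)) hit = 1
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (hit) hits[proto "/" dpt]++
        }
        END { for (k in hits) print hits[k], k }' | sort -k1,1nr -k2,2
}

echo "most blocked sources:"
ufw_top_blocked_sources "$UFW_LOG_SAMPLE"
echo "ports hit by 203.0.113.7:"
ufw_ports_hit_by_source "$UFW_LOG_SAMPLE" 203.0.113.7
```

Only [UFW BLOCK] lines are counted; [UFW AUDIT] and [UFW ALLOW] entries, which appear at the higher logging levels set above, are deliberately ignored so that legitimate traffic does not inflate the ranking.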
How to Test UFW Rules
On highly critical systems, a good option when experimenting with firewall settings is to add the --dry-run flag. This shows the changes that would be made without actually applying them.
sudo ufw --dry-run enable
The flag applies only to the command it is given with; the same flag previews disabling the firewall without actually doing it.
sudo ufw --dry-run disable
How to Reset UFW Rules
To reset your firewall to its original state, with all incoming connections blocked and outgoing connections allowed, type the following.
sudo ufw reset
To confirm the reset, enter the following:
sudo ufw status
The output should report Status: inactive.
With the UFW firewall reset, you will need to re-enable the firewall and start the entire process of adding rules again. The reset command should be used sparingly if possible.
How to find All Open Ports (Security Check)
Most users do not realize that their systems can have ports open. In an age when every IP address on the Internet is scanned daily, it is crucial to watch what is happening behind the scenes.
The best option is to install Nmap and then use this well-known application to list the open ports.
sudo apt install nmap -y
Next, find the internal IP address of the system.
Now use the following Nmap command with the server’s IP address.
sudo nmap 192.168.50.45
As shown above, all ports are closed. If you do find open ports, investigate what they are before closing or blocking them if you are unsure, as doing so may break services or, in the worst case, lock you out of a server.
From this point, you can create custom UFW rules, as learned in the tutorial, to close or restrict the open ports.
Comments and Conclusion
The tutorial has shown you how to set up and configure UFW for a desktop or server on Debian 11 Bullseye.
UFW is highly recommended, as it is a simple firewall system compared to other options that may be too confusing for non-power users. Given the rise of cybercrime and hacking, it is a quick, sure way to safeguard your system.
The one area where UFW starts to fall short is large rule sets and IP blacklists, where you may have hundreds of thousands, if not millions, of IP addresses being blocked. Other alternatives may be needed there, but this will not affect most users, as such servers typically have a suitable option in place already.