How to Setup and Configure UFW Firewall on Ubuntu 20.04

One of the keystones of any operating system is a properly configured firewall for complete system security. UFW (Uncomplicated Firewall) is installed by default on Ubuntu; however, it is not enabled. One of the great benefits of UFW is its simplicity and its user-friendly, easy-to-use command line, making it suitable for everyone from Linux beginners to the most advanced power users.

In the following tutorial, you will learn to install and set up UFW Firewall on either Ubuntu 20.04 LTS Focal Fossa Desktop or Server using the command terminal.

Prerequisites

  • Recommended OS: Ubuntu 20.04
  • User account: A user account with sudo or root access.

Update Operating System

Update your Ubuntu operating system to make sure all existing packages are up to date:

sudo apt update && sudo apt upgrade -y

The tutorial will be using the sudo command and assuming you have sudo status.

To verify sudo status on your account:

sudo whoami

Example output showing sudo status:

[joshua@ubuntu ~]$ sudo whoami
root

To set up an existing or new sudo account, visit our tutorial on How to Add a User to Sudoers on Ubuntu.

To use the root account, use the following command with the root password to log in.

su

How to Enable, Install or Remove UFW

The first step in setting up a UFW firewall will be to enable the firewall.

sudo ufw enable

Example output:

Firewall is active and enabled on system startup

By default, all incoming traffic is blocked automatically and all outbound traffic is allowed once the firewall is live. This instantly protects your system by stopping anyone from connecting to it remotely, including over SSH, so if you are working on a remote server, add the SSH rule from the section on allowing SSH connections before enabling the firewall.

If UFW was removed previously and you would like to reinstall the firewall, use the following command.

sudo apt install ufw -y

Next, verify the status of UFW to make sure it is active and without errors.

sudo systemctl status ufw

Example output:

(Screenshot: output of sudo systemctl status ufw showing the service active.)

In the future, if you need to disable UFW for a temporary period of time, use the following command.

sudo ufw disable

To remove UFW altogether from your Ubuntu system, use the following.

sudo apt autoremove ufw --purge

Do not remove UFW unless you have a solid alternative or know how to use iptables, especially when running a server environment connected to the public Internet. Otherwise, this will be disastrous.

How to Check UFW Status

Once UFW is enabled, view the status of the firewall and which rules are active with the following.

sudo ufw status verbose

Example output:

(Screenshot: output of sudo ufw status verbose.)

The above example used the verbose flag; an alternative is to list the rules numbered, which is far more manageable later on when deleting rules.

sudo ufw status numbered

Example output:

(Screenshot: output of sudo ufw status numbered.)

As in the above output, you now have [ 1], [ 2] number labels on your UFW rules for identification.


How to set UFW Default Policies

The default policy of the UFW firewall is to deny all incoming connections and allow only outbound connections from the system. This is typically the most secure default: no one can reach your server unless you allow specific IP addresses/ranges, programs, ports, or combinations of these. Your system, by default, can access the outside, which you should not adjust unless you have specific security requirements.

For reference, the default UFW firewall policies can be found in the location /etc/default/ufw.

To adjust the default policies, type the following commands:

To deny all incoming connections:

sudo ufw default deny incoming

To allow all outgoing connections:

sudo ufw default allow outgoing

This is already set as the default rules when enabled, but you can use the same principle to change them around to suit your purpose.

For example, all incoming communication is blocked by default, but if you also want all outgoing traffic blocked and only approved outbound connections allowed, use the following command.

To block all outgoing connections:

sudo ufw default deny outgoing

This is an extreme measure; blocking incoming connections is usually enough for the average server and desktop, but specific environments can benefit from the extra security precaution. The downside is that you need to maintain all outgoing connections, which can be time-consuming, as you will continually be setting new rules.

How to view UFW Application Profiles

To show all application profiles, type the following.

sudo ufw app list

Example output:

(Screenshot: output of sudo ufw app list.)

The above is just an example, and everyone will have different lists as no one will have the same applications installed.

A handy feature of applications profiles is finding out more about the service listed in the UFW application list.

To do this, type the following command to find more information about an existing profile.

sudo ufw app info CUPS

Example output:

(Screenshot: output of sudo ufw app info CUPS.)

As above, the command prints the application’s general description and the port it uses. This is a handy feature when you are investigating open ports and are not sure which applications they relate to or what the application does.


How to Enable IPv6 on UFW

If your Ubuntu system is configured with IPv6, you need to ensure UFW is configured with both IPv6 and IPv4 support. By default, this should be enabled automatically; however, you should check and, if need be, modify it. You can do this as follows.

Open default UFW firewall file.

sudo nano /etc/default/ufw

Adjust the following line to yes if not set.

IPV6=yes

CTRL+O to save the new changes to the file, then press CTRL+X to exit the file.

Now restart the UFW firewall service to make the changes active.

sudo systemctl restart ufw

How to Allow UFW SSH Connections

By default, UFW does not allow SSH connections. If you had already enabled the firewall on a remote server, you would have noticed that you were locked out.

To avoid this, add the following SSH rule before enabling the UFW firewall, especially if you are connected to a remote server.

First, enable SSH application profile.

sudo ufw allow ssh

If you have set up a custom listening port for SSH connections other than the default port 22, for example, port 3541, you will open the port on the UFW firewall by typing the following.

sudo ufw allow 3541/tcp

If you want to block all SSH connections, or you have changed the SSH port and want to close the old one, use the rules below.

To block all SSH connections (make sure local access is possible first), use the following command.

sudo ufw deny ssh/tcp

If you changed the custom SSH port, open the new port and close the existing one; the tutorial example closes port 3541.

sudo ufw deny 3541/tcp

How to Enable UFW Ports

With UFW, you can open specific ports in the firewall to allow connections specified for a particular application. You can set customized rules for the application. An excellent example of this rule is setting up a web server that listens on port 80 (HTTP) and 443 (HTTPS) by default.

Allow HTTP Port 80

Allow by application profile:

sudo ufw allow 'Nginx HTTP'

Allow by service name:

sudo ufw allow http

Allow by port number:

sudo ufw allow 80/tcp

Allow HTTPS Port 443

Allow by application profile:

sudo ufw allow 'Nginx HTTPS'

Allow by service name:

sudo ufw allow https

Allow by port number:

sudo ufw allow 443/tcp

Note, you can enable all of the rules together by default by using the following command.

sudo ufw allow 'Nginx Full'

UFW Allow Port Ranges

UFW can allow access to port ranges. Note, when opening a port range, you must identify the port protocol.

Allow port range with TCP & UDP:

sudo ufw allow 6500:6800/tcp
sudo ufw allow 6500:6800/udp

Alternatively, you can allow multiple individual ports in one command (comma-separated, no spaces, with the protocol required), although a range as above may be easier to manage.

sudo ufw allow 6500,6501,6505,6509/tcp
sudo ufw allow 6500,6501,6505,6509/udp

How to Allow Remote Connections on UFW

UFW Allow Specific IP Address

For example, to allow a specific IP address, say when you are on an internal network and need the systems to communicate with each other, use the following command.

sudo ufw allow from 192.168.55.131

UFW Allow Specific IP Address on Specific Port

To enable an IP to connect to your system on a defined port (example port “3900”), type the following.

sudo ufw allow from 192.168.55.131 to any port 3900

Allow Subnet Connections to a Specified Port

If you require a whole range of connections from an IP range subnet to a particular port, you can enable this by creating the following rule.

sudo ufw allow from 192.168.1.0/24 to any port 3900

This will allow all IP addresses from 192.168.1.1 to 192.168.1.254 to connect to port 3900.

Allow Specific Network Interface

For example, to allow connections arriving on a particular network interface, “eth2”, to a specified port 3900, create the following rule.

sudo ufw allow in on eth2 to any port 3900

How to Deny Remote Connections on UFW

As per the default policy of UFW, when installed, all incoming connections are set to “deny.” This blocks all incoming traffic unless you create a rule to allow the connections through.

If you notice in your logs a particular IP address that keeps attacking you, block it with the following.

sudo ufw deny from 203.13.56.121

If an attacker is using multiple IP addresses from the same subnet, create the following rule to block the whole subnet.

sudo ufw deny from 203.13.56.121/24

You can create specific rules if you want to deny access to particular ports. Type the following example.

sudo ufw deny from 203.13.56.121/24 to any port 80
sudo ufw deny from 203.13.56.121/24 to any port 443

How to Delete UFW Rules

You have created allow and deny rules, but now you need to delete some that you no longer need. This can be achieved in two different ways.

First, to delete a UFW rule using the rule number, you must list the rule numbers by typing the following.

sudo ufw status numbered

Example output:

(Screenshot: numbered rule listing with the rule for IP address 1.1.1.1 highlighted.)

The example will delete the fourth rule, for IP address 1.1.1.1, which is highlighted above. The number you pass is the rule's position in the numbered listing.

Type the following in your terminal.

sudo ufw delete 4

Secondly, you can delete a UFW rule by using the actual rule itself.

sudo ufw delete allow 80/tcp

When rules are deleted successfully, you will get the following output.

Rule deleted
Rule deleted (v6)
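As an added example, not part of the original tutorial: a small POSIX shell helper that parses a constructed "ufw status numbered" listing to find the number of a rule before passing it to ufw delete, so the number you delete is the one you checked. The function names and the sample listing are my own; in use, pipe the real output of sudo ufw status numbered into the functions instead.

```shell
# Constructed sample of `sudo ufw status numbered` output (not a real capture).
UFW_SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3900                       ALLOW IN    192.168.55.131
[ 4] Anywhere                   DENY IN     1.1.1.1
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# ufw_rule_numbers <to> <action> <from>: print the number of every rule whose
# To, Action and From columns match exactly. stdin: "ufw status numbered" output.
ufw_rule_numbers() {
    awk -v to="$1" -v act="$2" -v from="$3" '
        /^\[/ {
            split($0, parts, "]")                  # parts[1] is e.g. "[ 4"
            num = parts[1]; gsub(/[^0-9]/, "", num)
            rest = substr($0, length(parts[1]) + 2); sub(/^ +/, "", rest)
            n = split(rest, col, /  +/)            # columns are padded with 2+ spaces
            if (n >= 3 && col[1] == to && col[2] == act && col[3] == from) print num
        }'
}

# ufw_delete_plan <to> <action> <from>: print the delete commands for the matching
# rules, highest number first, because deleting a rule renumbers the ones after it.
ufw_delete_plan() {
    ufw_rule_numbers "$1" "$2" "$3" | sort -rn | while read -r num; do
        printf 'sudo ufw delete %s\n' "$num"
    done
}

# Locate the deny rule for 1.1.1.1 in the sample listing; prints: sudo ufw delete 4
printf '%s\n' "$UFW_SAMPLE_STATUS" | ufw_delete_plan Anywhere "DENY IN" 1.1.1.1
```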

How to Access and View UFW Logs

By default, UFW logging is set to low. This is fine for most desktop systems. However, servers may require a higher level of logging.

To set UFW logging to low(Default):

sudo ufw logging low

To set UFW logging to medium:

sudo ufw logging medium

To set UFW logging to high:

sudo ufw logging high

The last option is to disable logging altogether; be sure you are happy with this and will not require log checking.

sudo ufw logging off

UFW logs are kept in the default location /var/log/ufw.log.

An easy, quick way to view live logs is to use the tail command.

sudo tail -f /var/log/ufw.log

Alternatively, you can print out a set number of recent lines with the -n <number> flag.

sudo tail -n 30 /var/log/ufw.log

This will print out the last 30 lines of the log. You can further fine-tune the output with grep and other filtering commands.
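As an added example, not from the original tutorial: POSIX shell functions that summarise the [UFW BLOCK] entries in constructed sample ufw.log lines by source address and by destination port, which is the kind of triage that should precede a ufw deny rule. The function names and the sample lines are my own; in use, feed the real log, for example sudo tail -n 500 /var/log/ufw.log | ufw_blocked_by_src.

```shell
# Constructed sample of /var/log/ufw.log lines (not a real capture).
UFW_SAMPLE_LOG='Jan 10 12:00:01 ubuntu kernel: [ 1001.000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.13.56.121 DST=192.168.50.45 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 ubuntu kernel: [ 1002.000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.13.56.121 DST=192.168.50.45 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54322 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 ubuntu kernel: [ 1003.000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.50.45 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:04 ubuntu kernel: [ 1004.000] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.55.131 DST=192.168.50.45 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:05 ubuntu kernel: [ 1005.000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.13.56.121 DST=192.168.50.45 LEN=68 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=5353 LEN=48'

# Count blocked packets per source address. stdin: ufw.log lines;
# stdout: "<count> <source-ip>", most active source first.
ufw_blocked_by_src() {
    awk 'index($0, "[UFW BLOCK]") > 0 {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { split($i, kv, "="); hits[kv[2]]++ }
    } END { for (ip in hits) print hits[ip], ip }' | sort -rn
}

# Same idea keyed on the destination port, to see which services are being probed.
ufw_blocked_by_dport() {
    awk 'index($0, "[UFW BLOCK]") > 0 {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^DPT=/) { split($i, kv, "="); hits[kv[2]]++ }
    } END { for (p in hits) print hits[p], p }' | sort -rn
}

# Blocked-packet count for one source address (empty if it was never blocked).
ufw_blocked_count() {
    ufw_blocked_by_src | awk -v ip="$1" '$2 == ip { print $1 }'
}

# Source with the most blocked packets: a candidate for "sudo ufw deny from <ip>"
# once you have checked what it was probing.
ufw_top_blocked_src() {
    ufw_blocked_by_src | head -n 1 | cut -d ' ' -f 2
}

printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_blocked_by_src      # 3 203.13.56.121 / 1 198.51.100.7
printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_blocked_by_dport    # 2 22 then the single hits
```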

How to Test UFW Rules

On highly critical systems, a good option when experimenting with firewall settings is to add the --dry-run flag. This prints the changes that would have been made without applying them.

sudo ufw --dry-run enable

The same flag works with any other command, for example to preview disabling the firewall.

sudo ufw --dry-run disable

How to Reset UFW Rules

To reset your firewall back to its original state with all incoming blocked and outgoing set to allow, type the following to reset.

sudo ufw reset

To confirm the reset, enter the following:

sudo ufw status

The output should be:

Status: inactive

With the UFW firewall reset, you will now need to re-enable the firewall and start the entire process of adding rules. The reset command should be used sparingly if possible.

How to find All Open Ports (Security Check)

Most users do not realize that their systems can have ports open. In an age when every IP address on the Internet is scanned daily, it is crucial to watch what is happening behind the scenes.

The best option is to install Nmap, then use this well-known tool to list the open ports.

sudo apt install nmap

Next, find the internal IP address of the system.

hostname -I

Example output:

192.168.50.45

Now use the following Nmap command with the server’s IP address.

sudo nmap 192.168.50.45

Example output:

(Screenshot: Nmap output showing ports 80 and 9090 open.)

As above, ports 9090 and 80 are open. Before you block ports, investigate first what they are if you are unsure. Note that a scan run on the server itself reaches it over the loopback interface, which UFW allows by default, so it shows which ports are listening rather than which ones the firewall exposes; to check the rules themselves, run the scan from another machine on the network.

From this point, you can create custom UFW rules that you have learned in the tutorial to close or restrict the open ports.


Comments and Conclusion

The tutorial has successfully shown you how to set up and configure UFW for desktop or server on Ubuntu 20.04 LTS Focal Fossa.

Overall, using UFW is highly recommended as it’s a simple firewall system to use compared to other options that may be too confusing for non-power users. Given the rise of cybercrime and hacking, it’s a sure quick way to safeguard your system.

The one area where UFW starts to fall short is large rule sets and IP blacklists, where you may have hundreds of thousands if not millions of IPs blocked. Other alternatives may be needed there, but this won’t affect most users, as those servers typically have a good option ready.

Comment:
ufw is obsolete and it can only use the iptables interface. All the cool kids use firewalld now, which also interfaces with nftables which replace iptables.
