See also: Securing an Ubuntu Server
UFW community documentation: https://help.ubuntu.com/community/UFW
UFW server documentation: https://help.ubuntu.com/10.04/serverguide/C/firewall.html
UFW page: https://wiki.ubuntu.com/UncomplicatedFirewall
Implementing a basic firewall on your Ubuntu server is simple.
UFW (Uncomplicated Firewall) is a simple front end for iptables, which in turn configures Netfilter, the packet filtering framework built into the Linux kernel. In the basic setup described here it filters the IP packets that arrive at the server by port number. Port numbers are nothing magical: every TCP or UDP packet carries a destination port, an integer in the transport header, and the kernel hands packets for a given port to whatever service is listening on it, such as your web server. UFW can also match on source address and protocol, but port-based rules are all a simple server needs.
By default, when you turn on UFW, all incoming connections are denied and all outgoing traffic is allowed. Then, with very simple commands, you add rules to allow just the services you are providing. If you are only running a web server, you would allow only the port needed for that.
Turning UFW on
By default, UFW is installed but turned off. To turn it on:
sudo ufw enable
That is all there is to it. UFW is now running, and it will be started automatically when the system reboots. One caution: if you administer the server over SSH, add the rule allowing SSH (next section) before you enable UFW, because the default policy denies incoming connections and can cut off your own session. ufw prints a warning about exactly this before it enables.
Allowing SSH
By default, SSH uses port 22. Of course, you can configure OpenSSH to use a different port number; then open that port instead of 22.
sudo ufw allow 22
A bare port number opens it for both TCP and UDP; appending /tcp restricts the rule to TCP, which is all SSH uses.
…or you can use the service name instead of the port number:
sudo ufw allow ssh
…or you can use the application profile name instead of the port number:
sudo ufw allow OpenSSH
To get a list of application profiles (they are shipped by packages such as openssh-server and apache2):
sudo ufw app list
The concept to retain is that rules can be set with a port number (22), a service name (ssh) or an application profile name (OpenSSH).
Allowing Apache
By default, HTTP servers use port 80.
sudo ufw allow 80
…or you can use the service name instead of the port number:
sudo ufw allow http
…or you can use the application profile name instead of the port number (the Apache profile appears in ufw app list once the apache2 package is installed):
sudo ufw allow Apache
View status
To see the current status of UFW on your server:
sudo ufw status verbose
Example output:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
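The steps above (default policy, SSH allowed before enabling, web ports, status check) as one script. This is an added example, not code from the original post or from the UFW project. It assumes sshd listens on SSH_PORT (22), the web server on 80 and 443, and optionally an admin network ADMIN_NET (CIDR, a placeholder) from which SSH should be reachable. By default the script only prints the ufw commands so you can review them; set APPLY=1 to run them with sudo.

```sh
#!/bin/sh
# Added example (not from the original post): a lockout-safe first UFW setup
# for a web server. Prints the ufw commands by default; APPLY=1 executes them.
# Assumptions: sshd on SSH_PORT, web on 80/443, ADMIN_NET is an optional CIDR.
set -eu

APPLY="${APPLY:-0}"
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-}"   # e.g. ADMIN_NET=203.0.113.0/24 (placeholder range)

# Print the command, or run it with sudo when APPLY=1.
run() {
  if [ "$APPLY" = "1" ]; then
    sudo "$@"
  else
    printf '%s\n' "$*"
  fi
}

ufw_bootstrap() {
  # Explicit defaults: drop unsolicited inbound, let the box talk out.
  run ufw default deny incoming
  run ufw default allow outgoing
  # SSH must be allowed BEFORE enable, or a remote session can be cut off.
  if [ -n "$ADMIN_NET" ]; then
    # Only the admin network may reach SSH; tcp only, sshd does not use UDP.
    run ufw allow from "$ADMIN_NET" to any port "$SSH_PORT" proto tcp
  else
    # 'limit' allows the port but drops a source that opens more than
    # 6 new connections in 30 seconds, which blunts password guessing.
    run ufw limit "${SSH_PORT}/tcp"
  fi
  run ufw allow 80/tcp
  run ufw allow 443/tcp
  run ufw logging low
  # --force skips the "may disrupt existing ssh connections" prompt.
  run ufw --force enable
  run ufw status verbose
}

ufw_bootstrap
```

Review the printed plan first (`sh ufw-bootstrap.sh`), then apply it with `APPLY=1 sh ufw-bootstrap.sh`. The order matters: the SSH rule is added before `enable`, and `limit` rather than `allow` is used for SSH when it has to stay reachable from anywhere.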
A little more
The /etc/services text file maps service names to port numbers; it is what lets a rule such as ufw allow ssh resolve to port 22. Listing a service there says nothing about whether it runs on this system: the vast majority of entries describe services that are not installed. Its purpose is to let programs, UFW included, look up the port number conventionally assigned to a named service.
Rules can be set with any of the following:
- port number
- service name
- application name
List service names
cat /etc/services
List available application names
sudo ufw app list
List open network sockets (listening and connected) with the owning process and port
sudo lsof -i -nP
List active network connections with the owning process (netstat is part of the deprecated net-tools package; ss from iproute2 is its modern replacement)
sudo netstat -p
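The point of the listings above is to compare what is actually listening with what UFW allows. The following shell functions do that comparison over constructed sample output; they are an added example, not part of the original post or of UFW. They assume the field layout of ss -tlnH (TCP listeners, numeric, no header) and of ufw status; the sample text for both is made up here.

```sh
#!/bin/sh
# Added example (not from the original post): cross-check listening TCP ports
# against UFW ALLOW rules. On a real host:
#   listening_not_allowed "$(sudo ss -tlnH)" "$(sudo ufw status)"
set -eu

# Constructed sample of `ss -tlnH` output.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Constructed sample of `ufw status` output.
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Ports bound to a non-loopback address (loopback-only services need no rule).
# Column 4 is Local Address:Port; the port is whatever follows the last colon.
listening_ports() {
  printf '%s\n' "$1" | awk '
    $4 !~ /^127\./ && $4 !~ /^\[::1\]/ {
      n = split($4, a, ":"); if (a[n] ~ /^[0-9]+$/) print a[n] }' | sort -un
}

# Ports named in an inbound ALLOW rule. Application-profile rules (OpenSSH),
# port ranges and "from <ip>" rules are not resolved here; check them by hand.
allowed_ports() {
  printf '%s\n' "$1" | awk '
    /ALLOW/ && !/ALLOW OUT/ && $1 ~ /^[0-9]+(\/(tcp|udp))?$/ {
      split($1, a, "/"); print a[1] }' | sort -un
}

# Lines of $1 that do not appear in $2 (both newline-separated lists).
set_minus() {
  printf '%s\n' "$1" | awk -v other="$2" '
    BEGIN { n = split(other, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
    $0 != "" && !($0 in seen)'
}

# Listening on a reachable address with no ALLOW rule: only the default deny
# stands between it and the network, so decide whether it should exist at all.
listening_not_allowed() { set_minus "$(listening_ports "$1")" "$(allowed_ports "$2")"; }

# ALLOW rule with nothing behind it: a stale hole, delete the rule.
allowed_not_listening() { set_minus "$(allowed_ports "$2")" "$(listening_ports "$1")"; }

report() {
  echo "Listening but not allowed (blocked only by default deny):"
  listening_not_allowed "$1" "$2" | sed 's/^/  /'
  echo "Allowed but nothing listening (stale rules):"
  allowed_not_listening "$1" "$2" | sed 's/^/  /'
}

report "$SAMPLE_SS" "$SAMPLE_UFW"
```

On the sample data the report flags port 8080 (listening, no rule) and port 443 (rule, nothing listening); 3306 is ignored because it is bound to 127.0.0.1 and cannot be reached from the network regardless of the firewall.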
UFW Help
Enter:
sudo ufw help
Help output:
Usage: ufw COMMAND

Commands:
 enable                          enables the firewall
 disable                         disables the firewall
 default ARG                     set default policy
 logging LEVEL                   set logging to LEVEL
 allow ARGS                      add allow rule
 deny ARGS                       add deny rule
 reject ARGS                     add reject rule
 limit ARGS                      add limit rule
 delete RULE|NUM                 delete RULE
 insert NUM RULE                 insert RULE at NUM
 reset                           reset firewall
 status                          show firewall status
 status numbered                 show firewall status as numbered list of RULES
 status verbose                  show verbose firewall status
 show ARG                        show firewall report
 version                         display version information

Application profile commands:
 app list                        list application profiles
 app info PROFILE                show information on PROFILE
 app update PROFILE              update PROFILE
 app default ARG                 set default application policy