UFW Cheat Sheet

Secure computer

Since the introduction by Ubuntu of UFW (Uncomplicated FireWall) back in 2008 it has been my tool of choice for simple firewall configuration. Whilst it may lack the depth and sophistication of an enterprise level product, its simplicity makes it straight-forward and quick to secure servers in simple use-cases.

Scenario

You have a newly spun up server/vps without any other local firewall products install. You want to install UFW and allow access to some common ports. For some time now, UFW also has ipv6 enabled out of the box.

Basic Usage

Installation

If you are using Ubuntu then UFW will be installed by default. If you are using Debian or a derivative, then you can install UFW by entering the following

root@host:~# apt-get install ufw

UFW is not available in CentOS, and although you can install it from source, that is outside the scope of this tutorial.

Checking status

When you check the status, UFW will either tell you that it is inactive,

root@host:~# ufw status
 Status: inactive

or it will tell you it is active and list the firewall rules.

root@host:~# ufw status
 Status: active
 To                         Action      From
 --                         ------      ----
 22/tcp                     ALLOW       Anywhere                  
 22/tcp (v6)                ALLOW       Anywhere (v6)

Rules can also be numbered, which is particularly useful when you wish to delete one.

root@host:~# ufw status numbered
 Status: active
  To                         Action      From  --                         ------      ----
 [ 1] WWW Full                   ALLOW IN    Anywhere                  
 [ 2] WWW Full (v6)              ALLOW IN    Anywhere (v6)

Not that if you have no rules enables, you will just be told it is active

root@host:~# ufw status
 Status: active

Enable and disable

Enabling and disabling are from the following commands. Warning; if you are working on a remote system, allow the SSH rule before you enable UFW or you risk losing your shell access.

root@host:~# ufw enable
 Firewall is active and enabled on system startup
root@host:~# ufw disable
 Firewall stopped and disabled on system startup

Deleting rules

The easiest way to delete a rule is to delete it by number, but you can also delete it by definition.

sroot@host:~# ufw status numbered
 Status: active
  To                         Action      From  --                         ------      ----
 [ 1] 22/tcp                     ALLOW IN    Anywhere                  
 [ 2] 22/tcp (v6)                ALLOW IN    Anywhere (v6)

Note that as there are 2 rules (ipv4 and ipv6) for every pre-defined service, delete will only remove the rule for one protocol.

root@host:~# ufw delete 2
 Deleting:
  allow 22/tcp
 Proceed with operation (y|n)? y
 Rule deleted (v6)

Logging

Logging is on by default, but can rapidly fill your log files with noise. Enable and disable thusly

root@host:~# ufw logging on
 Logging enabled
root@host:~# ufw logging off
 Logging disabled

You can also change the logging levels if necessary, but low is the default.

root@host:~# ufw logging medium
 Logging enabled

Pre-defined rules

One of the strengths for sysadmins who may only infrequently change firewall rules is the set of pre-defined rules that UFW ships with. These obviously assume that you are running services on default ports and will NOT work if you have tried to obfuscate by assigning non-default ports. They also assume you will be allowing ALL traffic to these port (see later for how to restrict traffic sources and destinations.

root@host:~# ufw app list
 Available applications:
   AIM
   Bonjour
   CIFS
   CUPS
   DNS
   Deluge
   IMAP
   IMAPS
   IPP
   KTorrent
   Kerberos Admin
   Kerberos Full
   Kerberos KDC
   Kerberos Password
   LDAP
   LDAPS
   LPD
   MSN
   MSN SSL
   Mail submission
   NFS
   POP3
   POP3S
   PeopleNearby
   SMTP
   SSH
   Socks
   Telnet
   Transmission
   Transparent Proxy
   VNC
   WWW
   WWW Cache
   WWW Full
   WWW Secure
   XMPP
   Yahoo
   qBittorrent
   svnserve

You can see a full list of these and their definitions in /etc/ufw/applications.d.

SSH

If you are running a remote server, you almost certainly want this rule enabled.

 root@host:~# ufw allow ssh
 Rule added
 Rule added (v6)
root@host:~# ufw status
 Status: active
 To                         Action      From
 --                         ------      ----
 22/tcp                     ALLOW       Anywhere                  
 22/tcp (v6)                ALLOW       Anywhere (v6)

http(s)

You can enable both port 80 (http) and 443 (https) in one go with the following command, but there are options to only enable one

root@host:~# ufw allow www\ full
 Rules updated
 Rules updated (v6)
root@host:~# ufw status
 [sudo] password for simon: 
 Status: active
 To                         Action      From
 --                         ------      ----
 WWW Full                   ALLOW       Anywhere                  
 WWW Full (v6)              ALLOW       Anywhere (v6) 

More complex usage

Port and protocol

root@host:~# ufw allow 45/tcp
 Rule added
 Rule added (v6)

Source and Destination

Allow only from an IP

root@host:~# ufw allow from 192.168.1.1 port 62
 Rule added
root@host:~# ufw status
 Status: active
 To                         Action      From
 --                         ------      ----
 Anywhere                   ALLOW       192.168.1.1 62

Allow only to a certain local interface

root@host:~# ufw allow to 127.0.0.2 port 62
 Rule added
root@host:~# ufw status
 Status: active
 To                         Action      From
 --                         ------      ----
 127.0.0.2 62               ALLOW       Anywhere

Protocol only

If you have followed my ipsec tutorial, you will need the firewall ports open to establish the key exchange – this is one of the few protolcols which do not require a port number.

root@host:~# ufw allow to 127.0.0.3 proto esp
 Rule added

root@host:~# ufw allow to 127.0.0.3 proto ah
 Rule added
root@host:~# ufw status
 Status: active
 To                         Action      From
 --                         ------      ----
 127.0.0.3/esp              ALLOW       Anywhere                  
 127.0.0.3/ah               ALLOW       Anywhere 

But note that you need a destination in this instance.