How To Configure Firewall with UFW on Ubuntu 22.04
Introduction
When it comes to configuring firewall on Ubuntu server, you have two primary options: ufw (Uncomplicated Firewall) and iptables. Both tools provide firewall functionality but differ in terms of ease of use and complexity.
UFW vs IPTables
UFW (Uncomplicated Firewall) is a front-end for iptables that aims to simplify the process of configuring a firewall. It provides a user-friendly command-line interface and allows you to manage firewall rules using human-readable syntax. UfW provides a set of default rules that are easy to understand and configure. If you create your rules with ufw, you'll see them when you run iptables -L -n -v.
IPTables provides granular control over network traffic by allowing you to define rules based on various criteria such as IP addresses, ports, protocols, and more. iptables has a more complex syntax compared to ufw but offers greater flexibility and advanced features.
IPTables gives you more flexibility, but it's also slightly more complicated to configure. So use whichever one you're most happy with. If you use iptables, remember that it only affects IPv4 - you need to also use ip6tables if your server has IPv6.
In this article, we will see how to configure and manage the UFW firewall on Ubuntu 22.04.
How to Configure and Manage the UFW Firewall
1. Checking UFW Status
To check the current status of UFW, run the following command:
$ sudo ufw status
This will show you if UFW is active or inactive, the default input and output policies, and any rules that have been created.
A fresh Ubuntu 22.04 installation will have UFW inactive by default.
2. Allowing Incoming Connections
To allow incoming connections on a specific port, you need to allow that port using UFW. For example, to allow HTTP traffic on port 80, run:
$ sudo ufw allow 80/tcp
This will allow all incoming TCP connections on port 80. You can also specify the IP address to allow only for a specific host:
$ sudo ufw allow from 192.168.1.100 to any port 80
To allow both TCP and UDP protocols on port 123, run:
$ sudo ufw allow 123/tcp $ sudo ufw allow 123/udp
3. Allow HTTP/HTTPS Traffic
It is a common requirement to allow incoming HTTP and HTTPS traffic. You can do that with:
$ sudo ufw allow 'Apache Full'
This will allow HTTP traffic on port 80 and HTTPS traffic on port 443.
4. Allow Specific Ports
To allow multiple ports at once, specify the starting and ending ports:
$ sudo ufw allow 2000:2100/tcp
This will allow all ports from 2000 to 2100. You can also specify ports in a comma-separated list:
$ sudo ufw allow 80,443,8080/tcp $ sudo ufw allow 22,25,110/tcp
5. Allow SSH Connections
To allow incoming SSH connections on port 22, run:
$ sudo ufw allow 22/tcp
This is required to manage your Ubuntu server remotely using SSH.
6. Allow DNS Traffic
DNS uses UDP protocol on port 53. To allow incoming DNS queries, run:
$ sudo ufw allow 53/udp
7. Allow VNC Connections
To allow incoming VNC connections (usually port 5900 ), run:
$ sudo ufw allow 5900/tcp
8. Block Unwanted Connections
To block specific ports or protocols, use deny instead of allow. For example, to block incoming SMTP traffic:
$ sudo ufw deny 25/tcp
You can also block all incoming connections on a specific port:
$ sudo ufw deny 8080/tcp
9. Setting Default Policies
By default, the UFW incoming policy is set to deny, which means all incoming traffic is blocked. You can change this policy using:
$ sudo ufw default deny incoming # To deny all incoming traffic $ sudo ufw default allow incoming # To allow all incoming traffic
Similarly, you can set the default outgoing policy using:
$ sudo ufw default deny outgoing $ sudo ufw default allow outgoing
It is recommended to keep the default incoming policy as deny for security.
10. Checking UFW Logs
You can enable logging with the command:
$ sudo ufw logging on
Log levels can be set by running sudo ufw logging low|medium|high, selecting either low, medium, or high from the list. The default setting is low.
UFW keeps logs of denied connections in /var/log/ufw.log. You can view the log file using:
$ sudo less /var/log/ufw.log
To enable verbose logging, run:
$ sudo ufw logging verbose
Then UFW will log all allowed and denied connections.
11. Deleting UFW Rules
The syntax is as follows to list all of the current rules in a numbered list format:
$ sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 80/tcp ALLOW IN Anywhere # accept Apache
[ 3] 443/tcp ALLOW IN Anywhere # accept HTTPS connections
[ 4] 1194/udp ALLOW IN Anywhere # OpenVPN server
[ 5] 3000:4000/tcp ALLOW IN Anywhere
[ 6] 3000:4000/udp ALLOW IN AnywhereTo delete 6th rule type the command:
$ sudo ufw delete 6
You can also delete rules for a specific port:
$ sudo ufw delete allow 80
To flush all UFW rules and restore the default policy, run:
$ sudo ufw reset
12. Restoring UFW Default Rules
If you have changed UFW rules and want to restore the default rules, run:
$ sudo ufw disable $ sudo ufw reset $ sudo ufw enable
This will:
- Disable UFW
- Flush existing rules
- Re-enable UFW with the default configuration
This ensures UFW works with the default settings again.
13. Enabling and Disabling UFW
To enable UFW and start enforcing the firewall rules, run:
$ sudo ufw enable
To temporarily disable UFW, run:
$ sudo ufw disable
14. Enabling IPv6 support
Make sure the directive IPV6=yes do exists in /etc/default/ufw file. For instance:
$ cat /etc/default/ufw
Conclusion
UFW is a powerful tool that can greatly improve the security of your servers when properly configured. This reference guide covers some common UFW rules that are often used to configure a firewall on Ubuntu. Your firewall is now configured to allow (at least) SSH connections. Be sure to allow any other incoming connections that your server needs, while limiting any unnecessary connections, so your server will be functional and secure.
I hope this helps you configure and manage UFW firewall on Ubuntu 22.04. Let me know if you have any other questions!