UFW Essentials in Linux: Key Commands and Configurations
The Uncomplicated Firewall (UFW) is a key part of a server admin’s toolbox. This guide is designed to cover everything you need to know to get started with, including what it is, how to enable it, and common commands.
What is UFW?
As its full name suggests, UFW is a firewall tool. But what exactly does that mean? A firewall is used to monitor incoming and outgoing traffic on your network, allowing or blocking traffic based on a set of rules you define. You can think of it as a security filter between your device and the internet.
UFW vs IP tables
There is some confusion surrounding the difference between UFW and IPtables and which you should be using. The main thing to understand is that UFW is built on IPtables – it’s essentially a simpler IPtables interface. The answer to which you should use is, therefore, easy: IPtables if you’re an advanced user, and UFW for everything else.
Getting Started with UFW
Let’s start with the basic management of UFW: enabling it, disabling it, restarting it, and checking its status.
Checking UFW Status
You can check the status of UFW to see if it is enabled using:
ufw status
The command will return either ufw status inactive
or ufw status active
.
How to Enable UFW
If your firewall is inactive, you can enable it with a simple command. However, bear in mind that enabling this on a server without first allowing traffic through port 22 for SSH will cause you to lose your SSH connection and be unable to easily regain it.
sudo ufw enable
Disabling and Restarting UFW
If you run into issues with your firewall, you may need to temporarily disable ufw:
sudo ufw disable
There is no restart UFW command, so you will have to use the disable command above followed by `sudo ufw enable` to do. Alternatively, if you just need to reload the firewall rules, you can use:
sudo ufw reload
Configuring UFW Rules
There are three main ways to configure a firewall rule: based on IP address, a port, or an application.
Managing Ports
The most common reason to use UFW is for opening and closing ports. Opening a port allows traffic to flow through it to and from your server. Different applications and services use different ports. For example:
- SSH uses port 22 by default (though we recommend changing this for security
- Port 443 is used for HTTPS traffic
- Port 80 is used for HTTP traffic
- FTP uses ports 20 and 21
Ideally, you should only be opening ports that you have a good to reason to. Every open port represents a potential avenue of attack. That said, you can use UFW to open a port with this command:
sudo ufw allow port/protocol
So, for example, to open the SSH port we would use:
Sudo ufw allow 22/tcp
Allowing and Blocking IP Addresses
If you need to be more specific, UFW allows you to allow or block traffic from a specific IP address.
UFW block IP command
The command to block and IP with UFW is:
Sudo ufw deny your.ip.address
You can expand this by blocking an entire subnet if necessary:
sudo ufw deny from ip.address/subnet
For example:
sudo ufw deny from 123.3.234.0/24
Bear in mind that it is simple to change IP address. VPNs are easily accessible, and even users on home networks tend to have their IP rotated regularly by their ISP. This is more useful if you want to limit traffic from a specific website or service with a static IP address.
Allowing an IP address with UFW
Allowing traffic from an IP address works in much the same way:
sudo ufw allow from ip.address
You can also block subnets with:
sudo ufw allow from 129.0.0.0/24
Applications
Most applications that require use of the network to function correctly will include a UFW profile when they are installed. This creates a way for you to implement all of the required UFW rules without needing to manually research them.
Working with UFW application profiles
A good place to start is by seeing which application profiles are available to you. You can use this command to list UFW app profiles:
sudo ufw app list
It should return an output that looks something like this:
Available applications:
ApplicationName
Enabling an application profile is then as simple as running:
sudo ufw allow "ApplicationName"
The command to remove an application profile is:
sudo ufw delete allow "ApplicationName"
Managing rules
It's important to regularly review and manage your firewall rules to ensure there are no ports open that do not need to be. The first step in that process is using UFW to list rules that are currently active:
sudo ufw status
This will give an output such as:
Status:active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
80/tcp ALLOW Anywhere
Delete UFW Rules
Removing rules that you previously enabled is quite intuitive: just type ufw delete
, followed by whatever command you used to add it.
For example, ufw delete "OpenSSH"
would remove the OpenSSH application rule. However, if you wanted to delete a UFW rule that allows connections from a specific port, you would run:
ufw delete allow 80/tcp
Or traffic from a specific IP address would be:
ufw delete allow from 127.1.1.0
UFW Logs and Monitoring
Knowing which packets are being blocked and which aren't gives you an idea of whether your firewall rules have been effective, helps to investigate attacks, etc.
Enabling and configuring UFW logs
UFW logging is usually enabled by default, but you can check this with:
sudo ufw status verbose
Your output should look like this:
Status: active
Logging: on
...
There are four different levels of logging:
- Low: Shows all blocked or allowed packets by your rules
- Medium: All logged or blocked packets by rules plus those that don't match any rules
- High: All logs for packets with and without rate limiting
- Full: All packets without rate limiting
If your logging is set to off, you can turn it on with:
sudo ufw logging on
You can change your logging level using:
sudo ufw logging low/medium/high/full
If you'd like to monitor a specific service, you can add a logging rule. For example, we could monitor the SSH port with:
sudo ufw allow log 22/tcp
Viewing and interpreting UFW logs
UFW logs are saved primarily to /var/log/ufw/
. You can either view them live with tail
or not live using grep
. The command to view UFW logs live is:
tail -f /var/log/ufw.log
Or you can view your UFW history like so:
grep -i ufw /var/log/syslog
Understanding UFW logs
Regardless of the command you use to view your UFW logs, they'll look something like this:
Dec 4 08:25:00 656d86415f075dfaa371d8bf kernel: [ 1659.916118] [UFW BLOCK] IN=eth0 OUT= MAC=8a:aa:4b:ec:de:a3:f8:c0:01:c3:00:01:06:00 SRC=184.91.129.123 DST=172.86.75.134 LEN=52 TOS=0x0A PREC=0x20 TTL=54 ID=59521 DF PROTO=TCP SPT=60562 DPT=3389 WINDOW=64240 RES=0x00 CWR ECE SYN URGP=0
Admittedly, this can be very confusing at first glance. However, if we break it down you'll see it's not nearly as complicated as it looks:
Dec 2 08:25:00 656d86415f075dfaa371d8bf kernel: [ 1659.916118]
: This is one is quite self-explanatory: the date and time of the server followed by the hostname and the kernel time since boot.[UFW BLOCK/ALLOW]
: Will indicate whether the log pertains to a packet that has been allowed through the firewall or blocked by it.IN=eth0
: The interface the packet arrived on, in our case ethernet 0.OUT=
: Any outgoing events will be noted after this value. Most of the time it will be blank.MAC=8a:aa:4b:ec:de:a3:f8:c0:01:c3:00:01:06:00
: The MAC address of the source of the traffic combined with the mac address of the destination.SRC=184.91.129.123
: The IP address of the machine the packet is coming from.DST=172.86.75.134
: The IP address of the packet's destination.LEN=52
: The length of the packet in bytes.TOS=0x0A
: Stands for "type of service", as found in the TCP header. Examples can be found here. You can mostly ignore this is you are not an advanced user.PREC=0x20
: The precedence (priority level) section of the type of service.TTL=54
: The packet's "time to live", a common networking term that denotes how long the packet will remain valid before it is discarded.ID=59521
: A unique ID applied the IP datagram, shared by fragments of the same packet. This is unlikely to be particularly useful to you, so you can disregard it during normal usage.DF
: Shows the presence of a "don't fragment" bit, which asks that packet is not fragmented when sent.PROTO=TCP
: The protocol used to transmit the packet, in this case TCP.SPT=60562
: The port the packet was sent from (the source).DPT=22
The port the packet was received on (the destination).WINDOW=64240
: The TCP window size, which indicates the amount of data a computer can accept without sending an acknowledgment.RES=0x00
: The resvered bits.CWR
: Indicates that the sender of the packet has reduced its congestion window.SYN
: A request to make a new connection. If it is followed byURGP=0
, it means the connection was not established. Potential SYN flood DDoS attacks will be marked bySYN-FLOOD
.ACK:
The existence of the acknowledgment flag, which is used to show a sender that the packet was successfully received by the host.
That's a lot of information. However, most of it you can ignore on the first pass. Just looking at the date and time, destination port (DPT), BLOCK/ALLOW, and source IP address (SRC) will give you a lot of useful information about your firewall.
Closing words
The uncomplicated firewall (UFW) is still an intimidating tool for beginners. This guide should be enough to get you started in securing your server. For more information, you can read the manual for your distribution. If you have a specific question and are a BitLaunch customer, our 24/7 support team may be able to help.
Not a BiLaunch customer? Sign up here and talk to our support for some free credit.