Uncomplicated Firewall
1. Overview
The Uncomplicated Firewall (ufw) is a front end to the Linux netfilter (iptables) packet filter that provides a simple way to limit access to a Linux host on the Internet. The standard configuration blocks all incoming traffic but allows all outgoing traffic. Particular ports are then opened to enable the desired services, such as ssh, http or https.
2. Checking the status of the ufw
On Ubuntu, ufw is typically already installed. You can check for it with
user$ which ufw
/usr/sbin/ufw
If it has been uninstalled, you can reinstall it with
user$ sudo -s
root$ apt install ufw
To see if it is already configured and running, check with
client$ sudo -s
root@client$ ufw status verbose
If it is running and configured to allow ssh, ldap and ldaps over both IPv4 and IPv6, you should see something like
root@noether:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                   # ssh
389                        ALLOW IN    Anywhere                   # ldap
636                        ALLOW IN    Anywhere                   # ldaps
22/tcp (v6)                ALLOW IN    Anywhere (v6)              # ssh
389 (v6)                   ALLOW IN    Anywhere (v6)              # ldap
636 (v6)                   ALLOW IN    Anywhere (v6)              # ldaps
3. Setup
If ufw is not configured and enabled, here are the steps to fix that.
3.1. Enable IPv6
Edit the file /etc/default/ufw and make sure that the line referencing IPV6 reads
IPV6=yes
With IPV6=yes every rule added below is installed for both IPv4 and IPv6 (the "(v6)" entries in the status output). With IPV6=no, ufw does not manage the IPv6 firewall at all, so services would stay reachable over IPv6 even though the IPv4 rules deny them.
3.2. Configure the firewall and enable it
root@client$ apt -y install ufw
root@client$ ufw default deny incoming
root@client$ ufw default allow outgoing
root@client$ ufw allow ssh comment ssh
root@client$ ufw allow ldap comment ldap
root@client$ ufw allow ldaps comment ldaps
Once the firewall has been configured, make sure that it is enabled. If you are working over ssh, the ssh rule above must be in place before this step: ufw enable warns that it may disrupt existing ssh connections, and with the default deny policy and no ssh rule a remote session will be locked out.
root@client$ ufw enable
root@client$ ufw status verbose
You should see output like
root@noether:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                   # ssh
389                        ALLOW IN    Anywhere                   # ldap
636                        ALLOW IN    Anywhere                   # ldaps
22/tcp (v6)                ALLOW IN    Anywhere (v6)              # ssh
389 (v6)                   ALLOW IN    Anywhere (v6)              # ldap
636 (v6)                   ALLOW IN    Anywhere (v6)              # ldaps
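The status check in section 2 and the setup in section 3 can be scripted so that a host is verified against the intended rule set instead of read by eye. The script below is an added example, not part of the original page or of the ufw project: it sets IPV6=yes in a copy of /etc/default/ufw, compares the output of ufw status verbose against the three rules the page opens (22/tcp, 389, 636, each for IPv4 and IPv6), and only applies the rules when run as root with --apply. The sample status text is constructed from the page's listing, and the function names and REQUIRED_RULES list are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify and apply the ufw setup described on this page.
# REQUIRED_RULES and the sample status are assumptions modelled on the
# page's listing; they are not ufw's own code or output format guarantees.

# Service name -> the "To" column ufw prints once the rule exists.
# ssh resolves to 22/tcp; ldap and ldaps list both tcp and udp in
# /etc/services, so ufw prints them as bare port numbers.
REQUIRED_RULES="22/tcp 389 636"

# Set IPV6=yes in the file given as $1 (normally /etc/default/ufw),
# appending the line if it is missing. Prints the resulting value.
set_ipv6_yes() {
    f="$1"
    if grep -q '^IPV6=' "$f"; then
        sed 's/^IPV6=.*/IPV6=yes/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf 'IPV6=yes\n' >> "$f"
    fi
    sed -n 's/^IPV6=//p' "$f"
}

# Read `ufw status verbose` output from stdin; succeed only if active.
firewall_active() {
    grep -q '^Status: active'
}

# Read `ufw status verbose` output from stdin and print every required
# rule that has no matching "ALLOW IN" line, checking IPv4 and IPv6
# entries separately. Prints nothing when the host matches the setup.
missing_rules() {
    status="$(cat)"
    for rule in $REQUIRED_RULES; do
        printf '%s\n' "$status" | grep -q "^$rule  *ALLOW IN" || echo "$rule"
        printf '%s\n' "$status" | grep -q "^$rule (v6)  *ALLOW IN" || echo "$rule (v6)"
    done
}

# Apply the page's rules with ufw itself (needs root and a real ufw).
# The ssh rule is added before enabling so a remote session survives;
# --force skips the interactive "may disrupt ssh" confirmation.
apply_rules() {
    set_ipv6_yes /etc/default/ufw >/dev/null
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow ssh comment ssh
    ufw allow ldap comment ldap
    ufw allow ldaps comment ldaps
    ufw --force enable
    ufw status verbose | missing_rules
}

# Constructed sample: the status output shown on this page.
SAMPLE_STATUS="$(cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                   # ssh
389                        ALLOW IN    Anywhere                   # ldap
636                        ALLOW IN    Anywhere                   # ldaps
22/tcp (v6)                ALLOW IN    Anywhere (v6)              # ssh
389 (v6)                   ALLOW IN    Anywhere (v6)              # ldap
636 (v6)                   ALLOW IN    Anywhere (v6)              # ldaps
EOF
)"

# Only touch the real firewall when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run it as root with --apply to configure a host, or pipe a saved status listing into missing_rules to audit one; an empty result means every expected rule is present. The rules on this page accept ldap and ldaps from Anywhere; on a server that only serves a known network, ufw allow from 10.0.0.0/8 to any port 389 (with the real source range in place of that assumed one) limits exposure further.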
4. Further information
See this excellent introduction for more information on how to remove or modify rules. In short, ufw status numbered lists the rules with an index, and ufw delete followed by that index removes the corresponding rule.