ufw – uncomplicated fire wall

Updated 28-Jun-2024

ufw is known as a Debian (and Ubuntu) firewall, which is disabled by default but easy to use. There are some GUI front-ends which make it popular for Linux on the desktop. Coming from a CentOS background (RHEL/Amazon Linux AMI), ufw is not as common (as, say firewalld, or simply iptables, to which both ufw and firewalld are more or less interfaces).

Recall that netfilter is where the actual firewalling takes place, with iptables an interface on top of that, and ufw/firewalld as interfaces on top of iptables. Given this, there is no reason why ufw or firewalld cannot be run on any Linux, provided packages (or compiling) are available.

Install and configure ufw

An example installation and configuration script:

sudo modprobe ip6table_filter
sudo apt install ufw
sudo ufw allow ssh
sudo ufw allow syncthing
sudo ufw allow syncthing-gui
sudo ufw allow http
sudo ufw allow https
sudo ufw allow Samba
sudo ufw allow CUPS
sudo ufw enable
sudo ufw reload

Note to only allow those protocols / ports which are necessary for functionality.

One can enable or disable routes and ports using port numbers, as well as config line numbers. Some basic commands:

sudo ufw status numbered
sudo ufw delete (number)
sudo ufw delete allow (app)

One can allow or disallow from ip addresses, as well as protocol (tcp/udp) and ranges. For example allow full access from a specific IP address or network:

sudo ufw allow in on eth0 from 192.168.0.0/24

Default ufw configuration

sudo nano /etc/default/ufw

Make sure IPV6=yes, and the standard defaults of DROP and ACCEPT and DROP for INPUT, OUTPUT, and FORWARD respectively. FORWARD needs to be ACCEPT for using something like OpenVPN.

Resources