UFW - Uncomplicated Firewall
Managing a firewall with UFW
What is UFW?
Uncomplicated Firewall, or "ufw" for short, is a simple command line tool that lets you manage your firewall settings with a small set of easy to learn commands. ufw is generally available on Debian-based systems such as Ubuntu.
Traditionally "iptables" is the command line tool used to manipulate firewall settings. ufw is a front end to iptables: every rule you add with ufw is turned into iptables rules underneath. Graphical user interfaces are also available for ufw.
"gufw" is an easy to use graphical interface for configuring your Ubuntu firewall. It covers common tasks such as allowing or blocking pre-configured services, common P2P applications, or individual IP addresses and ports.
"gufw" can be installed from your repositories either with the command:
sudo apt-get install gufw
or by searching for gufw within the "Ubuntu Software centre". Once located, simply click on the install option.
More information regarding the graphical user interface for ufw can be found at the developers site: GUFW Developers Site
Basic Command Example
The following example shows some of the commands used to create a simple rule and check the current status of your firewall. The commands below allow ssh access, enable logging, enable the firewall and display its status. Note the order: the ssh rule is added before the firewall is enabled, because ufw's default incoming policy is deny (unless changed in /etc/default/ufw), so enabling it first on a remote machine would block new ssh connections.
john@booboo:~$ sudo ufw allow ssh/tcp
john@booboo:~$ sudo ufw logging on
john@booboo:~$ sudo ufw enable
john@booboo:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere (v6)
"ufw" can be used to carry out any functionality that "iptables" can do. This is achieved by using several sets of rule files:
/etc/default/ufw: High Level Configuration, Default Policies, IPv6 support and kernel modules to use.
/etc/ufw/before.rules: These rules are evaluated before any rules added via the ufw command.
/etc/ufw/after.rules: These rules are evaluated after any rules added via the ufw command.
/etc/ufw/sysctl.conf: kernel network tunables.
/var/lib/ufw/user.rules or /lib/ufw/user.rules (0.28 and later): These are rules added by the ufw command. This file should not be edited by hand.
/etc/ufw/ufw.conf: This sets whether or not "ufw" is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL.
After modifying any of the above files, activate the new settings by issuing the following commands:
$ sudo ufw disable
$ sudo ufw enable
What Version of ufw?
john@booboo:~$ sudo ufw version
ufw 0.31.1-1
Copyright 2008-2010 Canonical Ltd.
Check Status of Firewall
Command: sudo ufw status
john@booboo:~$ sudo ufw status
[sudo] password for john:
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere (v6)
Block a Port with ufw
The following command will block incoming connections to port 80 (the rule is added for both IPv4 and IPv6):
john@booboo:~$ sudo ufw deny 80/tcp
Rule added
Rule added (v6)
john@booboo:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     DENY        Anywhere
22/tcp                     ALLOW       Anywhere (v6)
80/tcp                     DENY        Anywhere (v6)
Delete a Rule
To delete a rule, simply add the word "delete" before the command that created the rule:
Command: sudo ufw delete deny 80/tcp
john@booboo:~$ sudo ufw delete deny 80/tcp
Rule deleted
Rule deleted (v6)
john@booboo:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere (v6)
List Rules with a Line Number
It is often easier to refer to a rule by its line number. To find out what number is associated with a rule, we use the option "numbered" with the status command:
john@booboo:~$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     DENY IN     Anywhere
[ 3] 22/tcp                     ALLOW IN    Anywhere (v6)
[ 4] 80/tcp                     DENY IN     Anywhere (v6)
Delete a Rule by its Line Number
To delete a rule using its line number, we simply pass "delete" followed by the line number. ufw asks for confirmation and shows the rule it is about to remove, which is worth checking, because the remaining rules are renumbered after every deletion:
john@booboo:~$ sudo ufw delete 4
Deleting:
 deny 80/tcp
Proceed with operation (y|n)? y
Rule deleted (v6)
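Because ufw renumbers the remaining rules after each deletion, removing several rules by number in ascending order deletes the wrong ones from the second deletion onward. The following added shell example (not part of the original page) parses the text that "ufw status numbered" prints, collects the numbers of every rule whose "To" column matches a given port specification, and emits the delete commands highest number first so they can be run top to bottom. The status text is a constructed sample, not output captured from a real host, and the "--force" option is ufw's own flag for skipping the confirmation prompt.

```shell
#!/bin/sh
# Added example: delete ufw rules by number safely (highest number first).
# ufw renumbers the remaining rules after every deletion, so deleting in
# ascending order would hit the wrong rules after the first one.

# Constructed sample of "sudo ufw status numbered" output (not from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     DENY IN     Anywhere
[ 3] 22/tcp                     ALLOW IN    Anywhere (v6)
[ 4] 80/tcp                     DENY IN     Anywhere (v6)'

# rule_numbers_for STATUS_TEXT PORT_SPEC
# Prints the numbers of the rules whose "To" column equals PORT_SPEC,
# one per line, in descending order (the order they must be deleted in).
rule_numbers_for() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^\[ *[0-9]+\]/ {
            num = $0
            sub(/^\[ */, "", num)      # strip "[ " before the number
            sub(/\].*/, "", num)       # strip "]" and the rest of the line
            line = $0
            sub(/^\[ *[0-9]+\] */, "", line)
            split(line, f, " ")        # f[1] is the "To" column
            if (f[1] == want) print num
        }' | sort -rn
}

# delete_commands STATUS_TEXT PORT_SPEC
# Prints the ufw commands that remove every matching rule; safe to run
# top to bottom because the highest rule number is deleted first.
delete_commands() {
    for n in $(rule_numbers_for "$1" "$2"); do
        printf 'sudo ufw --force delete %s\n' "$n"
    done
}

# Show which commands would remove both 80/tcp rules (IPv4 and IPv6).
delete_commands "$SAMPLE_STATUS" 80/tcp
```

On a real host, feed the live output in with `delete_commands "$(sudo ufw status numbered)" 80/tcp`, read the commands it prints, and only then run them; re-run `sudo ufw status numbered` afterwards to confirm that exactly the intended rules are gone.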
List Applications with profiles
Some applications come with predefined ufw profiles. To view these available profiles on your system, simply issue the following command:
john@booboo:~$ sudo ufw app list
Available applications:
  CUPS
  OpenSSH
Display Information about a profile
To view profile information, use the "app info" option with the profile name:
john@booboo:~$ sudo ufw app list
Available applications:
  CUPS
  OpenSSH
john@booboo:~$ sudo ufw app info OpenSSH
Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.

Port:
  22/tcp
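The predefined profiles listed by "app list" are plain text files in /etc/ufw/applications.d/, and you can write your own for services that do not ship one. The following added shell example (not from the original page) writes a profile for a hypothetical web application to a directory of your choice and parses its "ports" value back out, so you can check the profile before copying it into /etc/ufw/applications.d/. The profile name, title, description and ports are constructed for the example; the file format itself (an INI-style [Name] section with title, description and ports keys, several port entries separated by "|", ranges written low:high) is ufw's own.

```shell
#!/bin/sh
# Added example: a custom ufw application profile and a check of its contents.
# ufw reads profiles from /etc/ufw/applications.d/. Each file holds one or more
# [Name] sections with title, description and ports keys. Several port entries
# are separated by "|", a range is written low:high, and a comma list such as
# 80,443/tcp covers several ports with one protocol.

# Constructed profile for a hypothetical application (not a real package's profile).
PROFILE_TEXT='[Hypothetical Web]
title=Hypothetical web application
description=HTTP front end plus a UDP range for media streams
ports=80,443/tcp|30000:30100/udp
'

# write_profile DIR: write the profile into DIR and print the file path.
# On a real host DIR would be /etc/ufw/applications.d.
write_profile() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s' "$PROFILE_TEXT" > "$dir/hypothetical-web"
    printf '%s\n' "$dir/hypothetical-web"
}

# profile_ports FILE NAME: print the ports value of section [NAME] in FILE,
# or nothing if the section does not exist.
profile_ports() {
    awk -v name="$2" '
        /^\[/ { in_section = ($0 == "[" name "]"); next }
        in_section && sub(/^ports=/, "") { print; exit }
    ' "$1"
}

# count_port_entries SPEC: number of "|"-separated entries in a ports value.
count_port_entries() {
    printf '%s\n' "$1" | awk -F'|' '{ print NF }'
}

tmpdir="${TMPDIR:-/tmp}/ufw-profile-example.$$"
file=$(write_profile "$tmpdir")
printf 'profile written to %s\n' "$file"
printf 'ports: %s\n' "$(profile_ports "$file" "Hypothetical Web")"
# After copying the file to /etc/ufw/applications.d/ on a real host:
#   sudo ufw app update "Hypothetical Web"
#   sudo ufw app info "Hypothetical Web"
#   sudo ufw allow "Hypothetical Web"
rm -rf "$tmpdir"
```

Keeping a service's ports in a profile rather than in ad hoc "allow" rules means "ufw status" shows a recognisable name instead of a bare port list, and a later change to the service's ports is a one-file edit followed by "app update".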
Further help with ufw
To view all of the many options available to "ufw", simply issue the command "man ufw" from your terminal.
You may also issue "ufw --help" for a quick command overview:
john@john-desktop:~$ ufw --help

Usage: ufw COMMAND

Commands:
 enable                          enables the firewall
 disable                         disables the firewall
 default ARG                     set default policy
 logging LEVEL                   set logging to LEVEL
 allow ARGS                      add allow rule
 deny ARGS                       add deny rule
 reject ARGS                     add reject rule
 limit ARGS                      add limit rule
 delete RULE|NUM                 delete RULE
 insert NUM RULE                 insert RULE at NUM
 reset                           reset firewall
 status                          show firewall status
 status numbered                 show firewall status as numbered list of RULES
 status verbose                  show verbose firewall status
 show ARG                        show firewall report
 version                         display version information

Application profile commands:
 app list                        list application profiles
 app info PROFILE                show information on PROFILE
 app update PROFILE              update PROFILE
 app default ARG                 set default application policy