Ubuntu

Installing and Setting Up UFW in Ubuntu 20.04 LTS

Installing and Setting Up UFW in Ubuntu 20.04 LTS
UFW, or Uncomplicated Firewall, is a user-friendly frontend to Linux iptables. UFW is written in Python (supports Python 3.5 and above) and is the current de facto firewall management utility in Ubuntu systems. This utility is very user-friendly and acts as a great host-based firewall.

This article shows you how to install and use UFW on your Ubuntu 20.04 LTS system.

Installation

UFW comes pre-installed on most Ubuntu systems. If your build does not have this program already installed, you can install it using either the snap or the apt package managers.$ sudo snap install ufw

$ sudo apt install ufw

I personally prefer using the apt package manager to do this because snap is less popular and I don't want to have this extra complexity. At the time of this writing, the version published for UFW is 0.36 for the 20.04 release.

Incoming vs. Outgoing traffic

If you are a beginner in the world of networking, the first thing you need to clarify is the difference between incoming and outgoing traffic.

When you install updates using apt-get, browse the internet, or check your email, what you are doing is sending “outgoing” requests to servers, such as Ubuntu, Google, etc. To access these services, you do not even need a public IP. Usually, a single public IP address is allocated for, say, a home broadband connection, and every device gets its own private IP. The router then handles the traffic using something known as NAT, or Network Address Translation.

The details of NAT and private IP addresses are beyond the scope of this article, but the video linked above is an excellent starting point. Coming back to UFW, by default, UFW will allow all regular outgoing web traffic. Your browsers, package managers, and other programs pick a random port number - usually a number above 3000 - and that is how each application can keep track of its connection(s).

When you are running servers in the cloud, they usually come with a public IP address and the above rules of allowing outgoing traffic still hold. Because you will still use utilities, like package managers, that talk to the rest of the world as a 'client,' UFW allows this by default.

The fun begins with incoming traffic. Applications, like the OpenSSH server that you use to login to your VM, listen on specific ports (like 22) for incoming requests, as do other applications. Web servers need access to ports 80 and 443.

It is part of the job of a firewall to allow specific applications to listen in on certain incoming traffic while blocking all the unnecessary ones. You may have a database server installed on your VM, but it usually does not need to listen for incoming requests on the interface with a public IP. Usually, it just listens in on the loopback interface for requests.

There are many bots out in the Web, which constantly bombard servers with bogus requests to brute force their way in, or to do a simple Denial of Service attack. A well-configured firewall should be able to block most of these shenanigans with the help of third-party plugins like Fail2ban.

But, for now, we will focus on a very basic setup.

Basic Usage

Now that you have UFW installed on your system, we will look at some basic uses for this program. Since firewall rules are applied system-wide, the below commands are run as the root user. If you prefer, you can use sudo with proper privileges for this procedure.

# ufw status
Status: inactive

By default, UFW is in an inactive state, which is a good thing. You do not want to block all incoming traffic on port 22, which is the default SSH port. If you are logged into a remote server via SSH and you block port 22, you will be locked out of the server.

UFW makes it easy for us to poke a hole just for OpenSSH. Run the below command:

[email protected]:~# ufw app list
Available applications:
OpenSSH

Notice that I have still not enabled the firewall. We will now add OpenSSH to our list of allowed apps and then enable the firewall. To do so, enter the following commands:

# ufw allow OpenSSH
Rules updated
Rules updated (v6)
# ufw enable

The command may disrupt existing SSH connections. Proceed with operation (y|n)? y.

The firewall is now active and enabled on system startup.

Congratulations, UFW is now active and running. UFW now allows only OpenSSH to listen in on incoming requests at port 22. To check the status of your firewall at any time, run the following code:

# ufw status
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)

As you can see, OpenSSH can now receive requests from anywhere on the Internet, provided it reaches it on port 22. The v6 line indicates that the rules are applied for IPv6, as well.

You can, of course, ban particular ranges of IP, or allow only a particular range of IPs, depending on the security constraints you are working within.

Adding Applications

For the most popular applications, the ufw app list command automatically updates its list of policies upon installation. For example, upon installation of the Nginx web server, you will see the following new options appear:

# apt install nginx
# ufw app list
Available applications:
Nginx Full
Nginx HTTP
Nginx HTTPS
OpenSSH

Go ahead and try experimenting with these rules. Note that you can simply allow port numbers, rather than waiting for an application's profile to show up. For example, to allow port 443 for HTTPS traffic, simply use the following command:

# ufw allow 443
# ufw status
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
443 ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)

Conclusion

Now that you have the basics of UFW sorted, you can explore other powerful firewall capabilities, starting from allowing and blocking ranges of IP. Having clear and secure firewall policies will keep your systems safe and protected.

How to Show FPS Counter in Linux Games
Linux gaming got a major push when Valve announced Linux support for Steam client and their games in 2012. Since then, many AAA and indie games have m...
How to download and Play Sid Meier's Civilization VI on Linux
Introduction to the game Civilization 6 is a modern take on the classic concept introduced in the series of the Age of Empires games. The idea was fai...
How to Install and Play Doom on Linux
Introduction to Doom The Doom Series originated in the 90s after the release of the original Doom. It was an instant hit and from that time onwards th...