Introduction
One of the first lines of defense in securing your cloud server is a functioning firewall. In the past, this was often done through complicated and arcane utilities. There is a lot of functionality built into these utilities, iptables being the most popular nowadays, but they require a decent effort on behalf of the user to learn and understand them. Firewall rules are not something you want yourself second-guessing.
To this end, UFW is a considerably easier-to-use alternative.
What is UFW?
UFW, or Uncomplicated Firewall, is a front-end to iptables. Its main goal is to make managing your firewall drop-dead simple and to provide an easy-to-use interface. It’s well-supported and popular in the Linux community, even installed by default in a lot of distros. As such, it’s a great way to get started securing your server.
Before We Get Started
First, obviously, you want to make sure UFW is installed. It should be installed by default in Ubuntu, but if for some reason it’s not, you can install the package using aptitude or apt-get using the following commands:
sudo aptitude install ufw
or
sudo apt-get install ufw
Check the Status
You can check the status of UFW by typing:
sudo ufw status
Right now, it will probably tell you it is inactive. Whenever ufw is active, you’ll get a listing of the current rules that looks similar to this:
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
Using IPv6 with UFW
If your VPS is configured for IPv6, ensure that UFW is configured to support IPv6 so that it will configure both your IPv4 and IPv6 firewall rules. To do this, open the UFW configuration with this command:
sudo vi /etc/default/ufw
Then make sure “IPV6” is set to “yes”, like so:
IPV6=yes
Save and quit. Then restart your firewall with the following commands:
sudo ufw disable
sudo ufw enable
Now UFW will configure the firewall for both IPv4 and IPv6, when appropriate.
Set Up Defaults
One of the things that will make setting up any firewall easier is to define some default rules for allowing and denying connections. UFW’s defaults are to deny all incoming connections and allow all outgoing connections. This means anyone trying to reach your cloud server would not be able to connect, while any application within the server would be able to reach the outside world. To set the defaults used by UFW, you would use the following commands:
sudo ufw default deny incoming
and
sudo ufw default allow outgoing
Note: if you want to be a little bit more restrictive, you can also deny all outgoing requests as well. The necessity of this is debatable, but if you have a public-facing cloud server, it could help prevent any kind of remote shell connections. It does make your firewall more cumbersome to manage because you’ll have to set up rules for all outgoing connections as well. You can set this as the default with the following:
sudo ufw default deny outgoing
Allow Connections
The syntax is pretty simple. You change the firewall rules by issuing commands in the terminal. If we turned on our firewall now, it would deny all incoming connections. If you’re connected over SSH to your cloud server, that would be a problem because you would be locked out of your server. Let’s enable SSH connections to your server to prevent that from happening:
sudo ufw allow ssh
As you can see, the syntax for adding services is pretty simple. UFW comes with some defaults for common uses. Our SSH command above is one example. It’s basically just shorthand for:
sudo ufw allow 22/tcp
This command allows a connection on port 22 using the TCP protocol. If your SSH server is running on port 2222, we could enable connections with the following command:
sudo ufw allow 2222/tcp
Other Connections We Might Need
Now is a good time to allow some other connections we might need. If we’re securing a web server with FTP access, we might need these commands:
sudo ufw allow www
or
sudo ufw allow 80/tcp
sudo ufw allow ftp
or
sudo ufw allow 21/tcp
Your mileage will vary on what ports and services you need to open. There will probably be a bit of testing necessary. In addition, you want to make sure you leave your SSH connection allowed.
Port Ranges
You can also specify port ranges with UFW. To allow ports 1000 through 2000, use the command:
sudo ufw allow 1000:2000/tcp
If you want UDP:
sudo ufw allow 1000:2000/udp
IP Addresses
You can also specify IP addresses. For example, if I wanted to allow connections from a specific IP address (say my work or home address), I’d use this command:
sudo ufw allow from 192.168.255.255
Denying Connections
Our default setup is to deny all incoming connections. This makes the firewall rules easier to administer since we are only selectively allowing certain ports and IP addresses through. However, if you want to flip it and open up all your server’s ports (not recommended), you could allow all connections and then restrictively deny ports you didn’t want to give access to by replacing “allow” with “deny” in the commands above. For example:
sudo ufw allow 80/tcp
would allow access to port 80 while:
sudo ufw deny 80/tcp
would deny access to port 80.
Deleting Rules
There are two options to delete rules. The most straightforward one is to use the following syntax:
sudo ufw delete allow ssh
As you can see, we use the command “delete” and input the rules you want to eliminate after that. Other examples include:
sudo ufw delete allow 80/tcp
or
sudo ufw delete allow 1000:2000/tcp
This can get tricky when you have rules that are long and complex.
A simpler, two-step alternative is to type:
sudo ufw status numbered
which will have UFW list out all the current rules in a numbered list. Then, we issue the command:
sudo ufw delete [number]
where “[number]” is the line number from the previous command.
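The numbered-delete workflow above turned into a small script (an added example, not part of the original tutorial): it parses captured `sudo ufw status numbered` output, finds the rule numbers for a To/Action pair including the IPv6 twin, and deletes them highest-first so the numbering does not shift mid-way. The sample status text is constructed; with DRY_RUN unset the `run` helper would really call sudo.

```shell
# Print the rule numbers (as shown by `sudo ufw status numbered`) whose
# "To" column equals $2 and whose Action equals $3 (e.g. "ALLOW IN").
# $1 is the captured status text; IPv6 twins like "22/tcp (v6)" match too.
ufw_rule_numbers() {
  printf '%s\n' "$1" | awk -v to="$2" -v act="$3" '
    /^\[ *[0-9]+\]/ {
      match($0, /^\[ *[0-9]+\]/)
      n = substr($0, 1, RLENGTH); gsub(/[^0-9]/, "", n)   # "[ 4]" -> "4"
      rest = substr($0, RLENGTH + 1)
      gsub(/ \(v6\)/, "", rest)          # drop the IPv6 marker so columns line up
      split(rest, f, " ")                # f[1]=To, f[2] f[3]=Action, f[4]=From
      if (f[1] == to && (f[2] " " f[3]) == act) print n
    }'
}

# Run a privileged command, or only print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then echo "sudo $*"; else sudo "$@"; fi
}

# Delete every rule matching To/Action. Rule numbers shift after each
# deletion, so go from the highest number down; --force skips the y/n prompt.
ufw_delete_matching() {
  ufw_rule_numbers "$1" "$2" "$3" | sort -rn | while read -r num; do
    run ufw --force delete "$num"
  done
}

# Constructed sample of `sudo ufw status numbered` output, for a dry run.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 1000:2000/tcp              ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

DRY_RUN=1
ufw_delete_matching "$SAMPLE_STATUS" 80/tcp "ALLOW IN"   # prints delete 5, then delete 2
# Live use: ufw_delete_matching "$(sudo ufw status numbered)" 80/tcp "ALLOW IN"
```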
Turn It On
After we’ve gotten UFW to where we want it, we can turn it on using this command (remember: if you’re connecting via SSH, make sure you’ve set your SSH port, commonly port 22, to be allowed to receive connections):
sudo ufw enable
You should see the command prompt again if it all went well. You can check the status of your rules now by typing:
sudo ufw status
or
sudo ufw status verbose
for the most thorough display.
To turn UFW off, use the following command:
sudo ufw disable
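A guard for the lockout caveat just described, added here as an example rather than anything from the original tutorial: it inspects the output of `sudo ufw show added` (its format is assumed to match the constructed sample below) for an allow or limit rule covering the SSH port, and only then runs `ufw --force enable`.

```shell
# Run a privileged command, or only print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then echo "sudo $*"; else sudo "$@"; fi
}

# $1: captured `sudo ufw show added` output; $2: SSH port (default 22).
# Succeeds when an allow/limit line covers that port, written as "22/tcp",
# a bare "22", "... to any port 22", or the service name "ssh" (assumed to
# resolve to 22 via /etc/services). deny/reject lines never count.
ssh_rule_present() {
  port=${2:-22}
  name=''
  [ "$port" = 22 ] && name='|ssh'
  printf '%s\n' "$1" | grep -Eq "^ufw (allow|limit)( |.* )($port(/tcp)?$name)( |$)"
}

# Enable UFW only if the SSH port is already allowed; otherwise refuse
# with status 2 so a remote administrator is not locked out.
enable_safely() {
  if ssh_rule_present "$1" "$2"; then
    run ufw --force enable   # --force skips the "may disrupt existing ssh" prompt
  else
    echo "refusing to enable: no allow rule for port ${2:-22}" >&2
    return 2
  fi
}

# Constructed sample of `sudo ufw show added` output, for a dry run.
SAMPLE_ADDED=$(printf '%s\n' \
  "Added user rules (see 'ufw status' for running firewall):" \
  "ufw allow 80/tcp" \
  "ufw allow from 203.0.113.10 to any port 2222 proto tcp")

DRY_RUN=1
enable_safely "$SAMPLE_ADDED" 2222                        # prints: sudo ufw --force enable
enable_safely "$SAMPLE_ADDED" 22 || echo "not enabled"    # refuses: only 2222 is allowed
# Live use: enable_safely "$(sudo ufw show added)" 22
```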
Reset Everything
If, for whatever reason, you need to reset your cloud server’s rules to their default settings, you can do this by typing this command:
sudo ufw reset
Conclusion
You should now have a cloud server that is configured properly to restrict access to a subset of ports or IP addresses.