Configuring ufw

On Ubuntu 18.04 and later, the ufw systemd service is already enabled by default, but it isn't activated. In other words, the systemd service is running, but it isn't enforcing any firewall rules yet. (I'll show you how to activate it in just a bit, after we go over how to open the ports that you need to open.) On other Linux distros, such as the older Ubuntu 16.04, you might find that ufw is disabled by default. If that's the case, you'll need to enable it, like so:

sudo systemctl enable --now ufw

The first thing we want to do is open port 22 so that we can connect to the machine via Secure Shell, like so:

sudo ufw allow 22/tcp

By using sudo iptables -L, you'll see that the new rule shows up in the ufw-user-input chain:

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

You'll also see that the total output of this command is quite lengthy, because so much of what we had to do with iptables has already been done for us with ufw. In fact, there's even more here than what we did with iptables. For example, with ufw, we already have rate-limiting rules that help protect us against DoS attacks, and we also have rules that record log messages about packets that have been blocked. It's almost the no fuss, no muss way of setting up a firewall. (I'll get to that almost part in a bit.)

In the preceding sudo ufw allow 22/tcp command, we had to specify the TCP protocol because TCP is all we need for Secure Shell. We can also open a port for both TCP and UDP just by not specifying a protocol. For example, if you're setting up a DNS server, you'll want to have port 53 open for both protocols (you'll see the entries for port 53 listed as domain ports):

sudo ufw allow 53

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain

If you use sudo ip6tables -L, you'll see that a rule for IPv6 was also added for both of the preceding examples. And, again, you'll see that most of what we had to do with the ip6tables commands has already been taken care of. (It's especially nice that we don't have to mess around with setting up all of those pesky ICMP rules.)

Now that we've opened the desired ports, we'll activate ufw so that it will actually enforce these rules:

sudo ufw enable
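As an added example (not from the book), here is a small POSIX shell preflight check for a remote machine: it parses the ufw-user-input chain output shown above and refuses to proceed to sudo ufw enable until the SSH rule is present, so you don't lock yourself out. The chain text is a constructed sample, and port_name, check_rule and preflight are my own names.

```shell
#!/bin/sh
# Constructed sample of `sudo iptables -L ufw-user-input` after the two
# `ufw allow` commands from the text. On a real host you would capture it with:
#   chain=$(sudo iptables -L ufw-user-input)
SAMPLE_CHAIN='Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain'

# Without -n, iptables -L prints service names instead of port numbers,
# so map the numbers we care about to the names seen in the output.
port_name() {
    case "$1" in
        22) echo ssh ;;
        53) echo domain ;;
        *)  echo "$1" ;;
    esac
}

# check_rule CHAIN_TEXT PROTO PORT -> 0 if an ACCEPT line exists for that
# protocol and port (matching either the service name or the number).
check_rule() {
    c=$1; proto=$2; port=$3; name=$(port_name "$port")
    printf '%s\n' "$c" |
        grep -Eq "^ACCEPT[[:space:]]+$proto[[:space:]].*[[:space:]]$proto dpt:($name|$port)([[:space:]]|\$)"
}

# preflight CHAIN_TEXT -> 0 only when SSH (tcp/22) and DNS (tcp+udp/53)
# are all allowed; otherwise explain what is missing and return 1.
preflight() {
    c=$1
    check_rule "$c" tcp 22 || { echo "SSH rule missing; do not run ufw enable yet" >&2; return 1; }
    check_rule "$c" tcp 53 && check_rule "$c" udp 53 ||
        { echo "DNS rule incomplete (need both tcp and udp on port 53)" >&2; return 1; }
    echo "required rules present; safe to run: sudo ufw enable"
}

preflight "$SAMPLE_CHAIN"
```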

To see just a quick summary of your firewall configuration, use the status option. The output should look something like this:

donnie@ubuntu-ufw:~$ sudo ufw status
Status: active

To Action From
-- ------ ----
22/tcp LIMIT Anywhere
53 LIMIT Anywhere
22/tcp (v6) LIMIT Anywhere (v6)
53 (v6) LIMIT Anywhere (v6)

donnie@ubuntu-ufw:~$

Next, we will look at the ufw firewall files.
