How to Set Up a Firewall with UFW on Ubuntu
In this comprehensive tutorial, users are guided through the process of setting up a robust firewall using the Uncomplicated Firewall (UFW) on Ubuntu. UFW provides an intuitive interface for managing netfilter firewall rules, offering an accessible solution for securing Ubuntu systems effectively.
Introduction to UFW Copy link
UFW, or Uncomplicated Firewall, is a user-friendly interface for managing iptables, the standard firewall management tool for Linux systems. It simplifies the process of creating and managing firewall rules, making it accessible even to users with limited networking knowledge.
Understanding Firewall Basics Copy link
Before diving into the configuration process, it's essential to understand some fundamental concepts related to firewalls and how they operate.
What is a Firewall? Copy link
A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks, such as the internet.
On Hostman, you can set up a cloud firewall that provides cutting-edge defense tailored for businesses of all sizes.
Types of Firewalls Copy link
There are several types of firewalls, including packet-filtering firewalls, stateful inspection firewalls, proxy firewalls, and application layer firewalls. Each type operates differently but serves the common purpose of protecting networks and systems from unauthorized access and malicious activity.
Creating Account and Server on Hostman Copy link
To kick off the process, prospective server hosts are encouraged to visit the official Hostman website. Sign up for a new account by providing essential details and create a strong password. Following this, check your email for a verification link, click on it, and swiftly log in to your Hostman account.
Within the Hostman control panel, the user-friendly interface offers to start a new server. By navigating to the Create button, users can initiate the server creation process. Select the parameters you need, including software (for the purposes of this guide, we need a server with the Ubuntu operating system), configuration, geographical region, and backups, choose the project for this server, then click Order to create your server.
The server will be installed in a couple of minutes and you will see the server's dashboard. Later on, to find your server you can go directly to Cloud servers or to the project the server is added to.
Click on your server, start it by the play button and scroll down to see the SSH command and root password for your Ubuntu server.
Accessing Your Server Copy link
Access the server through the web-based terminal provided by Hostman or use preferred SSH client. For this tutorial accessing through SSH is used.
Updating System Packages Copy link
The following code is to be written in terminal to update system packages of Ubuntu:
sudo apt-get update
sudo apt-get upgradeType “y” and hit Enter.
After the upgrade, the following screen may appear. (If there is nothing to upgrade on your server, i/e. you already had the latest versions of the installed packages, you will not see this window and can proceed to the next step.)
In this popup, you are prompted to select which services should be restarted after the installation process. The services listed are part of the systemd system and are related to various system functionalities.
Here's a brief explanation of the options:
-
systemd-journald.service: The journal service, which handles system logs. -
systemd-logind.service: The login service, which manages user logins. -
systemd-manager: The service manager for the system. -
systemd-networkd.service: The network service, responsible for network configuration. -
systemd-resolved.service: The DNS resolver service. -
systemd-timesyncd.service: The time synchronization service. -
unattended-upgrades.service: A service for automatically applying package updates. -
user@0.service: A user-specific service (user 0 refers to the root user).
Given the importance of network-related services for firewall functionality, it is recommended to restart the following services after the upgrade:
systemd-networkd.service: This service is responsible for network configuration. Restarting it ensures that any changes made during the upgrade, particularly those related to networking or firewall rules, take effect.-
systemd-resolved.service: The DNS resolver service handles DNS resolution. Restarting it is advisable if there were changes to DNS configurations or updates to the DNS resolver service, which could impact firewall rules that rely on domain name resolution. -
systemd-timesyncd.service: The time synchronization service ensures accurate timekeeping on the system. Proper time synchronization is crucial for security measures such as certificate validation and timestamping of firewall logs.
These services are crucial for maintaining system functionality and security, especially in the context of firewall configuration.
Installing UFW on Ubuntu Copy link
Before starting the firewall configuration, it's essential to ensure that UFW is installed on your Ubuntu system. Here's how to do it:
Checking UFW Installation Status Copy link
Open the terminal and run the following command to check if UFW is installed:
sudo ufw statusYou should see the status Active (running). If the status is inactive, start the service using the command:
sudo ufw enableIf UFW is not installed, the terminal will output the message Command ‘ufw’ not found. Follow the instruction below to install it.
Installing UFW Copy link
Install UFW by executing the following commands in the terminal:
sudo apt update
sudo apt install ufwAfter completing the installation, recheck the status by typing:
sudo ufw statusBasic Firewall Configuration with UFW Copy link
Once UFW is installed, it's time to configure the basic firewall settings. Here's how to get started:
Enabling UFW Copy link
Activate UFW by running the following command in the terminal:
sudo ufw enableYou will receive a confirmation message indicating that the firewall is now operational.
Allowing SSH Access Copy link
If SSH access is not permitted by default, allow SSH connections using the command:
sudo ufw allow sshPermitting Specific Ports Copy link
To enable specific ports for various services such as web servers or database servers, use the command:
sudo ufw allow <port_number>Replace <port_number> with the designated port number you wish to allow.
Advanced UFW Configuration Copy link
For advanced users looking to customize their firewall settings, UFW offers a range of configuration options:
Denying Incoming Connections Copy link
For enhanced security, deny all incoming connections by default and allow only designated ones:
sudo ufw default deny incomingAllowing Outgoing Connections Copy link
Allow all outgoing connections by default:
sudo ufw default allow outgoingImplementing Custom Rules Copy link
Define custom rules based on specific requirements:
sudo ufw <rule>Below are examples of configuring custom rules in UFW for various scenarios, including allowing SSH, HTTP/HTTPS, specifying port ranges, and denying access based on IP addresses or subnets:
Allowing SSH Connections Copy link
To allow SSH connections, you can use the service name or specify the port number:
sudo ufw allow sshOr:
sudo ufw allow 22Allowing HTTP and HTTPS Connections Copy link
To allow HTTP and HTTPS traffic, use the respective service names or port numbers:
sudo ufw allow http
sudo ufw allow httpsOr:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcpAllowing Access to a Specific Port Range Copy link
To allow access to a range of ports, specify the port range:
sudo ufw allow 8000:9000/tcpAllowing Access from Specific IP Addresses or Subnets Copy link
To allow access from specific IP addresses or subnets, specify the IP address or subnet:
sudo ufw allow from 192.168.1.100
sudo ufw allow from 192.168.0.0/16Denying Access to a Specific Port Copy link
To deny access to a specific port, use the deny command:
sudo ufw deny 1234Denying Access from Specific IP Addresses or Subnets Copy link
To deny access from specific IP addresses or subnets, use the deny command:
sudo ufw deny from 10.0.0.1
sudo ufw deny from 172.16.0.0/24Denying All Incoming Connections (Except Allowed Ones) Copy link
To deny all incoming connections by default and allow only specific ones, use the default deny command:
sudo ufw default deny incomingAllowing All Outgoing Connections Copy link
To allow all outgoing connections by default, use the default allow command:
sudo ufw default allow outgoingThese examples demonstrate how to configure custom rules in UFW for different scenarios, including allowing or denying access based on services, ports, IP addresses, and subnets. Customise these rules according to your specific requirements to enhance the security and control of your firewall configuration.
A Brief Guide for Requirements for Custom Rules Copy link
Following is a brief elaboration on which requirements may necessitate specific customizations in firewall rules to enhance security and control:
-
Requirement: Secure Remote Access
Allowing SSH access (port 22) for remote administration while restricting access from specific IP addresses or subnets to prevent unauthorised access.
-
Requirement: Hosting Web Services
Allowing HTTP (port 80) and HTTPS (port 443) traffic to host web services, while potentially restricting access to specific IP addresses or subnets to limit exposure to the public internet.
-
Requirement: Application with Specific Port Range
Allowing access to a range of ports required by a specific application (e.g., ports 8000-9000) while denying access to all other ports to reduce attack surface.
-
Requirement: Network Segmentation
Defining rules to allow communication between different segments of the network while denying access from external networks to sensitive segments to enforce network segmentation and control.
-
Requirement: Denial of Service (DoS) Protection
Implementing rate-limiting rules to mitigate DoS attacks by limiting the number of incoming connections per second from specific IP addresses or subnets.
-
Requirement: Compliance with Regulatory Standards
Implementing firewall rules to enforce compliance with regulatory standards (e.g., PCI DSS, HIPAA) by restricting access to sensitive data and ensuring secure communication channels.
-
Requirement: Log Monitoring and Analysis
Enabling logging for specific firewall rules to monitor and analyze network traffic for security incidents, compliance audits, and troubleshooting purposes.
-
Requirement: Application-Specific Rules
Defining application-specific rules based on the requirements of the deployed applications, such as allowing access to database ports only from application servers.
-
Requirement: BYOD (Bring Your Own Device) Policies
Implementing rules to allow access for authorised devices while restricting access for unauthorised devices based on device attributes or user credentials.
-
Requirement: High Availability and Failover
Configuring redundant firewall rules across multiple firewall instances to ensure high availability and failover in case of hardware or network failures.
These customizations align with best practices and address specific requirements to enhance security, control, and compliance in firewall configurations without technical errors or inaccuracies.
Testing Firewall Configuration Copy link
After configuring the firewall, it's essential to verify that the rules are applied correctly and test connectivity:
Verifying Firewall Rules Copy link
Ensure the correct application of firewall rules:
sudo ufw status verboseTesting Connectivity Copy link
Conduct connectivity tests to verify that permitted connections function as intended. Users can do this by attempting to establish connections to services running on the system from both local and remote hosts.
Monitoring and Managing UFW Copy link
Once the firewall is configured, it's important to monitor and manage UFW to ensure optimal security.
Checking UFW Status Copy link
Monitor the status of UFW at any time:
sudo ufw statusDisabling UFW Copy link
Temporarily disable UFW when necessary:
sudo ufw disableLogging Firewall Activity Copy link
Enable logging to monitor firewall activity and identify potential security threats:
sudo ufw logging onConclusion Copy link
Implementing a firewall using UFW on Ubuntu is crucial for enhancing system security and safeguarding against potential threats. By following the steps outlined in this tutorial, users can effectively configure and manage their firewall settings, ensuring the protection of their Ubuntu systems. With UFW's user-friendly interface and powerful capabilities, users can easily create and enforce firewall rules to control network traffic and prevent unauthorized access. By understanding the basics of firewalls and utilizing the advanced configuration options provided by UFW, users can create a robust defense against cyber threats.
By the way, with Hostman, you can run your workloads on an efficient Amsterdam VPS that support low latency for EU-based users. Check this out, we have plenty of budget VPS hosting options for your projects.