
The Basics of UFW: Learning the Essential Firewall Commands 

Introduction

UFW (Uncomplicated Firewall) is a command-line front end to the Linux packet filter (netfilter/iptables). It lets you manage firewall rules without writing iptables syntax yourself. Ubuntu ships it by default, but it stays inactive until you enable it. Getting the most out of its commands can be difficult if you are not already familiar with the tool.

Our goal is a guide you can use as a beginner, with worked examples of the actions you can perform with UFW. Many of the rules are useful for everyday services. Let’s get started!

Prerequisites

Before you read ahead, make sure UFW is on its default policy: outgoing traffic is allowed and incoming traffic is denied. Starting from that baseline, you explicitly choose which incoming traffic to allow, and anything you have not allowed stays blocked. If you are unsure of the current state, check it with sudo ufw status, or with sudo ufw status verbose, which also prints the default policies. Note that while the status is inactive, no rules are enforced at all, and that on a remote host you should allow your SSH port before enabling the firewall.
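The following is an added example and is not part of the original article. It checks the default policy from the text that sudo ufw status verbose prints, which includes a line of the form "Default: deny (incoming), allow (outgoing), disabled (routed)". The function names are this example’s own, and the status output it is tried against below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original page: verify the default policy
# by parsing the output of `ufw status verbose`, which reports a line such as
#   Default: deny (incoming), allow (outgoing), disabled (routed)
# Reads that output on stdin and returns 0 only when the firewall is active
# and the policy is deny-incoming / allow-outgoing. An inactive firewall
# prints just "Status: inactive" and enforces nothing, so that counts as a
# failure too.
ufw_defaults_ok() {
    status=""; defaults=""
    while IFS= read -r line; do
        case "$line" in
            "Status: "*)  status="${line#Status: }" ;;
            "Default: "*) defaults="${line#Default: }" ;;
        esac
    done
    [ "$status" = "active" ] || return 1
    case "$defaults" in
        *"deny (incoming)"*"allow (outgoing)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# The commands that put UFW back on the default policy. They are only
# defined here; nothing touches the live firewall unless you call them, e.g.
#   sudo ufw status verbose | ufw_defaults_ok || ufw_set_defaults
# Enabling the firewall itself (sudo ufw enable) is deliberately left out:
# on a remote host, allow your SSH port first, then enable.
ufw_set_defaults() {
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
}
```

The check treats an inactive firewall as a failure on purpose: an inactive UFW reports no default line and enforces nothing, so a script that only looked for "deny (incoming)" would pass silently on a host with no firewall at all.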

Apart from that, feel free to jump to whichever section matches your requirements. You do not have to use every command in this guide; mix and match based on your needs.

How to Block an IP Address

Let’s begin with one of the most basic functions of any firewall: blocking IP addresses. A single command blocks every connection coming from a given address. Say the address in our case is 15.15.15.51 (substitute the address you want to block). This is the command you would use for this purpose:

Here, from 15.15.15.51 restricts the rule to packets whose source address is 15.15.15.51. To cover a whole subnet, give it in CIDR notation instead, for example 15.15.15.0/24; the command works just the same. A source can be specified in any UFW rule, including allow rules. Two things to keep in mind: deny drops matching packets silently, whereas reject answers the sender with a rejection; and UFW evaluates rules in order with the first match winning, so a deny appended after a broader allow for the same traffic never takes effect. Use sudo ufw status numbered to see the order, and sudo ufw insert with a position number to place a rule earlier.

  • Blocking Network Interface Connections

Sometimes you want to block connections from a specific address only on a specific network interface. In that case, specify the interface along with the source. For this example the source is 15.15.15.51 and the interface is eth0 (check your own interface names with ip link):

As with the source address, the interface can be given in any firewall rule. These qualifiers narrow a rule to one source or one interface; on a server with a public and a private interface, that is how you keep a rule from applying to both.
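As an added example, not code from the original article: shell functions that build the two deny rules described above (deny from an address or subnet, and deny on one interface only) with input validation and a dry-run switch, so the command can be reviewed before it touches the live firewall. The function names and the DRY_RUN variable are this example’s own conventions; the ufw command lines they produce are standard ufw syntax.

```shell
#!/bin/sh
# Added example, not part of the original page: build the "deny from" rules
# described above with input validation and a dry-run switch. With DRY_RUN=1
# the ufw command line is printed instead of executed.

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept a bare IPv4 address (15.15.15.51) or a CIDR block (15.15.15.0/24)
# and reject everything else. ufw refuses malformed addresses anyway, but
# failing early keeps a half-typed rule out of a script that runs unattended.
valid_ipv4_or_cidr() {
    addr="${1%%/*}"
    case "$1" in
        */*) prefix="${1#*/}" ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in .*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Block every connection from ADDRESS (an IP or a CIDR subnet).
ufw_deny_from() {
    valid_ipv4_or_cidr "$1" || { echo "invalid address: $1" >&2; return 2; }
    run sudo ufw deny from "$1"
}

# Same, but only for traffic arriving on interface IFACE.
ufw_deny_from_on() {
    valid_ipv4_or_cidr "$2" || { echo "invalid address: $2" >&2; return 2; }
    run sudo ufw deny in on "$1" from "$2"
}

# ufw evaluates rules in order and the first match wins. A deny appended
# after an existing broad allow (for example "allow 22") never fires for
# port 22, so a blocklist entry normally belongs at the top of the list.
# "insert 1" needs at least one existing rule; on an empty ruleset use
# ufw_deny_from instead.
ufw_deny_from_first() {
    valid_ipv4_or_cidr "$1" || { echo "invalid address: $1" >&2; return 2; }
    run sudo ufw insert 1 deny from "$1"
}
```

Run the functions once with DRY_RUN=1 to see the exact command that would be issued, then without it to apply the rule; sudo ufw status numbered afterwards confirms where the new rule landed relative to any allow rules.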

How to Allow SSH Connections

This section matters if you administer a cloud server over SSH: the firewall has to allow incoming SSH connections, or you will lock yourself out. sshd listens on TCP port 22 by default; if you changed Port in /etc/ssh/sshd_config, use that port in the rules below. You can follow this tutorial to learn how to use SSH to connect to a remote server in Ubuntu.

With SSH allowed, you can manage the cloud server from your local machine. Here we cover the SSH-related firewall rules:

  • Allowing SSH

Use the following command to allow all incoming SSH connections:

Alternatively, give the port number instead of the service name (UFW resolves names such as ssh through /etc/services):

  • Allowing Incoming SSH From Specific IP Address

To allow incoming SSH only from a specific IP address or subnet, specify the source. For instance, to allow the 15.15.15.0/24 subnet, run the following. Before you also remove any broader SSH allow rule, make sure the address you are connecting from lies inside that subnet:

  • Allowing Incoming Rsync From Specific IP Address

The rsync daemon listens on TCP port 873 and lets you transfer files between systems. To allow rsync daemon connections only from a specific address or subnet (15.15.15.0/24 in this example), run:

Now the whole 15.15.15.0/24 subnet can rsync to your server. This rule is only needed for the rsync daemon; rsync over SSH uses the SSH port and needs no extra rule. Here is also a comprehensive tutorial on how to utilize Rsync to sync local and remote directories on your server.
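The following is an added example, not part of the original article, covering the SSH-from-subnet and rsync-from-subnet rules above. It emits the allow-from rule for a port and subnet, but first guards against the classic mistake of restricting SSH to a subnet that does not contain the address you are currently connected from. The client address comes from the SSH_CONNECTION variable that OpenSSH’s sshd sets for every session; the function names, the DRY_RUN switch and the IPv4-only CIDR arithmetic are this example’s own.

```shell
#!/bin/sh
# Added example, not part of the original page: restrict a TCP port (SSH on
# 22, rsync daemon on 873) to one subnet without locking yourself out. Before
# the allow-from rule is emitted, the current SSH session's client address is
# taken from SSH_CONNECTION (set by sshd as "client_ip client_port server_ip
# server_port") and checked against the subnet; if the rule would cut off
# the session you are working from, nothing is added. IPv4 only; shell
# arithmetic is assumed to be 64-bit. DRY_RUN=1 prints the commands.

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Dotted-quad IPv4 address -> integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr ADDRESS CIDR -> exit 0 if ADDRESS lies inside CIDR, else 1.
# A bare address in place of CIDR is treated as a /32.
in_cidr() {
    case "$2" in
        */*) net="${2%%/*}"; bits="${2#*/}" ;;
        *)   net="$2"; bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# ufw_allow_port_from PORT CIDR
# Refuses (exit 3, no rule added) when PORT is the port of the SSH session
# you are running in and your client address is outside CIDR.
ufw_allow_port_from() {
    port="$1"; cidr="$2"
    set -- ${SSH_CONNECTION:-}
    if [ "$#" -eq 4 ] && [ "$4" = "$port" ]; then
        case "$1" in
            *:*) echo "warning: IPv6 session from $1 not checked" >&2 ;;
            *)   if ! in_cidr "$1" "$cidr"; then
                     echo "refusing: your SSH session from $1 is outside $cidr" >&2
                     return 3
                 fi ;;
        esac
    fi
    run sudo ufw allow proto tcp from "$cidr" to any port "$port"
}

# SSH only from the example subnet, then the rsync daemon from the same one:
#   ufw_allow_port_from 22 15.15.15.0/24
#   ufw_allow_port_from 873 15.15.15.0/24
```

The guard only applies to the port your own session uses; allowing rsync from a subnet you are not part of is harmless, so that call goes through regardless of where you are connected from.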

How to Configure Web Server Requests

Next, the rules for a web server. Web servers such as Apache and Nginx listen on two ports: TCP port 80 for HTTP and TCP port 443 for HTTPS.

As noted in the prerequisites, the default policy denies all incoming traffic, so you need rules that let these requests reach the server.

  • Allowing All HTTP

To allow all HTTP requests to port 80, use the command:

You can also name port 80 instead of the http service:

  • Allowing All HTTPS

To allow all HTTPS requests to port 443, run this command:

As before, you can replace https with the port number:

  • Allowing All HTTP and HTTPS

To allow both HTTP and HTTPS with one rule, specify both ports in a single command:

The proto tcp part is required: UFW rejects a rule that names more than one port unless the protocol is given explicitly.

You can also follow these detailed guides on how to secure Nginx and Apache with Let’s Encrypt on Ubuntu.

How to Allow MySQL

MySQL listens on TCP port 3306. If clients on other hosts need to reach the database, add a rule that allows that traffic. Do not open 3306 to every source; scope the rule to the addresses or the interface that need it, as the rules below do. Note also that Ubuntu’s MySQL packages bind to 127.0.0.1 by default, so remote access requires changing bind-address as well as the firewall. Follow our tutorial to learn the basics of MySQL and how to set up MySQL on a server.

  • Allowing MySQL From a Specific IP Address

As in the earlier rules, specify the source to allow incoming MySQL connections from a specific IP address or subnet. Here we use the whole 15.15.15.0/24 subnet:

  • Allowing MySQL to a Specific Network Interface

If you also want to restrict MySQL connections to one network interface, the command changes. Suppose the private interface is eth1 (substitute your own interface name):

How to Allow PostgreSQL

PostgreSQL listens on TCP port 5432. As with MySQL, allow incoming traffic only if a client on another host must reach the database, using the rules that follow. PostgreSQL likewise listens only on localhost by default, so listen_addresses in postgresql.conf must be changed as well.

  • Allowing PostgreSQL From a Specific IP Address

If PostgreSQL connections come from a known subnet or address, specify the source. Again we use the 15.15.15.0/24 subnet:

If you have changed the default outgoing policy to deny, you may also need a rule for the outgoing side of these connections. In practice, UFW’s built-in rules in /etc/ufw/before.rules accept packets that belong to already established connections in both directions, so replies to an accepted PostgreSQL connection still pass unless you have edited those rules.

  • Allowing PostgreSQL to a Specific Network Interface

Similar to the previous rule, we will allow the PostgreSQL connections to a specific network interface. In our case it is eth1:

The same note about the outgoing policy applies here. You can learn how to set up PostgreSQL on Ubuntu by following our detailed tutorial.
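As an added example, not code from the original article, the following helper composes the allow syntax used by the web rules (one or more ports, open to everyone) and the MySQL and PostgreSQL rules (a source subnet, an interface, or both). Every such rule then comes out of one validated code path. The function name, argument order and DRY_RUN switch are this example’s own; the emitted command lines are standard ufw full syntax.

```shell
#!/bin/sh
# Added example, not part of the original page: one helper that composes the
# "allow" syntax used for the web and database rules above (optional
# interface, optional source subnet, one or more ports). With DRY_RUN=1 the
# command line is printed instead of executed. The port list is validated
# here; the source address is left to ufw, which rejects malformed addresses
# itself.

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ufw_allow_in PORTS [SOURCE] [IFACE]
#   PORTS   one port (80) or a comma list (80,443)
#   SOURCE  address or CIDR subnet; empty or "any" means everyone
#   IFACE   interface to accept on; empty means all interfaces
# ufw requires an explicit protocol whenever PORTS lists more than one port,
# and every service in this guide is TCP, so "proto tcp" is always emitted.
ufw_allow_in() {
    ports="$1"; src="${2:-any}"; iface="${3:-}"
    case "$ports" in
        ''|*[!0-9,]*|,*|*,|*,,*) echo "invalid port list: $ports" >&2; return 2 ;;
    esac
    set -- sudo ufw allow
    if [ -n "$iface" ]; then set -- "$@" in on "$iface"; fi
    set -- "$@" proto tcp from "$src" to any port "$ports"
    run "$@"
}

# The rules from the sections above, expressed through the helper:
#   ufw_allow_in 80,443                    # all HTTP and HTTPS
#   ufw_allow_in 3306 15.15.15.0/24        # MySQL from one subnet
#   ufw_allow_in 5432 "" eth1              # PostgreSQL on the private interface
#   ufw_allow_in 5432 15.15.15.0/24 eth1   # both restrictions at once
```

Combining a source subnet and an interface, as in the last call, is the tightest form for a database: it matches only packets from the private subnet that also arrive on the private interface, so a spoofed private-range source on the public interface does not match. UFW itself also offers a --dry-run flag that shows the iptables changes a rule would make, which is useful for a final check before applying.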

How to Configure Mail Servers

You may also run a mail server such as Sendmail or Postfix. Mail servers listen on several ports, depending on which protocols you offer, so first determine which protocols (and therefore which ports) your mail system actually uses, and then allow only that traffic.

  • Blocking Outgoing SMTP Mail

Before the rules that allow incoming mail traffic, here is how to block outgoing SMTP, a common hardening step for a server that should never send mail directly. SMTP uses TCP port 25. Use this command to block that traffic:

After running this command, the firewall drops all outgoing traffic to port 25. To block a different port, replace 25 with that port number. Note that this also stops the server from delivering to an upstream relay on port 25; relaying via the submission port (587) is unaffected.

  • Allowing Incoming SMTP

Allowing incoming traffic is just as simple. To let the server accept SMTP connections on port 25, use:

  • Allowing Incoming IMAP

To let the server accept IMAP connections on port 143, use the following command:

  • Allowing Incoming IMAPS

To accept IMAPS connections on port 993, use this command:

  • Allowing Incoming POP3

To accept POP3 connections on port 110, use this command:

  • Allowing Incoming POP3S

Finally, to accept POP3S connections on port 995, use this command. Prefer the TLS variants (IMAPS on 993 and POP3S on 995) and leave 143 and 110 closed unless you need them and enforce STARTTLS on them:
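The following is an added example and is not part of the original article. It turns the advice above, allow only the mail protocols you actually run, into a check: it parses the listening-socket list that ss -Hltn prints, keeps the mail ports covered in this section, skips daemons bound only to loopback, and emits one allow rule per remaining port, plus the deny rule for outgoing SMTP. The function names, the DRY_RUN switch and the sample ss output it is tried against are this example’s own; the sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original page: open only the mail ports that
# actually have a listener. `ss -Hltn` prints one line per listening TCP
# socket (state, queues, local address:port, peer); this parses that output,
# keeps the mail ports covered in this guide, and emits one allow rule per
# port. Listeners bound to loopback are skipped: they are unreachable from
# outside, so a firewall rule for them would only widen the allow list.
# With DRY_RUN=1 the ufw commands are printed instead of executed.

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Service name for the mail ports discussed above; fails for any other port.
mail_service_for_port() {
    case "$1" in
        25)  echo smtp ;;
        143) echo imap ;;
        993) echo imaps ;;
        110) echo pop3 ;;
        995) echo pop3s ;;
        *)   return 1 ;;
    esac
}

# Reads `ss -Hltn` output on stdin; prints the externally reachable listening
# ports, one per line, deduplicated (a daemon bound to both 0.0.0.0 and [::]
# shows up twice).
listening_tcp_ports() {
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue
        case "$laddr" in
            127.*|"[::1]"*) continue ;;   # loopback only: not reachable anyway
        esac
        echo "${laddr##*:}"
    done | sort -nu
}

# Emit an allow rule for each listening mail port read from stdin.
ufw_allow_listening_mail() {
    for port in $(listening_tcp_ports); do
        mail_service_for_port "$port" >/dev/null || continue
        run sudo ufw allow "$port/tcp"
    done
}

# The "block outgoing SMTP" rule from the section above.
ufw_deny_out_smtp() {
    run sudo ufw deny out 25
}

# On a real host (not run here):
#   sudo ss -Hltn | DRY_RUN=1 ufw_allow_listening_mail   # review first
#   sudo ss -Hltn | ufw_allow_listening_mail             # then apply
```

Because the rules are derived from what is listening rather than from a fixed list, a protocol you later disable in Postfix or Dovecot simply stops producing a rule the next time you run the check; compare the output against sudo ufw status to spot allow rules that no longer have a service behind them.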

Conclusion

This guide has covered the essential UFW commands you need to configure your firewall. Pick the rules that fit your requirements and keep the allow list as narrow as your services permit; UFW’s flexibility makes that customization straightforward. Experiment to find out what works best for you.

Happy Computing!