Understanding UFW – Hacker Noon

I have always been scared of iptables. If you want to know the reason, check out the man page for it. Though I have heard from many people that iptables is more robust and secure, I have never used it because it has always been daunting. I personally feel that if I am not comfortable with something like iptables and still use it, I might add more security holes while not leveraging the benefits it provides. So I have stuck to using ufw for now. It is for the same reason that I prefer Ubuntu over other flavors. Familiarity breeds confidence and I know that I will make fewer blunders. Do not consider this a promotion of Ubuntu over other more secure flavors, because it is not. It is just my personal preference.

Side note: did you know that “Ubuntu” is generally translated as “I am because we are”?

Before getting started

Keep these things in mind before getting started.

  1. Use some form of firewall. If not ufw, use iptables directly.
  2. If you are using ufw, make sure the ufw service is started on reboot.
  3. Understand the defaults of ufw well.
  4. Deny everything by default and allow only what is required.
  5. Set up a monitoring tool like Zabbix that triggers an alert when ufw is down.

Installing ufw

sudo apt install ufw

Check status

# ufw status
Status: inactive

We will enable ufw after adding the relevant rules.

Whitelist ssh

Make sure you allow ssh before enabling ufw, so that you can still reach your server over ssh afterwards.

# ufw allow ssh
Rules updated
Rules updated (v6)

Checking added rules

You cannot check the added rules with ufw status while ufw is inactive. Use ufw show added instead; it works after enabling ufw as well. Note that the rule is stored as 22/tcp: ufw resolves a service name such as ssh through /etc/services when the rule is added.

# ufw show added
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp

Enable ufw

Enabling ufw without a rule for ssh might lock you out of your server, so be careful before enabling it. I have not tried it though, so I can’t be sure. 😛

# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Check status

ufw status gives you the status of ufw and also lists all the enabled rules.

# ufw status
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)

ufw status on its own is not enough, because it shows neither the default policies nor the direction of each rule. See the next section.

UFW Defaults

Not knowing the defaults cost me a couple of hours the other day.

Since the defaults were not displayed and the details under Action were not clear enough, I had assumed a few things, which cost me dearly. So go through the default options before setting up the rules for your applications.

You can get those details using ufw status verbose

# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)

As you can see from the output:

  1. Default deny (incoming): no outside system can connect to your machine until you add a rule that allows it.
  2. Default allow (outgoing): all outgoing connections are allowed. This lets commands like apt install, wget and ping work without extra rules, but if you want to keep the server locked down it is better to deny outgoing by default and then allow only the specific destinations and ports you need. ufw rules match IP addresses, networks and ports, not domain names, so a destination has to be written as an address or a network.
  3. Default disabled (routed): forwarding between interfaces is blocked. This is a good default as long as you are not using the machine as a router.
  4. The Action column reads “ALLOW IN”, which means there is also “ALLOW OUT”. A rule given without a direction, such as ufw allow 22/tcp, is an inbound rule; once you change the default to deny (outgoing) you must add explicit allow out rules for the traffic you still need.

Changing Defaults

The defaults we see above are equivalent to the following commands.

sudo ufw default deny incoming
sudo ufw default allow outgoing

If you want to change the default to deny outgoing, run

# ufw default deny outgoing
Default outgoing policy changed to 'deny'
(be sure to update your rules accordingly)

With that default you will need to add a rule for every outside system the server talks to. It can be cumbersome, but it is much safer.

For example, to allow outgoing traffic on port 10060 you can run the following (without a protocol suffix this matches both TCP and UDP; add /tcp or /udp to narrow it):

ufw allow out 10060

Instead of keeping the outgoing default as is, I think it is better to deny outgoing. Whenever you want to perform upgrades or install software you can add a rule temporarily and delete it once you are done.

If you want to open only the ports needed for apt and similar tools, you can use the following rules, which I borrowed from this answer. Note that ufw allow svn, ufw allow git, ufw allow in http and ufw allow in https are inbound rules (ports 3690, 9418, 80 and 443 from /etc/services); keep them only if the server actually serves those. For apt alone, the rules that matter are allow out 53 (DNS; with no protocol given this covers both UDP and TCP), allow out http and allow out https. ufw limit ssh allows ssh but rate-limits new connections from an address that opens too many in a short time.

ufw default deny incoming
ufw default deny outgoing
ufw limit ssh
ufw allow svn
ufw allow git
ufw allow out http
ufw allow in http
ufw allow out https
ufw allow in https
ufw allow out 53
ufw logging on
ufw enable
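Here is an added example (not part of the original article or of ufw itself) that turns the ruleset above and the lockout warning from the enable step into one script: a deny-by-default ruleset with explicit directions and protocols, and a guard that parses ufw show added and refuses to enable the firewall unless an inbound SSH allow or limit rule exists. The management network 192.168.0.0/24 and the exact rules are assumptions for illustration; adjust them for your host.

```shell
#!/bin/sh
# Added example, not from the original article: apply a deny-by-default
# ruleset and refuse to enable ufw unless an SSH rule is present.
# Assumption: admins reach this host over ssh from MGMT_NET.
set -eu

MGMT_NET="${MGMT_NET:-192.168.0.0/24}"

# ruleset: the commands to apply, one per line. Direction and protocol are
# explicit so nothing depends on the implicit "in" of a bare rule, and so
# "allow out 53" does not open both TCP and UDP by accident (DNS needs UDP,
# and TCP for answers too large for one UDP packet).
ruleset() {
    cat <<EOF
ufw default deny incoming
ufw default deny outgoing
ufw limit in from $MGMT_NET to any port 22 proto tcp
ufw allow out 53/udp
ufw allow out 53/tcp
ufw allow out 80/tcp
ufw allow out 443/tcp
ufw logging on
EOF
}

# has_ssh_rule: read the output of `ufw show added` on stdin and succeed only
# if an inbound allow/limit rule for port 22 (or the ssh service name) exists.
# Outbound-only rules ("ufw allow out 22/tcp") are dropped first, since they
# would not let anyone in.
has_ssh_rule() {
    grep -Ev '^ufw (allow|limit) out ' \
      | grep -Eq '^ufw (allow|limit) (.* )?(22(/tcp)?|ssh|port (22|ssh))( .*)?$'
}

# apply_rules: run the ruleset (re-running is harmless, ufw skips rules that
# already exist), then enable only if the guard passes. Needs root;
# --force skips the "may disrupt existing ssh connections" prompt.
apply_rules() {
    ruleset | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd   # word-split on purpose: each line is a complete ufw command
    done
    if ufw show added | has_ssh_rule; then
        ufw --force enable
    else
        echo "refusing to enable ufw: no inbound SSH allow/limit rule found" >&2
        return 1
    fi
}

# Only touch the live firewall when invoked as: sudo ./ufw-apply.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it once without the apply argument to make sure it parses, then with apply as root. Because the guard reads ufw show added rather than ufw status, it works before the firewall is active, which is exactly when the check matters.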

Show rules

You can use ufw show added to list all the rules you have added.

# ufw show added
ufw allow 22/tcp
ufw allow from x.x.x.x to any port 27017
ufw allow from x.x.x.x to any port 27017
ufw allow from x.x.x.x to any port 10050
ufw allow from x.x.x.x to any port 10050

Earlier I was using ufw status numbered, but now I use ufw show added and reuse the rule text from there to delete a rule, like this:

ufw delete allow 22/tcp

Thumb Rules

  1. Make sure ufw is started on boot.
  2. Change the defaults to make them more restrictive, based on your comfort level.
  3. Deny by default and enable only what is required.
  4. Keep your rules as specific as possible, for example sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp
  5. Add a monitoring tool like Zabbix which checks the status of ufw as well as any rules that are critical.
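As an added example (not from the original article), the check below is what a Zabbix UserParameter or a cron job could run for rule 5: it parses the output of ufw status verbose and fails if the firewall is inactive, if the default incoming policy is not deny, or if any rule from a list of critical rules is absent. The two critical rules (SSH from 192.168.0.0/24 and port 27017 from 10.0.0.5) are placeholders chosen for illustration, as is the script path in the Zabbix line.

```shell
#!/bin/sh
# Added example, not from the original article: a ufw health check for a
# Zabbix UserParameter or a cron job. Exit status 0 means healthy.
set -eu

# Rules that must be present, written as they appear in `ufw status verbose`
# with runs of spaces squeezed to one. These two are illustrative placeholders
# (SSH from an assumed management network, MongoDB from an assumed client).
CRITICAL_RULES='22/tcp ALLOW IN 192.168.0.0/24
27017 ALLOW IN 10.0.0.5'

# check_ufw STATUS_TEXT: STATUS_TEXT is the output of `ufw status verbose`.
# Prints one line per problem and returns 1 if any were found, else 0.
check_ufw() {
    status=$1
    rc=0
    if ! printf '%s\n' "$status" | grep -q '^Status: active'; then
        echo "ufw is not active"
        rc=1
    fi
    if ! printf '%s\n' "$status" | grep -q '^Default: deny (incoming)'; then
        echo "default incoming policy is not deny"
        rc=1
    fi
    # Column padding varies with rule length, so compare on squeezed whitespace.
    rules=$(printf '%s\n' "$status" | tr -s ' ')
    old_ifs=$IFS
    IFS='
'
    for want in $CRITICAL_RULES; do
        if ! printf '%s\n' "$rules" | grep -qF -- "$want"; then
            echo "critical rule missing: $want"
            rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# Against the live firewall (needs root): ./ufw-check.sh live
# Zabbix, assuming the script lives in /usr/local/bin and the zabbix user may
# run it via sudo without a password:
#   UserParameter=ufw.healthy,sudo /usr/local/bin/ufw-check.sh live >/dev/null 2>&1 && echo 1 || echo 0
if [ "${1:-}" = "live" ]; then
    check_ufw "$(ufw status verbose)"
fi
```

Trigger on the item reporting 0. Because the check reads ufw status verbose rather than ufw status, a default policy silently reset to allow (incoming) is caught as well, not just the service being down.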

Further Reading

If you want more details and more query options checkout https://help.ubuntu.com/community/UFW

I had made blunders without knowing ufw clearly. I hope this article can stop you from committing such blunders.
