This is not a comprehensive guide to the UFW application.
It is a basic orientation for the UFW application. This should provide insights you’re probably not aware of, but many might assume you already know.
The UFW application:
- Is a wrapper that sits on top of IPTables. This means you can use IPTables directly without the UFW application.
- Will explicitly block everything by default. It assumes a security by default configuration. Note: If you enable it you might lock yourself out unintentionally and you might kill traffic (especially if a web server).
- It comes installed on the latest distros (earlier distro’s require you to install), but disabled by default. You must take the action to enable it if you want to protect your system.
I like that, by default, it distrusts the world – blocking everything. Instead of worrying what needs to be closed, it makes you focus on what you need to open.
A Practical Application – Working with a Web Server
If you’re configuring a web server, you might want to consider the following configurations:
- Traffic needs to reach the Apache application (port 80 / 443)
- You need to be able to connect using secure transfers mediums like SSH / SFTP (port 22)
- Consider if you want to send or receive mail (port 25)
UFW was introduced to simplify the process of using IPTables. Keep this in mind and you’ll better appreciate it’s application and the associated syntax.
In the above example, working a web server, this is how you would make sure each application works.
One approach might be to open the ports themselves, independent of the application:
# ufw allow 80/tcp
# ufw allow 443/tcp
# ufw allow 22
# ufw 25
Alternatively, you could use basic language like this to open the ports associated with an application:
# ufw allow ‘Apache Full’ # ufw allow ssh
# ufw allow http
# ufw allow https
In each instance, the common name will open the associated ports with Apache and SSH.
Enabling and disabling is straight forward. When you have your configuration set, enable UFW and check the status of your configurations.
# ufw enable
# ufw status
The status command will give you a good list of what you’ve configured.
A great resource to dive deeper into the possible configurations can be found on DigitalOcean’s UFW Essentials: Common Firewall Rules and Commands.