UFW, the uncomplicated firewall, makes managing firewall rules on a host fairly easy. In this video, explore adding and removing basic rules using ufw at the command line.
- [Instructor] Ubuntu comes with a package called UFW, short for uncomplicated firewall. UFW makes it easy to write and manage basic firewall rules without having to deal with writing iptables rules directly. UFW uses iptables in the background. It generates its own set of chains and rules to do what it needs to do. To enable and disable UFW, we can use the ufw enable and ufw disable commands. When UFW is off, the system's firewall is still active with whatever rules were defined in the standard iptables chains.
Out of the box, so to speak, the system's firewall doesn't have any rules, so it's effectively fully open. UFW inserts itself into the rule chain when it's enabled and then pulls all of its rules out of the chains when it's disabled. So, practically speaking, turning UFW off doesn't mean you have no firewall; it just means you won't have whatever rules you set up in UFW while it's disabled. It also means you'll need to look a little more carefully to find rules on an existing system, or to look for conflicts.
But if you're getting started with a fresh Ubuntu install and therefore a pretty clean slate firewall-wise, it's easy to use UFW to manage your host firewall settings. Before I enable UFW here on my machine, I want to pause and ask you to think about what will happen to a remote connection when we turn on a set of firewall rules that doesn't have an entry for an SSH connection. It'll get cut off unless we have another rule specified manually in iptables. So to prevent that from happening, we can add a rule before UFW starts up, to ensure that a remote connection doesn't get interrupted when the shields go up.
When UFW starts up, it adds a bunch of its own rules to iptables and changes the default policy for the standard chains. Among other things, it sets the default policy on the INPUT chain from ACCEPT to DROP. That's what's doing most of the work in keeping most traffic out. Only once packets start matching rules that are defined will they be allowed in. So I'll add a rule with ufw allow ssh, and then I'll start up UFW with ufw enable, and now our firewall is blocking traffic.
I can see what rules are active with ufw status. Here's the result of adding the rule for SSH. UFW has knowledge of some common services that it can use to configure access. This SSH rule has allowed access to TCP port 22 on the system coming from anywhere. We can also set ports and protocols explicitly. Let's say we have a web server running on this system on port 443 and we want to allow access to it.
To add access through TCP, I would write ufw allow 443/tcp. And to leave the protocol off, allowing other protocols like UDP, I'd just write ufw allow 443. And once the rule is added, it's active. I can run ufw status again to see that it's listed. UFW keeps a log of its own activity, so let's take a look at that.
I'll start tailing the UFW log here with tail -f /var/log/ufw.log. I'll switch over to my client machine and try to connect to a port that's blocked with telnet 10.0.29 on port 2000. I'll give that a moment. Looks like it's not going to work. Good.
I'll switch back over to the other system. Here are connection attempts that are being blocked. I see the action, the input interface, the source and destination IPs, some other details, and the destination port. So this can be helpful information if you're trying to connect and need to reverse engineer a rule to allow access. Or you can just take a look at all of the work that UFW is doing for you, preventing access from the world at large.
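The blocked-connection lines described above are ordinary netfilter LOG output with a [UFW BLOCK] prefix. As an added example that is not part of the video, here is a small POSIX shell script that pulls the action, interface, addresses, protocol and destination port out of such lines, counts blocked attempts per port, and prints the matching ufw allow command (without running it); the log lines, hostname, interface and addresses are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the video. Constructed /var/log/ufw.log lines in the
# netfilter LOG format; hostname, MACs and addresses are made up.
UFW_LOG_SAMPLE='Mar  3 10:15:01 ubuntu kernel: [ 1234.567890] [UFW BLOCK] IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:12:35:02:08:00 SRC=10.0.2.2 DST=10.0.2.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51002 DPT=2000 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:04 ubuntu kernel: [ 1237.567890] [UFW BLOCK] IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:12:35:02:08:00 SRC=10.0.2.2 DST=10.0.2.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=51003 DPT=2000 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:09 ubuntu kernel: [ 1242.567890] [UFW BLOCK] IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:12:35:02:08:00 SRC=10.0.2.2 DST=10.0.2.15 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40000 DPT=5353 LEN=12
Mar  3 10:15:12 ubuntu kernel: [ 1245.567890] [UFW ALLOW] IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:12:35:02:08:00 SRC=10.0.2.2 DST=10.0.2.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12350 DF PROTO=TCP SPT=51010 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

# Read log lines on stdin; print "ACTION IN SRC DST PROTO DPT" for each UFW line.
# The KEY=VALUE tokens are split generically, so field order in the log does not matter.
ufw_log_fields() {
  awk '
    /\[UFW [A-Z]+\]/ {
      match($0, /\[UFW [A-Z]+\]/)
      action = substr($0, RSTART + 5, RLENGTH - 6)   # text between "[UFW " and "]"
      split("", kv)                                  # clear the key/value map (POSIX awk)
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n > 0) kv[substr($i, 1, n - 1)] = substr($i, n + 1)
      }
      printf "%s %s %s %s %s %s\n", action, kv["IN"], kv["SRC"], kv["DST"], kv["PROTO"], kv["DPT"]
    }'
}

# Count BLOCK entries per protocol and destination port, most frequent first.
ufw_blocked_ports() {
  ufw_log_fields | awk '$1 == "BLOCK" { c[$5 " " $6]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Print the ufw command that would open a port seen in the log ($1 = PROTO as
# logged, $2 = DPT). It only prints; deciding whether to run it is up to you.
ufw_suggest_rule() {
  printf 'ufw allow %s/%s\n' "$2" "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

printf '%s\n' "$UFW_LOG_SAMPLE" | ufw_blocked_ports
ufw_suggest_rule TCP 2000
```

Against a real system, feed /var/log/ufw.log on stdin instead of the sample string.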
We can delete rules from UFW in two ways: by number or by rule declaration. Let's get rid of the rule for port 443. When we allowed access to a port, it created a rule for both IPv4 and IPv6 traffic, so deleting a rule by using the same declaration we created it with will get rid of both of them. All right, ufw delete allow 443.
Then I'll check again and see that both of them are gone. I can also delete by number, so I'll get rid of this IPv6 rule with ufw delete 2, because it's the second item on the list. And then I'm left with just the one rule for port 22 via IPv4. That's a really quick look at UFW, and if you're interested in exploring more about how to use it, check out the man page or our other courses on Linux firewalls and networking.