Fine Tuning

Ufw stores all the rules and enables them automatically after a system reboot. The IPv4 rules are stored in the /etc/ufw/user.rules file, and the IPv6 counterparts in /etc/ufw/user6.rules. After creating new rules, you should reload these files for safety purposes by typing:

sudo ufw reload

Based on the default rules, ufw allows all outgoing connections. To specifically deny a service access to the network, use deny instead of allow. In addition, use out at the end of the line to indicate that the rule applies to outgoing connections. For example, to prohibit outgoing traffic on port 22, use:

sudo ufw deny out ssh

After issuing this command, the system can no longer contact another host via SSH. Rules for incoming connections are tagged in the same way with in. In all the previous examples where this keyword is missing, ufw automatically assumes that the rule applies to incoming connections.

In addition to allow and deny, reject signifies that the firewall does not simply ignore access attempts but also notifies the sender of the attempts. Also, comment lets you attach a note to all rules (Listing 2, first line). Each rule always applies to all network interfaces. To restrict a rule to one interface, specify its name after in or out (Listing 2, second line).

$ sudo ufw reject out ssh comment 'no ssh access allowed'
$ sudo ufw allow in on enp0s3 ssh

Bouncer

Access via SSH should only be allowed for defined hosts. To do this, first deny SSH access globally with

sudo ufw deny ssh

Since this is also the default setting, you can alternatively remove the rule

sudo ufw delete allow ssh

which deletes the allow ssh rule. If you can't remember the rules, call

sudo ufw status verbose

In addition, each rule is internally given a sequential number, which can be displayed with:

sudo ufw status numbered

You can use these numbers to delete specific rules. For example, to remove the rule assigned the number 2, use:

sudo ufw delete 2

Now that access via SSH is generally blocked, the command shown in Listing 3 exclusively allows SSH access for the computer with the IP address 192.168.1.101. If you omit to any port 22, the IP address is allowed to access all services. Similarly, you can use deny to block specific requests from an IP address.

$ sudo ufw allow from 192.168.1.101 to any port 22

Numerous requests within a short time indicate an attack and can also overload the affected service. If so desired, ufw can detect this kind of access attempt and then block it specifically. Currently, however, this useful function only works with IPv4 connections. For example, the firewall monitors the SSH service with the command

sudo ufw limit ssh

and blocks access if there are too many requests in a short time.

Chatterbox

If you get tangled up in too many rules, use the following command to start over:

sudo ufw reset

When creating new rules, you can use various reports for help. Use

sudo ufw show listening

to return all services that are currently listening on any port. This helps you find applications that you didn't know were running or that shouldn't be running at all (Figure 3).

Figure 3: Besides CUPS, the Avahi daemon and NetworkManager also are listening on the network interfaces.

If you are familiar with iptables, you can take an in-depth look into the firewall's current configuration with:

sudo ufw show raw

Ufw stores detailed information about its work in a log, which you can enable with

sudo ufw logging on

and then view in /var/log/ufw.log.