Simplify your firewall setup
Fine Tuning
Ufw stores all the rules and enables them automatically after a system reboot. The IPv4 rules are stored in the /etc/ufw/user.rules
file, and the IPv6 counterparts in /etc/ufw/user6.rules
. After creating new rules, you should reload these files for safety purposes by typing:
sudo ufw reload
Based on the default rules, ufw allows all outgoing connections. To specifically deny a service access to the network, use deny
instead of allow
. In addition, use out
at the end of the line to indicate that the rule applies to outgoing connections. For example, to prohibit outgoing traffic on port 22, use:
sudo ufw deny out ssh
After issuing this command, the system can no longer contact another host via SSH. Rules for incoming connections are tagged in the same way with in
. In all the previous examples where this keyword is missing, ufw automatically assumes that the rule applies to incoming connections.
In addition to allow
and deny
, reject
signifies that the firewall does not simply ignore access attempts but also notifies the sender of the attempts. Also, comment
lets you attach a note to all rules (Listing 2, first line). Each rule always applies to all network interfaces. To restrict a rule to one interface, specify its name after in
or out
(Listing 2, second line).
Listing 2
Comments and Interfaces
$ sudo ufw reject out ssh comment 'no ssh access allowed' $ sudo ufw allow in on enp0s3 ssh
Bouncer
Access via SSH should only be allowed for defined hosts. To do this, first deny SSH access globally with
sudo ufw deny ssh
Since this is also the default setting, you can alternatively remove the rule
sudo ufw delete allow ssh
which deletes the allow ssh
rule. If you can't remember the rules, call
sudo ufw status verbose
In addition, each rule is internally given a sequential number, which can be displayed with:
sudo ufw status numbered
You can use these numbers to delete specific rules. For example, to remove the rule assigned the number 2, use:
sudo ufw delete 2
Now that access via SSH is generally blocked, the command shown in Listing 3 exclusively allows SSH access for the computer with the IP address 192.168.1.101. If you omit to any port 22
, the IP address is allowed to access all services. Similarly, you can use deny
to block specific requests from an IP address.
Listing 3
Unblocking
$ sudo ufw allow from 192.168.1.101 to any port 22
Numerous requests within a short time indicate an attack and can also overload the affected service. If so desired, ufw can detect this kind of access attempt and then block it specifically. Currently, however, this useful function only works with IPv4 connections. For example, the firewall monitors the SSH service with the command
sudo ufw limit ssh
and blocks access if there are too many requests in a short time.
Chatterbox
If you get tangled up in too many rules, use the following command to start over:
sudo ufw reset
When creating new rules, you can use various reports for help. Use
sudo ufw show listening
to return all services that are currently listening on any port. This helps you find applications that you didn't know were running or that shouldn't be running at all (Figure 3).
If you are familiar with iptables, you can take an in-depth look into the firewall's current configuration with:
sudo ufw show raw
Ufw stores detailed information about its work in a log, which you can enable with
sudo ufw logging on
and then view in /var/log/ufw.log
.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Budgie 10.10 Scheduled for Q1 2025 with a Surprising Desktop Update
If Budgie is your desktop environment of choice, 2025 is going to be a great year for you.
-
Firefox 134 Offers Improvements for Linux Version
Fans of Linux and Firefox rejoice, as there's a new version available that includes some handy updates.
-
Serpent OS Arrives with a New Alpha Release
After months of silence, Ikey Doherty has released a new alpha for his Serpent OS.
-
HashiCorp Cofounder Unveils Ghostty, a Linux Terminal App
Ghostty is a new Linux terminal app that's fast, feature-rich, and offers a platform-native GUI while remaining cross-platform.
-
Fedora Asahi Remix 41 Available for Apple Silicon
If you have an Apple Silicon Mac and you're hoping to install Fedora, you're in luck because the latest release supports the M1 and M2 chips.
-
Systemd Fixes Bug While Facing New Challenger in GNU Shepherd
The systemd developers have fixed a really nasty bug amid the release of the new GNU Shepherd init system.
-
AlmaLinux 10.0 Beta Released
The AlmaLinux OS Foundation has announced the availability of AlmaLinux 10.0 Beta ("Purple Lion") for all supported devices with significant changes.
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.