To enable UFW and have it start with the system use the following command:
sudo ufw enable
Obviously you will need to know the Root user’s password as ufw needs Root privileges to be configured.
Adding rules is very simple the basic syntax is as follows:
ufw allow/deny “port number”/“service”
So if we wanted to allow SSH access we would need to allow port 22:
ufw allow ssh
ufw allow 22
This is because ufw recognizes the common network protocols such as ssh (port 22), http (port 80) and ftp (port 21) etc, so these can be expressed by name as well as port number.
To check what rules already exist simply use:
The screen snippet below shows an example of using the status command and adding an allow rule:
The same syntax can be applied when you wish to deny a port number or service:
ufw deny 80
This would stop all http traffic using the standard port number and hence most traffic to internet webpages.
From the UFW man page we can also see the ordering of the rules is important and that the first rule that applies takes affect and hence no more rules are consulted or applied. As you can see from the screen snippet above rules are added to the bottom of the list and the rules are applied from the top downwards. So pre-planning is required to get the best and most efficient sequence of rules.
Lets look at the scenario where we want to allow ssh access to our machine and we also want to block all access from a given IP address of 192.168.1.3 we would use the following commands:
ufw allow 22
ufw deny from 192.168.1.3
A quick status check would look as follows:
So you think this would combine to deny the address 192.168.1.3 all access including ssh. However that is not the case as an attempted ssh connection from 192.168.1.3 would actually be granted, as the below screenshot will demonstrate.
This is because the ssh attempt matches the first rule in the list which is allowed so the connection is granted.
To get the desired effect you need put the deny rule first. All hosts that do not match the IP address skip over the deny then move onto the allow rule concerning ssh and are granted access. The way to acheive this would be to enter the rules in the reverse order ie*:
ufw deny from 1918.104.22.168
ufw allow ssh
So any future attempts from 192.168.1.3 to connect to any port would denied as follows:
*As the previous rules exist you must either delete the old rules or reset all the rules, before you try and re-order them.
To delete an existing rule you can do this with the following syntax:
ufw delete allow/deny “port number”/“service”
For example we can delete the deny rule for the IP address 192.168.1.3 using :
ufw delete deny from 192.168.1.3
We can also stop allowing ssh traffic using:
ufw delete allow 22
A better approach to allow/deny specific IP addresses access to specific port would be to combine rules such as:
ufw allow from 192.168.1.3 to any port 5900
In the case that a connections doesn’t match any of the rules defined by UFW then it is subjected to the default policy of either allow or deny. The default policy can be set with the following command:
ufw default deny
ufw default allow
In practice the most common case is to set the firewall default policy to deny and then explicitly add allow rules to grant access as required.