Introduction
In Linux system administration, security is a constant priority. One of the most critical aspects is the protection of network traffic through a firewall. In Ubuntu, the most accessible tool for this purpose is UFW (Uncomplicated Firewall), which offers a simple interface over the more complex iptables. This article will guide you from installation to advanced UFW configuration, allowing you to protect your server or desktop effectively and without complications.
What is UFW?
UFW is an abstraction layer designed to simplify the management of firewall rules on Debian and Ubuntu-based systems. Instead of writing long chains of iptables rules, UFW lets you define policies with intuitive commands such as allow, deny and reject. Although its objective is simplicity, UFW retains all the power of iptables under the hood, which makes it an ideal option both for beginners and for experienced administrators looking for speed and clarity.
Basic installation and activation
On most Ubuntu installations, UFW comes pre-installed. If it is not present, you can install it with:
sudo apt update
sudo apt install ufw
Once installed, the firewall is disabled by default to avoid accidental blockages during configuration. To activate it, run:
sudo ufw enable
To check its status, use:
sudo ufw status verbose
This command will show whether UFW is active, the default policies and any exceptions you have defined.
Default rules
Before creating exceptions, it is useful to define the default behavior. The most common policies are:
- Deny all incoming traffic:
sudo ufw default deny incoming
- Allow all outgoing traffic:
sudo ufw default allow outgoing
With these defaults in place, you explicitly allow only the services you need, following the principle of least privilege.
Allow and deny specific services
UFW allows easy opening or closing of ports. For example, to enable SSH access (port 22):
sudo ufw allow 22
If you prefer to specify the protocol:
sudo ufw allow 22/tcp
To deny HTTP traffic (port 80):
sudo ufw deny 80
You can also allow port ranges, useful for applications using multiple ports:
sudo ufw allow 6000:6007/tcp
Application profiles
Many Ubuntu packages include predefined profiles for UFW, which further simplifies the configuration. To list the available profiles:
sudo ufw app list
To allow a full profile, for example Apache:
sudo ufw allow 'Apache Full'
Profiles usually bundle several rules (ports 80 and 443 in the case of Apache Full), saving you from having to specify each port manually.
Logging and monitoring
UFW can log blocked connection attempts, which is valuable for detecting attacks or misconfigurations. To enable logging:
sudo ufw logging on
The logging level can be adjusted with low, medium or high. Logs are written to /var/log/ufw.log and can be reviewed with tools like grep or journalctl.
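Reviewing the log by hand becomes tedious once blocked entries pile up. The following script is an added example, not part of the original article: it summarises [UFW BLOCK] entries by source address and destination port, so that repeated probes against closed ports stand out. The log lines embedded in it are constructed samples in the netfilter format UFW writes; on a real system, pass /var/log/ufw.log to the function instead.

```shell
#!/bin/sh
# Added example (not from the original article): summarise UFW block entries.
# Print "count SRC DPT" lines for blocked packets, most frequent first.
# Usage: ufw_top_blocked /var/log/ufw.log   (or pipe the log on stdin)
ufw_top_blocked() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = ""
            # Fields are KEY=VALUE tokens; pick out source IP and destination port.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | sort -rn
}

# Number of distinct destination ports one source was blocked on (a crude
# port-scan indicator). Reads the log on stdin; first argument is the IP.
ufw_ports_probed_by() {
    ufw_top_blocked | awk -v ip="$1" '$2 == ip { n++ } END { print n + 0 }'
}

# Constructed sample log in the format produced by "ufw logging on".
# Addresses are documentation ranges; the MAC field is a made-up value.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:00:01 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=1 PROTO=TCP SPT=41234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:02 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=2 PROTO=TCP SPT=41235 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:03 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=3 PROTO=TCP SPT=41236 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:04 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=51000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:05 srv kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=TCP SPT=52000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
)

# Demo run on the constructed sample; the ALLOW line is ignored.
printf '%s\n' "$SAMPLE_LOG" | ufw_top_blocked
printf '%s\n' "$SAMPLE_LOG" | ufw_ports_probed_by 203.0.113.5
```

The top line of the summary (2 hits from 203.0.113.5 on port 22) is the kind of entry worth cross-checking against the allow rules you intended.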
Advanced examples
Suppose you want to allow access to a MySQL database only from a specific IP:
sudo ufw allow from 203.0.113.10 to any port 3306
To limit SSH traffic to a range of internal addresses:
sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp
If you need to remove a rule, first list the numbered rules:
sudo ufw status numbered
Then delete the rule by its number, for example rule 3:
sudo ufw delete 3
Solving common problems
If you lose the SSH connection after activating UFW, you have most likely blocked port 22 without noticing. In that case, access your cloud provider's console or a local terminal and restore access:
sudo ufw allow 22/tcp
sudo ufw reload
Another common situation is that an application does not work because its port is not allowed. Check the active rules with sudo ufw status and add the necessary exception.
Conclusion
UFW strikes an ideal balance between power and simplicity for firewall management in Ubuntu. Its clear syntax, the availability of application profiles and its logging capability make it an indispensable tool for any administrator who wants to protect their systems without spending time on complex iptables configurations. By following the steps and examples in this article, you can define a robust security policy adapted to the needs of your environment, keeping your server or desktop safe from unauthorized access.