1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
|
+++
date = 2021-01-07
title = "Secure Your Network with the Uncomplicated Firewall (ufw)"
description = ""
draft = false
+++
# Uncomplicated Firewall
Uncomplicated Firewall, also known as ufw, is a convenient and beginner-friendly
way to enforce OS-level firewall rules. For those who are hosting servers or any
device that is accessible to the world (i.e., by public IP or domain name),
it's critical that a firewall is properly implemented and active.
Ufw is available by default in all Ubuntu installations after 8.04 LTS. For
other distributions, you can look to install ufw or check if there are
alternative firewalls installed already. There are usually alternatives
available, such as Fedora's `firewall` and the package available on most
distributions: `iptables`. Ufw is considered a beginner-friendly front-end to
iptables.
[Gufw](https://gufw.org) is available as a graphical user interface (GUI)
application for users who are uncomfortable setting up a firewall through a
terminal.
# Getting Help
If you need help figuring out commands, remember that you can run the `--help`
flag to get a list of options.
```sh
sudo ufw --help
```
# Set Default State
The proper way to run a firewall is to set a strict default state and slowly
open up ports that you want to allow. This helps prevent anything malicious from
slipping through the cracks. The following command prevents all incoming traffic
(other than the rules we specify later), but you can also set this for outgoing
connections, if necessary.
```sh
sudo ufw default deny incoming
```
You should also allow outgoing traffic if you want to allow the device to
communicate back to you or other parties. For example, media servers like Plex
need to be able to send out data related to streaming the media.
```sh
sudo ufw default allow outgoing
```
# Adding Port Rules
Now that we've disabled all incoming traffic by default, we need to open up
some ports (or else no traffic would be able to come in). If you need to be able
to `ssh` into the machine, you'll need to open up port 22.
```sh
sudo ufw allow 22
```
You can also issue more restrictive rules. The following rule will allow `ssh`
connections only from machines on the local subnet.
```sh
sudo ufw allow proto tcp from 192.168.0.0/24 to any port 22
```
If you need to set a rule that isn't tcp, just append your connection type to
the end of the rule.
```sh
sudo ufw allow 1900/udp
```
# Enable ufw
Now that the firewall is configured and ready to go, you can enable the
firewall.
```sh
sudo ufw enable
```
A restart may be required for the firewall to begin operating.
```sh
sudo reboot now
```
# Checking Status
Now that the firewall is enabled, let's check and see what the rules look like.
```sh
sudo ufw status numbered
```
``` txt
Status: active
To Action From
-- ------ ----
[ 1] 22 ALLOW IN Anywhere
[ 2] 22 (v6) ALLOW IN Anywhere (v6)
```
# Deleting Rules
If you need to delete a rule, you need to know the number associated with that
rule. Let's delete the first rule in the table above. You'll be asked to
confirm the deletion as part of this process.
```sh
sudo ufw delete 1
```
# Managing App Rules
Luckily, there's a convenient way for installed applications to create files
that ufw can easily implement so that you don't have to search and find which
ports your application requires. To see if your device has any applications with
pre-installed ufw rules, execute the following command:
```sh
sudo ufw app list
```
The results should look something like this:
``` txt
Available applications:
OpenSSH
Samba
plexmediaserver
plexmediaserver-all
plexmediaserver-dlna
```
If you want to get more information on a specific app rule, use the `info`
command.
```sh
sudo ufw app info plexmediaserver-dlna
```
You'll get a blurb of info back like this:
``` txt
Profile: plexmediaserver-dlna
Title: Plex Media Server (DLNA)
Description: The Plex Media Server (additional DLNA capability only)
Ports:
1900/udp
32469/tcp
```
You can add or delete app rules the same way that you'd add or delete specific
port rules.
```sh
sudo ufw allow plexmediaserver-dlna
```
```sh
sudo ufw delete RULE|NUM
```
# Creating App Rules
If you'd like to create you own app rule, you'll need to create a file in the
`/etc/ufw/applications.d` directory. Within the file you create, you need to
make sure the content is properly formatted.
For example, here are the contents my `plexmediaserver` file, which creates
three distinct app rules for ufw:
``` config
[plexmediaserver]
title=Plex Media Server (Standard)
description=The Plex Media Server
ports=32400/tcp|3005/tcp|5353/udp|8324/tcp|32410:32414/udp
[plexmediaserver-dlna]
title=Plex Media Server (DLNA)
description=The Plex Media Server (additional DLNA capability only)
ports=1900/udp|32469/tcp
[plexmediaserver-all]
title=Plex Media Server (Standard + DLNA)
description=The Plex Media Server (with additional DLNA capability)
ports=32400/tcp|3005/tcp|5353/udp|8324/tcp|32410:32414/udp|1900/udp|32469/tcp
```
So, if I wanted to create a custom app rule called "mycustomrule," I'd create
a file and add my content like this:
```sh
sudo nano /etc/ufw/applications.d/mycustomrule
```
``` config
[mycustomrule]
title=My Custom Rule
description=This is a temporary ufw app rule.
ports=88/tcp|9100/udp
```
Then, I would just enable this rule in ufw.
```sh
sudo ufw allow mycustomrule
```
|
