# UFW: Uncomplicated Firewall — Cheat Sheet ## Installation If you are using Ubuntu then UFW will be installed by default. If you are using Debian or a derivative, then you can install UFW by entering the following ``` root@host:~# apt-get install ufw ``` UFW is not available in CentOS, and although you can install it from source, that is outside the scope of this tutorial. ## Checking status When you check the status, UFW will either tell you that it is inactive, ``` root@host:~# ufw status Status: inactive ``` or it will tell you it is active and list the firewall rules. ``` root@host:~# ufw status Status: active To Action From -- ------ ---- 22/tcp ALLOW Anywhere 22/tcp (v6) ALLOW Anywhere (v6) ``` Rules can also be numbered, which is particularly useful when you wish to delete one. ``` root@host:~# ufw status numbered Status: active To Action From -- ------ ---- [ 1] WWW Full ALLOW IN Anywhere [ 2] WWW Full (v6) ALLOW IN Anywhere (v6) ``` Not that if you have no rules enables, you will just be told it is active ``` root@host:~# ufw status Status: active ``` ## Enable and disable Enabling and disabling are from the following commands. Warning; if you are working on a remote system, allow the SSH rule before you enable UFW or you risk losing your shell access. ``` root@host:~# ufw enable Firewall is active and enabled on system startup root@host:~# ufw disable Firewall stopped and disabled on system startup ``` ## Deleting rules The easiest way to delete a rule is to delete it by number, but you can also delete it by definition. ``` root@host:~# ufw status numbered Status: active To Action From -- ------ ---- [ 1] 22/tcp ALLOW IN Anywhere [ 2] 22/tcp (v6) ALLOW IN Anywhere (v6) ``` Note that as there are 2 rules (ipv4 and ipv6) for every pre-defined service, delete will only remove the rule for one protocol. ``` root@host:~# ufw delete 2 Deleting: allow 22/tcp Proceed with operation (y|n)? y Rule deleted (v6) ``` ## Logging Logging is on by default, but can rapidly fill your log files with noise. Enable and disable thusly ``` root@host:~# ufw logging on Logging enabled root@host:~# ufw logging off Logging disabled ``` You can also change the logging levels if necessary, but low is the default. ``` root@host:~# ufw logging medium Logging enabled Pre-defined rules ``` One of the strengths for sysadmins who may only infrequently change firewall rules is the set of pre-defined rules that UFW ships with. These obviously assume that you are running services on default ports and will NOT work if you have tried to obfuscate by assigning non-default ports. They also assume you will be allowing ALL traffic to these port (see later for how to restrict traffic sources and destinations. ``` root@host:~# ufw app list Available applications: AIM Bonjour CIFS CUPS DNS Deluge IMAP IMAPS IPP KTorrent Kerberos Admin Kerberos Full Kerberos KDC Kerberos Password LDAP LDAPS LPD MSN MSN SSL Mail submission NFS POP3 POP3S PeopleNearby SMTP SSH Socks Telnet Transmission Transparent Proxy VNC WWW WWW Cache WWW Full WWW Secure XMPP Yahoo qBittorrent svnserve ``` You can see a full list of these and their definitions in /etc/ufw/applications.d. ## SSH If you are running a remote server, you almost certainly want this rule enabled. ``` root@host:~# ufw allow ssh Rule added Rule added (v6) root@host:~# ufw status Status: active To Action From -- ------ ---- 22/tcp ALLOW Anywhere 22/tcp (v6) ALLOW Anywhere (v6) http(s) ``` You can enable both port 80 (http) and 443 (https) in one go with the following command, but there are options to only enable one ``` root@host:~# ufw allow www\ full Rules updated Rules updated (v6) root@host:~# ufw status [sudo] password for simon: Status: active To Action From -- ------ ---- WWW Full ALLOW Anywhere WWW Full (v6) ALLOW Anywhere (v6) ``` ## More complex usage Port and protocol ``` root@host:~# ufw allow 45/tcp Rule added Rule added (v6) ``` ### Source and Destination Allow only from an IP ``` root@host:~# ufw allow from 192.168.1.1 port 62 Rule added root@host:~# ufw status Status: active To Action From -- ------ ---- Anywhere ALLOW 192.168.1.1 62 ``` Allow only to a certain local interface ``` root@host:~# ufw allow to 127.0.0.2 port 62 Rule added root@host:~# ufw status Status: active To Action From -- ------ ---- 127.0.0.2 62 ALLOW Anywhere ``` ### Protocol only If you have followed my ipsec tutorial, you will need the firewall ports open to establish the key exchange – this is one of the few protolcols which do not require a port number. ``` root@host:~# ufw allow to 127.0.0.3 proto esp Rule added root@host:~# ufw allow to 127.0.0.3 proto ah Rule added root@host:~# ufw status Status: active To Action From -- ------ ---- 127.0.0.3/esp ALLOW Anywhere 127.0.0.3/ah ALLOW Anywhere ``` Note that you need a destination in this instance.