How to Configure UFW on Ubuntu: A Guide for DevOps and Webmasters

Uncomplicated Firewall (UFW) is a user-friendly front-end for managing iptables, which simplifies the process of configuring and managing a firewall on Ubuntu systems.

UFW is ideal for DevOps professionals and webmasters who need to secure their servers with minimal effort while maintaining flexibility and control.

What Does UFW do?

To make it short, UFW provides a simple way to manage the Netfilter firewall built into the Linux kernel. It’s designed to be easy to use for everyday users but powerful enough for more complex configurations, making it a popular choice for both beginners and experienced sysadmins.

Key Features of UFW

• Simplicity: UFW abstracts the complexity of iptables, providing an intuitive command structure.
• IPv4 and IPv6 Support: UFW fully supports both IPv4 and IPv6, ensuring modern network compatibility.
• Pre-configured Application Profiles: UFW comes with pre-defined profiles for common services like HTTP, HTTPS, SSH, and FTP.
• Logging: UFW can log all blocked traffic, helping to monitor and troubleshoot firewall activity.
• Integration with GUFW: UFW can be managed through GUFW, a graphical interface, for those who prefer a GUI.
• Rate Limiting: UFW supports rate limiting to help prevent brute-force attacks on services like SSH.
• Custom Rules: Users can define custom rules, making UFW flexible for various use cases.
• Extensive Rule Management: UFW allows fine-grained control over inbound and outbound traffic with options to allow, deny, reject, or limit connections.

Step-by-Step Guide to Configuring UFW on Ubuntu

Installing UFW

If UFW is not installed by default, you can install it with the following commands:

sudo apt update
sudo apt install ufw

Check the current status of UFW:

sudo ufw status

Enable UFW if it’s inactive:

sudo ufw enable

Basic UFW Configuration

Ensure SSH access remains open, especially if you are configuring UFW remotely:

sudo ufw allow ssh

For custom SSH ports:

sudo ufw allow 2222/tcp

Allowing HTTP and HTTPS Traffic

For web servers, allow HTTP and HTTPS traffic:

sudo ufw allow http
sudo ufw allow https

You can also use predefined service profiles:

sudo ufw allow 'Apache Full'

Configuring FTP Access

To enable FTP, open the necessary ports:

sudo ufw allow 21/tcp
sudo ufw allow 20/tcp

For Passive FTP, open a range of ports:

sudo ufw allow 40000:50000/tcp

Allowing MySQL Access

If your MySQL server requires remote access:

sudo ufw allow mysql

Or manually specify the port:

sudo ufw allow 3306/tcp

Allowing Other Services

To allow other services, specify their ports or service names. For instance, to enable SMTP:

sudo ufw allow smtp

Or for custom ports:

sudo ufw allow 2525/tcp

Denying Unwanted Traffic

To block specific traffic, you can use:

sudo ufw deny from 192.168.1.100

For a more restrictive setup, block all incoming traffic except for allowed services:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Checking and Managing UFW Rules

View your active UFW rules:

sudo ufw status verbose

To remove a rule:

sudo ufw delete allow 21/tcp

Disabling UFW

To disable UFW temporarily or permanently:

sudo ufw disable

Final Note

Configuring UFW on Ubuntu provides a robust layer of security for your server, with an easy-to-manage interface suitable for both DevOps professionals and webmasters.

This guide has covered the essential steps and provided practical examples for managing access to common services like SSH, FTP, MySQL, and web traffic.