A firewall is an important part of any system, and especially of a server that is reachable over the network. This article introduces the firewall management tool UFW.

UFW (Uncomplicated Firewall) is a user-friendly front end for managing iptables rules. Its main goal is to make iptables easier to manage.

This article describes how to set up a firewall on Debian 10 using UFW.

Prerequisites

To manage UFW you must be root or have sudo privileges. On Debian, using an account with sudo privileges is recommended.

Install the UFW

UFW is not installed on Debian 10 by default, so the package has to be installed before anything else.

The installation command is as follows:

sudo apt update
sudo apt install ufw

Check the UFW status

Installing the package does not enable the firewall: it stays inactive so that a freshly installed, still unconfigured firewall cannot cut off access to the server. You can check its status with:

sudo ufw status verbose

After the command is executed, the following information is displayed:

Status: inactive

If the firewall is active, the output also shows the logging level, the default policies and the rules in force. On a host where SSH has already been allowed it looks like this:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere

Default UFW policy

By default, the UFW blocks all inbound connections and allows all outbound connections. Unless you specifically open the port, anyone trying to access your server will not be able to connect, but applications and services running on the server will be able to access the outside world.

The default policy is defined in the /etc/default/ufw file (DEFAULT_INPUT_POLICY, DEFAULT_OUTPUT_POLICY and DEFAULT_FORWARD_POLICY) and can be changed with the sudo ufw default command, which takes the policy (allow, deny or reject) followed by the direction (incoming, outgoing or routed).

Application configuration

Most server packages ship an application profile that describes the service and the ports it uses. The profile is placed in the /etc/ufw/applications.d directory when the package is installed.

To list the application profiles available on your system, run:

sudo ufw app list

Depending on the packages installed, the output is similar to the following:

Available applications:
  AIM
  Bonjour
  CIFS
  CUPS
  DNS
  Deluge
  IMAP
  IMAPS
  IPP
  KTorrent
  Kerberos Admin
  ...

To find out more about a particular profile and the rules it contains, use the app info command followed by the profile name. For example, to show the OpenSSH profile:

sudo ufw app info OpenSSH

The output includes the profile name, title, description and the ports the profile opens:

Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.

Port:
  22/tcp
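Packages ship these profiles, but you can write your own for a service that has none, and then open it by name in the same way. The script below is an added example and not part of the original article: it writes a profile in the format ufw reads from /etc/ufw/applications.d (an INI-style section with title, description and ports keys) after checking the ports value against the syntax ufw accepts, where a port range must carry a protocol. The profile name Tomcat and its ports are illustrative assumptions, and PROFILE_DIR is a hypothetical override of this script, used so it can be exercised outside /etc.

```shell
#!/bin/sh
# Added example (not from the article): create a custom UFW application
# profile. Assumptions: the profile name/ports given on the command line are
# illustrative; PROFILE_DIR (hypothetical, default /etc/ufw/applications.d)
# lets the script be tested in a scratch directory.

# Check a ports= value against the syntax ufw accepts: groups separated by
# "|", each "port[,port...]" or "low:high", optionally followed by "/tcp" or
# "/udp". A range must name its protocol; anything else is rejected.
valid_ports_spec() {
    [ -n "$1" ] || return 1
    printf '%s' "$1" | awk '
        {
            n = split($0, groups, "|")
            for (i = 1; i <= n; i++) {
                g = groups[i]
                if (g ~ /^[0-9]+(,[0-9]+)*(\/(tcp|udp))?$/) continue
                if (g ~ /^[0-9]+:[0-9]+\/(tcp|udp)$/) continue
                exit 1
            }
        }'
}

# Write $PROFILE_DIR/<name> with the four keys ufw expects.
# Returns 1 without writing anything when the ports value is malformed,
# so a typo cannot leave a half-usable profile behind.
write_profile() {
    name=$1; title=$2; desc=$3; ports=$4
    dir=${PROFILE_DIR:-/etc/ufw/applications.d}
    if ! valid_ports_spec "$ports"; then
        echo "bad ports spec: $ports" >&2
        return 1
    fi
    printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' \
        "$name" "$title" "$desc" "$ports" > "$dir/$name"
    # "app update" re-applies rules that already reference the profile;
    # it is harmless for a brand-new one. Only meaningful on the real path
    # and as root, so it is skipped in the scratch-directory case.
    if [ "$dir" = /etc/ufw/applications.d ] && [ "$(id -u)" = 0 ]; then
        ufw app update "$name"
    fi
}

# Stand-alone use: sudo sh profile.sh NAME TITLE DESCRIPTION PORTS
if [ $# -eq 4 ]; then
    write_profile "$@"
fi
```

Run it as root with the four arguments, for example sudo sh profile.sh Tomcat "Apache Tomcat" "Java servlet container" "8080,8443/tcp"; afterwards sudo ufw app info Tomcat shows the new profile and sudo ufw allow Tomcat opens both ports in one rule.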

Allow SSH Connections

Before enabling UFW, you must allow incoming SSH connections.

If you administer the server remotely and enable UFW before explicitly allowing incoming SSH, you lock yourself out of the Debian server.

To configure UFW to accept SSH connections, run:

sudo ufw allow OpenSSH

After the command is executed, the following information is displayed:

Rules updated
Rules updated (v6)

If the SSH server listens on a port other than the default 22, allow that port instead; the OpenSSH profile only covers 22/tcp.

For example, if your SSH server listens on port 2222, you would execute:

sudo ufw allow 2222/tcp

Enable the UFW

Now that UFW is configured to accept incoming SSH connections, enable it:

sudo ufw enable

After the command is executed, the following information is displayed:

Command may disrupt existing ssh connections. Proceed with operation (y|n)?

Enter y and press Enter. The terminal then confirms that the firewall is active and will also be started at boot:

Firewall is active and enabled on system startup

Open ports

Depending on the applications running on the server, you also need to open the ports those services listen on.

Here are some examples of how to allow incoming connections to some of the most common services:

To allow HTTP (port 80):

sudo ufw allow http

Here http is the service name from /etc/services, so you can equally specify the port number:

sudo ufw allow 80/tcp

To allow HTTPS (port 443):

sudo ufw allow https

Or, by port number:

sudo ufw allow 443/tcp

To allow port 8080 for Tomcat:

sudo ufw allow 8080/tcp

Besides individual services and ports, you can also allow a whole port range.

For example, to allow TCP and UDP access to ports 8090 to 9090:

sudo ufw allow 8090:9090/tcp
sudo ufw allow 8090:9090/udp
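Putting the steps above together (default policy, SSH before enable, the web ports, then enable) as one script is an added example here, not code from the original article. It prints every ufw command and executes it only when UFW_APPLY=1, so the plan can be reviewed before it touches the firewall. Assumptions: the SSH port is taken from the Port directives of the sshd_config passed as the first argument (default /etc/ssh/sshd_config), and SSH is admitted with ufw limit, which rate-limits new connections from a single source, rather than a plain allow; UFW_APPLY is a variable of this script, not a ufw option.

```shell
#!/bin/sh
# Added example (not from the article): apply a UFW baseline in the order
# the article prescribes. Prints the plan; executes only with UFW_APPLY=1.
# Assumption: the SSH port comes from the sshd_config given as $1.

# Print a command, and execute it only when UFW_APPLY=1.
run() {
    printf '%s\n' "$*"
    if [ "${UFW_APPLY:-0}" = 1 ]; then "$@"; fi
}

# List the Port directives of an sshd_config. sshd defaults to 22 when
# there is none; a commented "#Port 22" does not count because its first
# field is "#Port".
ssh_ports() {
    if [ -r "$1" ]; then
        awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }' "$1"
    else
        echo 22
    fi
}

# Default-deny inbound, allow outbound, admit SSH before enabling, then
# open HTTP/HTTPS and switch the firewall on without the interactive prompt.
ufw_baseline() {
    cfg=${1:-/etc/ssh/sshd_config}
    run sudo ufw default deny incoming
    run sudo ufw default allow outgoing
    # Every configured SSH port is admitted BEFORE "enable" to avoid lockout.
    # "limit" rate-limits new connections (6 per 30 s per source address),
    # which blunts password brute forcing without blocking normal logins.
    for p in $(ssh_ports "$cfg"); do
        run sudo ufw limit "$p/tcp" comment SSH
    done
    run sudo ufw allow http
    run sudo ufw allow https
    # --force answers the "may disrupt existing ssh connections" prompt.
    run sudo ufw --force enable
    run sudo ufw status verbose
}

ufw_baseline "$@"
```

Review the plan with sh baseline.sh, then apply it with UFW_APPLY=1 sh baseline.sh. If sshd listens on 2222, the script allows 2222/tcp and leaves 22 closed, which is exactly the case where copying the commands above verbatim would lock you out.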

Allow specific IP addresses

To allow access to all ports from a specific IP address, use ufw allow from followed by the address:

sudo ufw allow from 115.127.62.61

To allow a specific IP address to reach only a specific port, add the port:

sudo ufw allow from 115.127.62.61 to any port 22

Allow a subnet

Allowing connections from a subnet works the same way as for a single IP address; the only difference is that you specify a network mask. For example, to allow the addresses 192.168.1.1 to 192.168.1.254 to reach port 3306 (MySQL):

sudo ufw allow from 192.168.1.0/24 to any port 3306

Allow connections on a specific network interface

To allow access to a port only on a specific network interface, say port 3306 on eth2, use allow in on followed by the interface name:

sudo ufw allow in on eth2 to any port 3306

Deny connections

The default policy for incoming connections is deny, so UFW silently drops every incoming connection you have not explicitly allowed. (reject is a separate action that additionally answers with an ICMP error or TCP reset, which tells a scanner that a firewall is present.)

Suppose ports 80 and 443 are open and the server is being attacked from the 23.24.25.0/24 network. To deny all connections from 23.24.25.0/24:

sudo ufw deny from 23.24.25.0/24

To deny only access to ports 80 and 443 from 23.24.25.0/24:

sudo ufw deny from 23.24.25.0/24 to any port 80
sudo ufw deny from 23.24.25.0/24 to any port 443

Writing a deny rule is the same as writing an allow rule: replace allow with deny. Be aware that UFW evaluates rules in order and stops at the first match. A deny rule appended after an existing rule that already allows the same port from anywhere (as in the example above, where port 80 was opened first) is never reached; such a rule has to be placed ahead of the allow rule with the ufw insert subcommand, and sudo ufw status numbered shows the order.

Delete UFW rules

There are two ways to delete a UFW rule: by rule number, or by specifying the rule itself.

Deleting by number is the easiest, especially if you are not yet familiar with UFW syntax.

To delete a rule by number, first find the number of the rule you want to remove:

sudo ufw status numbered

The output looks like this:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere

To delete rule number 3 (the rule allowing connections to port 8080), run the following; UFW asks for confirmation before removing it:

sudo ufw delete 3

The second method is to specify the rule itself. For example, if you added a rule opening port 8069, you can remove it with:

sudo ufw delete allow 8069
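Two pitfalls from the last sections, a deny rule that sits behind an earlier allow and so never matches, and rule numbers that shift after every delete, can both be caught from the output of ufw status numbered. The script below is an added example, not part of the original article: it parses that output (SAMPLE_STATUS is a constructed sample shaped like real ufw output), reports DENY rules that are shadowed by an earlier ALLOW from Anywhere on the same destination, and emits the delete commands for every rule on a given port, IPv6 twin included, highest number first so that the remaining numbers stay valid while the deletes run. The function names and the sample rules are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): audit and bulk-delete UFW rules by
# parsing `ufw status numbered`. SAMPLE_STATUS is constructed test data;
# on a real host pipe `sudo ufw status numbered` into the functions instead.

SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere
[ 4] 80/tcp                     DENY IN     23.24.25.0/24
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)'

# Normalise each "[ n] To  Action  From" line to: n<TAB>to<TAB>action<TAB>from.
# ufw separates its columns with two or more spaces, so split on that.
parse_rules() {
    awk -F'  +' '/^\[ *[0-9]+\]/ {
        n = $1; sub(/\].*/, "", n); sub(/^\[ */, "", n)
        to = $1; sub(/^\[[ 0-9]*\] */, "", to)
        printf "%s\t%s\t%s\t%s\n", n, to, $2, $3
    }'
}

# Report DENY rules that can never match: ufw stops at the first matching
# rule, so an earlier ALLOW from Anywhere to the same destination wins.
shadowed_denies() {
    parse_rules | awk -F'\t' '
        $3 ~ /^ALLOW/ && $4 ~ /^Anywhere/ { open[$2] = $1 }
        $3 ~ /^DENY/ && ($2 in open) {
            printf "rule %s (deny from %s to %s) is shadowed by rule %s\n",
                   $1, $4, $2, open[$2]
        }'
}

# Emit `ufw --force delete N` for every rule whose To column is the given
# port spec, including its "(v6)" twin, highest number first: deleting rule
# 3 renumbers 4..n, so deleting from the top keeps the numbers we still hold.
# --force skips the per-rule confirmation prompt.
delete_rules_for() {
    spec=$1
    parse_rules | awk -F'\t' -v spec="$spec" '
        $2 == spec || $2 == spec " (v6)" { print $1 }' |
        sort -rn |
        while read -r n; do
            printf 'sudo ufw --force delete %s\n' "$n"
        done
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | shadowed_denies
printf '%s\n' "$SAMPLE_STATUS" | delete_rules_for 8080/tcp
```

On a live host pipe the real table in: sudo ufw status numbered | shadowed_denies, and, once you have read the emitted commands, sudo ufw status numbered | delete_rules_for 8080/tcp | sh. The shadowed rule 4 in the sample is fixed by deleting it and re-adding it at the top of the list with sudo ufw insert 1 deny from 23.24.25.0/24 to any port 80.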

Disable the UFW

To stop UFW and deactivate all its rules, run:

sudo ufw disable

To re-enable UFW and reactivate all rules later, simply type:

sudo ufw enable

Reset the UFW

Resetting UFW disables it and deletes all active rules. Use it when you want to discard your changes and start from scratch.

To reset UFW, run:

sudo ufw reset

Conclusion

This tutorial showed how to install and configure UFW on a Debian 10 machine. With a default-deny inbound policy the firewall lets through only the connections you have explicitly allowed and drops everything else, which keeps the server's exposed surface as small as possible.

If you have a different opinion, feel free to leave a comment.