UFW, or Uncomplicated FireWall, is a firewall frontend package available for most Linux distributions (tested personally on Debian derivatives and Gentoo).
Installation:
- Debian, or anything based on Debian:
sudo apt install ufw
- Gentoo:
echo "net-firewall/ufw ipv6" | sudo tee /etc/portage/package.use/ufw
sudo emerge -a net-firewall/ufw
Enabling
sudo ufw enable
Ta-da!
Lock-out warning
If you’re enabling this on a server which you only have SSH access to, make sure you allow SSH connections before enabling UFW, otherwise you may get locked out!
To undo this, simply run sudo ufw disable.
Checking status
There are three ways to check status of UFW rules:
sudo ufw status - Basic “what’s enabled” rule list
sudo ufw status verbose - More detailed list, including port numbers for named app profiles. Useful for debugging network problems.
sudo ufw status numbered - Assigns every rule a number. Useful for deleting rules.
Adding Firewall Rules
In the most basic case to just expose a port or service to the outside world:
sudo ufw allow SSH # for named services
sudo ufw allow 2375 # for any port
Named profile list
You can see what named services are available with
sudo ufw app list.
If you want to limit the rule to TCP or UDP only:
sudo ufw allow 2375/tcp
sudo ufw allow 55655/udp
If you want to restrict where a port can be reached from:
sudo ufw allow from 192.168.37.0/24 to 192.168.37.1 port 2375
This only allows traffic originating from the 192.168.37.0/24 subnet and with a destination of 192.168.37.1 to reach port 2375. Useful if you want to only allow a port over a VPN connection whose interface is homed to 192.168.37.1.
See also
- Find and add UFW rule for forwarding traffic (from PiVPN, usually)
Deleting rules
To delete a rule, take a two-step approach:
- Figure out which rule you want to delete
sudo ufw status numbered
- Delete the rule
sudo ufw delete <n>
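A helper for the two-step deletion above, added here as an example and not taken from the original page: it parses sudo ufw status numbered output for every rule matching a port or profile and prints the delete commands highest-number first, because UFW renumbers the remaining rules after each delete. The function names and the sample status text are this example's own assumptions.

```shell
#!/bin/sh
# Plan deletions from `ufw status numbered` output. UFW renumbers the remaining
# rules after every delete, so the plan lists higher rule numbers first.
# Helper names and the sample status below are this example's own assumptions.

# Constructed sample of `sudo ufw status numbered` output (not real host data).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 2375/tcp                   ALLOW IN    192.168.37.0/24
[ 3] 55655/udp                  ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 2375/tcp (v6)              ALLOW IN    Anywhere (v6)'

# Read status text on stdin; print the numbers of rules whose "To" column is
# $1 exactly (e.g. "22/tcp", "SSH") or is port $1 with any protocol suffix
# (e.g. "2375" matches "2375/tcp"). Highest number first.
rule_numbers_for() {
  awk -v want="$1" '
    /^\[ *[0-9]+[]]/ {                        # e.g. "[ 2] 2375/tcp   ALLOW IN   ..."
      n = $0; sub(/^\[ */, "", n); sub(/[]].*/, "", n)              # rule number
      to = $0; sub(/^\[ *[0-9]+[]] */, "", to); sub(/ .*/, "", to)  # "To" field
      if (to == want || index(to, want "/") == 1) nums[++c] = n
    }
    END { for (i = c; i >= 1; i--) print nums[i] }'
}

# Read status text on stdin; print one delete command per matching rule,
# in the order they must be run. Review the plan, then pipe it to sh.
delete_plan() {
  rule_numbers_for "$1" | while read -r n; do
    printf 'sudo ufw delete %s\n' "$n"
  done
}

# Demo on the constructed sample: prints "sudo ufw delete 5" then "sudo ufw delete 2".
printf '%s\n' "$SAMPLE_STATUS" | delete_plan 2375
```

On a real host, feed it the live output instead: sudo ufw status numbered | delete_plan 2375, check the plan, and only then pipe it to sh.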