Raspberry PI - Linux UFW Uncomplicated Firewall Tutorial

UFW Firewall and how to use it!


So today we will talk about UFW (Uncomplicated Firewall), which is the most commonly used firewall front-end on Linux and is shipped with most distros or can easily be installed from their repositories.

We will go through each step so you can set up and secure your computers, check that the firewall is working, and learn to block unwanted intruders.

When you're dealing with firewalls the basic premise is that you block all ports to your computer/network and only open a port when it is required. Leaving open ports that are not needed is irresponsible and strongly discouraged.

Step 1 (let's get it)

Installing UFW on Linux is very simple. I use Fedora, but any other distribution you use will also have UFW in its repositories, or it may already be installed on your system.

sudo dnf install ufw

Step 2 (let's reset it)

Always reset your firewall before beginning a new configuration:

sudo ufw reset

Now ufw is returned to its installed default state.
The default settings for UFW are to allow all outgoing connections and block all incoming connections.

Step 3 (let's check its status)

To check the status (we will use this a lot):

sudo ufw status

If this is a fresh install you will most likely be told that the firewall is inactive; if it is running you will get a short report of the rules showing which ports are open and what is being denied.

Step 4 (let's fire this thing up)

Once installed, the firewall does not turn itself on; you have to do this. Once you enable it, though, it stays active across subsequent reboots.

To enable the firewall type:

sudo ufw enable

Step 5 (so how do we disable it)

The firewall can be disabled at any time by typing:

sudo ufw disable

For a fuller status report that also shows the default policies and the logging level, type: sudo ufw status verbose

Step 6 (add some rules and start blocking or allowing traffic through the firewall)

The whole point of UFW is to be simple, and in theory firewalls in general are straightforward: their job is to open or close a port. Sometimes, though, you want to configure ports, IP addresses or entire subnets with rules that let some traffic in but not all of it from everywhere. Think of it as a security guard at the entrance of a military compound: not everyone can go in, only those with the correct paperwork.

I will discuss the several ways that UFW lets you build and customise the firewall.

The simplest way is to allow or block a service by name. This makes it easier if you can't remember or don't know which port numbers a service uses.

First let's see what services we can add a rule for:

-Type : sudo ufw app list

This should return a list of services.

To actually open or close the ports we use the terminology ALLOW or DENY.

So I would like to let people have access to ssh on my computer:
Type : sudo ufw allow ssh

Or on the other hand we don't want anyone connecting with ssh:
Type: sudo ufw deny ssh

Ports
On the other hand you may know the port number, or want to block a specific port. Again this is extremely simple in UFW.

Type in : sudo ufw allow (port number)
And to deny type: sudo ufw deny (port number)

So that is simple.

Your next question I suppose will be how to allow or block a range of port numbers.
-Again simple enough, just type:
-sudo ufw allow 6000:6007/tcp
-sudo ufw allow 6000:6007/udp
This has opened 8 ports (6000 - 6007) on the tcp and udp protocols.
Now let's write a rule for a single IP address (use deny instead of allow to block it):

-sudo ufw allow from 12.12.1.20

You could also extend this to say this IP on this port:

To do this you type sudo ufw allow from 192.168.0.33 to any port 22

Another option UFW allows is subnets. So if you wanted to allow a range of IP addresses on a subnet you could type this:

sudo ufw allow from 192.168.0.0/24

Interface

If you have multiple network interfaces, then you will probably want different rules for them. Say we want eth0 to have port 80 open:
sudo ufw allow in on eth0 to any port 80

In and Out

We can allow or deny certain connections based on whether they are incoming or outgoing. The following will allow incoming connections on port 3389:
-sudo ufw allow in 3389
And we could also block outgoing connections on port 3389:
-sudo ufw deny out 3389
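The rules from this step, assembled into one reviewable baseline script. This is an added example and not part of the original post: ufw_rule() renders each command as text so the whole plan can be printed and checked before anything is applied, and apply_plan only executes it when APPLY=1 is set, ufw is installed and the script runs as root. The admin subnet 192.168.0.0/24, the interface eth0 and the port numbers are assumed placeholders for your own network.

```shell
#!/bin/sh
# Added example (not from the original post): the step 6 commands assembled
# into one baseline. Nothing is applied unless APPLY=1 is set explicitly.
# Assumed values: 192.168.0.0/24 (admin LAN), eth0, and the ports below.

# ufw_rule ACTION PORT[/PROTO] COMMENT [FROM]: render one ufw command.
# With a FROM address the protocol has to be given as "proto tcp", not "22/tcp".
ufw_rule() {
  action=$1; spec=$2; comment=$3; from=${4:-}
  port=${spec%%/*}
  case "$spec" in
    */*) proto=" proto ${spec#*/}" ;;
    *)   proto="" ;;
  esac
  if [ -n "$from" ]; then
    printf "ufw %s from %s to any port %s%s comment '%s'\n" \
      "$action" "$from" "$port" "$proto" "$comment"
  else
    printf "ufw %s %s comment '%s'\n" "$action" "$spec" "$comment"
  fi
}

# baseline_plan: default-deny inbound, allow outbound, then the few holes we need.
baseline_plan() {
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  ufw_rule allow 22/tcp 'SSH from the admin LAN only' 192.168.0.0/24
  ufw_rule allow 6000:6007/tcp 'application port range'
  ufw_rule deny 3389/tcp 'no RDP from anywhere'
  echo "ufw allow in on eth0 to any port 80 comment 'web only on eth0'"
  echo "ufw logging on"
}

# apply_plan: print the plan, or execute it line by line when explicitly asked
# (APPLY=1), ufw is installed and we are root. The lines are our own constants.
apply_plan() {
  if [ "${APPLY:-0}" = 1 ] && command -v ufw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    baseline_plan | while IFS= read -r line; do eval "$line"; done
  else
    baseline_plan
  fi
}

apply_plan
```

Run it once without APPLY to read the plan, then with APPLY=1 as root to apply it; `sudo ufw status verbose` afterwards confirms the default policies and the comments.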


Okay, so we pretty much know about allowing and denying rules for the firewall.

So now let's discuss maintenance:

Step 7 (maintenance and administration)

Whenever you change the firewall's configuration you will need to reload it so the changes take effect.

To do this type: sudo ufw reload

Deleting rules will be pretty important to know as well.

The simple way is to type: sudo ufw delete allow 80

Or another way is to get UFW to print a numbered list of rules and then delete the rule by its number.

Eg: sudo ufw status numbered (this will show your firewall rules and give each one a number)
And then to delete a rule by number type: sudo ufw delete 3

Logging is always important. It gives you at least something to work with when things go wrong. To enable logging in UFW type: sudo ufw logging on
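Deleting by number is handy, but the numbers shift after each deletion, so a script that removes several rules has to go from the highest number down. The example below, added here and not part of the original post, reads the output of sudo ufw status numbered (a constructed sample is embedded so it runs offline), lists every rule whose port is not on an approved list, and prints the delete commands in the right order. The approved ports "22 80" and the sample rules are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit 'ufw status numbered'
# against a list of ports we expect to be open. The sample below is
# constructed to match the command's output format; it is not real output.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.0.0/24
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080                       ALLOW IN    Anywhere
[ 4] 2020                       ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# rule_table: reduce the numbered status output to "NUMBER TARGET" lines,
# e.g. "1 22/tcp". Header and blank lines do not match and are dropped.
rule_table() {
  sed -n 's/^\[ *\([0-9][0-9]*\)\] *\([^ ]*\).*/\1 \2/p'
}

# unexpected_rules "22 80": rules whose port is not in the approved list.
# The protocol suffix (/tcp, /udp) is stripped before the comparison.
unexpected_rules() {
  approved=" $1 "
  rule_table | while read -r num target; do
    port=${target%%/*}
    case "$approved" in
      *" $port "*) ;;
      *) printf '%s %s\n' "$num" "$target" ;;
    esac
  done
}

# delete_commands "22 80": emit 'ufw delete N' lines, highest number first,
# because ufw renumbers the remaining rules after every deletion.
delete_commands() {
  unexpected_rules "$1" | sort -rn | awk '{print "ufw delete " $1}'
}

# On a real host replace the sample with:  sudo ufw status numbered | delete_commands "22 80"
printf '%s\n' "$SAMPLE_STATUS" | delete_commands "22 80"
```

Review the printed commands before running them; each delete prompts for confirmation unless you pass --force, so nothing disappears by accident.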
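Once logging is on, the kernel log fills with "[UFW BLOCK]" lines, one per dropped packet, each carrying SRC= and DPT= fields. The script below is an added example, not part of the original post, that summarises those lines: which sources are being blocked most and which ports they are knocking on. The log lines are constructed for this example and the addresses are documentation placeholders; on a real host feed it journalctl -k or your ufw log file instead.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the "[UFW BLOCK]"
# lines that 'ufw logging on' writes. SAMPLE_LOG is constructed; the hosts,
# MAC and addresses are placeholders, not captured traffic.
SAMPLE_LOG='Jan 10 12:00:01 pi kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=1 PROTO=TCP SPT=43210 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 pi kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=2 PROTO=TCP SPT=43211 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 pi kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=51000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:04 pi kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=4 PROTO=TCP SPT=43212 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:05 pi kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.168.0.33 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# blocked_by_source: "ADDRESS COUNT" per source, busiest first.
# Only BLOCK lines count; ALLOW lines (logged at higher log levels) are skipped.
blocked_by_source() {
  grep -F '[UFW BLOCK]' | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# blocked_ports: "PORT COUNT" per destination port, most hit first.
blocked_ports() {
  grep -F '[UFW BLOCK]' | sed -n 's/.*DPT=\([0-9]*\).*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# noisy_sources THRESHOLD: addresses with at least THRESHOLD blocked packets,
# the ones worth a closer look or a deny rule.
noisy_sources() {
  blocked_by_source | awk -v t="$1" '$2 >= t {print $1}'
}

# On a real host: journalctl -k | blocked_by_source  (or: sudo ufw status; cat /var/log/ufw.log | ...)
echo "Blocked packets per source:"
printf '%s\n' "$SAMPLE_LOG" | blocked_by_source
echo "Blocked destination ports:"
printf '%s\n' "$SAMPLE_LOG" | blocked_ports
echo "Sources with 3 or more blocks:"
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
```

The one-line summary is usually enough to tell a port scan (one source, many ports) from a misconfigured internal client (one source, one port, many retries), which is the first thing to know before you decide whether a new deny rule or a fix on the client is the right response.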

Reject

Sometimes we want to explicitly reject a connection. Unlike deny, this lets the sender know they are being rejected.
-sudo ufw reject 666

Comment

Commenting your rules is always a good idea. After the command add comment and then a string in quotes:
-sudo ufw allow 22 comment 'SSH port'

Now when we run:
sudo ufw status
we get our little comment helper:
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    DENY        Anywhere
8080                       ALLOW       Anywhere
2020                       ALLOW       Anywhere
22                         ALLOW       Anywhere                   # for my SSH
80                         REJECT      Anywhere
