Security is very important thing to consider when you run your own server. The UFW (uncomplicated firewall) is a frontend for managing firewall rules and it is easy to use for host-based firewalls. UFW is used through the command line interface and aims to make firewall configuration easy.
Iptables is one of the most popular firewall tool used by system administrators. It is used to manage and secure incoming and outgoing connections in the server, but iptables runs in console mode and it is very complex to manage and configure. The ufw is an application firewall used to manage an iptables based firewall on Ubuntu that gives a framework for managing netfilter rules, as well as providing a command-line interface for controlling the firewall rules.
You can allow and block various services by port, network interface and source IP address using the UFW firewall. If you are beginner and are looking to get started securing your network, then the UFW is right choice for you.
In this tutorial, we will learn the UFW commands with different options to secure various services on Ubuntu 16.04.
Ubuntu-16.04 installed on your system
A non-root user account with sudo privilege set up on your system
In Ubuntu 16.04, UFW is installed by default. If not, you can easily install it by running the following command:
sudo apt-get install ufw
You can also check the status of UFW by running the following command:
sudo ufw status
You should see the following output:
If you see above output, it means it's not active. You can enable it by just running the following command:
sudo ufw enable
You should see the following output:
Firewall is active and enabled on system startup
To disable it, run the following command:
sudo ufw disable
List Out the Current UFW Rules
You can list the default firewall rules by using the following command:
sudo ufw status verbose
You should see the following output:
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
You should see that by default every incoming connection is denied.
Allow Incoming Connections
If you want to access your system from remote machine then you will need to allow SSH connections.
You can allow SSH by running the following command:
You can list out application profiles available on your local system. To do so, run the following command:
sudo ufw app list
To list out information about a profile and its included rules, run the following command:
sudo ufw app info "App Name"
For example, if you want to know information of Apache profile, run the following command:
sudo ufw app info Apache
Title: Web Server
Description: Apache v2 is the next generation of the omnipresent Apache web
Allow Access from Specific IP Addresses
You can also allow access to specific port from specific IP address. For example, if you want to allow IP 192.168.0.10 to access only port 22 then run the following command:
sudo ufw allow from 192.168.0.10 to any port 22
Deleting UFW Rules
You can also delete specific ufw rules. First, you will need to list ufw rules then you can remove it.
Run the following command to list out ufw rules:
sudo ufw status numbered
To Action From
-- ------ ----
[ 1] 22 ALLOW IN Anywhere
[ 2] 22/tcp ALLOW IN Anywhere
[ 3] 80/tcp DENY IN Anywhere
[ 4] 2200:2300/tcp ALLOW IN Anywhere
[ 5] 22 ALLOW IN 192.168.0.15
[ 6] 22 (v6) ALLOW IN Anywhere (v6)
[ 7] 22/tcp (v6) ALLOW IN Anywhere (v6)
[ 8] 80/tcp (v6) DENY IN Anywhere (v6)
[ 9] 2200:2300/tcp (v6) ALLOW IN Anywhere (v6)
Now, to remove any of these rules, you will need to use these numbers.
sudo ufw delete [number]
For example, if you want to remove third number rule then run the following command:
sudo ufw delete 
If you need to go back to default settings, simply type in the following command. This will revert any of your changes.
sudo ufw reset
Logging UFW Firewall Events
Firewall logs are necessary for troubleshooting your firewall rules, and notifying unusual activity on your network. So you must add logging rules in your firewall.
The ufw log file will be located at /var/log/ufw.log
You can turn on logging by running the following command:
sudo ufw logging on
You can turn off logging by running the following command:
sudo ufw logging off
UFW supports multiple logging levels low, medium and high. The default ufw loglevel is low.
You can set different loglevels by running the following command:
sudo ufw logging low|medium|high
Low log blocked all packets not matching the default policy as well as packets matching logged rules.
Medium log blocked low, plus all allowed packets not matching the default policy, all INVALID packets, and all new connections.
High log blocked medium plus all packets with rate limiting.
UFW Graphical Interface
GUFW is a graphical interface for ufw. By default, Ubuntu-16.04 does not come with GUFW. You can install GUFW from Ubuntu repository.
You can install it by simply running the following command:
sudo apt-get install gufw
Advanced UFW Rules
You can do everything with ufw that iptables can do. You can add only simple rules using the command line. If you want to add more advance rules, then you can accomplish this by editing several ufw config files.
/etc/default/ufw : This is main ufw config file for default policy and kernel modules.
/etc/ufw/before.rules : Rules in these files are calculate before any rules added via the ufw command.
/etc/ufw/after.rules : Rules in these files are calculate after any rules added via the ufw command.
By default UFW allows DHCP, ping and loopback. You can disallow this by editing the before.rules file.
sudo nano /etc/ufw/before.rules
Comment out the following lines:
#-A ufw-before-input -i lo -j ACCEPT
#-A ufw-before-output -o lo -j ACCEPT
Save the file, disable and re-enable ufw to apply the changes:
sudo ufw disable && sudo ufw enable
To list out all available switches of ufw, run the following command:
sudo ufw -h
Usage: ufw COMMAND
enable enables the firewall
disable disables the firewall
default ARG set default policy
logging LEVEL set logging to LEVEL
allow ARGS add allow rule
deny ARGS add deny rule
reject ARGS add reject rule
limit ARGS add limit rule
delete RULE|NUM delete RULE
insert NUM RULE insert RULE at NUM
reload reload firewall
reset reset firewall
status show firewall status
status numbered show firewall status as numbered list of RULES
status verbose show verbose firewall status
show ARG show firewall report
version display version information
Application profile commands:
app list list application profiles
app info PROFILE show information on PROFILE
app update PROFILE update PROFILE
app default ARG set default application policy
Now you have enough knowledge to install and configure UFW firewall on your server. UFW is a very flexible tool so you can use it in production environment with different options to match your specific needs if they aren't covered here.
If you find your cPanel disk space filling up, or an email address has hit its disk space quota, cPanel has a helpful built in Email Disk Usage tool. This will provide you with a simple to understand breakdown of how much disk space each folder for a particular email...
Although WHM will normally automatically keep itself up to date, you may want to manually check for server updates / push through an update that is pending, or it may be that you have automatic updates switched off on your cPanel server. In this guide we will show you how...
You may sometimes need to manually adjust the PHP settings on your cPanel server – for example if a site is hitting the PHP memory, or file size upload limit. WHM allows you to quickly change the settings of any PHP version installed on the server when needed, using the...