Debian 9: Firewall with UFW

This article describes how to set up a host firewall on Debian 9 with UFW (Uncomplicated Firewall), a front end for iptables.

1 Install UFW

Install the ufw package and enable its service so the rules are restored at boot.

$ sudo apt install -y ufw
$ sudo systemctl enable ufw
$ sudo systemctl restart ufw

2 Logging

Enabling logging writes firewall events (for example blocked packets) to /var/log/ufw.log.

$ sudo ufw logging on

Disable logging as follows.

$ sudo ufw logging off

3 Add rule

"ufw allow" opens a port.

$ sudo ufw allow 22/tcp

A service name from /etc/services can be used instead of the port number.

$ sudo ufw allow ssh

Some packages ship an application profile for UFW. These profiles are useful for packages such as samba that listen on multiple ports, because one profile name stands for the whole set.

The application profiles are in /etc/ufw/applications.d.

$ ls /etc/ufw/applications.d/
cups  openssh-server  samba
$ cat /etc/ufw/applications.d/openssh-server
[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp
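As an added example that is not part of the original article, the following Python script parses profiles in the format shown above and expands the ports= field into individual port/protocol pairs, so you can see exactly what "ufw allow Samba" will open. The profile text is constructed for this example in the layout of the Debian files; the function names and the port regex are this example's own.

```python
import configparser
import re

# Constructed sample in the layout of the /etc/ufw/applications.d files
# (not copied from a real system).
SAMPLE_PROFILES = """\
[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp
[Samba]
title=LanManager-like file and printer server for Unix
description=Samba implements the SMB/CIFS protocol for Unix systems.
ports=137,138/udp|139,445/tcp
"""

_PORT_RE = re.compile(r"^\d+(?::\d+)?$")  # a port or a low:high range
_PROTOS = ("tcp", "udp")


def expand_ports(spec):
    """Expand a ports= value such as '137,138/udp|139,445/tcp' into a
    sorted list of (port, proto) tuples. Groups are separated by '|',
    ports within a group by ','. A group without /proto applies to both
    tcp and udp. Bad ports or unknown protocols raise ValueError."""
    entries = set()
    for group in spec.split("|"):
        ports, _, proto = group.partition("/")
        protos = (proto,) if proto else _PROTOS
        if proto and proto not in _PROTOS:
            raise ValueError(f"unknown protocol {proto!r} in {spec!r}")
        for port in ports.split(","):
            if not _PORT_RE.match(port):
                raise ValueError(f"malformed port {port!r} in {spec!r}")
            entries.update((port, p) for p in protos)
    # Sort numerically by the first port of each entry, then by protocol.
    return sorted(entries, key=lambda e: (int(e[0].split(":")[0]), e[1]))


def parse_profiles(text):
    """Parse profile text into {app_name: [(port, proto), ...]}, requiring
    the title, description and ports fields that ufw expects."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        missing = [k for k in ("title", "description", "ports") if k not in cp[name]]
        if missing:
            raise ValueError(f"profile {name!r} lacks {', '.join(missing)}")
        profiles[name] = expand_ports(cp[name]["ports"])
    return profiles
```

Running parse_profiles over the real files (read from /etc/ufw/applications.d) is a quick way to audit which ports a profile name will open before adding it with "ufw allow".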

"ufw app list" shows the available application profiles.

$ sudo ufw app list
Available applications:
  CUPS
  OpenSSH
  Samba

Use the name listed under "Available applications" with "ufw allow".

$ sudo ufw allow OpenSSH

Use "ufw deny" to block a port.

$ sudo ufw deny <port>

4 Show rule list

"ufw status" shows the list of allowed and denied ports.

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)

5 Delete rule

"ufw delete" removes an existing allow or deny rule.

$ sudo ufw delete allow <port>
$ sudo ufw delete deny <port>

6 Enable UFW

Enabling UFW denies all incoming connections except those on allowed ports. If OpenSSH has not been allowed, the next SSH session will be refused.

$ yes | sudo ufw enable

This article uses the yes command to accept the following prompt.

Command may disrupt existing ssh connections. Proceed with operation (y|n)?

7 Firewall via GUI with gufw

gufw provides a GUI for ufw.

$ sudo apt install -y gufw

Run gufw with sudo. Because ufw is already enabled, the Status switch shows ON.

$ sudo gufw

[Image: 0001_gufw.png]

Add a rule by clicking the "+" button on the Rules tab. Select an application rule on the Preconfigured tab; for example, SAMBA allows 137,138/udp and 139,445/tcp. On the Simple tab, you can select a port number to allow instead.

[Image: 0002_AddRule.png]