How to easily install and configure UFW firewall on your server

When managing a server, the first thing that must be configured to reduce its security is to configure the firewall. Fortunately, Linux includes a default setting called Iptables, and many people find this firewall difficult to configure and manage. a little complicated. There are simpler alternatives available, such as UFW.

UFW is actually a CLI or command line interface containing Iptables Firewall for Linux, which provides us with an easier way to manage and configure Iptables. For UFW, there is even a GUI or graphical interface called GUFW that we can use on our desktop PC or laptop to manage and configure the firewall.

Install UFW on the server

To install ithow to view firewall in linux, just write the command to the terminal -

linuxidc@linuxidc:~/$sudoapt-getinstallufw

By default, UFW is disabled after installation How to view the firewall in linux, so we can use the command to view its status -

linuxidc@linuxidc:~/$sudoufwstatusverbose

Status: Inactive

Basic configuration of UFW

Some basic configurations we can use in UFW to secure our servers.

Default rules:

As the name suggests, check what kind of system Linux is. The default rules are a series of standard rules that are easy to configure the firewall. This type of rules allows us to specify whether to allow or deny incoming traffic or outgoing traffic, as well as some other rules.

In fact a particularly good configuration to use GUFW is almost never installed on a PC, it is to deny all incoming traffic and allow outgoing traffic.

We can adjust it using the following command:

linuxidc@linuxidc:~/$sudoufwdefaultdenyincoming

The default incoming policy is changed to "deny"

(Please update your firewall rules accordingly)

Deny all incoming traffic.

linuxidc@linuxidc:~/$sudoufwdefaultallowoutgoing

The default outgoing policy is changed to "allow"

(Please update your firewall rules accordingly)

With these two configurations, the PC can be well protected, and if we want to improve security, we can also deny outgoing traffic to obtain higher security. In fact, the disadvantage is what you must know The application requires an outbound traffic rule to function properly.

Allow connections:

Suppose we configure a firewall on the server and deny all incoming traffic. How do we connect to it remotely via SSH? We need to apply a rule that allows us to connect to port 22.

So we use the option allow and specify the ports we want to allow incoming traffic and the TCP contract they use:

linuxidc@linuxidc:~/$sudoufwallow22/tcp

Firewall rules updated

Rules updated (v6)

UFW comes with some preset rules that we can use by their name, for example, the previous command attempts to open port 22 which is known to be used as a port for SSH connections, this rule can also be enabled using the following command:

linuxidc@linuxidc:~/$sudoufwallowssh

Skip adding already existing rules

Skip adding already existing rules (v6)

In the same way, we can use other pre-built rules to handle known services, such as HTTP using port 80, HTTPS using port 443, etc.

Port range:

You may also want to allow not only incoming traffic to a port, but allow a range of incoming traffic within it, for example, a Mosh application may require a port range from port 60000 to the contracted 61000. Open udp.

We can apply it by entering the following command:

linuxidc@linuxidc:~/$sudoufwallow60000:61000/udp

Firewall rules updated

Rules updated (v6)

Connection refused:

In the same way we allow incoming connections, we can deny such connections.

Suppose we have a default rule that allows all incoming traffic (not recommended), but we only want to deny incoming traffic for a certain port, we can apply a configuration like this:

linuxidc@linuxidc:~/$sudoufwdeny22/tcp

Firewall rules updated

Rules updated (v6)

In the same way, we can deny a port range.

linuxidc@linuxidc:~/$sudoufwdeny60000:61000/udp

Firewall rules updated

Rules updated (v6)

Delete rules:

Assuming that we have configured the SSH server to use port 2222 instead of the originally opened port 22, we should delete the original rule that allows port 22. This can be done using the following command:

sudoufwdeleteallow22/tcp

In a similar form, if it were a series of ports, we could do this:

sudoufwdeleteallow60000:61000/udp

For example, if we have a set of rules perfected with UFW and we want to remove them but don't know how to perform the removal, since it is some kind of complex rules, we can enumerate them with the command:

linuxidc@linuxidc:~/$sudoufwstatusnumbered

Status:Activated

To action from

-----

[1]22/tcpDENYINAanywhere

[2]60000:61000/udpDENYINAnywhere

[3]22/tcp(v6)DENYINAnywhere(v6)

[4]60000:61000/udp(v6)DENYINAnywhere(v6)

Which will give us a set of numbering rules like this:

ufw rule status

As mentioned above, the rules are numbered so we can use that number to remove a specific rule:

linuxidc@linuxidc:~/$sudoufwdelete4

Soon to be deleted:

deny60000:61000/udp

Do you want to continue (y|n)? y

The rules have been deleted (v6)

Activate and deactivate UFW:

Once all the rules are configured and everything is correct, we will proceed to activate the firewall using the following command:

linuxidc@linuxidc:~/$sudoufwenable

With this, we will make UFW active and secure the connection using our specified rules.

If you want to disable UFW, please type the following command:

linuxidc@linuxidc:~/$sudoufwdisable

If for some reason you request to cancel all applicable rules-

linuxidc@linuxidc:~/$sudoufwreset

Summary

This is just some basic configuration of UFW through which we can add a good layer of security to our PCs and servers. There are also mid-level configurations that can be used to further increase security or perform certain tasks.

更多Linux指令相關資訊請見Linux指令大全專題頁面

Linux公社的RSS地址：

The above is the detailed content of How to easily install and configure UFW firewall on your server. For more information, please follow other related articles on the PHP Chinese website!