How to set up a firewall with UFW on Debian 10

A properly configured firewall is one of the most important aspects of overall system security.

UFW (Uncomplicated Firewall) is a convenient interface for managing iptables firewall rules. Its main purpose is to make managing iptables easier or, as the name suggests, uncomplicated.

This article describes how to set up a firewall with UFW on Debian 10.

Prerequisites

Only root or a user with sudo privileges can manage the system firewall.

Installing UFW

Enter the following command to install the ufw package:

sudo apt update
sudo apt install ufw

Checking UFW Status

The installation does not automatically activate the firewall, so that you are not locked out of the server. You can check the status of UFW by typing:

sudo ufw status verbose

The output will look like this:

Status: inactive

If UFW is enabled, the output will look something like this:

UFW Standard Policy

By default, UFW blocks all inbound connections and allows all outbound connections. This means that anyone trying to access your server will not be able to connect unless you specifically open the port. Applications and services running on the server will be able to access the outside world.

The default policies are defined in the /etc/default/ufw file and can be changed using the sudo ufw default command.

Firewall policies are the basis for creating more detailed and user-defined rules. Typically, the original UFW default policies are a good starting point.

Application profiles

Most applications come with an application profile that describes the service and contains the UFW settings. The profile is automatically created in the /etc/ufw/applications.d directory during package installation.

To view a list of all application profiles available on your system, run:

sudo ufw app list

Depending on the packages installed on your system, the output will look something like this:

Available applications:
  DNS
  IMAP
  IMAPS
  OpenSSH
  POP3
  POP3S
  Postfix
  Postfix SMTPS
  Postfix Submission
  ...

To find more information about a specific profile and the rules it contains, use the app info command followed by the profile name. For example, to get information about the OpenSSH profile, run:

sudo ufw app info OpenSSH

Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.

Port:
  22/tcp

The output includes the profile name, title, description, and firewall rules.

Allow SSH connections

Before you enable UFW firewall, you need to allow incoming SSH connections.

If you connect to your server from a remote location and enable the UFW firewall before explicitly allowing incoming SSH connections, you will no longer be able to connect to your Debian server.

To configure the UFW firewall to accept SSH connections, run the following command:

sudo ufw allow OpenSSH

Rules updated
Rules updated (v6)

If the SSH server is listening on a port other than the default port 22, you need to open that port.

For example, if your SSH server is listening on port 7722, run:

sudo ufw allow 7722/tcp

Enable UFW

Now that the UFW firewall is configured to allow incoming SSH connections, enable it by running:

sudo ufw enable

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

You will be warned that turning on the firewall can break existing SSH connections. Enter “y” and press “Enter”.

Port opening

Depending on the applications that are running on your server, you will need to open the ports on which the services are running.

Below are a few examples of how to allow incoming connections to some of the more common services:

Open port 80 – HTTP

Allow HTTP connections:

sudo ufw allow http

Instead of the http profile, you can use port number 80:

sudo ufw allow 80/tcp

Open port 443 – HTTPS

Allow HTTPS connections:

sudo ufw allow https

You can also use port number 443:

sudo ufw allow 443/tcp

Open port 8080

If you are running Tomcat or any other application that listens on port 8080, open the port with:

sudo ufw allow 8080/tcp
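The steps above (default policy, allow SSH first, enable, open service ports) are what usually get mis-ordered when done by hand. As an added example, not code from the original article, this POSIX sh script generates the ufw commands in a safe order and refuses to emit "ufw enable" unless an SSH allow rule comes first; the port numbers and the sample status line are constructed values, and ufw --force enable is the documented way to skip the y/n prompt.

```shell
#!/bin/sh
# Added example, not from the original article: generates the ordered ufw
# commands for the setup described above and never emits 'ufw enable' unless
# an SSH allow rule precedes it, so a remote session is not locked out.
# Ports and the sample status line are constructed values.

# ufw_plan SSH_PORT [EXTRA_TCP_PORT...]  -> prints one ufw command per line
ufw_plan() {
    if [ $# -eq 0 ] || [ -z "$1" ]; then
        echo "ufw_plan: SSH port is required, refusing to emit 'ufw enable'" >&2
        return 1
    fi
    ssh_port="$1"; shift
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    if [ "$ssh_port" = "22" ]; then
        echo "ufw allow OpenSSH"            # application profile covers 22/tcp
    else
        echo "ufw allow ${ssh_port}/tcp"    # non-default SSH port must be explicit
    fi
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "ufw_plan: invalid port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "ufw_plan: port out of range '$p'" >&2; return 1
        fi
        echo "ufw allow ${p}/tcp"
    done
    echo "ufw --force enable"               # --force skips the y/n prompt
}

# Apply the plan on a real host (needs ufw and sudo; not run by the test).
ufw_apply() {
    ufw_plan "$@" | sed 's/^/sudo /' | sh -e
}

# ssh_rule_present PORT  <  'ufw status numbered' output
# Returns 0 if an ALLOW IN rule for PORT/tcp or the OpenSSH profile exists;
# use it as a guard before running 'ufw enable' on a hand-configured firewall.
ssh_rule_present() {
    grep -E "^\[ *[0-9]+\] +($1/tcp|OpenSSH) +ALLOW IN" >/dev/null
}

# Usage: ufw_plan 22 80 443 (preview) or ufw_apply 7722 80 443 (apply)
```

Preview the plan with ufw_plan before applying it; sudo ufw status numbered piped into ssh_rule_present 22 confirms the SSH rule is in place on an existing configuration.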

Port ranges

With UFW, you can also allow access to port ranges. When opening a range, you must specify the port protocol.

For example, to allow ports 7100 to 7200 on both tcp and udp, run the following command:

sudo ufw allow 7100:7200/tcp
sudo ufw allow 7100:7200/udp

Allowing specific IP addresses

To allow access to all ports from a specific IP address, use the ufw allow from command followed by the IP address:

sudo ufw allow from 64.63.62.61

Allowing Specific IP Addresses on Specific Port

To allow access to a specific port, say port 22 of your work machine with IP address 64.63.62.61, use the following command:

sudo ufw allow from 64.63.62.61 to any port 22

Allowing subnets

The command to allow connections from a subnet of IP addresses is the same as for a single IP address. The only difference is that you need to specify the netmask. For example, if you want to allow access for IP addresses in the range 192.168.1.1 to 192.168.1.254 to port 3306 (MySQL), you can use this command:

sudo ufw allow from 192.168.1.0/24 to any port 3306

Allow connections to a specific network interface

To allow access to a specific port, say port 3306, only on a specific network interface such as eth2, use allow in on followed by the name of the network interface:

sudo ufw allow in on eth2 to any port 3306

Deny connections

The default policy for all incoming connections is set to deny, which means that UFW will block all incoming connections unless you specifically open a port.

Let’s say you open ports 80 and 443 and your server is attacked from the 23.24.25.0/24 network. To deny all connections on 23.24.25.0/24, use the following command:

sudo ufw deny from 23.24.25.0/24

If you want to deny access to ports 80 and 443 from 23.24.25.0/24, use:

sudo ufw deny from 23.24.25.0/24 to any port 80
sudo ufw deny from 23.24.25.0/24 to any port 443

Writing deny rules is the same as writing allow rules. You only need to replace allow with deny.

Remove UFW rules

There are two different ways to remove UFW rules: by rule number, or by specifying the actual rule.

Deleting UFW rules by rule number is easier, especially if you’re new to UFW.

To remove a rule by its number, first find the number of the rule you want to remove. To do this, run the following command:

sudo ufw status numbered

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere

To remove rule #3, which allows connections on port 8080, you can use the following command:

sudo ufw delete 3

The second way is to remove the rule by specifying the actual rule. For example, if you added a rule to open port 8069, you can remove it with:

sudo ufw delete allow 8069

Disable UFW

If for any reason you want to stop UFW and deactivate all rules, run:

sudo ufw disable

Later, if you want to re-enable UFW and activate all rules, just type:

sudo ufw enable

Reset UFW

Resetting UFW will disable UFW and remove all active rules. This is useful if you want to undo all your changes and start over.

To reset UFW just enter the following command:

sudo ufw reset

Conclusion

You learned how to install and configure the UFW firewall on your Debian 10 machine. Be sure to allow all incoming connections that are necessary for your system to function properly, while limiting all unnecessary connections.

If you have any questions, do not hesitate to leave comments below.
