How to Setup a Firewall with UFW on Debian 9 Linux

Nowadays, a Firewall is an essential utility and property of any system for security; by default Debian Operating system having a firewall configuration tool named UFW (Uncomplicated Firewall). UFW is a user-friendly front-end tool to manage iptables firewall rules. It provides you more straightforward methods to manage iptables as the name of this tool start from Uncomplicated.

Prerequisites

Before starting this tutorial, you make sure you have Debian 9 Linux installed server and having user access with sudo privileges to execute an administrative command without any issue.

Install UFW Utility

The Uncomplicated Firewall (UFW) should be preinstalled in your Debian 9 server. Still, if it is not available in your system, you can install the UFW package by using the following command:

$ sudo apt install ufw

Check UFW Status

After completion of UFW installation you can check the status of UFW using the following command:

$ sudo ufw status verbose

By default UFW is disabled. If you have never activated UFW, the output will look like the below screen:

Output:
Status: inactive

If UFW is activated, the output will be similar to the below screen:

UFW Default Policies

By default, UFW allows all outbound connections and block all incoming connections to the system. It means your system can access any other system, but others can’t unless you allow access to your system by open the port.

The default policies are defined in the file /etc/default/ufw, and we can change these policies using the below command:

$ sudo  ufw  default  <policy>  <chain>

Application Profiles

There are some predefined application profiles for creating rules on UFW. When installing the UFW package with the apt command, those application profiles will be added in the /etc/ufw/applications.d directory. These profiles contain firewall settings and describe the services for the application.

You can check all available application profiles in your system by using the following command:

$ sudo ufw app list

The output of the above command will list out all application profiles in your screen, similar to the below screen:

Output:
Available applications:
  Dovecot IMAP
  Dovecot POP3
  Dovecot Secure IMAP
  Dovecot Secure POP3
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH
  Postfix
  Postfix SMTPS
  Postfix Submission

If you want to check more information about a specific application profile and rules, use the following command:

$ sudo ufw app info 'Nginx Full'
Output:
Profile: Nginx Full
Title: Web Server (Nginx, HTTP + HTTPS)
Description: Small, but very powerful and efficient web server
Ports:
  80,443/tcp

You can see in the above output, the ‘Nginx Full’ profile will open 80 and 443 ports on your system.

Allow SSH Connections

As I mentioned above, by default, UFW blocks the incoming connection, so before enabling UFW, we need to allow SSH connection on the firewall.

If you connect your server from remote locations, which is very common these days, and enable the UFW firewall before allowing SSH connection, you will not be longer to access your server on SSH.

To allow SSH connection on your UFW firewall, type the following command:

$ sudo ufw allow ssh
Output:
Rules updated
Rules updated (v6)

The above command will allow default ssh port 22 on your Debian system. If you have changed the SSH port, for example, if you are using 2255 port for SSH daemon, then you should use the following command to allow SSH connection on UFW:

$ sudo ufw allow 2255/tcp

Enable UFW

Now your UFW firewall is configured to allow incoming SSH connection; you can enable UFW by using the following command:

$ sudo ufw enable
Output:
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

You will get a prompted screen warning that enabling the firewall may disrupt ssh connections, type y and hit Enter.

Allow connections on other ports

You can allow connection on any port for UFW, and It depends on the application running on your server or your specific need for incoming connections.

Open HTTP port – 80

You can allow HTTP connection by using the following commands:

$ sudo ufw allow http

You can also use port 80 to allow HTTP connection, as shown below:

$ sudo ufw allow 80/tcp

Or you can use the application profile also to open the HTTP connection, in this case, ‘Apache HTTP’ or ‘Nginx HTTP.’

$ sudo ufw allow 'Nginx HTTP'

Open HTTPS port – 443

You can allow HTTPS connection by using the following commands:

$ sudo ufw allow https

You can also use port 443 to allow HTTPS connection, as shown below:

$ sudo ufw allow 443/tcp

Or you can use the application profile also to open the HTTPS connection, in this case, ‘Apache HTTPS’ or ‘Nginx HTTPS.’

$ sudo ufw allow 'Nginx HTTPS'

Open Tomcat port 8080

If you are running the Tomcat application on your system, you may need to access your application on port 8080, which you can allow on UFW using the following command:

$ sudo ufw allow 8080/tcp

Allow Port Ranges

UFW utility has the feature to allow a range of ports in a single command instead of a single port. When you allow port range on UFW, you must specify the protocol, either tcp or UDP.

For example, Here you want to allow port from 5000 to 6000 on both tcp and UDP, then you can use the following command:

$ sudo ufw allow 5000:6000/tcp
$ sudo ufw allow 5000:6000/udp

Allow Specific IP address on UFW

You can allow a specific IP for all port to your server, like allowing our home machine to our server for any port. Here we whitelist our IP by allowing it for all port using the below command:

$sudo ufw allow from 11.11.11.11

Where 11.11.11.11 is the IP that is allowed for all ports.

Allow Specific IP Address on Specific Port

You can use UFW to allow specific IP on your server on a Specific port. For example, you want to allow IP 11.11.11.11 on SSH port 22; you can do it by using the following command:

$ sudo ufw allow from 11.11.11.11 to any port 22

Allow Subnets

You can allow a subnet of IP address instead of a specific IP using the IP address CDIR. For example, we are allowing all local IP to connect to our database server.

For example, here, we allowing IP range from 192.168.0.1 to 192.168.0.254 to port 3306 (MySQL) by using the following command:

$ sudo ufw allow from 192.168.0.1/24 to any port 3306

Allow connections to a Specific Network Interface

To allow access to a specific network interface for a specific port, you can use the following command, here we allow 3306 port on interface eth1:

$ sudo ufw allow in on eth1 to any port 3306

Deny Connections

You can deny services for a specific IP address to a specific port. For example, you want to block all access from IP 11.11.11.11, use the following command to do it:

$ sudo ufw deny from 11.11.11.11

If you want to block http and https service for IP address 11.11.11.11, use the below command:

$ sudo ufw deny from 11.11.11.11 to any port 80
$ sudo ufw deny from 11.11.11.11 to any port 443

Delete UFW rules

There are two different ways to delete the UFW rules by using the rule number and specifying the actual rule.

The rule deletes using the rule number is very easy. You can delete a rule using the rule number by getting the number of that rule using the following command:

$ sudo ufw status numbered
Output:
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    Anywhere

After getting the number of rule, you can delete by deleting the rule by specifying the number in the command; for example, here, you can delete rule number 3 using the following command:

$ sudo ufw delete 3

The second method to delete the rule by specifying the actual rule; for example, if you want to delete a rule of port 3306 access, you can do it by using the following command:

$ sudo ufw delete allow 3306

Disable UFW

If you want to stop the Firewall on your Debian system configured by UFW and deactivate all UFW rules, you can disable the UFW firewall, as shown below:

$ sudo ufw disable

When you want again to implement all UFW set up rules, you can do it by enable the UFW, as shown below:

$ sudo ufw enable

Reset UFW

The Resetting of the UFW firewall will delete all active rules and disable it. This is very helpful when you want to revert all your changes and start a new UFW setup.

You can reset UFW by merely using the following command:

$ sudo ufw reset

Conclusion

Now, you have learned how to install the UFW firewall utility on your Debian 9 server. You also learn to configure any types of incoming rules on your UFW firewall.

If you have any doubt or feedback, feel free to comment below.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

twelve + four =

Related Articles