A firewall is an essential part of securing any system. By default, the Debian operating system has a firewall configuration tool named UFW (Uncomplicated Firewall). UFW is a user-friendly front end for managing iptables firewall rules. As the name suggests, it gives you a more straightforward way to manage iptables.
Before starting this tutorial, make sure you have a server with Debian 9 Linux installed and a user account with sudo privileges, so that you can run administrative commands without any issue.
Install UFW Utility
The Uncomplicated Firewall (UFW) should be preinstalled in your Debian 9 server. Still, if it is not available in your system, you can install the UFW package by using the following command:
$ sudo apt install ufw
Check UFW Status
After the UFW installation completes, you can check the status of UFW using the following command:
$ sudo ufw status verbose
By default, UFW is disabled. If you have never activated UFW, the output will look like this:
Output: Status: inactive
If UFW is activated, the output will be similar to the below screen:
UFW Default Policies
By default, UFW allows all outbound connections and blocks all incoming connections to the system. This means your system can reach any other system, but other systems cannot reach yours unless you allow access by opening a port.
The default policies are defined in the file /etc/default/ufw, and we can change these policies using the below command:
$ sudo ufw default <policy> <chain>
There are some predefined application profiles for creating rules on UFW. When installing the UFW package with the apt command, those application profiles will be added in the /etc/ufw/applications.d directory. These profiles contain firewall settings and describe the services for the application.
You can check all available application profiles in your system by using the following command:
$ sudo ufw app list
The output of the above command lists all application profiles, similar to the following:
Output:
Available applications:
  Dovecot IMAP
  Dovecot POP3
  Dovecot Secure IMAP
  Dovecot Secure POP3
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH
  Postfix
  Postfix SMTPS
  Postfix Submission
If you want to check more information about a specific application profile and rules, use the following command:
$ sudo ufw app info 'Nginx Full'
Output:
Profile: Nginx Full
Title: Web Server (Nginx, HTTP + HTTPS)
Description: Small, but very powerful and efficient web server
Ports:
  80,443/tcp
As you can see in the above output, the ‘Nginx Full’ profile opens ports 80 and 443 on your system.
Allow SSH Connections
As mentioned above, UFW blocks incoming connections by default, so before enabling UFW we need to allow SSH connections on the firewall.
If you connect to your server from remote locations, which is very common these days, and enable the UFW firewall before allowing SSH connections, you will no longer be able to access your server over SSH.
To allow SSH connection on your UFW firewall, type the following command:
$ sudo ufw allow ssh
Output:
Rules updated
Rules updated (v6)
The above command allows the default SSH port 22 on your Debian system. If you have changed the SSH port, for example if the SSH daemon listens on port 2255, then you should use the following command to allow SSH connections on UFW:
$ sudo ufw allow 2255/tcp
Now your UFW firewall is configured to allow incoming SSH connection; you can enable UFW by using the following command:
$ sudo ufw enable
Output:
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
You will be prompted with a warning that enabling the firewall may disrupt existing SSH connections; type y and hit Enter.
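The lockout described above can be guarded against in a script. The following is an added example, not part of the original tutorial: it checks the rules listed by `ufw show added` for an allow (or limit) rule on the SSH port before enabling the firewall. The function names and the sample text are constructed for illustration, and the SSH port is assumed to be passed in by the caller.

```sh
#!/bin/sh
# Added example: refuse to enable UFW unless a rule for the SSH port is staged.
# Function names are hypothetical; they are not part of ufw.

# Constructed sample of `ufw show added` output for a host with sshd on 2255.
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 2255/tcp
ufw allow 80/tcp"

# ssh_rule_staged PORT
# Reads `ufw show added` text on stdin. Returns 0 if an allow/limit rule names
# PORT (as N or N/tcp), or names ssh/OpenSSH when PORT is 22. A rule restricted
# with "from <ip>" also counts, so confirm that source covers your own address.
ssh_rule_staged() {
    awk -v port="$1" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") {
            for (i = 3; i <= NF; i++) {
                t = $i
                if (t == (port "") || t == (port "/tcp")) found = 1
                if (port == 22 && (t == "ssh" || t == "ssh/tcp" || t == "OpenSSH"))
                    found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# safe_enable [PORT]
# Enables UFW only when the check passes (run as root). --force skips the
# interactive "may disrupt existing ssh connections" prompt.
safe_enable() {
    ssh_port=${1:-22}
    if ufw show added | ssh_rule_staged "$ssh_port"; then
        ufw --force enable
    else
        echo "no allow rule for SSH port $ssh_port; run: ufw allow $ssh_port/tcp" >&2
        return 1
    fi
}
```

For the custom port used above, run `safe_enable 2255` as root in place of `ufw enable`.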
Allow connections on other ports
You can allow connections on any port with UFW; which ports you open depends on the applications running on your server and your specific need for incoming connections.
Open HTTP port – 80
You can allow HTTP connection by using the following commands:
$ sudo ufw allow http
You can also use port 80 to allow HTTP connection, as shown below:
$ sudo ufw allow 80/tcp
Alternatively, you can use an application profile to open the HTTP connection, in this case ‘Apache HTTP’ or ‘Nginx HTTP’.
$ sudo ufw allow 'Nginx HTTP'
Open HTTPS port – 443
You can allow HTTPS connection by using the following commands:
$ sudo ufw allow https
You can also use port 443 to allow HTTPS connection, as shown below:
$ sudo ufw allow 443/tcp
Alternatively, you can use an application profile to open the HTTPS connection, in this case ‘Apache HTTPS’ or ‘Nginx HTTPS’.
$ sudo ufw allow 'Nginx HTTPS'
Open Tomcat port 8080
If you are running the Tomcat application on your system, you may need to access your application on port 8080, which you can allow on UFW using the following command:
$ sudo ufw allow 8080/tcp
Allow Port Ranges
UFW can allow a range of ports in a single command instead of one port at a time. When you allow a port range on UFW, you must specify the protocol, either tcp or udp.
For example, if you want to allow ports 5000 to 6000 on both tcp and udp, you can use the following commands:
$ sudo ufw allow 5000:6000/tcp
$ sudo ufw allow 5000:6000/udp
Allow Specific IP address on UFW
You can allow a specific IP address to reach every port on your server, for example to give your home machine access to the server on any port. Here we whitelist that IP for all ports using the command below:
$ sudo ufw allow from 22.214.171.124
Where 22.214.171.124 is the IP address that is allowed on all ports.
Allow Specific IP Address on Specific Port
You can use UFW to allow a specific IP address to reach a specific port on your server. For example, to allow IP 184.108.40.206 on SSH port 22, use the following command:
$ sudo ufw allow from 184.108.40.206 to any port 22
You can allow a subnet instead of a single IP address by using CIDR notation. For example, we can allow all local IP addresses to connect to our database server.
Here we allow the IP range from 192.168.0.1 to 192.168.0.254 to reach port 3306 (MySQL) by using the following command:
$ sudo ufw allow from 192.168.0.0/24 to any port 3306
Allow connections to a Specific Network Interface
To allow access on a specific network interface for a specific port, you can use the following command. Here we allow port 3306 on interface eth1:
$ sudo ufw allow in on eth1 to any port 3306
You can deny a specific IP address access to your server, either entirely or on specific ports. For example, to block all access from IP 18.104.22.168, use the following command:
$ sudo ufw deny from 18.104.22.168
If you want to block the http and https services for IP address 22.214.171.124, use the commands below:
$ sudo ufw deny from 22.214.171.124 to any port 80
$ sudo ufw deny from 22.214.171.124 to any port 443
Delete UFW rules
There are two different ways to delete UFW rules: by rule number and by specifying the actual rule.
Deleting by rule number is very easy. First get the number of the rule using the following command:
$ sudo ufw status numbered
Output:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    Anywhere
After getting the number of the rule, you can delete the rule by specifying that number in the command; for example, here you can delete rule number 3 using the following command:
$ sudo ufw delete 3
The second method is to delete the rule by specifying the actual rule; for example, if you want to delete the rule that allows access to port 3306, you can do it by using the following command:
$ sudo ufw delete allow 3306
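The numbered listing is also a convenient input for a quick audit before deleting anything. The following added example (not part of the original tutorial) reads `ufw status numbered` text and reports ALLOW rules that expose a given port, such as the MySQL port 3306 discussed earlier, to Anywhere instead of a subnet. The function name and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: find numbered UFW rules that open a sensitive port to any
# source. The function name is hypothetical; it is not part of ufw.

# Constructed sample in the column layout of `ufw status numbered`.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    Anywhere
[ 4] 3306                       ALLOW IN    192.168.0.0/24
[ 5] 3306/tcp (v6)              ALLOW IN    Anywhere (v6)'

# open_to_anywhere "PORT PORT ..."
# Reads the status text on stdin and prints "<rule number>: <destination>" for
# every ALLOW rule on a listed port whose source column is Anywhere.
# Port ranges and multi-port application profiles are not expanded.
open_to_anywhere() {
    awk -v ports="$1" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        /^\[ *[0-9]+\]/ {
            num = $0
            sub(/^\[ */, "", num); sub(/\].*$/, "", num)    # "[ 3] ..." -> "3"
            rest = $0
            sub(/^\[ *[0-9]+\] */, "", rest)
            split(rest, col, /  +/)      # columns are two or more spaces apart
            port = col[1]
            sub(/ \(v6\)$/, "", port); sub(/\/.*$/, "", port)  # drop (v6), /tcp
            if (col[2] ~ /^ALLOW/ && col[3] ~ /^Anywhere/ && (port in want))
                print num ": " col[1]
        }
    '
}
```

On a live system, run `sudo ufw status numbered | open_to_anywhere "3306"`. Rules are renumbered after each deletion, so delete the highest reported number first or list the rules again before every `ufw delete`.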
If you want to stop the firewall that UFW has configured on your Debian system and deactivate all UFW rules, you can disable the UFW firewall, as shown below:
$ sudo ufw disable
When you want to apply all the configured UFW rules again, you can do so by enabling UFW, as shown below:
$ sudo ufw enable
Resetting the UFW firewall deletes all active rules and disables it. This is very helpful when you want to revert all your changes and start a new UFW setup.
You can reset UFW by using the following command:
$ sudo ufw reset
You have now learned how to install the UFW firewall utility on your Debian 9 server. You have also learned how to configure different types of incoming rules on your UFW firewall.