How to set up a firewall with UFW on Debian 10/11
Introduction
UFW, or Uncomplicated Firewall, is a front end for managing a netfilter firewall that is designed to be easy to use. It provides a command-line interface with a small number of simple commands and uses iptables to program the rules. Securing a server with UFW takes only a few minutes and is strongly recommended.
In this article, we will show you how to set up a firewall with UFW on Debian 10 and 11.
Prerequisites
- an active KVM VPS
- a non-root user with sudo privileges
1. Installing UFW
Debian does not install UFW by default. Run the following commands to install the ufw package:
sudo apt update
sudo apt install ufw
2. Enabling IPv6 support
This tutorial is written with IPv4 in mind, but it also covers IPv6 as long as IPv6 support is enabled. Make sure the directive IPV6=yes is present in the /etc/default/ufw file:
cat /etc/default/ufw
The relevant line should look like this:
IPV6=yes
If it is set to no, UFW does not load any ip6tables rules at all, so a server with a public IPv6 address stays fully reachable over IPv6 even while the firewall is active. Set the value before enabling UFW; if you change it on a running firewall, run sudo ufw disable followed by sudo ufw enable so that the change takes effect.
3. Checking UFW Status
The installation does not activate the firewall automatically, to avoid locking you out of the server. Check the status of UFW by typing:
sudo ufw status verbose
The output will look like this:
Status: inactive
Note: If you instead see an error along the lines of:
ERROR: problem running iptables: iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument
UFW cannot use the nf_tables backend of iptables on that kernel. Switch the system to the legacy iptables backend by running the following (as root, or prefixed with sudo):
- apt install iptables
- update-alternatives --set iptables /usr/sbin/iptables-legacy
- update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
4. UFW Default Policies
By default, UFW blocks all incoming connections and allows all outgoing connections. This means that nobody can reach your server from the outside, while any application on the server can reach the outside world.
For reference, the default policies are stored in the /etc/default/ufw file, and you can set them with the following commands:
sudo ufw default allow outgoing
sudo ufw default deny incoming
These commands set the defaults to allow outgoing and deny incoming connections. These defaults alone might suffice for a personal computer, but servers typically need to respond to incoming requests from outside users.
5. Allow SSH Connections
Before enabling UFW, you must allow incoming SSH connections; otherwise the deny-incoming default will lock you out of the server.
To allow incoming SSH connections, run:
sudo ufw allow ssh
This creates firewall rules that allow connections on port 22/tcp, the port the SSH daemon listens on by default. UFW knows what allow ssh means because ssh is listed as a service in the /etc/services file.
The service name always maps to port 22, so check the Port setting in /etc/ssh/sshd_config before you rely on it. If sshd is running on TCP port 2222 or TCP port 2233, enter:
sudo ufw allow 2222/tcp
sudo ufw allow 2233/tcp
6. Enable UFW
Now that the UFW firewall is configured to allow incoming SSH connections, enable it by running:
sudo ufw enable
You will be warned that enabling the firewall may disrupt existing SSH connections:
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
Respond to the prompt with y and hit ENTER. The firewall is now active:
Firewall is active and enabled on system startup
Run the following command to see the rules that you have set.
sudo ufw status verbose
7. Allowing Other Connections
Depending on the applications that run on your server, you will need to open the ports those services listen on. You already know how to write rules that allow connections based on a service name or a port number; we did this for SSH on port 22. You can do the same for:
- HTTP on port 80, which is what unencrypted web servers use. To allow this traffic, use:
sudo ufw allow http
Instead of the http profile, you can also use the port number, 80:
sudo ufw allow 80
- HTTPS on port 443, which is what encrypted web servers use. To allow this traffic, use:
sudo ufw allow https
You can also use the port number, 443:
sudo ufw allow 443/tcp
Note the difference between the two port-number forms: allow 80 opens port 80 for both TCP and UDP, while allow 443/tcp limits the rule to TCP. A classic HTTP/1.1 or HTTP/2 server only listens on TCP, so the /tcp form is the tighter rule; open 443/udp only if you actually serve HTTP/3 (QUIC).
Opening Port Ranges
With UFW, you can also allow access to port ranges, which is useful for applications that use several consecutive ports instead of a single one. To allow ports 5100 to 5200 for both tcp and udp, run:
sudo ufw allow 5100:5200/tcp
sudo ufw allow 5100:5200/udp
When specifying port ranges with UFW, you must specify the protocol (tcp or udp) that the rule applies to. We have not mentioned this before because leaving out the protocol on a single port automatically allows both protocols, which is fine in most cases.
Allowing Specific IP Addresses
When working with UFW, you can also specify source IP addresses.
For example, to allow access on all ports from a specific IP address, use ufw allow from followed by the address:
sudo ufw allow from 10.100.100.11
Allowing Specific IP Addresses on a Specific Port
If you want to allow 10.100.100.11 to connect only to port 22 (SSH), use:
sudo ufw allow from 10.100.100.11 to any port 22
Allowing Subnets
The command for allowing connections from a whole subnet is the same as for a single address; the only difference is that you append the prefix length in CIDR notation.
For example, to allow every address in the 10.100.100.0/24 network (10.100.100.0 through 10.100.100.255), use:
sudo ufw allow from 10.100.100.0/24
To allow the same network to reach only port 22 (SSH), use:
sudo ufw allow from 10.100.100.0/24 to any port 22
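The steps above (default policies, SSH rules before enabling, the web ports, and a subnet rule for an administrative network) combined into one repeatable script, as an added example that is not part of the original article. SSH_PORT, ADMIN_NET and DRY_RUN, the two validation helpers, and the 203.0.113.0/24 admin network (a placeholder from the RFC 5737 documentation range) are this example's own assumptions; ufw's limit action, which rate-limits new connections from a single source, is real ufw functionality. Run it as DRY_RUN=1 sh baseline.sh apply first to see the exact ufw commands without touching the firewall, then without DRY_RUN to apply them.

```shell
#!/bin/sh
# Added example (not from the original article): a repeatable UFW baseline
# for a Debian VPS that applies the tutorial's steps in the safe order.
# Assumptions: SSH_PORT, ADMIN_NET and DRY_RUN are this script's own variables;
# the default admin network 203.0.113.0/24 is a placeholder (RFC 5737 range).
# With DRY_RUN=1 the commands are printed instead of executed, which needs
# neither root nor ufw installed.
set -eu

SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"
DRY_RUN="${DRY_RUN:-0}"

# Run ufw via sudo, or print the exact command line when DRY_RUN=1.
ufw_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ufw %s\n' "$*"
    else
        sudo ufw "$@"
    fi
}

# A port is a decimal number between 1 and 65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# An IPv4 host (a.b.c.d) or network (a.b.c.d/n): four octets 0-255, prefix 0-32.
valid_cidr4() {
    case $1 in
        */*) ip=${1%/*}; prefix=${1#*/} ;;
        *)   ip=$1;      prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    n=0
    rest="$ip."
    while [ -n "$rest" ]; do
        oct=${rest%%.*}
        rest=${rest#*.}
        case $oct in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

apply_baseline() {
    valid_port "$SSH_PORT"   || { echo "bad SSH_PORT: $SSH_PORT" >&2; return 1; }
    valid_cidr4 "$ADMIN_NET" || { echo "bad ADMIN_NET: $ADMIN_NET" >&2; return 1; }

    # Defaults first: every rule that follows is an exception to "deny incoming".
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing

    # SSH before "enable" so the current session survives. Public SSH is
    # rate-limited with ufw's "limit" action; the admin network is not limited.
    ufw_cmd limit "$SSH_PORT/tcp"
    ufw_cmd allow from "$ADMIN_NET" to any port "$SSH_PORT" proto tcp

    # Web ports, TCP only: a bare "allow 80" would also open 80/udp.
    ufw_cmd allow 80/tcp
    ufw_cmd allow 443/tcp

    # --force answers the "may disrupt existing ssh connections" prompt.
    ufw_cmd --force enable
    ufw_cmd status verbose
}

# Apply only when invoked as "sh baseline.sh apply"; otherwise just define the
# functions, so the file can be sourced or dry-run.
if [ "${1:-}" = "apply" ]; then
    apply_baseline
fi
```

The validation helpers exist because ufw itself accepts a surprising amount of garbage quietly when a variable is empty or mistyped; rejecting a bad port or subnet before the first ufw call means the script either applies the whole baseline or none of it.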
Allow Connections to a Specific Network Interface
If you want a firewall rule that only applies to a specific network interface, specify allow in on followed by the interface name.
Look up your network interfaces first with:
ip a
The output will look something like this:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
.....
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
.....
Here the VPS has a public network interface called eth0 (on a current Debian install it may instead carry a predictable name such as ens3 or enp1s0; use whatever ip a shows). To allow HTTP traffic on that interface only, run:
sudo ufw allow in on eth0 to any port 80
A rule bound to one interface does not match traffic arriving on any other interface, which is what makes it useful for exposing a service on the public interface while keeping it closed on a private one, or the other way round.
Deny connections
The default policy for incoming connections is deny, which means UFW blocks every incoming connection unless you specifically open it.
Sometimes, however, you will want to deny specific connections based on the source IP address or subnet, for example because you know that your VPS is being attacked from there. Also, if you change your default incoming policy to allow (which is not recommended), you would need to create deny rules for every service or address you do not want to accept connections from.
To write deny rules, use the commands described above, replacing allow with deny.
For example, to deny HTTP connections, use:
sudo ufw deny http
To deny all connections from 11.22.33.0/24, use:
sudo ufw deny from 11.22.33.0/24
If you only want to deny access to ports 80 and 443 from 11.22.33.0/24, use:
sudo ufw deny from 11.22.33.0/24 to any port 80
sudo ufw deny from 11.22.33.0/24 to any port 443
Keep in mind that UFW evaluates rules in the order shown by sudo ufw status numbered and the first match wins. A deny rule appended after an existing allow http rule never sees HTTP traffic from that subnet, because the allow rule matches first; in that case use sudo ufw insert 1 followed by the deny rule so that it is placed at the top of the list.
Delete UFW Rules
Knowing how to delete firewall rules is just as important as knowing how to create them. There are two ways to delete UFW rules: by rule number and by specifying the actual rule.
Deleting by rule number is easier, especially if you are new to UFW, so we start with that method.
- By Rule Number
To delete a rule by its number, first find the number of the rule you want to delete:
sudo ufw status numbered
Output:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 443                        ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
If we decide to delete rule 3, which allows HTTP connections on port 80, we pass that number to the UFW delete command:
sudo ufw delete 3
This shows a confirmation prompt, which you answer with y or n. Typing y deletes rule 3.
Note that UFW renumbers the remaining rules after each deletion, so when you remove several rules, run sudo ufw status numbered again before each delete, or delete from the highest number down to the lowest. On a host with IPv6 enabled, the list also contains separate (v6) entries for each rule; deleting by number removes only the one entry you name.
- By Actual Rule
The alternative to rule numbers is to specify the rule itself. For example, to remove the allow http rule, write:
sudo ufw delete allow http
You can also specify the rule by port number instead of service name:
sudo ufw delete allow 80
The rule must be spelled exactly as it was added: delete allow 80 matches a rule created with allow 80 (both protocols), not the 80/tcp rule that allow http created, and UFW reports a non-existent rule if nothing matches.
This method deletes both the IPv4 and the IPv6 rule, if they exist.
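The renumbering pitfall in practice, as an added example that is not part of the original article: a helper that reads the output of ufw status numbered, collects the numbers of every rule whose To column matches a port specification, and deletes them highest number first so that the lower numbers stay valid. SAMPLE_STATUS is a constructed listing for the dry run, and DRY_RUN, ufw_cmd, rules_matching and delete_rules are this example's own names, not ufw's.

```shell
#!/bin/sh
# Added example (not from the original article): delete several UFW rules by
# number without the renumbering problem. `ufw status numbered` renumbers the
# remaining rules after every deletion, so deleting "3" and then "5" from one
# listing removes the wrong second rule. This helper parses a listing from
# stdin, matches on the "To" column and deletes highest number first.
# SAMPLE_STATUS is constructed; DRY_RUN and the function names are our own.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Run ufw via sudo, or print the exact command line when DRY_RUN=1.
ufw_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ufw %s\n' "$*"
    else
        sudo ufw "$@"
    fi
}

# Print the numbers of rules whose "To" column equals the given spec
# (e.g. 80/tcp), highest first. Input: `ufw status numbered` output on stdin.
# Both the IPv4 and the "(v6)" entry for a port match, which is what you want
# when removing a port completely.
rules_matching() {
    sed -n 's/^\[ *\([0-9][0-9]*\)\] *\([^ ]*\).*/\1 \2/p' \
        | awk -v spec="$1" '$2 == spec { print $1 }' \
        | sort -rn
}

# Delete every rule matching the spec, highest number first. --force skips
# the per-rule confirmation prompt.
delete_rules() {
    for n in $(rules_matching "$1"); do
        ufw_cmd --force delete "$n"
    done
}

# Constructed sample of `sudo ufw status numbered` on a dual-stack host.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 443                        ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Real use:  sudo ufw status numbered | delete_rules 80/tcp
# Dry run against the sample ("sh delete_rules.sh demo") prints
# "ufw --force delete 5" followed by "ufw --force delete 3".
if [ "${1:-}" = "demo" ]; then
    DRY_RUN=1
    printf '%s\n' "$SAMPLE_STATUS" | delete_rules 80/tcp
fi
```

Deleting in descending order is the whole point: after rule 5 is gone, rule 3 is still rule 3, whereas deleting 3 first would have turned the old rule 5 into rule 4 and the second delete would hit the wrong entry.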
8. Disabling or Resetting UFW (optional)
If for any reason you want to stop UFW and deactivate all rules, disable it with:
sudo ufw disable
Any rules you created with UFW will no longer be active (they are kept on disk). To re-enable UFW and activate all rules again, type:
sudo ufw enable
If you already have UFW rules configured but want to start over, use the reset command:
sudo ufw reset
This disables UFW and deletes every rule you previously defined. Keep in mind that the default policies do not change back to their original settings if you modified them at any point. This gives you a fresh start with UFW; remember to allow SSH again before you enable it.