Linux servers are a popular choice for businesses because they’re easy to manage and can be used for a variety of purposes. Security is always a top priority, though, and it’s important to take steps to protect your server from potential threats. One way to do that is with the UFW firewall. UFW is an open source firewall for Linux servers; it’s easy to set up and can help keep your server safe from potential threats. To set up UFW on your Linux server, first make sure you have the necessary software installed. You can find the software here: https://www.ufw-software.com/. Once the software is installed, create a new file called “udfw” in the /etc/udfw directory; this file will contain the settings for your UFW firewall. In this example, we’ll set up rules to allow traffic from our web server into our internal network and out into the world:

```bash
# Allow all outgoing traffic (UFW's default outgoing policy)
sudo ufw default allow outgoing
# Turn on logging
sudo ufw logging on
# web_server: TCP from the web server subnet (10.0.0.*) into the internal network (10.1.*)
sudo ufw allow proto tcp from 10.0.0.0/24 to 10.1.0.0/16 comment 'web_server'
# internal_network: TCP to anywhere in the internal 10.* range
sudo ufw allow proto tcp to 10.0.0.0/8 comment 'internal_network'
# out_into_the_world: outbound TCP to any destination
sudo ufw allow out proto tcp to any comment 'out_into_the_world'
```

Setting Up UFW

UFW is installed by default in Ubuntu, but if it’s not, you can install it from apt:

If you’re running another distro, you’ll have to use that distro’s package manager, but UFW is widely available. You can check the status of the firewall with:

This should say “Inactive” if you haven’t configured it before.

A good place to start with any firewall is by closing all incoming traffic and allowing outgoing traffic. Don’t worry, this won’t cut off your SSH connection right away, as the firewall isn’t enabled yet.

This gives us a blank slate to work with and to add rules on top of.

Opening Ports With UFW

To open ports, use the command ufw allow. For example, you’ll need to open up port 22, so go ahead and run:

You can also leave a note for your future self when adding any rule:

Many applications install profiles for UFW, SSH being one of them. So you can also allow certain applications to open the ports they require by specifying the name:

You can view a list of available applications with ufw app list, and view details about an application with ufw app info [name].

You can also allow a whole range of ports by using a colon as a separator, and you can specify a protocol. For example, to allow only TCP traffic on ports 3000 through 3100, you can run:

Since the default is set to deny incoming, you won’t have to manually close off any ports. If you did want to close off an outgoing port, you’ll have to specify a direction alongside ufw reject:

Whitelisting and Rate Limiting With UFW

You can allow certain IP addresses to have different permissions. For example, to allow all traffic from your IP address, you could run:

To whitelist specific ports, you’ll have to use the fuller syntax:

You likely won’t want to restrict SSH access to a whitelist in this way unless you have a backup connection or some sort of port knocking set up, as IP addresses change quite frequently. One option if you do want to restrict SSH access to only you is to set up an OpenVPN server in the same private cloud, and whitelist access to that server.

If you want to whitelist a whole block of IP addresses, as is the case when you’re running your servers through a virtual private cloud provider, you can use standard CIDR subnet notation:

Subnets are pretty complicated, so you can read our guide to working with them to learn more.

Rate limiting is another useful feature of firewalls that can block connections that are obviously abusive. This protects against an attacker attempting to brute-force an open SSH port. You could whitelist the port to protect it entirely, but rate limiting is useful anyway. By default, UFW rate limits 6 connections per 30 seconds, and it’s intended to be used for SSH:

Turn On UFW

Once you’re done configuring your rules, you can enable UFW. Make sure that SSH on port 22 is open, or you’ll lock yourself out. If you want, you can disable UFW from running on boot so that a reboot would clear any potential lockout:

Then, you can enable UFW with:

If all is good, you can run ufw status to view the current status of the firewall. If you’re not locked out, and the firewall is running, set it to run at boot with:

Any time you make changes, you’ll need to reload the firewall with:

You can also turn on logging, to log connections to /var/log/:

Managing and Deleting Rules

If you’d like to delete a rule, you’ll have to get its number with:

Note that the numbers start at 1, not 0. You can delete a rule by number:

Again, make sure you don’t delete the rule keeping port 22 open. You can use the --dry-run parameter to have UFW ask you for confirmation:

If you make any changes, you’ll need to reload the firewall again.
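As an added example (not part of the original article), here is a small POSIX shell guard around ufw delete: it parses the output of ufw status numbered and refuses to remove an ALLOW or LIMIT rule for port 22, printing the --dry-run command otherwise. The UFW_STATUS_CMD variable and the embedded sample status output are constructed for this example.

```shell
#!/bin/sh
# Guard around "ufw delete <number>" that refuses to remove the rule keeping
# SSH (port 22) open. Added example; not part of the original article.
# UFW_STATUS_CMD is an assumed override, e.g. "sudo ufw status numbered".

# Constructed sample of "ufw status numbered" output, used when no
# UFW_STATUS_CMD is set, so the script runs without ufw installed.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 3000:3100/tcp              ALLOW IN    Anywhere
[ 3] 22/tcp                     LIMIT IN    Anywhere
[ 4] 80/tcp                     ALLOW IN    10.0.0.0/8
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

ufw_status() {
    if [ -n "$UFW_STATUS_CMD" ]; then $UFW_STATUS_CMD; else printf '%s\n' "$SAMPLE_STATUS"; fi
}

# Print the line for rule number $1 exactly as "ufw status numbered" shows it.
rule_line() {
    ufw_status | grep "^\[ *$1\]"
}

# Succeed (exit 0) when rule $1 is an ALLOW or LIMIT rule for port 22
# (with or without /tcp, IPv4 or the "(v6)" twin); DENY rules do not count.
protects_ssh() {
    rule_line "$1" | grep -Eq '^\[ *[0-9]+\] +22(/tcp)?( \(v6\))? +(ALLOW|LIMIT) IN'
}

# Refuse to delete an SSH rule (exit 1) or an unknown number (exit 2);
# otherwise print the dry-run delete command for the operator to review.
safe_delete_rule() {
    if [ -z "$(rule_line "$1")" ]; then
        echo "no rule number $1" >&2; return 2
    fi
    if protects_ssh "$1"; then
        echo "refusing: rule $1 keeps SSH open" >&2; return 1
    fi
    echo "sudo ufw --dry-run delete $1"
}
```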