Uncomplicated Firewall (ufw)

The default Ubuntu firewall is ufw, which is short for “uncomplicated firewall.” Ufw is a frontend for the typical Linux iptables commands, but it is designed so that basic firewall tasks can be performed without knowledge of iptables.

Additionally, ufw can be managed from a graphical interface, gufw. This tutorial shows how to enable and disable the firewall on Ubuntu 20.04 LTS Linux from both the command line and the GUI.

In this tutorial, you will learn:

  • How to check the firewall status
  • How to enable/disable the firewall
  • How to control firewall settings from GUI
  • How to install the GUI or gufw

UFW, in most cases, will already be installed on the machine, but the GUI gufw might not be. If you don’t see gufw in “Show Applications”, you will need to install it. Installing gufw is easy. As root, or using sudo, install it by executing the following commands from a terminal:

sudo apt-get update -y
sudo apt-get install gufw -y

Now, you should find it and launch it. This shows the status of the ufw as “off”:

GUFW showing UFW is off

In my particular case for writing this article, I was troubleshooting why I could not SSH into this particular server. As noted in the screenshot, and as I will echo, opening SSH on a machine could pose a security risk. Choose wisely if you don’t know what you are doing, and if you do, great! Chive on.

Adding a rule is simple. From the “rules tab”, click on the + button in the lower right-hand corner of the GUFW window, and choose the appropriate details. There are many other options here you may choose for your particular use case, but I am only showing how to allow port 22 connections, IPv4 and IPv6.

Port 22 / SSH now allowed as a rule

The “report tab” shows the entire list of rules that ufw is aware of for the server. I am running Mysterium miner and Nord VPN.

List of possible rules

There are so many other aspects to gufw, ufw and iptables; this was meant to cover some of the basics.

If you want to learn how to do this from the command line, read further below. If not, I hope this helped for the gufw intro.


If you want to roll up your sleeves and get down and dirty with the terminal, let us re-create what I illustrated above.

The first thing we should do is check the status of the firewall to see if it’s on or off. There is also the “verbose” option that can be used:

$ sudo ufw status
Status: inactive
$ sudo ufw status verbose
Status: inactive

Upon installation, applications that rely on network communications will typically set up a UFW profile that you can use to allow connections from external addresses. This is often the same as running ufw allow from, with the advantage of providing a shortcut that abstracts the specific port numbers a service uses and gives referenced services a user-friendly name.

Now, let’s go and turn on ufw:

$ sudo ufw enable
Firewall is active and enabled on system startup
$ sudo ufw status
Status: active
$ sudo ufw status verbose
Status: active

The firewall starts immediately upon issuing this command and will also start on system startup.

Now, we want to create a rule to allow SSH into the server. To do this by application/service profile, we will list which profiles are currently available. Run the following:

sudo ufw app list

If you installed a service such as a web server or other network-dependent software and a profile was not made available within UFW, first, make sure the service is enabled. Your mileage may vary depending on what else you have installed on your system and if they added their profile. For remote servers, you’ll typically have OpenSSH readily available:

Available applications:
  OpenSSH

To enable a ufw application profile, run ufw allow followed by the name of the application profile you want to enable, which you can obtain with a sudo ufw app list command. In the following example, we’re enabling the OpenSSH profile, which will allow all incoming SSH connections on the default SSH port.

$ sudo ufw allow "OpenSSH"
Rule added
Rule added (v6)

Let us see what the ufw rules look like now:


$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: Deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To               Action         From
--               -----          ----
22/tcp           ALLOW IN       Anywhere
22/tcp (v6)      ALLOW IN       Anywhere (v6)
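
Checking this status output can be scripted, for instance to confirm after a change that the firewall is active, that unsolicited inbound traffic is dropped by default, and which ports are open to every source address. The following is an added example, not part of the original article; the function names and the embedded sample text are constructed for illustration, and the script only parses text from standard input, so it runs without ufw installed.

```shell
#!/bin/sh
# Added example: audit `ufw status verbose` output read from stdin.

# Constructed sample, modelled on the status output shown in this tutorial.
sample_status() {
cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}

# Print the default policy for incoming traffic, lower-cased (deny/allow/reject).
default_incoming() {
    sed -n -E 's/^Default: *([A-Za-z]+) \(incoming\).*/\1/p' | tr 'A-Z' 'a-z'
}

# Print the "To" column of every rule that admits traffic from any source.
world_open() {
    sed -n -E 's/^(.*[^ ]) +ALLOW IN +Anywhere( \(v6\))? *$/\1/p'
}

# Return 0 only if the firewall is active and drops unsolicited inbound traffic;
# always list the ports reachable from anywhere so they can be reviewed.
audit_ufw() {
    out=$(cat)
    rc=0
    printf '%s\n' "$out" | grep -q '^Status: active' || { echo "FAIL: ufw is not active"; rc=1; }
    policy=$(printf '%s\n' "$out" | default_incoming)
    [ "$policy" = "deny" ] || [ "$policy" = "reject" ] || { echo "FAIL: default incoming policy is '${policy:-unknown}'"; rc=1; }
    printf '%s\n' "$out" | world_open | while read -r rule; do
        echo "REVIEW: $rule is open to any source address"
    done
    return $rc
}

# On a real host: sudo ufw status verbose | audit_ufw
sample_status | audit_ufw
```

A non-zero exit status from audit_ufw means the firewall is off or its default incoming policy is not deny or reject; the REVIEW lines are informational and list rules to confirm as intentional.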

Conclusion

This is a great way to lock down your Linux instance from being accessed outside of what you want to be allowed. You should test this out on a non-mission-critical machine if you are new to this to ensure you do not bring down a production system. There are so many additional facets to this, and I will add to them. I was troubleshooting an issue on a network, which was part of the puzzle. I thought to document this for others since I was looking this up myself and thought it to be a great start. This is just the tip of the iceberg.
