What is UFW?
UFW (Uncomplicated Firewall) is a frontend for iptables and the default firewall configuration tool in Ubuntu.
By default UFW is disabled, so first it will need to be installed:
I'm going to add a basic allow rule for OpenSSH access from my local network:
sudo ufw allow from 192.168.1.0/24 to any port 22
Well known port allocations
- 20 – FTP Data (For transferring FTP data)
- 21 – FTP Control (For starting FTP connection)
- 22 – SSH (For secure remote administration which uses SSL to encrypt the transmission)
- 23 – Telnet (For insecure remote administration)
- 25 – SMTP (Mail Transfer Agent for e-mail servers such as Sendmail)
- 53 – DNS (Special service which uses both TCP and UDP)
- 67 – Bootp
- 68 – DHCP
- 69 – TFTP (Trivial file transfer protocol uses the UDP protocol for connectionless transmission of data)
- 80 – HTTP/WWW (Apache)
- 88 – Kerberos
- 110 – POP3 (Mail delivery Agent)
- 123 – NTP (Network time protocol used for time syncing uses UDP protocol)
- 137 – NetBIOS (nmbd)
- 139 – SMB-Samba (smbd)
- 143 – IMAP
- 161 – SNMP (For network monitoring)
- 389 – LDAP (For centralized administration)
- 443 – HTTPS (HTTP+SSL for secure web access)
- 514 – Syslogd (udp port)
- 636 – LDAPS (both TCP and UDP)
- 873 – rsync
- 989 – FTPS-data
- 990 – FTPS
- 993 – IMAPS
- 995 – POP3S
- 1194 – OpenVPN
- 1812 – RADIUS
- 2049 – NFS (nfsd, rpc.nfsd, rpc, portmap)
- 2401 – CVS server
- 3306 – MySQL
- 3690 – SVN
- 6000-6063 – X11
The "deny" command works similarly to the "allow" command and is used to close a port in the firewall:
Then check your UFW configured status:
If you need more detail on the status you can use:
When adding or removing rules you can also use the rule number.
Using numbered entries makes it easier to add or delete rules at a specific position:
sudo ufw insert 1 deny from 221.194.0.0/16 to any
sudo ufw insert 2 allow ntp
After we've configured UFW, we can turn it on using this command:
To disable (stop) UFW, run this command:
If you need to reload UFW (reload the rules), run the following:
In order to restart UFW after changes, you will need to disable it first and then enable it again:
sudo ufw disable && sudo ufw enable
Then recheck your UFW configured status.
Getting more clever with ufw: you can annotate a rule by appending comment 'COMMENT' to it:
sudo ufw insert 2 deny from 221.194.0.0/16 to any comment 'block 221.194.47.249 & 221.194.47.229 - from 221.194.0.0 to 221.194.255.255'
You can enable logging with the command:
Specifying 'on' simply enables logging at log level 'low' if logging is currently not enabled.
With the log level set to low, a normal log entry in /var/log/ufw.log will resemble the following log structure:
Dec 6 08:50:53 <my-server-hostname> kernel: [ 7818.432401] [UFW BLOCK] IN=enp0s18 OUT= MAC=01:00:5e:00:00:11:c8:91:g9:06:50:10:08:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Dec 6 09:58:36 <my-server-hostname> kernel: [11881.028665] [UFW BLOCK] IN=enp0s18 OUT= MAC=00:13:d3:ae:4c:a5:09:21:5f:71:1g:be:08:00 SRC=192.168.1.68 DST=192.168.1.100 LEN=56 TOS=0x00 PREC=0x00 TTL=128 ID=23030 PROTO=UDP SPT=51895 DPT=2054 LEN=36
The initial values list the date, time, and your device hostname. Additional important values include:
- [UFW BLOCK]: Short description of the logged event. In this instance, it blocked a connection.
- IN: If set, the event was an incoming event (the value is the interface the packet arrived on).
- OUT: If set, the event was an outgoing event (the value is the interface the packet would leave on).
- MAC: A combination of the destination and source MAC addresses.
- SRC: The source IP, i.e. who sent the packet.
- DST: The IP of the packet's destination.
- LEN: Packet length.
- TOS: The TOS field of the IPv4 header.
- PREC: I believe this refers to the Precedence field of the IPv4 header.
- TTL: The packet's TTL, or time to live: how many router hops it may take before it expires if no destination is found.
- ID: ufw's internal ID; it might be the operating system's ID.
- PROTO: The packet's protocol.
- SPT: The source port of the packet.
- DPT: The destination port of the packet.
- WINDOW: The size of the packet the sender can receive.
- RES: These bits are reserved for future use and are always set to 0.
- SYN URGP: Indicates whether a three-way handshake is required; 0 means it is not. It doesn't really matter for firewall log reading.
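To show how the fields above fit together, here is an added example (not part of the original post) that parses kernel-logged ufw lines into the key=value fields and bare flags described above, then totals blocked packets per source address and per destination port. The first two sample lines are the ones quoted above; the third is a constructed TCP SYN line so that SPT, DPT, WINDOW and SYN URGP appear.

```python
import re
from collections import Counter

# Syslog prefix, kernel uptime stamp, the [UFW ACTION] tag, then the field list.
UFW_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: \[\s*[\d.]+\] "
    r"\[UFW (?P<action>[A-Z ]+)\] (?P<rest>.*)$"
)

# Sample lines: the first two are from the post, the third is constructed.
SAMPLE_LINES = [
    "Dec 6 08:50:53 <my-server-hostname> kernel: [ 7818.432401] [UFW BLOCK] IN=enp0s18 OUT= "
    "MAC=01:00:5e:00:00:11:c8:91:g9:06:50:10:08:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=36 "
    "TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2",
    "Dec 6 09:58:36 <my-server-hostname> kernel: [11881.028665] [UFW BLOCK] IN=enp0s18 OUT= "
    "MAC=00:13:d3:ae:4c:a5:09:21:5f:71:1g:be:08:00 SRC=192.168.1.68 DST=192.168.1.100 LEN=56 "
    "TOS=0x00 PREC=0x00 TTL=128 ID=23030 PROTO=UDP SPT=51895 DPT=2054 LEN=36",
    # constructed: a blocked inbound TCP SYN to port 22 from the same LAN host
    "Dec 6 10:02:11 <my-server-hostname> kernel: [12000.000000] [UFW BLOCK] IN=enp0s18 OUT= "
    "MAC=00:13:d3:ae:4c:a5:09:21:5f:71:1a:be:08:00 SRC=192.168.1.68 DST=192.168.1.100 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
]

def parse_ufw_line(line):
    """Return a dict of fields for one ufw log line, or None if the line is not one."""
    m = UFW_LINE.match(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "action": m.group("action"), "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)          # OUT= yields an empty value for inbound packets
            if key == "LEN" and "LEN" in rec:      # UDP lines carry a second LEN (the UDP length)
                key = "UDP_LEN"
            rec[key] = val
        else:
            rec["flags"].append(tok)               # bare flags such as DF and SYN
    return rec

def summarise(lines):
    """Count blocked packets per source IP and per (protocol, destination port)."""
    by_src, by_dpt = Counter(), Counter()
    for rec in map(parse_ufw_line, lines):
        if rec and rec["action"].startswith("BLOCK"):
            by_src[rec["SRC"]] += 1
            by_dpt[(rec.get("PROTO"), rec.get("DPT"))] += 1
    return by_src, by_dpt

if __name__ == "__main__":
    by_src, by_dpt = summarise(SAMPLE_LINES)
    print("blocked per source:", dict(by_src))
    print("blocked per proto/port:", dict(by_dpt))
```

Pointing the same functions at the real file (`open("/var/log/ufw.log")`) gives a quick view of which hosts and ports are hitting the default policy most often.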
ufw supports multiple logging levels and defaults to a log level of 'low' when none is specified.
LEVEL may be 'on', 'off', 'low', 'medium', 'high' or 'full'. Users may specify a log level with:
Log levels are defined as:
- off: disables ufw managed logging
- low: logs all blocked packets not matching the defined policy (with rate limiting), as well as packets matching logged rules
- medium: log level low, plus all allowed packets not matching the defined policy, all INVALID packets, and all new connections. All logging is done with rate limiting.
- high: log level medium (without rate limiting), plus all packets with rate limiting
- full: log level high without rate limiting
Log levels above medium may quickly fill up your disk, and log level medium may generate a lot of logging output on a busy system.
If you want to turn off UFW completely and delete all the rules, you can use the "reset" command:
Whilst creating my ufw rules I needed to work out my external IP address; the quickest way was to use the following:
The next step in securing your server's ports is to use an intrusion prevention framework like fail2ban.