How to configure and customize Firewall on PiMP OS using ufw
What is UFW?
UFW, or Uncomplicated Firewall, is a front end for managing iptables firewall rules on Arch Linux, Debian, or Ubuntu. UFW is used from the command line (although GUIs are available for it) and aims to make firewall configuration easy, or uncomplicated. UFW is the fastest and easiest way to configure your firewall on Ubuntu, and therefore on PiMP OS.
Note: in PiMP you are already root, so sudo is not required before these commands, as it may be on other systems.
Default Rules Shipping in PiMP OS 2.8.4 and above:
Out of the box we have done the following, and then committed the changes to the ufw configuration files in /etc/ufw:
# Start the ufw service on every boot:
systemctl start ufw
systemctl enable ufw

# Allow all outgoing and deny all incoming to start:
ufw default allow outgoing
ufw default deny incoming

# Allow SSH, RDP, and VNC:
ufw allow 22/tcp
ufw allow 3389/tcp
ufw allow 5900/tcp

# Enable brute-force limit protections:
ufw limit 22/tcp
ufw limit 3389/tcp
ufw limit 5900/tcp
Feel free to customize your firewall for your own needs. For example, if you want to change the SSH port, you would first edit the SSHD configuration file, then allow (and limit) the new port. Finally, while still logged in, restart sshd and attempt to connect on the new port. If that works, you have made your change successfully.
If you do not need RDP/VNC you can remove those rules by using the instructions below.
If you want to enable things like Teamviewer, you may have to enable more rules by using the instructions below.
Thank you very much for reading this guide! Comment below with any questions or suggestions for the PiMP OS firewall.
Adding ufw to older PiMP OS installations:
You can do the above yourself. First, update the system packages:
apt update && apt upgrade
Then, install ufw:
apt install ufw
Then proceed to configure the firewall. You can use the commands listed above if you like.
Rules can be added in two ways: by specifying the port number or by using the service name.
For example, to allow both incoming and outgoing connections on port 22 for SSH, you can run:
ufw allow ssh
You can also run:
ufw allow 22
Similarly, to deny traffic on a certain port (in this example, 111) you would only have to run:
ufw deny 111
To further fine-tune your rules, you can also allow packets based on TCP or UDP. The following will allow TCP packets on port 80:
ufw allow 80/tcp
ufw allow http/tcp
Whereas this will allow UDP packets on 1725:
ufw allow 1725/udp
Along with allowing or denying based solely on port, UFW also lets you allow or block by IP address, by subnet, and by IP address/subnet/port combinations.
To allow connections from an IP address:
ufw allow from 184.108.40.206
To allow connections from a specific subnet:
ufw allow from 220.127.116.11/24
To allow a specific IP address/port combination:
ufw allow from 18.104.22.168 to any port 22 proto tcp
proto tcp can be removed or switched to proto udp depending upon your needs, and all instances of allow can be changed to
To remove a rule, add delete before the rule. If you no longer wished to allow HTTP traffic, you could run:
ufw delete allow 80
Deleting also allows the use of service names.
Edit UFW’s Configuration Files
Although simple rules can be added through the command line, there may be a time when more advanced or specific rules need to be added or removed. Before applying the rules entered through the terminal, UFW processes a file, before.rules, that allows loopback, ping, and DHCP. To add to or alter these rules, edit the /etc/ufw/before.rules file. A before6.rules file is also located in the same directory for IPv6.
after.rules and after6.rules files also exist in the same directory to hold any rules that need to be applied after UFW runs your command-line-added rules.
An additional configuration file is located at /etc/default/ufw. From here IPv6 can be disabled or enabled, default rules can be set, and UFW can be set to manage built-in firewall chains.
You can check the status of UFW at any time with the command ufw status. This will show a list of all rules, and whether or not UFW is active:
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
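As an added example that is not part of this guide (and not PiMP's or ufw's own code), the following Python script parses the text that ufw status prints and compares it with the rule set you intend for the host, so that an extra allow rule (such as a port opened for testing and forgotten) is reported. The sample status text, the EXPECTED baseline, and the function names are constructed for the example.

```python
"""Compare the rules `ufw status` reports against an expected baseline.

Added example for this guide (not PiMP's or ufw's own code): parse_ufw_status()
reads the text `ufw status` prints, and unexpected_rules()/missing_rules()
report drift from the rule set the operator intended.  The sample text and
the EXPECTED baseline are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One rule row, e.g. "22 (v6)   ALLOW   Anywhere (v6)".  The To and From
# columns can contain spaces, so the row is split around the Action keyword.
ROW_RE = re.compile(
    r"^(?P<to>.+?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)"
    r"(?:\s+(?P<direction>IN|OUT|FWD))?\s+(?P<src>.+?)\s*$"
)


@dataclass(frozen=True)
class Rule:
    to: str       # destination port[/proto] or "Anywhere"
    action: str   # ALLOW, DENY, REJECT or LIMIT
    src: str      # "Anywhere", an address or a subnet
    ipv6: bool    # True for the "(v6)" copy of a rule


def parse_ufw_status(text: str) -> tuple[bool, list[Rule]]:
    """Return (firewall_active, rules) parsed from `ufw status` output."""
    active = False
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Status:"):
            active = line.split(":", 1)[1].strip() == "active"
            continue
        m = ROW_RE.match(line)
        if not m:  # blank lines, the "To Action From" header and the dashes
            continue
        to, src = m.group("to"), m.group("src")
        ipv6 = to.endswith("(v6)") or src.endswith("(v6)")
        rules.append(Rule(
            to=to.replace("(v6)", "").strip(),
            action=m.group("action"),
            src=src.replace("(v6)", "").strip(),
            ipv6=ipv6,
        ))
    return active, rules


def unexpected_rules(rules: list[Rule], baseline: set[tuple[str, str, str]]) -> list[Rule]:
    """Rules on the host that the baseline does not list (v4 and v6 rows both checked)."""
    return [r for r in rules if (r.to, r.action, r.src) not in baseline]


def missing_rules(rules: list[Rule], baseline: set[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Baseline entries that no rule on the host satisfies."""
    present = {(r.to, r.action, r.src) for r in rules}
    return sorted(baseline - present)


# Constructed sample: the status listing shown in the guide plus two LIMIT
# rows of the kind `ufw limit` produces.
SAMPLE_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443                        ALLOW       Anywhere
22/tcp                     LIMIT       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
22/tcp (v6)                LIMIT       Anywhere (v6)
"""

# The rule set the operator intends for this host (constructed for the example).
EXPECTED = {
    ("22", "ALLOW", "Anywhere"),
    ("22/tcp", "LIMIT", "Anywhere"),
    ("443", "ALLOW", "Anywhere"),
}

if __name__ == "__main__":
    active, rules = parse_ufw_status(SAMPLE_STATUS)
    print("firewall active:", active)
    for r in unexpected_rules(rules, EXPECTED):   # reports both 80/tcp rows
        print("unexpected:", r)
    for entry in missing_rules(rules, EXPECTED):
        print("missing:", entry)
```

On a live host you would feed the output of ufw status into parse_ufw_status() instead of the sample text; the baseline is deliberately a plain set of (to, action, from) tuples so it can be kept in version control next to the commands that created the rules.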
Enable the Firewall
With your chosen rules in place, your initial run of ufw status will probably output Status: inactive. To enable UFW and enforce your firewall rules:
ufw enable
Similarly, to disable UFW's rules:
ufw disable
This still leaves the UFW service running and enabled on reboots.
You can enable logging with the command:
ufw logging on
Log levels can be set by running ufw logging low|medium|high, selecting either low, medium, or high from the list. The default setting is low.
A normal log entry will resemble the following and is written to /var/log/ufw.log:
Sep 16 15:08:14 <hostname> kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=22.214.171.124 DST=9126.96.36.199 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=8475 PROTO=TCP SPT=48247 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
The initial values list the date, time, and hostname of your Linode. Additional important values include:
[UFW BLOCK]: The description of the logged event. In this instance, a connection was blocked.
IN: If this contains a value, then the event was incoming
OUT: If this contains a value, then the event was outgoing
MAC: A combination of the destination and source MAC addresses
SRC: The IP of the packet source
DST: The IP of the packet destination
LEN: Packet length
TTL: The packet TTL, or time to live. How long it will bounce between routers until it expires, if no destination is found.
PROTO: The packet’s protocol
SPT: The source port of the packet
DPT: The destination port of the packet
WINDOW: The size of the packet the sender can receive
SYN URGP: Indicates if a three-way handshake is required. 0 means it is not.
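As an added example that is not part of this guide (and not PiMP's or ufw's own code), the following Python script parses [UFW BLOCK] log lines into the fields listed above and counts, per source address, how many blocked inbound TCP SYN packets were aimed at a given port. Run over /var/log/ufw.log it shows which hosts keep probing SSH behind the limit rule. The log lines are constructed for the example and use documentation address ranges; the function names are assumptions, not anything ufw provides.

```python
"""Summarise blocked inbound connection attempts from UFW log lines.

Added example for this guide (not PiMP's or ufw's own code):
parse_ufw_log_line() splits one syslog-style UFW entry into the fields
described above, and blocked_syn_sources() counts, per source address,
the blocked TCP SYNs aimed at one destination port.  The log lines are
constructed for the example and use documentation address ranges
(192.0.2.0/24 and 198.51.100.0/24).
"""
from __future__ import annotations

import re
from collections import Counter

# "<Mon dd HH:MM:SS> <host> kernel: [UFW <ACTION>] KEY=VALUE ... FLAG ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[UFW (?P<action>[A-Z ]+?)\] (?P<rest>.*)$"
)


def parse_ufw_log_line(line: str) -> dict | None:
    """Return {ts, host, action, fields, flags} for a UFW entry, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields: dict[str, str] = {}   # KEY=VALUE tokens; "OUT=" yields an empty value
    flags: list[str] = []         # bare tokens such as SYN, ACK, DF
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        else:
            flags.append(token)
    return {"ts": m.group("ts"), "host": m.group("host"),
            "action": m.group("action"), "fields": fields, "flags": flags}


def blocked_syn_sources(lines, dport: str = "22", min_hits: int = 1) -> list[tuple[str, int]]:
    """Sources with at least min_hits blocked inbound TCP SYNs to dport, busiest first."""
    counts: Counter[str] = Counter()
    for line in lines:
        event = parse_ufw_log_line(line)
        if event is None or event["action"] != "BLOCK":
            continue
        f, flags = event["fields"], event["flags"]
        inbound = bool(f.get("IN"))                    # IN=eth0 set, OUT= empty
        new_conn = "SYN" in flags and "ACK" not in flags  # a fresh connection attempt
        if inbound and f.get("PROTO") == "TCP" and f.get("DPT") == dport and new_conn:
            counts[f["SRC"]] += 1
    return [(src, n) for src, n in counts.most_common() if n >= min_hits]


# Constructed sample log: three SSH attempts from one host, one from another,
# an unrelated UDP block, an allowed SSH connection, and a non-UFW line.
SAMPLE_LOG = """\
Sep 16 15:08:14 pimp-rig kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=198.51.100.50 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=8475 PROTO=TCP SPT=48247 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 16 15:08:15 pimp-rig kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=198.51.100.50 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=8476 PROTO=TCP SPT=48248 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 16 15:08:16 pimp-rig kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=198.51.100.50 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=8477 PROTO=TCP SPT=48249 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 16 15:09:01 pimp-rig kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.7 DST=198.51.100.50 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1024 PROTO=TCP SPT=50010 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 16 15:09:05 pimp-rig kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.7 DST=198.51.100.50 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1025 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Sep 16 15:09:09 pimp-rig kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.77 DST=198.51.100.50 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=3 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
not a ufw line at all
"""

if __name__ == "__main__":
    for src, hits in blocked_syn_sources(SAMPLE_LOG.splitlines(), dport="22"):
        print(f"{src}: {hits} blocked SSH SYN(s)")
```

To use it on a real rig, pass open("/var/log/ufw.log") to blocked_syn_sources() in place of SAMPLE_LOG.splitlines() and raise min_hits to the level that matters to you; only [UFW BLOCK] entries with IN set, PROTO=TCP, and a bare SYN flag are counted, so allowed traffic and replies are ignored.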
Copyright (c) 2017 PiMP LLC. All rights Reserved.