How to configure and customize Firewall on PiMP OS using ufw


  • Staff

    What is UFW?

    UFW, or uncomplicated firewall, is a frontend for managing firewall rules in Arch Linux, Debian or Ubuntu. UFW is used through the command line (although it has GUIs available), and aims to make firewall configuration easy (or, uncomplicated). UFW is the fastest and easiest way to configure your firewall on Ubuntu, and therefore on PiMP OS.

    Note: in PiMP you are already root, so sudo is not required before these commands like other systems may require.

    Default Rules Shipping in PiMP OS 2.8.4 and above:

    Out of the box we have done the following, and then committed the changes to the ufw configuration files in /etc/ufw:

    # Start the ufw service on every boot:
    systemctl start ufw
    systemctl enable ufw
    
    # Allow all outgoing and deny all incoming to start:
    ufw default allow outgoing
    ufw default deny incoming
    
    # Allow SSH, RDP, and VNC:
    ufw allow 22/tcp
    ufw allow 3389/tcp
    ufw allow 5900/tcp
    
    # Enable brute-force limit protections:
    ufw limit 22/tcp
    ufw limit 3389/tcp
    ufw limit 5900/tcp
    

    Feel free to customize the firewall for your own needs. For example, to change the SSH port, first edit the sshd configuration file, then allow (and limit) the new port. Finally, while still logged in, restart sshd and try to connect on the new port from a second session. If that works, you have made your change successfully.

    If you do not need RDP/VNC you can remove those rules by using the instructions below.

    If you want to enable things like Teamviewer, you may have to enable more rules by using the instructions below.

    Thank you very much for reading this guide! Comment below with any questions or suggestions for the PiMP OS firewall.

    Adding ufw to older PiMP OS installations:

    You can do the above yourself. First, update the system packages:

    apt update && apt upgrade

    Then, install ufw:

    apt install ufw

    Then proceed to configure the firewall. You can use the commands listed above if you like.

    Add Rules

    Rules can be added in two ways: By denoting the port number or by using the service name.

    For example, to allow both incoming and outgoing connections on port 22 for SSH, you can run:

    ufw allow ssh

    You can also run:

    ufw allow 22

    Similarly, to deny traffic on a certain port (in this example, 111) you would only have to run:

    ufw deny 111

    To further fine-tune your rules, you can also allow packets based on TCP or UDP. The following will allow TCP packets on port 80:

    ufw allow 80/tcp
    ufw allow http/tcp

    Whereas this will allow UDP packets on 1725:

    ufw allow 1725/udp

    Advanced Rules

    Along with allowing or denying based solely on port, UFW also lets you allow or block by IP address, by subnet, and by IP address/subnet/port combinations.

    To allow connections from an IP address:

    ufw allow from 123.45.67.89

    To allow connections from a specific subnet:

    ufw allow from 123.45.67.89/24

    To allow a specific IP address/port combination:

    ufw allow from 123.45.67.89 to any port 22 proto tcp

    proto tcp can be removed or switched to proto udp depending upon your needs, and all instances of allow can be changed to deny as needed.

    Remove Rules

    To remove a rule, add delete before the rule implementation. If you no longer wish to allow HTTP traffic, you could run:

    ufw delete allow 80

    Deleting also allows the use of service names.

    Edit UFW’s Configuration Files

    Although simple rules can be added through the command line, there may be a time when more advanced or specific rules need to be added or removed. Before applying the rules entered through the terminal, UFW loads a file, before.rules, that allows loopback, ping, and DHCP. To add to or alter these rules, edit the /etc/ufw/before.rules file. A before6.rules file is also located in the same directory for IPv6.

    after.rules and after6.rules files also exist for any rules that need to be applied after UFW runs your command-line-added rules.

    An additional configuration file is located at /etc/default/ufw. From here IPv6 can be disabled or enabled, default rules can be set, and UFW can be set to manage built-in firewall chains.

    UFW Status

    You can check the status of UFW at any time with the command: ufw status. This will show a list of all rules, and whether or not UFW is active:

    Status: active
    
    To                         Action      From
    --                         ------      ----
    22                         ALLOW       Anywhere
    80/tcp                     ALLOW       Anywhere
    443                        ALLOW       Anywhere
    22 (v6)                    ALLOW       Anywhere (v6)
    80/tcp (v6)                ALLOW       Anywhere (v6)
    443 (v6)                   ALLOW       Anywhere (v6)
    
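    To check a rig against the defaults listed at the top of this guide, here is an added Python example (not part of this post or of the PiMP project) that parses ufw status output in the format shown above and reports management ports that are open without a LIMIT rule, extra open ports, or an inactive firewall; the sample output is constructed.

```python
import re
import subprocess

# Ports PiMP OS 2.8.4+ opens and rate-limits by default (from this guide).
EXPECTED_LIMITED = {"22/tcp", "3389/tcp", "5900/tcp"}

# Constructed sample in the layout `ufw status` prints; not captured from a real rig.
SAMPLE_STATUS = """Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
3389/tcp                   ALLOW       Anywhere
5900/tcp                   LIMIT       Anywhere
80                         ALLOW       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
"""

# One table row: destination (optionally suffixed " (v6)"), action, source.
ROW_RE = re.compile(r"^(?P<to>\S+(?: \(v6\))?)\s{2,}(?P<action>[A-Z ]+?)\s{2,}(?P<from>.+)$")

def parse_status(text):
    """Return (active, rules); rules is a list of (to, action, from) tuples."""
    lines = text.splitlines()
    active = bool(lines) and lines[0].strip() == "Status: active"
    rules = []
    for line in lines[1:]:
        m = ROW_RE.match(line.rstrip())
        if not m or m.group("to") in ("To", "--"):
            continue  # header, separator, blank or non-row line
        rules.append((m.group("to"), m.group("action").strip(), m.group("from").strip()))
    return active, rules

def audit(text, expected_limited=EXPECTED_LIMITED):
    """List deviations from the shipped defaults for the IPv4 rules."""
    active, rules = parse_status(text)
    findings = [] if active else ["firewall inactive"]
    v4 = [(to, action) for to, action, _ in rules if "(v6)" not in to]
    for port in sorted(expected_limited):
        actions = {a for t, a in v4 if t == port}
        if not actions:
            findings.append(f"{port}: no rule")
        elif "LIMIT" not in actions:
            findings.append(f"{port}: allowed without limit")
    for to, action in v4:
        if to not in expected_limited and action in ("ALLOW", "LIMIT"):
            findings.append(f"{to}: extra open port")
    return findings

def live_audit():
    """Run the audit against this rig (needs root, which PiMP already gives you)."""
    out = subprocess.run(["ufw", "status"], capture_output=True, text=True, check=True).stdout
    return audit(out)
```

    An empty result from audit() means the rig matches the defaults; anything listed is a rule to revisit with the add/remove commands in this guide.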

    Enable the Firewall

    With your chosen rules in place, your initial run of ufw status will probably output Status: inactive. To enable UFW and enforce your firewall rules:

    ufw enable

    Similarly, to disable UFW's rules:

    ufw disable

    Note: this still leaves the UFW service running and enabled on reboots.

    Logging

    You can enable logging with the command:

    ufw logging on

    Log levels can be set by running ufw logging low|medium|high, selecting either low, medium, or high from the list. The default setting is low.

    A normal log entry will resemble the following, and will be located in /var/log/ufw.log:

    Sep 16 15:08:14 <hostname> kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=123.45.67.89 DST=987.65.43.21 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=8475 PROTO=TCP SPT=48247 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
    

    The initial values list the date, time, and hostname of your machine. Additional important values include:

    [UFW BLOCK]: This location is where the description of the logged event will be located. In this instance, it blocked a connection.

    IN: If this contains a value, then the event was incoming

    OUT: If this contains a value, then the event was outgoing

    MAC: A combination of the destination and source MAC addresses

    SRC: The IP of the packet source

    DST: The IP of the packet destination

    LEN: Packet length

    TTL: The packet TTL, or time to live: how many router hops it can make before it expires, if no destination is found.

    PROTO: The packet’s protocol

    SPT: The source port of the packet

    DPT: The destination port of the packet

    WINDOW: The TCP window size, i.e. how much data the sender is willing to receive

    SYN URGP: Indicates whether a three-way handshake is required. 0 means it is not.
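    As an added example (not from this post or the PiMP project), the following Python parses log lines in the format described above into the fields listed, then counts blocked inbound TCP SYNs per source and destination port so that repeated hits on the rate-limited ports 22, 3389 and 5900 stand out. The log lines are constructed; the [UFW LIMIT BLOCK] prefix is the one ufw uses when a limit rule drops a packet.

```python
import re
from collections import Counter

# Constructed sample lines in the layout shown above; not from a real rig.
SAMPLE_LOG = """\
Sep 16 15:08:14 rig kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=8475 PROTO=TCP SPT=48247 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 16 15:08:15 rig kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=8476 PROTO=TCP SPT=48248 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 16 15:08:16 rig kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=1 PROTO=TCP SPT=5000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 16 15:08:17 rig kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 PROTO=UDP SPT=5001 DPT=5353 LEN=12
"""

# Syslog timestamp, host, "kernel:", optional kernel uptime stamp, then the [UFW ...] tag.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[ *[0-9.]+\] )?\[UFW (?P<event>[A-Z ]+)\] (?P<rest>.*)$")

LIMITED_PORTS = {"22", "3389", "5900"}  # ports PiMP rate-limits by default

def parse_line(line):
    """Return a dict of the KEY=VALUE fields plus bare flags (SYN, ACK, DF), or None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "event": m.group("event"), "flags": []}
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val            # e.g. OUT= is present but empty on inbound packets
        else:
            rec["flags"].append(tok)  # tokens without '=' are TCP flags
    return rec

def inbound_syn_blocks(lines):
    """Count blocked inbound TCP SYNs per (SRC, DPT): new connection attempts that were dropped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or "BLOCK" not in rec["event"]:
            continue
        if not rec.get("IN") or rec.get("PROTO") != "TCP" or "SYN" not in rec["flags"]:
            continue
        counts[(rec["SRC"], rec["DPT"])] += 1
    return counts

def flag_sources(counts, threshold=2):
    """Sources hitting a rate-limited management port at least `threshold` times."""
    return sorted({src for (src, dpt), n in counts.items() if dpt in LIMITED_PORTS and n >= threshold})
```

    Feed it the lines from the ufw log file with a higher threshold for a real rig; a source that keeps appearing against port 22 is a good candidate for a ufw deny from rule.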


Copyright (c) 2017 PiMP LLC. All rights Reserved.