Install and Configure UFW Firewall on Debian 10
Choose a different version or distribution
Introduction
Before we begin talking about how to install UFW Firewall on Debian 10, let's briefly understand - What is UFW Firewall?
UFW Firewall, or Uncomplicated Fisrewall, is a user-friendly tool for managing firewall settings on Linux systems. It provides a simple command-line interface to set up and configure firewall rules, allowing users to control incoming and outgoing network traffic.
With UFW, you can easily block or allow specific connections based on ports, IP addresses, or protocols. It offers an intuitive way to enhance the security of your Linux system by protecting it against unauthorized access and potential network threats. Whether you're a beginner or an experienced user, UFW Firewall makes it easy to strengthen your system's defenses.
In this tutorial, you will install and configure UFW Firewall on Debian 10.
Advantages of UFW Firewall
- Easy Management: UFW Firewall provides a user-friendly interface for effortless management of firewall settings on Linux systems.
- Simplified Configuration: UFW simplifies the process of configuring firewall rules, allowing users to easily block or allow specific connections.
- Effective Security: With UFW, you can enhance the security of your Linux system by protecting it against unauthorized access and potential network threats.
- Port and Protocol Control: UFW enables granular control over incoming and outgoing network traffic based on ports and protocols.
- Beginner-Friendly: UFW is designed to be accessible to users of all levels, making it an ideal choice for both beginners and experienced Linux users.
Prerequisites to Install UFW Firewall
- Debian 10 is the recommended operating system.
- A user account with root access or sudo privileges.
The installation process in the tutorial uses the terminal, which can be found under Activities > Show Applications > Terminal.
Update Operating System
Update your Debian system to ensure that all existing packages are up-to-date:
sudo apt update && sudo apt upgrade -y
Assuming you have sudo status, the tutorial will use the sudo command.
To check your account's sudo status:
sudo whoami
Example output displaying sudo status:
[vegastack@debian~]$ sudo whoami
root
How to Enable, Install or Remove UFW
UFW is not installed by default on Debian distributions, but it is available through its repository. The command below should be used to install UFW.
sudo apt install ufw -y
After installation, activate the service to get started.
sudo systemctl enable ufw --now
Next, ensure UFW is active and error-free by checking its status.
sudo systemctl status ufw
The next step in configuring a UFW firewall is to enable the firewall itself.
sudo ufw enable
Example output:
Output
Firewall is active and enabled on system startup
Once the firewall is live, all incoming traffic is by default automatically blocked, while all outbound traffic is permitted. By prohibiting remote connections to your machine, this will immediately protect it.
In the future, use the following command if you need to temporarily disable UFW.
sudo ufw disable
To uninstall UFW completely from your Debian system, use the following command:
sudo apt remove ufw --purge
Remove UFW only if you have a reliable alternative or are familiar with IPTables, especially if you are managing a server environment that is accessible to the public. This will end badly.
How to Check UFW Status
Once UFW is activated, use the following command to view the status of firewall rules and what is active at the moment.
sudo ufw status verbose
The verbose flag was used in the example above, but listing the rules in numerical order is also a viable option. This makes it much easier to delete rules afterwards.
sudo ufw status numbered
How to set UFW Default Policies
The UFW firewall's default setting is to only permit outbound connections and block all incoming connections to the system. The most secure default setting prevents anyone from accessing your server unless you permit specific IP address ranges, applications, ports, or combinations of all of them. You should not change your system's default access to the outside unless you have special security concerns.
The directory /etc/default/ufw
contains the default UFW firewall policies.
Type the following command to adjust the rules:
To deny all incoming connections:
sudo ufw default deny incoming
To allow all outgoing connections:
sudo ufw default allow outgoing
When activated, these are already set as the default rules, but you can adjust them according to your needs using the same principle.
For instance, all incoming communication is by default prohibited, but if you only want to allow permitted connections outbound and want all outgoing communication blocked, use the following command.
To block all outgoing connections:
sudo ufw default deny outgoing
This is a drastic measure; for most servers and desktops, blocking incoming connections suffices, but some situations may benefit from additional security protection. The drawback is that you must constantly define new rules and manage all outbound connections, which can take time.
How to view UFW Application Profiles
By typing the following, you can display all application profiles.
sudo ufw app list
Learning more about the service listed in the UFW application list is a useful aspect of the application profiles.
To do this, enter the following command to view additional details on an existing profile.
sudo ufw app info qBittorrent
The application's general description and the port it uses are printed out, as mentioned previously. This is a useful function to have when you are investigating open ports and are not sure what kinds of applications they relate to or what the applications do.
How to Enable IPv6 on UFW
If your Debian system is set up with IPv6, you must ensure that UFW is configured to support both IPv6 and IPv4. This should be enabled by default; nevertheless, you should check and, if necessary, change it. The following are some methods you can use to do this.
Open the UFW default firewall file.
sudo nano /etc/default/ufw
If not set, change the next line to yes
IPV6=yes
Press CTRL+O
to save the updated modifications to the file, and CTRL+X
to close it.
To make the modifications effective, restart the UFW firewall service.
sudo systemctl restart ufw
How to Allow UFW SSH Connections
SSH connections are prohibited by UFW by default. You would have realized you were locked out if you had already enabled the firewall remotely.
To fix this, you must first enable UFW firewall and then specify the following SSH configuration, especially if you are connected to a remote server.
Enable the SSH application profile first.
sudo ufw allow ssh
You will open the port on the UFW firewall by typing the following if you have configured a custom listening port for SSH connections rather than the standard port 22
, for example, port 3541
.
sudo ufw allow 3541/tcp
Change the port and block the older ones if you want to block all SSH connections.
Use the following command to block all SSH connections (ensure that local access is permitted).
sudo ufw deny ssh/tcp
Open a new port and close the old one if you need to change the custom SSH port; this tutorial uses port 3541
as an example.
sudo ufw deny 3541/tcp
How to Enable UFW Ports
With UFW, you can configure the firewall to allow connections to specified ports that are allocated for a particular application. You can customize the application with your own rules. Setting up a web server that listens on port 80 (HTTP) and 443 (HTTPS) by default is an excellent demonstration of this rule.
Allow HTTP Port 80
Allow by application profile:
sudo ufw allow 'Nginx HTTP'
Allow by service name:
sudo ufw allow http
Allow by port number:
sudo ufw allow 80/tcp
Allow HTTPS Port 443
Allow by application profile:
sudo ufw allow 'Nginx HTTPS'
Allow by service name:
sudo ufw allow https
Allow by port number:
sudo ufw allow 443/tcp
Keep in mind that by using the following command, you can enable all the rules by default.
sudo ufw allow 'Nginx Full'
UFW Allow Port Ranges
UFW can grant access to port ranges. You must specify the port protocol before opening a port range.
Allow port range with TCP & UDP:
sudo ufw allow 6500:6800/tcp
sudo ufw allow 6500:6800/udp
Conversely, you can allow several ports in a single hit, however, allow ranging might be better to use as described above.
sudo ufw allow 6500:6509/tcp
sudo ufw allow 6500:6509/udp
How to Allow Remote Connections on UFW
UFW Allow Specific IP Address
For instance, to permit particular IP addresses, you are on an internal network and need the systems to connect together, use the below syntax.
sudo ufw allow from 192.168.55.131
UFW Allow Specific IP Address on Specific Port
Type the following command to allow an IP to connect to your system on a specific port (for instance, port “3900”).
sudo ufw allow from 192.168.55.131 to any port 3900
Allow Subnet Connections to a Specified Port
You can enable the following rule to allow any number of connections from an IP range subnet to a particular port.
sudo ufw allow from 192.168.1.0/24 to any port 3900
All IP addresses between 192.168.1.1 and 192.168.1.254 will be able to connect to port 3900 as a result.
Allow Specific Network Interface
For instance, permit connections to a specific network interface, “eth2” to a particular port 3900. You can accomplish this by applying the following rule.
sudo ufw allow in on eth2 to any port 3900
How to Deny Remote Connections on UFW
When UFW is installed, all incoming connections are set to “deny” in accordance with its default configuration policy. Unless you add a rule to enable the connections to come through, this rejects all incoming traffic.
If you notice a particular IP address that is constantly attacking you. Use the following steps to block it.
sudo ufw deny from 203.13.56.121
A hacker may try to access your data using multiple IP addresses from the same network. To protect yourself, use the following command.
sudo ufw deny from 203.13.56.121/24
If you wish to restrict access to particular ports, you can define custom rules. Type the example that follows.
sudo ufw deny from 203.13.56.121/24 to any port 80
sudo ufw deny from 203.13.56.121/24 to any port 443
How to Delete UFW Rules
You need to remove the rules you have made and denied access to, since you no longer require them. There are two ways to accomplish this.
You must first list the rule numbers by typing the following in order to delete a UFW rule using the rule number.
sudo ufw status numbered
Enter the following in your terminal.
sudo ufw delete 3
How to Access and View UFW Logs
Most desktop systems are acceptable with UFW logging being set to low, which is the default setting. However, servers might need more extensive logging.
If you want to set UFW logging to low (Default):
sudo ufw logging low
If you want to set UFW logging to the medium:
sudo ufw logging medium
If you want to set UFW logging to high:
sudo ufw logging high
The final option is to disable logging entirely, be sure you are comfortable with this and will not require log checking.
sudo ufw logging off
You can view UFW logs in their default location of /var/log/ufw.log
.
The tail command is a simple and quick way to view live logs.
tail -f /var/log/ufw.log
Alternatively, you can use the -n <number flags>
to print out numerous recent lines.
tail /var/log/ufw.log -n 30
The last 30 lines of the log will be printed out as a result. You can fine-tune the results even further with GREP and other sorting commands.
How to Test UFW Rules
When experimenting with the firewall settings, highly critical systems can add the -dry-run flag
. This enables viewing an example of the potential modifications without actually processing them.
sudo ufw --dry-run enable
Execute the following command to disable the -dry-run flag
.
sudo ufw --dry-run disable
How to Reset UFW Rules
Type the following to restore your firewall to its default settings, which have all incoming traffic blocked and outbound traffic set to allow.
sudo ufw reset
To confirm the reset, input the following:
sudo ufw status
The output should be as follows:
Status: inactive
You must now re-enable the firewall and begin the process of adding rules after the UFW firewall was reset. If feasible, use the reset command sparingly.
How to find All Open Ports (Security Check)
Most systems are unaware of the possibility of having ports open. It is essential to keep an eye on what is going on behind the scenes in the age where every IP address on the Internet is inspected every day.
Installing Nmap and then utilizing this well-known application to identify the open ports is the best course of action.
sudo apt install nmap -y
Next, identify the system's internal IP address.
hostname -I
Example output:
192.168.50.45
Now run the Nmap command with the server's IP address.
sudo nmap 192.168.50.45
All ports are shut, as mentioned before. To avoid breaking services or, worse yet, being locked out of a server, check the open ports before closing or blocking them if you are unaware of what they are.
From this point, you can close or restrict the open ports using the custom UFW rules you have learned to create throughout the lesson.
FAQs to Install UFW Firewall on Debian 10
How do I check the status of UFW Firewall on Debian 10?
Type sudo ufw status
in the terminal to check the current status of UFW Firewall on Debian 10. It will display active or inactive along with the rules.
Can I allow incoming connections with UFW Firewall on Debian 10?
Yes, you can allow incoming connections by specifying the desired port or protocol using the command sudo ufw allow [port/protocol]
.
How can I block specific IP addresses with UFW Firewall on Debian 10?
To block specific IP addresses, use the command sudo ufw deny from [IP address]
. Replace [IP address] with the actual IP you want to block.
How do I disable UFW Firewall on Debian 10?
To disable UFW, run "sudo ufw disable" in the terminal. It will stop the firewall and prevent it from starting upon system boot.
Does UFW Firewall provide logging on Debian 10?
Yes, UFW Firewall provides logging by default. You can check the logs in /var/log/ufw.log
to monitor firewall activities and track any blocked or allowed connections.
Can I view the list of existing firewall rules with UFW on Debian 10?
To view the list of firewall rules, use the command sudo ufw status numbered
. It will display the rules along with their corresponding numbers.
How can I remove a specific firewall rule with UFW on Debian 10?
Identify the rule number using sudo ufw status numbered
, then run sudo ufw delete [rule number]
to remove the specific firewall rule from UFW on Debian 10.
Conclusion
You now know how to set up and configure UFW for desktop or server on Debian 10.
UFW is strongly advised because it is a straightforward firewall system in contrast to other choices that could be too complex for non-power users. Given the surge in hacking and cybercrime, it is a surefire approach to protect your system.
The one area where UFW will fall short is in vast rule sets and IP blacklists, where hundreds of thousands, if not millions, of IP addresses, will be blocked. Other options might be required, but as such servers frequently have a decent alternative available, most users will not be affected.
If you have any queries, feel free to post a comment below and we'll be happy to answer them.