Install and Configure UFW Firewall on Debian 11
Introduction
Before we begin talking about how to install UFW Firewall on Debian 11, let's briefly understand - What is UFW Firewall?
UFW Firewall, or Uncomplicated Firewall, is a user-friendly tool for managing firewall settings on Linux systems. It provides a simple command-line interface to set up and configure firewall rules, allowing users to control incoming and outgoing network traffic.
With UFW, you can easily block or allow specific connections based on ports, IP addresses, or protocols. It offers an intuitive way to enhance the security of your Linux system by protecting it against unauthorized access and potential network threats. Whether you're a beginner or an experienced user, UFW Firewall makes it easy to strengthen your system's defenses.
In this tutorial, you will install and configure UFW Firewall on Debian 11.
Advantages of UFW Firewall
- Easy Management: UFW Firewall provides a user-friendly interface for effortless management of firewall settings on Linux systems.
- Simplified Configuration: UFW simplifies the process of configuring firewall rules, allowing users to easily block or allow specific connections.
- Effective Security: With UFW, you can enhance the security of your Linux system by protecting it against unauthorized access and potential network threats.
- Port and Protocol Control: UFW enables granular control over incoming and outgoing network traffic based on ports and protocols.
- Beginner-Friendly: UFW is designed to be accessible to users of all levels, making it an ideal choice for both beginners and experienced Linux users.
Prerequisites to Install UFW Firewall
- Debian 11 is the recommended operating system.
- A user account with root access or sudo privileges.
The installation process in the tutorial uses the terminal, which can be found under Activities > Show Applications > Terminal.
Update Operating System
Update your Debian system to ensure that all existing packages are up-to-date:
sudo apt update && sudo apt upgrade -y
Assuming you have sudo status, the tutorial will use the sudo command.
To check your account's sudo status:
sudo whoami
Example output displaying sudo status:
[vegastack@debian~]$ sudo whoami
root
How to Enable, Install or Remove UFW
UFW is not installed by default on Debian distributions, but it is available through its repository. The command below should be used to install UFW.
sudo apt install ufw -y
After installation, activate the service to get started.
sudo systemctl enable ufw --now
Next, ensure UFW is active and error-free by checking its status.
sudo systemctl status ufw
The next step in configuring a UFW firewall is to enable the firewall itself.
sudo ufw enable
Example output:
Firewall is active and enabled on system startup
Once the firewall is live, all incoming traffic is by default automatically blocked, while all outbound traffic is permitted. By prohibiting remote connections to your machine, this will immediately protect it.
In the future, use the following command if you need to temporarily disable UFW.
sudo ufw disable
To uninstall UFW completely from your Debian system, use the following command:
sudo apt remove ufw --purge
Remove UFW only if you have a reliable alternative in place or are comfortable managing iptables directly, especially on a server that is reachable from the public Internet. Leaving such a machine without a firewall will end badly.
How to Check UFW Status
Once UFW is activated, use the following command to view the status of firewall rules and what is active at the moment.
sudo ufw status verbose
The command above uses the verbose flag, but listing the rules in numbered order is also useful, because the numbers make it much easier to delete individual rules later.
sudo ufw status numbered
How to set UFW Default Policies
The UFW firewall's default setting is to only permit outbound connections and block all incoming connections to the system. The most secure default setting prevents anyone from accessing your server unless you permit specific IP address ranges, applications, ports, or combinations of all of them. You should not change your system's default access to the outside unless you have special security concerns.
The file /etc/default/ufw contains the default UFW firewall policies.
Type the following commands to adjust the default rules:
To deny all incoming connections:
sudo ufw default deny incoming
To allow all outgoing connections:
sudo ufw default allow outgoing
When activated, these are already set as the default rules, but you can adjust them according to your needs using the same principle.
For instance, all incoming traffic is already denied by default, but if you also want all outgoing traffic blocked so that only connections you explicitly permit can leave the system, use the following command.
To block all outgoing connections:
sudo ufw default deny outgoing
This is a drastic measure; for most servers and desktops, blocking incoming connections suffices, but some situations may benefit from additional security protection. The drawback is that you must constantly define new rules and manage all outbound connections, which can take time.
How to view UFW Application Profiles
By typing the following, you can display all application profiles.
sudo ufw app list
A useful aspect of application profiles is that you can learn more about each service listed in the UFW application list.
To do this, enter the following command to view additional details on an existing profile.
sudo ufw app info qBittorrent
The application's general description and the port it uses are printed out, as mentioned previously. This is a useful function to have when you are investigating open ports and are not sure what kinds of applications they relate to or what the applications do.
How to Enable IPv6 on UFW
If your Debian system is set up with IPv6, you must ensure that UFW is configured to support both IPv6 and IPv4. This should be enabled by default; nevertheless, you should check and, if necessary, change it. The following are some methods you can use to do this.
Open the UFW default firewall file.
sudo nano /etc/default/ufw
If it is not already set, change the following line to yes:
IPV6=yes
Press CTRL+O to save the updated file, and CTRL+X to close it.
To make the modifications effective, restart the UFW firewall service.
sudo systemctl restart ufw
How to Allow UFW SSH Connections
SSH connections are blocked by UFW by default, because all incoming traffic is denied. If you enabled the firewall on a remote server without first allowing SSH, you will already have noticed that you were locked out.
To avoid this, add the following SSH rule; on a remote server, do so before you enable the firewall.
Enable the SSH application profile first.
sudo ufw allow ssh
If you have configured a custom listening port for SSH rather than the standard port 22, for example port 3541, open that port on the UFW firewall by typing the following.
sudo ufw allow 3541/tcp
If you have moved SSH to a custom port, you can block SSH on the standard port with the following command (first make sure you still have local access or a working rule for the new port).
sudo ufw deny ssh/tcp
Likewise, if you later change the custom SSH port, open the new port and close the old one; with the port 3541 used in this tutorial as an example:
sudo ufw deny 3541/tcp
How to Enable UFW Ports
With UFW, you can configure the firewall to allow connections to specified ports that are allocated for a particular application. You can customize the application with your own rules. Setting up a web server that listens on port 80 (HTTP) and 443 (HTTPS) by default is an excellent demonstration of this rule.
Allow HTTP Port 80
Allow by application profile:
sudo ufw allow 'Nginx HTTP'
Allow by service name:
sudo ufw allow http
Allow by port number:
sudo ufw allow 80/tcp
Allow HTTPS Port 443
Allow by application profile:
sudo ufw allow 'Nginx HTTPS'
Allow by service name:
sudo ufw allow https
Allow by port number:
sudo ufw allow 443/tcp
Keep in mind that you can allow both HTTP and HTTPS at once with the following command.
sudo ufw allow 'Nginx Full'
UFW Allow Port Ranges
UFW can grant access to port ranges. You must specify the port protocol before opening a port range.
Allow port range with TCP & UDP:
sudo ufw allow 6500:6800/tcp
sudo ufw allow 6500:6800/udp
You can also allow a smaller set of consecutive ports in the same way; in either case a range rule is simpler to manage than one rule per port.
sudo ufw allow 6500:6509/tcp
sudo ufw allow 6500:6509/udp
How to Allow Remote Connections on UFW
UFW Allow Specific IP Address
For instance, if you are on an internal network and need a particular system to connect to yours, you can permit its IP address with the following syntax.
sudo ufw allow from 192.168.55.131
UFW Allow Specific IP Address on Specific Port
Type the following command to allow an IP to connect to your system on a specific port (for instance, port “3900”).
sudo ufw allow from 192.168.55.131 to any port 3900
Allow Subnet Connections to a Specified Port
To allow connections from any address in an IP subnet to a particular port, add the following rule.
sudo ufw allow from 192.168.1.0/24 to any port 3900
All IP addresses between 192.168.1.1 and 192.168.1.254 will be able to connect to port 3900 as a result.
Allow Specific Network Interface
For instance, to permit connections arriving on a specific network interface, “eth2”, to a particular port 3900, apply the following rule.
sudo ufw allow in on eth2 to any port 3900
How to Deny Remote Connections on UFW
When UFW is installed, all incoming connections are set to “deny” in accordance with its default configuration policy. Unless you add a rule to enable the connections to come through, this rejects all incoming traffic.
If you notice a particular IP address that is constantly attacking you, use the following command to block it.
sudo ufw deny from 203.13.56.121
A hacker may try to access your data using multiple IP addresses from the same network. To protect yourself, use the following command.
sudo ufw deny from 203.13.56.121/24
If you only wish to restrict access to particular ports, you can define custom rules, for example blocking the subnet from the web ports alone.
sudo ufw deny from 203.13.56.121/24 to any port 80
sudo ufw deny from 203.13.56.121/24 to any port 443
How to Delete UFW Rules
Sooner or later you will need to remove rules you no longer require. There are two ways to accomplish this; this tutorial deletes rules by their number.
To delete a UFW rule by its number, first list the rule numbers by typing the following.
sudo ufw status numbered
Then delete the rule by its number, for example rule 3.
sudo ufw delete 3
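Deleting by number gets error-prone as soon as several rules match, because UFW lists the IPv4 and IPv6 versions of a rule separately and renumbers the remaining rules after every delete. The following helper, an added example rather than code from the original tutorial, parses the output of sudo ufw status numbered (a constructed sample is embedded) and prints the matching delete commands highest number first.

```shell
#!/bin/sh
# Constructed sample of `sudo ufw status numbered` output (not captured from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 3541/tcp                   ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 3900                       ALLOW IN    192.168.55.131
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# ufw_rule_numbers <status-output> <to> <action> [<from>]
# Prints the numbers of rules whose To/Action/From columns match; the "(v6)"
# twin of a rule is matched as well, since ufw lists IPv4 and IPv6 separately.
ufw_rule_numbers() {
    printf '%s\n' "$1" | awk -v to="$2" -v act="$3" -v from="${4:-Anywhere}" '
        match($0, /^\[ *[0-9]+\]/) {
            num = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", num)
            rest = substr($0, RLENGTH + 1); sub(/^ +/, "", rest)
            n = split(rest, f, "  +")            # columns are separated by 2+ spaces
            if (n >= 3 && (f[1] == to || f[1] == to " (v6)") && f[2] == act &&
                (f[3] == from || f[3] == from " (v6)"))
                print num
        }'
}

# ufw_delete_commands: same arguments; prints the delete commands highest
# number first, because ufw renumbers the remaining rules after each delete.
ufw_delete_commands() {
    ufw_rule_numbers "$@" | sort -rn | while read -r n; do
        printf 'sudo ufw delete %s\n' "$n"
    done
}

# Example run against the constructed sample: both 22/tcp rules (v4 and v6).
ufw_delete_commands "$SAMPLE_STATUS" 22/tcp "ALLOW IN"
```

On a live system, pass the real output with ufw_delete_commands "$(sudo ufw status numbered)" 22/tcp "ALLOW IN" and review the printed commands before running them.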
How to Access and View UFW Logs
For most desktop systems the default logging level, low, is sufficient. Servers, however, might need more extensive logging.
If you want to set UFW logging to low (Default):
sudo ufw logging low
If you want to set UFW logging to medium:
sudo ufw logging medium
If you want to set UFW logging to high:
sudo ufw logging high
The final option is to disable logging entirely; only do this if you are sure you will not need to check the logs.
sudo ufw logging off
You can view UFW logs in their default location, /var/log/ufw.log.
The tail command is a simple and quick way to view live logs.
tail -f /var/log/ufw.log
Alternatively, use the -n <number> flag to print a given number of recent lines.
tail /var/log/ufw.log -n 30
This prints the last 30 lines of the log. You can narrow the results further with grep and other filtering commands.
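Blocked connections in /var/log/ufw.log are kernel log lines tagged [UFW BLOCK] with KEY=VALUE fields such as SRC= and DPT=. The following helper, an added example that is not part of the original tutorial, counts blocked entries per source address or per destination port so that a noisy source stands out; the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of /var/log/ufw.log lines (not captured from a real host).
SAMPLE_LOG='Jan 12 10:15:01 debian kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.13.56.121 DST=192.168.50.45 PROTO=TCP SPT=44321 DPT=22 SYN
Jan 12 10:15:03 debian kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.13.56.121 DST=192.168.50.45 PROTO=TCP SPT=44322 DPT=22 SYN
Jan 12 10:15:09 debian kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.13.56.121 DST=192.168.50.45 PROTO=TCP SPT=44323 DPT=3541 SYN
Jan 12 10:16:40 debian kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.50.45 PROTO=UDP SPT=5353 DPT=5353
Jan 12 10:17:02 debian kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.55.131 DST=192.168.50.45 PROTO=TCP SPT=51000 DPT=3900 SYN'

# ufw_block_counts <FIELD>   (reads log lines on stdin)
# Counts [UFW BLOCK] entries per value of FIELD (e.g. SRC or DPT) and prints
# "count value" lines, most frequent first. [UFW ALLOW] entries are ignored.
ufw_block_counts() {
    awk -v key="$1=" '
        /\[UFW BLOCK\]/ {
            for (i = 1; i <= NF; i++)
                if (index($i, key) == 1) { count[substr($i, length(key) + 1)]++; break }
        }
        END { for (v in count) printf "%d %s\n", count[v], v }
    ' | sort -rn
}

# ufw_block_report <FIELD> <THRESHOLD>: keeps only values blocked at least
# THRESHOLD times, a simple starting point for spotting repeated probing.
ufw_block_report() {
    ufw_block_counts "$1" | awk -v min="$2" '$1 >= min'
}

# Example run against the constructed sample: blocked hits per source address.
printf '%s\n' "$SAMPLE_LOG" | ufw_block_counts SRC
```

On a live system, feed the real log instead: sudo cat /var/log/ufw.log | ufw_block_report SRC 20.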
How to Test UFW Rules
When experimenting with firewall settings on critical systems, add the --dry-run flag. This shows the changes a command would make without actually applying them.
sudo ufw --dry-run enable
The flag works with any UFW command; for example, the following previews what disabling the firewall would do without disabling it.
sudo ufw --dry-run disable
How to Reset UFW Rules
Type the following to restore your firewall to its default settings, which have all incoming traffic blocked and outbound traffic set to allow.
sudo ufw reset
To confirm the reset, input the following:
sudo ufw status
The output should be as follows:
Status: inactive
After the reset you must re-enable the firewall and add your rules again, so use the reset command sparingly.
How to find All Open Ports (Security Check)
Many administrators are unaware that ports on their systems may be open. In an age where every IP address on the Internet is scanned daily, it is essential to keep an eye on what is listening behind the scenes.
The best course of action is to install Nmap and use this well-known tool to identify the open ports.
sudo apt install nmap -y
Next, identify the system's internal IP address.
hostname -I
Example output:
192.168.50.45
Now run the Nmap command with the server's IP address.
sudo nmap 192.168.50.45
If the output lists no open ports, everything is closed as described earlier. If it does list open ports you do not recognize, identify what is listening on them before closing or blocking them, to avoid breaking services or, worse, locking yourself out of the server.
From this point, you can close or restrict the open ports using the custom UFW rules you have learned to create throughout the lesson.
FAQs to Install UFW Firewall on Debian 11
How do I check the status of UFW Firewall on Debian 11?
Type sudo ufw status in the terminal to check the current status of UFW Firewall on Debian 11. It will display active or inactive along with the rules.
Can I allow incoming connections with UFW Firewall on Debian 11?
Yes, you can allow incoming connections by specifying the desired port or protocol using the command sudo ufw allow [port/protocol].
How can I block specific IP addresses with UFW Firewall on Debian 11?
To block specific IP addresses, use the command sudo ufw deny from [IP address]. Replace [IP address] with the actual IP you want to block.
How do I disable UFW Firewall on Debian 11?
To disable UFW, run "sudo ufw disable" in the terminal. It will stop the firewall and prevent it from starting upon system boot.
Does UFW Firewall provide logging on Debian 11?
Yes, UFW Firewall provides logging by default. You can check the logs in /var/log/ufw.log to monitor firewall activity and track blocked or allowed connections.
Can I view the list of existing firewall rules with UFW on Debian 11?
To view the list of firewall rules, use the command sudo ufw status numbered. It will display the rules along with their corresponding numbers.
How can I remove a specific firewall rule with UFW on Debian 11?
Identify the rule number using sudo ufw status numbered, then run sudo ufw delete [rule number] to remove the specific firewall rule from UFW on Debian 11.
Conclusion
You now know how to set up and configure UFW for desktop or server on Debian 11.
UFW is strongly advised because it is a straightforward firewall system in contrast to other choices that could be too complex for non-power users. Given the surge in hacking and cybercrime, it is a surefire approach to protect your system.
The one area where UFW will fall short is in vast rule sets and IP blacklists, where hundreds of thousands, if not millions, of IP addresses will be blocked. Other options might be required, but as such servers frequently have a decent alternative available, most users will not be affected.
If you have any queries, feel free to post a comment below and we'll be happy to answer them.