Basic Security in Linux: Set Up a Firewall with UFW
In an age where servers and desktops routinely face automated attacks, misconfigurations, and targeted scans, establishing a robust firewall is a fundamental step in securing any Linux system. The Uncomplicated Firewall (UFW) provides an intuitive interface for managing iptables-based rules. This article walks you through every stage—from installation to advanced usage—and offers practical tips for integrating UFW with VPN solutions to maximize privacy and security.
Why You Need a Firewall
- Restrict Unauthorized Access: Block ports not in use and prevent unauthorized logins.
- Limit Attack Surface: Only expose necessary services, reducing potential vulnerabilities.
- Logging and Monitoring: Track and audit connection attempts.
- Easy Management: UFW simplifies complex iptables configurations.
1. Installing and Enabling UFW
Most modern Linux distributions include UFW in their repositories. To install and activate (on a machine you administer over SSH, add an SSH rule as shown in section 3 before running ufw enable, or the enable step can cut off your own session):
sudo apt update
sudo apt install ufw
sudo ufw enable
By default, UFW denies incoming traffic and allows outgoing traffic. Verify:
sudo ufw status verbose
2. Understanding Default Policies
| Direction | Default Policy | Description |
|---|---|---|
| Incoming | deny | Blocks all unsolicited connections by default. |
| Outgoing | allow | Permits all outbound traffic, useful for most desktop use cases. |
| Routed | deny | Controls forwarded packets (useful on routers or gateways). |
3. Allowing and Denying Services
Use either port numbers or service names recognized by UFW (from /etc/services).
- Allow SSH (by service name or by port):
sudo ufw allow ssh
sudo ufw allow 22/tcp
- Deny HTTP (by service name or by port):
sudo ufw deny http
sudo ufw deny 80/tcp
- Allow a range:
sudo ufw allow 1000:2000/udp
- Delete a rule:
sudo ufw delete allow ssh
4. Advanced Rule Definitions
UFW also supports rate limiting, IPv6, and specific source or destination addresses:
- Rate Limiting: Protect SSH against brute-force attacks. UFW denies an address that has attempted 6 or more new connections within 30 seconds:
sudo ufw limit ssh
- IPv6 Support: Ensure IPV6=yes is set in /etc/default/ufw, then reload:
sudo ufw reload
- Restrict by IP: Only allow access from a trusted subnet:
sudo ufw allow from 203.0.113.0/24 to any port 443
5. Checking Status and Logs
To verify current rules:
sudo ufw status numbered
UFW log entries are written via rsyslog, usually to /var/log/ufw.log. To increase verbosity, set LOGLEVEL=high in /etc/default/ufw and reload.
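As an added example that is not part of the original article, the following Python script parses lines in the format ufw writes to /var/log/ufw.log, tallies blocked packets per source address and destination port, and lists the sources that exceed a review threshold. The log lines are constructed samples; on a real host you would read the file instead of SAMPLE_LOG.

```python
import re
from collections import Counter

# Constructed sample lines in the format ufw writes to /var/log/ufw.log
# (not real traffic; field lists abbreviated, real entries carry more key=value pairs).
SAMPLE_LOG = """\
Jun 10 12:00:01 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TTL=51 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Jun 10 12:00:02 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TTL=51 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Jun 10 12:00:03 host kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TTL=51 PROTO=TCP SPT=40003 DPT=22 SYN URGP=0
Jun 10 12:00:04 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.5 LEN=40 TTL=240 PROTO=TCP SPT=55555 DPT=3389 SYN URGP=0
Jun 10 12:00:05 host kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=52 TTL=64 PROTO=TCP SPT=51000 DPT=443 SYN URGP=0
Jun 10 12:00:06 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=28 TTL=51 PROTO=UDP SPT=40004 DPT=53 LEN=8
"""

# Entries look like "[UFW BLOCK]", "[UFW LIMIT BLOCK]", "[UFW ALLOW]" ... followed by key=value fields
ACTION_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\] (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # bare flags such as SYN or DF carry no '=' and are skipped

def parse_line(line):
    """Return a dict of fields for one ufw log line, or None if it is not a ufw entry."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    entry = {"action": m.group("action")}
    for key, value in KV_RE.findall(m.group("rest")):
        entry.setdefault(key, value)  # keep the outer LEN=, not the inner UDP payload LEN=
    return entry

def blocked_by_source(log_text):
    """Count blocked packets per (SRC, PROTO, DPT) across BLOCK and LIMIT BLOCK lines."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["action"].endswith("BLOCK"):
            counts[(e.get("SRC"), e.get("PROTO"), e.get("DPT"))] += 1
    return counts

def noisy_sources(log_text, threshold=3):
    """Sources with at least `threshold` blocked packets in total, busiest first."""
    per_src = Counter()
    for (src, _proto, _dport), n in blocked_by_source(log_text).items():
        per_src[src] += n
    return [(src, n) for src, n in per_src.most_common() if n >= threshold]

if __name__ == "__main__":
    for key, n in blocked_by_source(SAMPLE_LOG).most_common():
        print(key, n)
    print("sources to review:", noisy_sources(SAMPLE_LOG))
```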
6. Integrating UFW with VPNs
While UFW secures the server at the network level, using a VPN on the client or gateway adds privacy and an additional layer of encryption. When using VPNs such as NordVPN, ExpressVPN, or ProtonVPN, you may wish to:
- Restrict Outgoing to VPN Interface: Deny all outbound traffic except via the tunnel interface (tun0 or wg0):
sudo ufw default deny outgoing
sudo ufw allow out on tun0 from any to any
sudo ufw enable
Note that the VPN client itself must still be able to reach the VPN server over the physical interface; add an outbound rule for that endpoint before switching to the deny policy, or the tunnel cannot be established.
- Prevent Leaks: Block traffic if the VPN drops:
  - Use ufw-before-up.rules hooks to drop non-VPN traffic.
- Ensure DNS Privacy: Point DNS queries to the VPN’s resolver or to encrypted resolvers (e.g., 1.1.1.1 over DNS-over-HTTPS).
7. Use Cases and Examples
Below are practical scenarios demonstrating UFW configurations:
Web Server Only (HTTP/HTTPS)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
Mail Server (SMTP, IMAP, SSH)
sudo ufw default deny incoming
sudo ufw allow 22/tcp
sudo ufw allow 25/tcp
sudo ufw allow 587/tcp
sudo ufw allow 993/tcp
sudo ufw enable
8. Best Practices
- Least Privilege: Only open the ports you need.
- Regular Audits: Periodically review ufw status verbose and /var/log/ufw.log.
- Backup Rules: Copy the rule files UFW keeps in /etc/ufw before major changes (ufw itself has no export subcommand):
sudo cp /etc/ufw/user.rules /etc/ufw/user6.rules /root/
- Combine Tools: Use intrusion detection systems (such as Suricata) alongside UFW.
- Stay Updated: Keep both your OS and UFW package current to benefit from security patches.
Conclusion
Implementing UFW fortifies your Linux environment with a straightforward yet powerful firewall solution. From basic allow/deny rules to advanced rate limiting and VPN-specific configurations, UFW adapts to a wide range of scenarios. By following the guidelines and examples above, you can sharply reduce your exposure to network-based threats and ensure that only legitimate traffic reaches your services.
Article last updated: June 2024.