The Uncomplicated Firewall, or UFW, is the default firewall configuration tool for Ubuntu. Developed to ease iptables firewall configuration, ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled.
ufw enable
ufw disable
ufw status verbose
[gitlab] (~) >>> ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
[gitlab] (~) >>> ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
[gitlab] (~) >>> ufw allow ssh
Rule added
Rule added (v6)
[gitlab] (~) >>> ufw status numbered
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22                         ALLOW IN    Anywhere (v6)
When using the name of an application, the firewall will always allow that application's default port unless you tell it otherwise. In this case it allowed SSH on the normal port of 22, but this will not do us much good as I do not have SSH running on 22. To allow our actual SSH port, just use ufw allow PORT.
[gitlab] (~) >>> ufw allow 3367
Rule added
Rule added (v6)
[gitlab] (~) >>> ufw status numbered
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 3367                       ALLOW IN    Anywhere
[ 3] 22                         ALLOW IN    Anywhere (v6)
[ 4] 3367                       ALLOW IN    Anywhere (v6)
[gitlab] (~) >>> ufw deny ssh
Rule updated
Rule updated (v6)
[gitlab] (~) >>> ufw status numbered
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 22                         DENY IN     Anywhere
[ 2] 3367                       ALLOW IN    Anywhere
[ 3] 22                         DENY IN     Anywhere (v6)
[ 4] 3367                       ALLOW IN    Anywhere (v6)
This of course creates another issue, in that you have now opened up SSH to everyone. To restrict this further, you can use ufw to allow SSH connections from only specific IPs.
Allow/Deny by IP address or network
ufw allow from IP ADDRESS
ufw allow from 192.168.1.0/24
ufw deny from IP ADDRESS
ufw deny from IP ADDRESS to any port PORT NUMBER
Allow by specific port and IP address
ufw allow from TARGET to DESTINATION port PORT NUMBER
Allow/Deny by specific port, IP address and protocol
ufw allow from TARGET to DESTINATION port PORT NUMBER proto PROTOCOL
ufw deny from IP ADDRESS to DESTINATION port PORT NUMBER proto PROTOCOL
Delete numbered rule
[gitlab] (~) >>> ufw status numbered
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 22                         DENY IN     Anywhere
[ 2] 3367                       ALLOW IN    Anywhere
[ 3] 22                         DENY IN     Anywhere (v6)
[ 4] 3367                       ALLOW IN    Anywhere (v6)
[gitlab] (~) >>> ufw delete 1
Deleting:
deny 22
Proceed with operation (y|n)? y
Rule deleted
[gitlab] (~) >>> ufw status numbered
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 3367                       ALLOW IN    Anywhere
[ 2] 22                         DENY IN     Anywhere (v6)
[ 3] 3367                       ALLOW IN    Anywhere (v6)
Insert numbered rule
[gitlab] (~) >>> ufw insert 1 allow from 8.8.8.8
Rule inserted
[gitlab] (~) >>> ufw status numbered
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   ALLOW IN    8.8.8.8
[ 2] 3367                       ALLOW IN    Anywhere
[ 3] 22                         DENY IN     Anywhere (v6)
[ 4] 3367                       ALLOW IN    Anywhere (v6)
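After a few allow/deny/insert rounds like the ones above, it is easy to lose track of which ports are still open to every source. The script below is an added example, not part of the original page: it parses the output of ufw status numbered and lists every ALLOW IN rule whose From column is Anywhere (IPv4 or v6). SAMPLE_STATUS is constructed from the final rule listing above; the function names exposed_rules and check_exposed are my own.

```shell
#!/bin/sh
# Added example (not from the original page): audit `ufw status numbered`
# output for ALLOW IN rules open to "Anywhere", i.e. ports reachable from
# every source address. On a live host run:  ufw status numbered | check_exposed
# SAMPLE_STATUS is constructed from the final rule listing shown on this page.

SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   ALLOW IN    8.8.8.8
[ 2] 3367                       ALLOW IN    Anywhere
[ 3] 22                         DENY IN     Anywhere (v6)
[ 4] 3367                       ALLOW IN    Anywhere (v6)'

# Reads status output on stdin; prints "<rule number> <To>" for every
# ALLOW IN rule whose From is Anywhere (both the IPv4 and "(v6)" rows).
exposed_rules() {
    awk '/^\[/ {
        gsub(/[][]/, " ")          # "[ 1]" and "[10]" both become a bare number
        for (i = 2; i <= NF; i++)  # locate the Action column
            if ($i ~ /^(ALLOW|DENY|REJECT|LIMIT)$/) break
        if (i > NF) next
        if ($i == "ALLOW" && $(i+1) == "IN" && $(i+2) == "Anywhere")
            print $1, $2
    }'
}

# Returns 0 when no rule is exposed, 1 otherwise; prints the offenders so
# the check can gate a deployment or a config-drift job.
check_exposed() {
    found=$(exposed_rules)
    [ -z "$found" ] && return 0
    printf 'ALLOW IN from Anywhere:\n%s\n' "$found"
    return 1
}

if printf '%s\n' "$SAMPLE_STATUS" | check_exposed; then
    echo "no rules open to Anywhere"
fi
```

Against the sample above the check reports rules 2 and 4 (port 3367), which is exactly the SSH exposure the text says should be narrowed to specific source IPs.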
Syntax: ufw COMMAND

Commands:
 enable                          enables the firewall
 disable                         disables the firewall
 default ARG                     set default policy
 logging LEVEL                   set logging to LEVEL
 allow ARGS                      add allow rule
 deny ARGS                       add deny rule
 reject ARGS                     add reject rule
 limit ARGS                      add limit rule
 delete RULE|NUM                 delete RULE
 insert NUM RULE                 insert RULE at NUM
 reset                           reset firewall
 status                          show firewall status
 status numbered                 show firewall status as numbered list of RULES
 status verbose                  show verbose firewall status
 show ARG                        show firewall report
 version                         display version information

Application profile commands:
 app list                        list application profiles
 app info PROFILE                show information on PROFILE
 app update PROFILE              update PROFILE
 app default ARG                 set default application policy
For more UFW examples see the following sites: