ufw
Ufw stands for Uncomplicated Firewall, and is a program for managing a netfilter firewall on Linux. It provides a command line interface and aims to be uncomplicated and easy to use.
Basic configuration
A very simple configuration that will deny all by default:
ufw default deny
The next line is only needed once, the first time you install the package:
ufw enable
See status:
ufw status
Enable/Disable:
ufw enable
ufw disable
Allow/Deny:
ufw allow <app|port>
ufw deny <app|port>
ufw allow from <CIDR>
ufw deny from <CIDR>
Forward policy
Users needing to run a VPN such as OpenVPN or WireGuard can change the DEFAULT_FORWARD_POLICY variable in /etc/default/ufw from DROP to ACCEPT to forward all packets regardless of the settings of the user interface. To forward only for a specific interface such as wg0, users can instead add the following lines to the filter block:
# /etc/ufw/before.rules
-A ufw-before-forward -i wg0 -j ACCEPT
-A ufw-before-forward -o wg0 -j ACCEPT
You may also need to uncomment the following lines:
# /etc/ufw/sysctl.conf
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
Adding other applications
The package comes with some defaults based on the default ports of many common daemons and programs. Inspect the options by looking in the /etc/ufw/applications.d directory or by listing them in the program itself:
ufw app list
If users are running any of the applications on a non-standard port, it is recommended to simply create /etc/ufw/applications.d/custom containing the needed data, using the defaults as a guide.
Warning: If users modify any of the package-provided rule sets, these will be overwritten the next time the ufw package is updated. This is why custom app definitions need to reside in a file not owned by the package, as recommended above!
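As an added example, not code from this page or from the ufw project, the following POSIX shell helper validates a ports= value in the syntax the Deluge examples below use (LOW:HIGH ranges, comma-separated ports, tcp/udp groups separated by a pipe) and appends the profile to the custom file, so a typo such as 20202-20205 (hyphen instead of colon) is rejected before ufw ever reads it. The default directory /etc/ufw/applications.d and the file name custom come from this section; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the ufw project or this page): validate a ufw
# application-profile "ports=" value and append a profile section to the
# custom profile file. Accepted syntax, as the page shows it: groups
# separated by "|", each group "PORTLIST/tcp" or "PORTLIST/udp", PORTLIST
# being comma-separated port numbers or LOW:HIGH ranges. The directory
# default and the file name "custom" are taken from the text; no ufw binary
# is needed to run this.

# A port is an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# One list item is either a single port or LOW:HIGH with LOW < HIGH.
valid_port_item() {
    case "$1" in
        *:*) low=${1%%:*}; high=${1#*:}
             valid_port "$low" && valid_port "$high" && [ "$low" -lt "$high" ] ;;
        *)   valid_port "$1" ;;
    esac
}

# One protocol group: "PORTLIST/tcp" or "PORTLIST/udp".
valid_proto_group() {
    case "$1" in */tcp|*/udp) ;; *) return 1 ;; esac
    list=${1%/*}
    case "$list" in ''|','*|*','|*',,'*) return 1 ;; esac
    # Split on commas; -f stops the unquoted expansion from globbing.
    old_ifs=$IFS; IFS=','; set -f; set -- $list; set +f; IFS=$old_ifs
    for item; do valid_port_item "$item" || return 1; done
}

# Whole ports= value. Returns 0 when well formed, 1 otherwise.
validate_ports_spec() {
    spec=$1
    case "$spec" in ''|'|'*|*'|'|*'||'*) return 1 ;; esac
    old_ifs=$IFS; IFS='|'; set -f; set -- $spec; set +f; IFS=$old_ifs
    for group; do valid_proto_group "$group" || return 1; done
}

# Append a [NAME] section to DIR/custom after validating NAME and PORTS.
# DIR defaults to the assumed /etc/ufw/applications.d.
write_app_profile() {
    name=$1; title=$2; description=$3; ports=$4
    dir=${5:-/etc/ufw/applications.d}
    case "$name" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    validate_ports_spec "$ports" || return 1
    mkdir -p "$dir" || return 1
    printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n\n' \
        "$name" "$title" "$description" "$ports" >> "$dir/custom"
}

# Usage: sh ufw-app-profile.sh NAME TITLE DESCRIPTION PORTS [DIR]
if [ "$#" -ge 4 ]; then
    write_app_profile "$@" || { echo "rejected profile: $1 ports=$4" >&2; exit 1; }
fi
```

Run it as sh ufw-app-profile.sh Deluge-my Deluge 'Deluge BitTorrent client' 20202:20205/tcp (as root for the default directory); afterwards ufw app list shows the new profile and ufw allow Deluge-my uses it.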
Example: Deluge with custom TCP ports ranging from 20202 to 20205:
[Deluge-my]
title=Deluge
description=Deluge BitTorrent client
ports=20202:20205/tcp
Should you need to define both TCP and UDP ports for the same application, simply separate them with a pipe as shown; this app opens TCP ports 10000-10002 and UDP port 10003:
ports=10000:10002/tcp|10003/udp
One can also use a comma to define individual ports if a range is not desired. This example opens TCP ports 10000-10002 (inclusive) and UDP ports 10003 and 10009:
ports=10000:10002/tcp|10003,10009/udp
Deleting applications
Drawing on the Deluge/Deluge-my example above, the following will remove the standard Deluge rules and replace them with the Deluge-my rules from the above example:
ufw delete allow Deluge
ufw allow Deluge-my
Blacklisting IP addresses
It might be desirable to add IP addresses to a blacklist, which is easily achieved by editing /etc/ufw/before.rules and inserting an iptables DROP line at the bottom of the file, right above the “COMMIT” line.
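The manual edit is shown in the listing that follows. As an added example (not from this page or the ufw project), the shell helper below does the same insertion programmatically: it validates each address as an IPv4 address or IPv4/prefix so nothing else can end up in a rule line, skips addresses that already have a DROP rule, and places the rules just above the COMMIT that closes the *filter table rather than above the last COMMIT in the file, since a *nat table with its own COMMIT can also live in before.rules. The function names and the iptables-restore layout it assumes are this example's own.

```shell
#!/bin/sh
# Added example (not from the ufw project or this page): insert blacklist
# DROP rules into a before.rules-style file just above the COMMIT that
# closes the *filter table. Each address is checked to be a plain IPv4
# address or IPv4/prefix; the file layout assumed is the iptables-restore
# format that ufw uses (*table ... COMMIT blocks).

# Accept "A.B.C.D" or "A.B.C.D/N" (N in 0..32); reject everything else.
valid_ipv4_cidr() {
    case "$1" in ''|*[!0-9./]*) return 1 ;; esac
    addr=${1%%/*}
    prefix=32
    case "$1" in */*) prefix=${1#*/} ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|.*|*.|*..*) return 1 ;; esac
    # Split into octets; -f stops the unquoted expansion from globbing.
    old_ifs=$IFS; IFS='.'; set -f; set -- $addr; set +f; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# add_blacklist_rules FILE ADDR... : idempotent; returns 1 on a malformed
# address or when FILE has no *filter COMMIT line to anchor on.
add_blacklist_rules() {
    file=$1; shift
    [ -f "$file" ] || return 1
    addrs=''
    for a in "$@"; do
        valid_ipv4_cidr "$a" || { echo "rejecting malformed address: $a" >&2; return 1; }
        # Skip addresses that already have a DROP rule in the file.
        grep -qF -- "-s $a -j DROP" "$file" || addrs="$addrs $a"
    done
    [ -n "$addrs" ] || return 0
    tmp=$(mktemp) || return 1
    awk -v addrs="$addrs" '
        /^[*]/ { table = $1 }        # remember which netfilter table we are in
        /^COMMIT/ && table == "*filter" && !inserted {
            n = split(addrs, list, " ")
            print "## blacklist section"
            for (i = 1; i <= n; i++)
                print "-A ufw-before-input -s " list[i] " -j DROP"
            inserted = 1
        }
        { print }
        END { if (!inserted) exit 1 }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place (keeps the file owner and mode), then clean up.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Usage: sh ufw-blacklist.sh /etc/ufw/before.rules ADDR [ADDR...]
if [ "$#" -ge 2 ]; then
    add_blacklist_rules "$@" || exit 1
fi
```

Run it as root, for example sh ufw-blacklist.sh /etc/ufw/before.rules 199.115.117.99 184.105.0.0/16, then ufw reload so the new rules are loaded; running it a second time with the same addresses changes nothing.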
# /etc/ufw/before.rules
...
## blacklist section
# block just 199.115.117.99
-A ufw-before-input -s 199.115.117.99 -j DROP
# block 184.105.*.*
-A ufw-before-input -s 184.105.0.0/16 -j DROP
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
Rate limiting with ufw
ufw has the ability to deny connections from an IP address that has attempted to initiate 6 or more connections in the last 30 seconds. Users should consider using this option for services such as SSH.
Using the basic configuration above, rate limiting is enabled by simply replacing the allow parameter with the limit parameter. The new rule then replaces the previous one.
ufw limit SSH
Disable remote ping
Change ACCEPT to DROP in the following lines:
/etc/ufw/before.rules
# ok icmp codes
...
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
If you use IPv6, the related rules are in /etc/ufw/before6.rules.
Disable UFW logging
Disabling logging may be useful to stop UFW filling up the kernel (dmesg) and message logs:
ufw logging off
UFW and Docker
Docker in its default mode writes its own iptables rules and ignores the ufw ones, which can lead to security issues. A solution can be found at https://github.com/chaifeng/ufw-docker.
GUI frontends
If you are using KDE Plasma, you can go to Wi-Fi & Networking > Firewall to access and adjust firewall configurations, provided plasma-firewall is installed.