Ubuntu Firewall UFW Installation configuration

Ubuntu system has UFW installed by default.

1. Installation
sudo apt-get install UFW
2. Enable
sudo UFW enable
sudo ufw default deny
After running the above two commands, the firewall is turned on and turned on automatically when the system starts. All external access to the native is turned off, but the native access is normal externally.
3. Turn ON/off
sudo ufw allow|deny [service]
Open or close a port, for example:
sudo UFW allow SMTP allows all external IPs to access native 25/TCP (SMTP) ports
sudo ufw allow 22/tcp allows all external IP access to the native 22/tcp (SSH) port
sudo UFW allow 53 allows external access to 53 ports (TCP/UDP)
sudo ufw allow from 192.168.1.100 allows this IP access to all native ports
sudo ufw allow proto UDP 192.168.0.1 port 192.168.0.2 port 53
sudo UFW deny SMTP prevents external access to the SMTP service
sudo ufw delete allow SMTP to delete a rule established above
4. View firewall status
sudo UFW status
For general users, only the following settings are required:
sudo apt-get install UFW
sudo UFW enable
sudo ufw default deny
The above three commands are safe enough, if you need to open some services, then use sudo ufw allow to open.

Turn firewall on/off (the default setting is ' Disable ')
sudo ufw enable|disable
Conversion status
sudo ufw logging On|off
Set default policy (e.g. "mostly open" vs "mostly closed")
sudo ufw default Allow|deny
Licensed or shielded port (you can view the list of services in "status"). A service that exists in/etc/services can be specified in the "Protocol: port" manner
The name can also be passed through the meta-data of the package. The ' Allow ' parameter will add the entry to/etc/ufw/maps, while ' deny ' is the opposite. The basic syntax is as follows:
sudo ufw allow|deny [service]
Displays the listening state of the firewall and port, see/var/lib/ufw/maps. The numbers in parentheses will not be displayed.
sudo UFW status

UFW Use Example:
Allow Port 53
$ sudo ufw allow 53
Disable Port 53
$ sudo ufw delete Allow 53
Allow Port 80
$ sudo ufw allow 80/tcp
Disable Port 80
$ sudo ufw delete Allow 80/tcp
Allow SMTP ports
$ sudo ufw allow SMTP
Remove licensing for SMTP ports
$ sudo ufw delete allow SMTP
Allow a specific IP
$ sudo ufw allow from 192.168.254.254
Delete the above rule
$ sudo ufw delete allow from 192.168.254.254
5. Enable/Disable the appropriate port or service (for example)
sudo UFW allow 80 allows external access to native 80 ports
sudo ufw delete allow 80 disallow external access to native 80 ports
sudo ufw allow from 192.168.1.1 allows this IP access to all native ports
sudo UFW deny SMTP prevents external access to the SMTP service
sudo ufw delete allow SMTP to delete a rule established above
sudo ufw deny Proto TCP from 10.0.0.0/8 to 192.168.0.1 port is going to deny all traffic from the TCP 10.0.0.0/8 to the address of Port 22 192.168.0.1
You can allow all RFC1918 networks (LAN/WLAN) to access this host (/8,/16,/12 is a network rating):
sudo ufw allow from 10.0.0.0/8
sudo ufw allow from 172.16.0.0/12
sudo ufw allow from 192.168.0.0/16
6. More detailed description
[] represents the optional content. Root privileges may be required, such as unable to run, please use sudo ufw ... The command structure. The contents of the "" can not be copied and changed as needed.
UFW [--dry-run] Enable|disable|reload
command [– Trial run] activation | off | reload
UFW [--dry-run] Default allow|deny|reject [incoming|outgoing]
command [– Trial run] default allow | block | Deny access to native rules | Rules for out-of-access
Note: Reject allows visitors to know that the data is rejected (feedback rejection information). Deny directly discards the access data, and the visitor does not know whether the access is denied or the host is not present.
UFW [--dry-run] Logging on|off| Level
command [– Trial run] Log on | off | "Level"
UFW [--dry-run] Reset
command [– Trial run] Reset
UFW [--dry-run] status [verbose|numbered]
command [– Trial run] status [detail | numbered rules]
UFW [--dry-run] Show report
command [– Trial run] Show "report Type"
UFW [--dry-run] [delete] [insert NUM] allow|deny|reject|limit [In|out][log|log-all] port[/protocol]
command [– Trial run] [delete] [insert to "x rule"] allow | block | deny | limit [Enter | out] [Record New Connection | Log all packets] "port" [/"Protocol]"
UFW [--dry-run] [delete] [insert NUM] allow|deny|reject|limit [In|out on INTERFACE] [Log|log-all] [Proto Protocol] [from address [Port Port] [to address [port Port]]
command [– Trial run] [delete] [before X rules] allow | block | deny | limit [Enter | out based on what network device] [protocol Protocol] [source address [Port Port]] [Destination address [Port ' port]]
UFW [--dry-run] Delete NUM
command [– Trial run] Delete "rule number X"
UFW [--dry-run] App List|info|default|update
command [– Trial run] Program List | info | default | update

Parameters
–version
Show Program Version number
-H, Help
Display Help information
–dry-run
Do not actually run, just show the changes involved.
Enable
Activate the firewall and start automatically at boot time
Disable
Turn off the firewall and do not start when the machine is switched
Reload
Re-loading the firewall
Default Allow|deny|reject Direction
Direction: Inward (incoming) | outward (outgoing). If you change the default policy, some rules that already exist may need to be modified manually. See the "Rule Examples" section for more content.
Logging On|off| " Level
Toggles the log status. The logging package uses the System log. There are several "levels", which are low by default. See the "Logs" section for details.
Reset [--force]
Turn off the firewall and reset to the initial installation state. If you use the –force option, the confirmation prompt is ignored.
Status
Displays the status of the firewall and the rules that have been set. Use the status verbose to display more detailed information. ' Anywhere ' with ' any ', ' 0.0.0.0/0 ' one meaning.
Show "Report Type"
Displays firewall run information. See "Report type" for details
Limit "Rules"
This command is currently available only for IPV4. IPV6 is not supported yet.
Rule examples
Rules can be abbreviated or fully expressed. The rules for shorthand can only specify that ports and/or protocols are allowed or blocked. The default is to access the native rules (incoming). For example:
UFW Allow 53
Allows the machine to access the native 53 port, the protocol contains TCP and UDP.
If you want to control the protocol, simply join the "/protocol" behind the port. For example:
UFW Allow 25/tcp
Allow other machines to access port 25 using the TCP protocol.
UFW can also check the/etc/services file, understand the name of the service and the corresponding port and protocol. We can use the name of the service.
UFW Allow SMTP
The UFW also supports ingress filtering. The user can use in or out to specify inward or outward. If not specified, the default is in. For example:
UFW allow in HTTP
UFW reject out SMTP
UFW deny out to 192.168.1.1
Prevent sending information to 192.168.1.1
The user can also use the full rules to specify the source and destination, as well as the port. The writing rules are based on OpenBSD PF. Example:
UFW deny Proto TCP to any port 80
Prevents the native TCP protocol from sending data on port 80
UFW deny Proto TCP from 10.0.0.0/8 to 192.168.0.1 port 25
This would deny all traffic from the RFC1918 Class A network to TCP port with the address 192.168.0.1. (The command is currently not available for translation from and To the relationship, want to change later)
UFW can also use the IPV6 protocol. However, you must set the IPV6 as the boot state in/ETC/DEFAULT/UFW beforehand. Example:
UFW deny Proto TCP from 2001:DB8::/32 to any port 25
Block IPv6 to 2001:DB8::/32 type of address, connect to native 25 port
UFW can be used to raise the port number consecutively. You must use commas or semicolons between port numbers, and you cannot use spaces. The "Input port number" character number cannot exceed 15 characters (8,080:8,090 counts two characters). For example, allow 80,443,8080~8090 these ports to accept TCP incoming connections.
UFW allow proto TCP from any to any port 80,443,8080:8090
In this example, the number of "input port number" characters is 4.
UFW can limit the number of connections to prevent brute-force login attacks. If the same IP address has been connected 6 times and more than 6 times within 30 seconds, UFW will block (deny) the connection. You can view more information.
UFW Limit Ssh/tcp
Of course there are times when we want visitors to know that his visit has been denied, rather than keeping silent so he doesn't know what's wrong. Use reject instead of deny
UFW Reject Auth
By default, all UFW rules are for all network devices (such as Nic 1, Nic 2, Wireless card 1, Virtual NIC 1 ...). ）。 But we can specifically specify what network device the rule will take effect on. Note You can use only the device number, not the alias. For example, a wired network card: eth0 (You can use the Ifconfig command to view your existing network devices)
UFW allow in on eth0 to any port proto TCP
To delete a rule, simply add the delete to the command. Like what:
UFW Deny 80/tcp
To delete the rules established by this command, use:
UFW Delete Deny 80/tcp
Of course, you can also use the rule number to delete it. Like rule number 3rd.
UFW Delete 3
Note that if you turn on the IPV6 feature. To delete both the IPV4 and IPV6 rules (for example: UFW allow 22/tcp), deleting a rule number may delete only one.
Show the date of the rule, you can use such a command
UFW status numbered (i.e. rule number)
Log function. If you use log to log all new connections that conform to the rule, all compliant packets will be logged if you use Log-all. For example, to allow and record a new connection on Shh (22/TCP):
UFW Allow log 22/tcp
See "Logs" section for more content
Special example: Allow RFC1918 network structure to access this machine:
UFW allow from 10.0.0.0/8
UFW allow from 172.16.0.0/12
UFW allow from 192.168.0.0/16
The last pass, the range is about 192.168.0.0~192.168.225.225. Of course, it involves a lot of expertise and I hope someone will add.
Remote Management
This section has not been edited yet
Application integration Management
UFW can be from/ETC/UFW/APPLICATIONS.D. To read the application manifest. You can use the command to view:
UFW App List
You can use the application name to add rules. Like what
UFW Allow < program name >
UFW Allow CUPS
UFW allow from 192.168.0.0/16 to any app < program name >
Note that the port number is included in the policy that corresponds to the program name, and do not re-enumerate the port numbers.
To view the policy content corresponding to the program name, command:
UFW app into < program name >
Note: The program name is on the list. The program name instead of using all, you can see all the policies.
If you edit or add a list of programs, you can use this command to update the firewall:
UFW App Update < program name >
The program name is replaced with all, and the entire list is updated.
To update the manifest and add the rule, you can use the following command:
UFW app Update–add-new < program name >
Note: The behavior of the Update–add-new parameter is configured by this command:
UFW App Default Skip|allow|deny
The default is skip, which is not set.
Warning: If the program rules are set to default allow, this can be a significant risk. Think twice before you leap!
Log
UFW supports many log levels. The default is low, and the user can specify it yourself:
UFW Logging On|off|low|medium|high|full
Off is to close the log
The low record encapsulates packets that conflict with the default policy (record speed is limited). Record packets that are compliant with the rule (there is no requirement to close the record)
Medium records packets that conflict with the default policy (including rules allowed), invalid packets, and all new connections. Recording speed is limited.
High with medium, just no speed limit recorded. Attach record all packets (with record speed limit).
Full is equal to high, just cancels the record limit.
Medium level and higher will record a lot of content, it is possible to burst your hard drive in a short time. This is especially used on machines of a server type.
On and off are only switches that do not represent levels.

Ubuntu Firewall UFW Installation configuration