I have always been scared of iptables. If you want to know the reason, check out its man page. Though I have heard from many people that iptables is more robust and secure, I have never used it because it has always been daunting. I personally feel that if I am not comfortable with something like iptables and still use it, I might add more security holes while not leveraging the benefits it provides. So I have stuck to using ufw for now. It is for the same reason that I prefer Ubuntu over other flavors. Familiarity breeds confidence, and I know that I will make fewer blunders. Do not consider this a promotion of Ubuntu over other, more secure flavors, because it is not. It is just my personal preference.
Side note: Did you know that “Ubuntu” is generally translated as “I am because we are”?
Before getting started
Keep these things in mind before getting started.
- Use some form of firewall. If not ufw you can use iptables directly.
- If you are using ufw, make sure that your ufw service is started on reboot.
- Understand the defaults of ufw well.
- Blacklisting everything and whitelisting only what is required is always the better option.
- Set up a monitoring tool like zabbix that gives you a trigger when ufw is down.
Installing ufw
sudo apt install ufw
Check status
# ufw status
Status: inactive
We will enable ufw after adding the relevant rules.
Whitelist ssh
Make sure you allow ssh before enabling ufw so that you can still reach your server over ssh from anywhere.
# sudo ufw allow ssh
Rules updated
Rules updated (v6)
Checking added rules
You cannot check the added rules using ufw status when ufw is not active. Instead, use ufw show added. You can use this even after enabling ufw.
# ufw show added
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
Enable ufw
Enabling ufw without adding a rule for ssh might lock you out of your server, so be careful before enabling ufw. I have not tried it though, so I can’t be sure. :P
# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Check status
ufw status gives you the status of ufw and also lists all the enabled rules.
# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
ufw status can be problematic as it doesn’t give all the details. Check out the next section.
UFW Defaults
Not knowing the defaults cost me a couple of hours the other day.
Since the defaults were not displayed and the details under Action were not clear enough, I had assumed a few things, which cost me dearly. So go through the default options before actually setting up the relevant rules for your applications.
You can get those details using ufw status verbose:
# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
As you can see from the output:
- Default is deny (incoming): this makes sure that no outside system can connect to your machine until you add an overriding rule for the port in question.
- Default is allow (outgoing): this means that all outgoing requests are allowed. This setting lets you run commands like apt install, wget and ping without any issues, but if you want to keep your server secure it is better to set the default to deny outgoing and then allow only the specific IPs/domains that you need.
- Default is disabled (routed): this means that routing is disabled and forwarding is blocked. This is a good default provided you are not using your machine as a router.
- The Action column now reads “ALLOW IN”, which means there is also “ALLOW OUT”. You need to add such a rule if you make the default deny (outgoing).
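The defaults above are exactly what a monitor should watch for (the Zabbix trigger mentioned in the checklist and in the thumb rules). The following is an added example, not code from the original post: a POSIX sh check that parses the text of ufw status verbose and reports when ufw is inactive, when the incoming default is no longer deny, or when a critical ALLOW IN rule is missing. The sample outputs are constructed to match the format shown above.

```shell
#!/bin/sh
# Added example, not from the original post: audit the text printed by
# `ufw status verbose` the way a Zabbix-style check would, so a monitor
# can fire when ufw is down, when the incoming default has drifted away
# from deny, or when a critical rule (ssh here) is missing.
# The function takes the captured output as an argument so it runs
# offline; on a real host pass "$(sudo ufw status verbose)".

# Return 0 when all is well, 1 when ufw is inactive, 2 when the incoming
# default is not deny, 3 when no "ALLOW IN" rule exists for $2 (default 22/tcp).
ufw_audit() {
    out="$1"
    want="${2:-22/tcp}"
    case "$out" in
        *"Status: active"*) ;;
        *) return 1 ;;
    esac
    case "$out" in
        *"Default: deny (incoming)"*) ;;
        *) return 2 ;;
    esac
    # Rule lines look like "22/tcp   ALLOW IN   Anywhere".
    printf '%s\n' "$out" | grep -q "^$want[[:space:]]\{1,\}ALLOW IN" || return 3
    return 0
}

# Constructed sample outputs in the format `ufw status verbose` prints.
SAMPLE_OK='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

SAMPLE_INACTIVE='Status: inactive'

SAMPLE_OPEN='Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)'

for s in "$SAMPLE_OK" "$SAMPLE_INACTIVE" "$SAMPLE_OPEN"; do
    ufw_audit "$s" && echo "ok" || echo "alert: ufw_audit returned $?"
done
```

Wire the non-zero return codes into your monitoring agent's item so that each of the three failure modes raises its own trigger.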
Changing Defaults
The defaults we see above are equivalent to the following rules:
sudo ufw default deny incoming
sudo ufw default allow outgoing
If you want to change the default to deny outgoing, run:
# sudo ufw default deny outgoing
Default outgoing policy changed to 'deny'
(be sure to update your rules accordingly)
If you set the above default you will need to manually add rules for accessing outside systems. It can be a cumbersome process, but it is much safer.
For example, if you want to allow outgoing traffic on port 10060, run:
ufw allow out 10060
Instead of keeping the outgoing default as is, I think it is better to deny outgoing. Whenever you want to perform upgrades or install software, you can add a rule temporarily and delete it once you are done.
Also, if you want to open only the specific ports needed for apt, you can use the following rules, which I borrowed from this answer.
ufw default deny incoming
ufw default deny outgoing
ufw limit ssh
ufw allow svn
ufw allow git
ufw allow out http
ufw allow in http
ufw allow out https
ufw allow in https
ufw allow out 53
ufw logging on
ufw enable
Show rules
You can use ufw show added to show all the added rules.
# ufw show added
ufw allow 22/tcp
ufw allow from x.x.x.x to any port 27017
ufw allow from x.x.x.x to any port 27017
ufw allow from x.x.x.x to any port 10050
ufw allow from x.x.x.x to any port 10050
Earlier I was using the command ufw status numbered, but now I use ufw show added and then use the rules listed there to delete, like the following:
ufw delete allow 22/tcp
Thumb Rules
- Make sure ufw is started on boot.
- Change the defaults to make them more restrictive, based on your comfort.
- Deny by default and enable only what is required.
- Keep your rules as specific as possible. Example: sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp
- Add a monitoring tool like Zabbix which checks the status of ufw as well as any rules that are very critical.
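To act on the "keep your rules as specific as possible" rule, it helps to review the ufw show added listing from the previous section for rules that are open to Anywhere. The following is an added example, not code from the original post: a POSIX sh function that reads that listing, flags incoming allow/limit rules with no from source, and prints the matching ufw delete command for each. The listing it runs on is constructed; the 192.0.2.x addresses are documentation-range placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: review the rules listed by
# `ufw show added` and flag incoming rules that carry no "from <source>"
# clause, i.e. ones open to Anywhere, which the thumb rules above say to
# tighten. For each one it prints the matching `ufw delete` command,
# since the post deletes rules from that same listing.
# The listing is passed as an argument so this runs offline; on a real
# host pass "$(sudo ufw show added)".

# Print "<rule> -> ufw delete <rule>" for each broad incoming rule and
# return how many were found (0 means every incoming rule names a source).
broad_rules() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            "ufw allow from "*|"ufw limit from "*) ;;  # scoped to a source
            "ufw allow out "*) ;;                     # outgoing, not in scope
            "ufw allow "*|"ufw limit "*)
                printf '%s -> ufw delete %s\n' "$line" "${line#ufw }"
                n=$((n + 1)) ;;
        esac
    done <<EOF
$1
EOF
    return "$n"
}

# Constructed listing in the format `ufw show added` prints; the
# 192.0.2.x addresses are documentation-range placeholders.
SAMPLE="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow from 192.0.2.10 to any port 27017
ufw allow from 192.0.2.11 to any port 10050
ufw allow out 53
ufw limit 22/tcp"

broad_rules "$SAMPLE"
echo "broad rules found: $?"
```

Review each printed rule and replace it with a source-scoped one (for example the from 192.168.0.0/24 form above) before deleting the broad version, so you are never left without ssh access.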
Further Reading
If you want more details and more query options, check out https://help.ubuntu.com/community/UFW
I had made blunders without knowing ufw clearly. I hope this article can stop you from committing such blunders.
Understanding UFW was originally published in Hacker Noon on Medium.