In this tutorial, we will show you how to install and use the UFW firewall system on a Linux VPS running Debian 9. Security is a very important thing to consider when you run your own server.
UFW (Uncomplicated Firewall) is a simple and user-friendly front-end for managing iptables firewall rules – UFW aims to provide an easy to use interface for the user, making a secure server more accessible to more users. It is specially designed for beginner users who are unfamiliar with firewall concepts.
Let’s begin with the installation.
Prerequisites
- For the purposes of this tutorial, we will use a Debian 9 VPS.
- Full SSH root access or a user with sudo privileges is also required.
Step 1: Connect via SSH and Update the OS
Connect to your server via SSH as the root user using the following command:
ssh root@IP_ADDRESS -p PORT_NUMBER
Remember to replace “IP_ADDRESS” and “PORT_NUMBER” with your server’s respective IP address and SSH port number.
Before starting with the installation, you will need to update your OS packages to their latest versions. It’s easy to do, and it won’t take more than a few minutes.
You can do this by running the following command:
apt-get update
apt-get upgrade
Once the updates are completed, we can move on to the next step.
Step 2: Install UFW
By default, UFW is not installed on Debian 9. We can install UFW by running the following command:
apt-get install ufw
Once the installation is complete, we can check the status of UFW using the following command:
ufw status verbose
The output should be similar to the one below:
Status: inactive
UFW is disabled by default to avoid a lockout from the server.
Step 3: Allow SSH Connections
Once UFW is enabled, it blocks all incoming connections to your Debian VPS by default, including the SSH session you are working from. Therefore, we need to allow incoming SSH connections before enabling the UFW firewall:
ufw allow ssh
or
ufw allow 22/tcp
Step 4: Enable UFW
To enable UFW, we can use the command below:
ufw enable
Once enabled, UFW will block all of the incoming connections and allow all outbound connections. To check the default configuration, we can use the following command:
ufw show raw
or
grep 'DEFAULT_' /etc/default/ufw
The output will look like this:
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"
That’s it! Your server now has UFW installed and enabled. As you can see, by default, every incoming connection is denied. We specifically need to open a port if we want to access the server remotely.
Allowing Other Services
We may also need to allow some other incoming connections.
ufw allow 21/tcp
ufw allow 80/tcp
ufw allow 443/tcp
We can check the UFW status using the following command:
ufw status
The output should be similar to the one below:
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
21/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
If we want to deny access to port 80 for example, we have to run the following command:
ufw deny 80/tcp
To delete the rule that allows the incoming connections on port 21, run the following command:
ufw delete allow 21/tcp
Allowing Connections from Specific IP addresses and Port Ranges
We can also allow connections from a specific IP address with the following command:
ufw allow 192.168.10.100
We can use a subnet mask to widen the range:
ufw allow 192.168.10.0/24
We can also combine the IP address, port, and protocol with a single command. For example, in order to allow the connection only from the IP 192.168.10.100, protocol tcp, and to port 22, we have to run the following command:
ufw allow from 192.168.10.100 proto tcp to any port 22
We can also specify port ranges with UFW. For example, to allow TCP ports 1100 to 1200, run the following command:
ufw allow 1100:1200/tcp
If we want to allow UDP on ports 1100 to 1200, for example, we have to use the following command:
ufw allow 1100:1200/udp
Rejecting Incoming Connections
A rule added with the deny syntax silently drops the traffic, so the sender gets no answer at all. To have UFW actively refuse the connection and let the sender know, use reject instead:
ufw reject 443
If somebody tries to connect to port 443 (here with telnet), they will get the following reject message:
telnet: Unable to connect to remote host: Connection refused
Displaying UFW Reports
We can list the rules in the order they were added with the following command:
ufw show added
The output should be similar to the one below:
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 21/tcp
ufw allow 80/tcp
ufw allow 443/tcp
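As an added example (not part of the original tutorial), the following POSIX shell snippet ties Step 3 and this section together: it checks the output of ufw show added for a rule covering the SSH port before running ufw enable, and it lists the allowed ports from a ufw status table. The function names and the sample outputs are constructed for the example; safe_enable needs root and a real ufw, so it is defined but not run here.

```shell
# Added example (not from the tutorial): a lockout guard around "ufw enable"
# and a small parser for "ufw status". Both read ufw output from stdin.
# has_ssh_rule PORT: succeed if an allow rule for TCP PORT is among the
# "ufw show added" lines on stdin ("ufw allow 22", "ufw allow 22/tcp",
# "ufw allow from <ip> proto tcp to any port 22", or "ufw allow ssh" for 22).
has_ssh_rule() {
    port="$1"
    pat="^[[:space:]]*ufw allow (${port}(/tcp)?|from .* port ${port}(/tcp)?( proto tcp)?)$"
    if [ "$port" = 22 ]; then
        pat="^[[:space:]]*ufw allow (ssh|${port}(/tcp)?|from .* port ${port}(/tcp)?( proto tcp)?)$"
    fi
    grep -Eq "$pat"
}
# safe_enable [PORT]: run "ufw enable" only after has_ssh_rule confirms a
# rule for the SSH port (default 22). Needs root and ufw; not run here.
safe_enable() {
    port="${1:-22}"
    if ufw show added | has_ssh_rule "$port"; then
        ufw enable
    else
        echo "refusing to enable UFW: no allow rule for SSH port $port" >&2
        return 1
    fi
}
# allowed_ports: print the "To" column of each ALLOW row of "ufw status" on
# stdin. IPv6 rows carry "(v6)" in field 2, so each rule is listed once.
allowed_ports() {
    awk '$2 == "ALLOW" { print $1 }'
}
# Constructed sample output, shaped like the tutorial's, for offline checks.
sample_added() {
    cat <<'EOF'
Added user rules (see 'ufw status' for running firewall):
ufw allow from 192.168.10.100 proto tcp to any port 22
ufw allow 80/tcp
EOF
}
sample_status() {
    cat <<'EOF'
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}
sample_added | has_ssh_rule 22 && echo "SSH rule present, enable is safe"
sample_status | allowed_ports     # prints 22/tcp and 80/tcp
```

On a live server, replace the sample functions with the real commands (ufw show added | has_ssh_rule 22, ufw status | allowed_ports) and call safe_enable instead of ufw enable.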
Disabling UFW
If for some reason we need to disable UFW, we can run the following command:
ufw disable
In order to reset all rules to their default settings, use the following command:
ufw reset
We can use the --help flag for more usage commands:
ufw --help
That’s all – in this tutorial, we learned how to install and enable the UFW firewall system, and we also covered how to add and remove rules on it, with varying levels of criteria.
Of course, you don’t have to configure a firewall with UFW on Debian 9 if you use one of our managed Debian VPS Hosting Services, in which case you can simply ask our expert Linux admins to install and configure UFW on Debian 9 for you. They are available 24×7 and will take care of your request immediately.
PS. If you liked this post on how to Configure a Firewall with UFW on Debian 9, please share it with your friends on the social networks using the share shortcuts below, or simply leave a comment down in the comments section. Thanks.