@RitabrataDas343
Last active May 10, 2021 10:49

Uncomplicated Firewall (UFW) - To Open New Ports in Linux.

Task: Add port "8080/tcp" and verify it by listing the ports that are currently listening or active, and append the output to "zones.txt".

Assigned by: GNU/Linux Users' Group, NIT DURGAPUR.

What is Uncomplicated Firewall or UFW?

A host firewall is one of the basic layers of Linux system security: it decides which of the services listening on a machine can actually be reached from the network. Ubuntu ships with UFW (Uncomplicated Firewall), a command-line front end to the kernel's netfilter rules (managed through iptables) that is also packaged for Debian, and it is the simplest way to configure and manage a firewall on those distributions.

Getting Started with UFW

To get started with Uncomplicated Firewall you need root privileges on the Ubuntu or Debian machine, either as a user with sudo rights or as the root account.

┌─[ritabrata@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[~]
└──╼ $sudo su
[sudo] password for ritabrata:          
┌─[root@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[/home/ritabrata]
└──╼ #

Installing UFW

UFW is installed by default on Ubuntu; on Debian it usually is not. If it is missing, install it with the APT package manager.

┌─[root@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[/home/ritabrata]
└──╼ #sudo apt-get install ufw

Checking the status of UFW

Once the installation is completed you can check the status of UFW.

┌─[root@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[/home/ritabrata]
└──╼ #ufw status

On a fresh install UFW is disabled by default, so the output will be similar to the following.

Status: inactive

Enabling and Disabling UFW Firewall

You can activate UFW with the following command, which loads the firewall rules now and enables UFW to start at boot. If you are working over SSH, add the SSH allow rule described further down before running it; otherwise the default deny policy will stop you from reconnecting.

┌─[root@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[/home/ritabrata]
└──╼ #sudo ufw enable

You will get an output like below.

Firewall is active and enabled on system startup

To disable UFW, use the following command, which unloads the rules and stops the firewall from starting at boot.

┌─[root@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[/home/ritabrata]
└──╼ #sudo ufw disable

It will give the following output.

Firewall is inactive and disabled on system startup

UFW Default Policies

By default, UFW denies all incoming connections and allows all outgoing ones (routed or forwarded traffic is denied as well). This means no one can reach a service on your server unless you explicitly open its port, while processes running on the server can still reach the outside network.

The default policies are stored in /etc/default/ufw (DEFAULT_INPUT_POLICY, DEFAULT_OUTPUT_POLICY and DEFAULT_FORWARD_POLICY) and are changed with the `ufw default` command. The two commands below restate the shipped defaults explicitly; `ufw deny incoming` without the `default` keyword is not a valid rule, because UFW would try to interpret "incoming" as a service name.

┌─[root@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[/home/ritabrata]
└──╼ #sudo ufw default deny incoming
┌─[root@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[/home/ritabrata]
└──╼ #sudo ufw default allow outgoing

UFW Application Profiles

Some software packages installed with the APT package manager ship an application profile in the /etc/ufw/applications.d directory. A profile names the service and lists the ports it uses, so you can refer to the service by name in UFW rules instead of repeating port numbers.

You can list all available application profiles on your server using the following command.

┌─[root@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[/home/ritabrata]
└──╼ #sudo ufw app list

Depending upon software package installations on your system the output will look similar to the following:

Available applications:
  CUPS
  Nginx Full
  Nginx HTTP
  Nginx HTTPS

To see more information about a particular profile, including the ports a rule for it would open, use the following command.

┌─[root@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[/home/ritabrata]
└──╼ #sudo ufw app info 'Nginx Full'
Profile: Nginx Full
Title: Web Server (Nginx, HTTP + HTTPS)
Description: Small, but very powerful and efficient web server

Ports:
  80,443/tcp

Allow SSH Connections on UFW

If you have enabled UFW by now, its default policy blocks all incoming connections. Your current SSH session keeps working, because UFW accepts packets of already established connections, but if you administer the server over SSH from a remote location, the next connection attempt will be refused.

To stop that from happening, allow SSH first: `ufw allow ssh` looks the service name up in /etc/services and adds a rule for 22/tcp (if your sshd listens on a different port, allow that port number instead). The second command then opens the port required by the task, 8080/tcp:

┌─[root@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[/home/ritabrata]
└──╼ #sudo ufw allow ssh
┌─[root@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[/home/ritabrata]
└──╼ #sudo ufw allow 8080/tcp

To close a port again, use `deny` with the same port specification; UFW replaces the existing allow rule rather than adding a conflicting one. The following command does this for 8080/tcp (since the default policy already denies incoming traffic, simply deleting the allow rule has the same effect):

┌─[root@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[/home/ritabrata]
└──╼ #sudo ufw deny 8080/tcp 

Enable Specific Ports on UFW

You can also open any specific port in the firewall to allow connections to the service behind it, here 8080/tcp, which is commonly used as an alternative HTTP port (not HTTPS, which is 443/tcp). UFW only knows the port number; what answers on it is determined by whichever process listens there. A rule without a `from` clause admits the port from any address, so where only known clients need access, restrict the source.

List the status of UFW when active. Note the two separate 8080 rules in the listing below: `8080/tcp` is the rule added above, while the bare `8080` with no protocol, evidently from an earlier rule added without the `/tcp` suffix, also opens 8080/udp. The task asks for TCP only, so that broader rule should be removed.

┌─[root@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[/home/ritabrata]
└──╼ #ufw status
Status: active

To                         Action      From
--                         ------      ----
8080/tcp                   ALLOW       Anywhere                  
8080                       ALLOW       Anywhere                  
22/tcp                     ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
CUPS                       ALLOW       Anywhere                  
8080/tcp (v6)              ALLOW       Anywhere (v6)             
8080 (v6)                  ALLOW       Anywhere (v6)             
22/tcp (v6)                ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
CUPS (v6)                  ALLOW       Anywhere (v6)

View the listening ports using netstat

netstat (from the net-tools package) lists the sockets that local processes have bound, independently of the firewall: an allow rule in UFW opens the path to a port but does not make anything listen on it, and netstat shows no firewall state. The flags select listening sockets (-l), numeric output (-n), TCP (-t) and UDP (-u); `ss -lntu` from iproute2 is the modern equivalent. Before anything is listening on 8080/tcp the command gives the following output, with no 8080 entry.

┌─[root@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[/home/ritabrata]
└──╼ #netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
tcp6       0      0 :::80                   :::*                    LISTEN     
tcp6       0      0 ::1:631                 :::*                    LISTEN     
udp        0      0 0.0.0.0:55684           0.0.0.0:*                          
udp        0      0 127.0.0.53:53           0.0.0.0:*                          
udp        0      0 192.168.43.214:123      0.0.0.0:*                          
udp        0      0 127.0.0.1:123           0.0.0.0:*                          
udp        0      0 0.0.0.0:123             0.0.0.0:*                          
udp        0      0 0.0.0.0:631             0.0.0.0:*                          
udp        0      0 0.0.0.0:5353            0.0.0.0:*                          
udp6       0      0 :::47429                :::*                               
udp6       0      0 fe80::ae80:63de:c62:123 :::*                               
udp6       0      0 2409:4060:e81:12e0::123 :::*                               
udp6       0      0 2409:4060:e81:12e0::123 :::*                               
udp6       0      0 ::1:123                 :::*                               
udp6       0      0 :::123                  :::*                               
udp6       0      0 :::5353                 :::*                               

Let us start a process listening on 8080/tcp. The command below pipes the directory listing to the first client that connects and blocks until then, so run it in a separate terminal. Since 8080/tcp is now allowed from anywhere, any host that can reach the machine can connect and receive that listing; stop the listener once the check is done.

┌─[root@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[/home/ritabrata]
└──╼ #ls | nc -l -p 8080

Now view the listening ports again; 8080 appears in the LISTEN state, bound to all IPv4 addresses (0.0.0.0):

┌─[ritabrata@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[~]
└──╼ $netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
tcp6       0      0 :::80                   :::*                    LISTEN     
tcp6       0      0 ::1:631                 :::*                    LISTEN     
udp        0      0 0.0.0.0:55684           0.0.0.0:*                          
udp        0      0 127.0.0.53:53           0.0.0.0:*                          
udp        0      0 192.168.43.214:123      0.0.0.0:*                          
udp        0      0 127.0.0.1:123           0.0.0.0:*                          
udp        0      0 0.0.0.0:123             0.0.0.0:*                          
udp        0      0 0.0.0.0:631             0.0.0.0:*                          
udp        0      0 0.0.0.0:5353            0.0.0.0:*                          
udp6       0      0 :::47429                :::*                               
udp6       0      0 fe80::ae80:63de:c62:123 :::*                               
udp6       0      0 2409:4060:e81:12e0::123 :::*                               
udp6       0      0 2409:4060:e81:12e0::123 :::*                               
udp6       0      0 ::1:123                 :::*                               
udp6       0      0 :::123                  :::*                               
udp6       0      0 :::5353                 :::*  

Appending the active ports to "zones.txt"

To append the listing to "zones.txt", use the following command, then open the file in your text editor. (I use Sublime text editor).

┌─[ritabrata@ritabrata-VivoBook-ASUSLaptop-X409JB-X409JB]─[~]
└──╼ $netstat -lntu >> zones.txt

"zones.txt" is created in the current directory (here the home directory) and now holds the list of listening ports on your system. Because `>>` appends, running the command again adds another copy of the listing instead of overwriting the file.
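The UFW status listing and the netstat listing above describe two different tables, firewall rules and bound sockets, and the task is only complete when both agree on 8080/tcp. The script below, added here as an example and not part of the original gist, parses samples of both outputs (constructed from the listings on this page), reports ports allowed but not served, ports served on a public address but not allowed, and checks that 8080/tcp is both allowed and listening. The function names and the sample text are mine; replace the two variables with the live `ufw status` and `netstat -lntu` outputs to run it against a real host.

```shell
#!/bin/sh
# Reconcile UFW allow rules with the TCP sockets actually listening.
# Added example, not code from the original gist. Both inputs are
# constructed from the outputs shown in this tutorial.

# Constructed sample: `ufw status` after the tutorial's allow rules.
UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
8080/tcp                   ALLOW       Anywhere
8080                       ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
CUPS                       ALLOW       Anywhere
8080/tcp (v6)              ALLOW       Anywhere (v6)
8080 (v6)                  ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
CUPS (v6)                  ALLOW       Anywhere (v6)'

# Constructed sample: `netstat -lntu` with the nc listener running on 8080.
NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*'

# Numeric TCP ports allowed by the IPv4 rules (the v6 rows mirror them here).
# A bare "8080" rule names no protocol, so it matches TCP (and UDP) and counts.
# Named profiles such as CUPS need `ufw app info` to expand and are skipped.
ufw_allowed_tcp() {
  printf '%s\n' "$UFW_STATUS" | awk '
    $2 == "ALLOW" && $1 ~ "^[0-9]+(/tcp)?$" { sub("/tcp$", "", $1); print $1 }' |
    sort -un
}

# TCP ports in LISTEN state bound to a non-loopback address, i.e. reachable
# from the network if (and only if) the firewall lets them through.
listening_tcp_public() {
  printf '%s\n' "$NETSTAT" | awk '
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
      n = split($4, a, ":"); port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr !~ /^127\./ && addr != "::1") print port }' |
    sort -un
}

# Pass through the lines of stdin that do not appear in the list given as $1.
not_in() {
  while read -r p; do
    printf '%s\n' "$1" | grep -qxF "$p" || echo "$p"
  done
}

# Rule exists but nothing listens: a stale or premature opening.
allowed_not_listening() { ufw_allowed_tcp | not_in "$(listening_tcp_public)"; }

# Service listens on a public address but no rule admits it: blocked by the
# default deny policy, but each is a service worth binding to 127.0.0.1 or
# giving a deliberate rule.
listening_not_allowed() { listening_tcp_public | not_in "$(ufw_allowed_tcp)"; }

# The task's check: the port is both allowed by UFW and served by a process.
port_reachable() {
  ufw_allowed_tcp | grep -qxF "$1" && listening_tcp_public | grep -qxF "$1"
}

echo "allowed but not listening:"; allowed_not_listening
echo "listening on a public address but not allowed:"; listening_not_allowed
port_reachable 8080 && echo "8080/tcp is allowed and listening"
```

On the page's own data the script reports 22/tcp as allowed but not listening: `ufw allow ssh` was run, yet no sshd appears in the netstat output, so either the rule is unnecessary or the service is not running. It does not expand named profiles; `ufw app info CUPS` shows what that one covers. The bare `8080` rule, which also admits UDP, can be removed with `ufw delete allow 8080`. If you feed it `ss -lntu` output instead of netstat's, adjust the column numbers in `listening_tcp_public`, since ss lays its fields out differently.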

May the Source be with you
