viniciusdaniel/ufw.html

## ufw.html
Introduction
<span class="colour" style="color: rgb(0, 0, 0);">One of the first lines of defense in securing your cloud server is a functioning firewall. In the past, this was often done through complicated and arcane utilities. There is a lot of functionality built into these utilities, iptables being the most popular nowadays, but they require a decent effort on behalf of the user to learn and understand them. Firewall rules are not something you want yourself second-guessing.</span>
<span class="colour" style="color: rgb(0, 0, 0);">To this end, UFW is a considerably easier-to-use alternative.</span><br>
<br>


## What is UFW?

<span class="colour" style="color: rgb(0, 0, 0);">UFW, or Uncomplicated Firewall, is a front-end to iptables. Its main goal is to make managing your firewall drop-dead simple and to provide an easy-to-use interface. It’s well-supported and popular in the Linux community—even installed by default in a lot of distros. As such, it’s a great way to get started securing your sever.</span><br>
<br>


## Before We Get Started

<span class="colour" style="color: rgb(0, 0, 0);">First, obviously, you want to make sure UFW is installed. It should be installed by default in Ubuntu, but if for some reason it’s not, you can install the package using aptitude or apt-get using the following commands:</span>

```
sudo aptitude install ufw

```

<span class="colour" style="color: rgb(0, 0, 0);">or</span>

```
sudo apt-get install ufw

```

## Check the Status

<span class="colour" style="color: rgb(0, 0, 0);">You can check the status of UFW by typing:</span>

```
sudo ufw status

```

<span class="colour" style="color: rgb(0, 0, 0);">Right now, it will probably tell you it is inactive. Whenever ufw is active, you’ll get a listing of the current rules that looks similar to this:</span>

```
Status: active

To               Action      From
--               ------      ----
22               ALLOW       Anywhere

```

## Using IPv6 with UFW

<span class="colour" style="color: rgb(0, 0, 0);">If your VPS is configured for IPv6, ensure that UFW is configured to support IPv6 so that will configure both your IPv4 and IPv6 firewall rules. To do this, open the UFW configuration with this command:</span>

```
sudo vi /etc/default/ufw

```

<span class="colour" style="color: rgb(0, 0, 0);">Then make sure "IPV6" is set to "yes", like so:</span>

```
IPV6=yes

```

<span class="colour" style="color: rgb(0, 0, 0);">Save and quit. Then restart your firewall with the following commands:</span>

```
sudo ufw disable
sudo ufw enable

```

<span class="colour" style="color: rgb(0, 0, 0);">Now UFW will configure the firewall for both IPv4 and IPv6, when appropriate.</span><br>
<br>


## Set Up Defaults

<span class="colour" style="color: rgb(0, 0, 0);">One of the things that will make setting up any firewall easier is to define some default rules for allowing and denying connections. UFW’s defaults are to deny all incoming connections and allow all outgoing connections. This means anyone trying to reach your cloud server would not be able to connect, while any application within the server would be able to reach the outside world. To set the defaults used by UFW, you would use the following commands:</span>

```
sudo ufw default deny incoming

```

<span class="colour" style="color: rgb(0, 0, 0);">and</span>

```
sudo ufw default allow outgoing

```

<span class="colour" style="color: rgb(0, 0, 0);">Note: if you want to be a little bit more restrictive, you can also deny all outgoing requests as well. The necessity of this is debatable, but if you have a public-facing cloud server, it could help prevent against any kind of remote shell connections. It does make your firewall more cumbersome to manage because you’ll have to set up rules for all outgoing connections as well. You can set this as the default with the following:</span>

```
sudo ufw default deny outgoing

```

## Allow Connections

<span class="colour" style="color: rgb(0, 0, 0);">The syntax is pretty simple. You change the firewall rules by issuing commands in the terminal. If we turned on our firewall now, it would deny all incoming connections. If you’re connected over SSH to your cloud server, that would be a problem because you would be locked out of your server. Let’s enable SSH connections to our server to prevent that from happening:</span>

```
sudo ufw allow ssh

```

<span class="colour" style="color: rgb(0, 0, 0);">As you can see, the syntax for adding services is pretty simple. UFW comes with some defaults for common uses. Our SSH command above is one example. It’s basically just shorthand for:</span>

```
sudo ufw allow 22/tcp

```

<span class="colour" style="color: rgb(0, 0, 0);">This command allows a connection on port 22 using the TCP protocol. If our SSH server is running on port 2222, we could enable connections with the following command:</span>

```
sudo ufw allow 2222/tcp

```

### Other Connections We Might Need

<span class="colour" style="color: rgb(0, 0, 0);">Now is a good time to allow some other connections we might need. If we’re securing a web server with FTP access, we might need these commands:</span>
<span class="colour" style="color: rgb(0, 0, 0);">`sudo ufw allow www` or `sudo ufw allow 80/tcp` `sudo ufw allow ftp` or `sudo ufw allow 21/tcp`</span>
<span class="colour" style="color: rgb(0, 0, 0);">You mileage will vary on what ports and services you need to open. There will probably be a bit of testing necessary. In addition, you want to make sure you leave your SSH connection allowed.</span>

### Port Ranges

<span class="colour" style="color: rgb(0, 0, 0);">You can also specify port ranges with UFW. To allow ports 1000 through 2000, use the command:</span>

```
sudo ufw allow 1000:2000/tcp

```

<span class="colour" style="color: rgb(0, 0, 0);">If you want UDP:</span>

```
sudo ufw allow 1000:2000/udp

```

### IP Addresses

<span class="colour" style="color: rgb(0, 0, 0);">You can also specify IP addresses. For example, if I wanted to allow connections from a specific IP address (say my work or home address), I’d use this command:</span>

```
sudo ufw allow from 192.168.255.255

```

## Denying Connections

<span class="colour" style="color: rgb(0, 0, 0);">Our default set up is to deny all incoming connections. This makes the firewall rules easier to administer since we are only selectively allowing certain ports and IP addresses through. However, if you want to flip it and open up all your server’s ports (not recommended), you could allow all connections and then restrictively deny ports you didn’t want to give access to by replacing “allow” with “deny” in the commands above. For example:</span>

```
sudo ufw allow 80/tcp

```

<span class="colour" style="color: rgb(0, 0, 0);">would allow access to port 80 while:</span>

```
sudo ufw deny 80/tcp

```

<span class="colour" style="color: rgb(0, 0, 0);">would deny access to port 80.</span><br>
<br>


## Deleting Rules

<span class="colour" style="color: rgb(0, 0, 0);">There are two options to delete rules. The most straightforward one is to use the following syntax:</span>

```
sudo ufw delete allow ssh

```

<span class="colour" style="color: rgb(0, 0, 0);">As you can see, we use the command “delete” and input the rules you want to eliminate after that. Other examples include:</span>

```
sudo ufw delete allow 80/tcp

```

<span class="colour" style="color: rgb(0, 0, 0);">or</span>

```
sudo ufw delete allow 1000:2000/tcp

```

<span class="colour" style="color: rgb(0, 0, 0);">This can get tricky when you have rules that are long and complex.</span>
<span class="colour" style="color: rgb(0, 0, 0);">A simpler, two-step alternative is to type:</span>

```
sudo ufw status numbered

```

<span class="colour" style="color: rgb(0, 0, 0);">which will have UFW list out all the current rules in a numbered list. Then, we issue the command:</span>

```
sudo ufw delete [number]

```

<span class="colour" style="color: rgb(0, 0, 0);">where “[number]” is the line number from the previous command.</span><br>
<br>


## Turn It On

<span class="colour" style="color: rgb(0, 0, 0);">After we’ve gotten UFW to where we want it, we can turn it on using this command (remember: if you’re connecting via SSH, make sure you’ve set your SSH port, commonly port 22, to be allowed to receive connections):</span>

```
sudo ufw enable

```

<span class="colour" style="color: rgb(0, 0, 0);">You should see the command prompt again if it all went well. You can check the status of your rules now by typing:</span>

```
sudo ufw status

```

<span class="colour" style="color: rgb(0, 0, 0);">or</span>

```
sudo ufw status verbose

```

<span class="colour" style="color: rgb(0, 0, 0);">for the most thorough display.</span>
<span class="colour" style="color: rgb(0, 0, 0);">To turn UFW off, use the following command:</span>

```
sudo ufw disable

```

## Reset Everything

<span class="colour" style="color: rgb(0, 0, 0);">If, for whatever reason, you need to reset your cloud server’s rules to their default settings, you can do this by typing this command:</span>

```
sudo ufw reset

```

## Conclusion

<span class="colour" style="color: rgb(0, 0, 0);">You should now have a cloud server that is configured properly to restrict access to a subset of ports or IP addresses.</span>
Article Submitted by: Shaun Lewis
<span class="colour" style="color: rgb(0, 0, 0);">></span><span class="colour" style="color: rgb(0, 0, 0);">Introduction</span><span class="colour" style="color: rgb(0, 0, 0);">One of the first lines of defense in securing your cloud server is a functioning firewall. In the past, this was often done through complicated and arcane utilities. There is a lot of functionality built into these utilities, iptables being the most popular nowadays, but they require a decent effort on behalf of the user to learn and understand them. Firewall rules are not something you want yourself second-guessing.</span>
<span class="colour" style="color: rgb(0, 0, 0);">To this end, UFW is a considerably easier-to-use alternative.</span><br>
<br>


## What is UFW?

<span class="colour" style="color: rgb(0, 0, 0);">UFW, or Uncomplicated Firewall, is a front-end to iptables. Its main goal is to make managing your firewall drop-dead simple and to provide an easy-to-use interface. It’s well-supported and popular in the Linux community—even installed by default in a lot of distros. As such, it’s a great way to get started securing your sever.</span><br>
<br>


## Before We Get Started

<span class="colour" style="color: rgb(0, 0, 0);">First, obviously, you want to make sure UFW is installed. It should be installed by default in Ubuntu, but if for some reason it’s not, you can install the package using aptitude or apt-get using the following commands:</span>

```
sudo aptitude install ufw

```

<span class="colour" style="color: rgb(0, 0, 0);">or</span>

```
sudo apt-get install ufw

```

## Check the Status

<span class="colour" style="color: rgb(0, 0, 0);">You can check the status of UFW by typing:</span>

```
sudo ufw status

```

<span class="colour" style="color: rgb(0, 0, 0);">Right now, it will probably tell you it is inactive. Whenever ufw is active, you’ll get a listing of the current rules that looks similar to this:</span>

```
Status: active

To               Action      From
--               ------      ----
22               ALLOW       Anywhere

```

## Using IPv6 with UFW

<span class="colour" style="color: rgb(0, 0, 0);">If your VPS is configured for IPv6, ensure that UFW is configured to support IPv6 so that will configure both your IPv4 and IPv6 firewall rules. To do this, open the UFW configuration with this command:</span>

```
sudo vi /etc/default/ufw

```

<span class="colour" style="color: rgb(0, 0, 0);">Then make sure "IPV6" is set to "yes", like so:</span>

```
IPV6=yes

```

<span class="colour" style="color: rgb(0, 0, 0);">Save and quit. Then restart your firewall with the following commands:</span>

```
sudo ufw disable
sudo ufw enable

```

<span class="colour" style="color: rgb(0, 0, 0);">Now UFW will configure the firewall for both IPv4 and IPv6, when appropriate.</span><br>
<br>


## Set Up Defaults

<span class="colour" style="color: rgb(0, 0, 0);">One of the things that will make setting up any firewall easier is to define some default rules for allowing and denying connections. UFW’s defaults are to deny all incoming connections and allow all outgoing connections. This means anyone trying to reach your cloud server would not be able to connect, while any application within the server would be able to reach the outside world. To set the defaults used by UFW, you would use the following commands:</span>

```
sudo ufw default deny incoming

```

<span class="colour" style="color: rgb(0, 0, 0);">and</span>

```
sudo ufw default allow outgoing

```

<span class="colour" style="color: rgb(0, 0, 0);">Note: if you want to be a little bit more restrictive, you can also deny all outgoing requests as well. The necessity of this is debatable, but if you have a public-facing cloud server, it could help prevent against any kind of remote shell connections. It does make your firewall more cumbersome to manage because you’ll have to set up rules for all outgoing connections as well. You can set this as the default with the following:</span>

```
sudo ufw default deny outgoing

```

## Allow Connections

<span class="colour" style="color: rgb(0, 0, 0);">The syntax is pretty simple. You change the firewall rules by issuing commands in the terminal. If we turned on our firewall now, it would deny all incoming connections. If you’re connected over SSH to your cloud server, that would be a problem because you would be locked out of your server. Let’s enable SSH connections to our server to prevent that from happening:</span>

```
sudo ufw allow ssh

```

<span class="colour" style="color: rgb(0, 0, 0);">As you can see, the syntax for adding services is pretty simple. UFW comes with some defaults for common uses. Our SSH command above is one example. It’s basically just shorthand for:</span>

```
sudo ufw allow 22/tcp

```

<span class="colour" style="color: rgb(0, 0, 0);">This command allows a connection on port 22 using the TCP protocol. If our SSH server is running on port 2222, we could enable connections with the following command:</span>

```
sudo ufw allow 2222/tcp

```

### Other Connections We Might Need

<span class="colour" style="color: rgb(0, 0, 0);">Now is a good time to allow some other connections we might need. If we’re securing a web server with FTP access, we might need these commands:</span>
<span class="colour" style="color: rgb(0, 0, 0);">`sudo ufw allow www` or `sudo ufw allow 80/tcp` `sudo ufw allow ftp` or `sudo ufw allow 21/tcp`</span>
<span class="colour" style="color: rgb(0, 0, 0);">You mileage will vary on what ports and services you need to open. There will probably be a bit of testing necessary. In addition, you want to make sure you leave your SSH connection allowed.</span>

### Port Ranges

<span class="colour" style="color: rgb(0, 0, 0);">You can also specify port ranges with UFW. To allow ports 1000 through 2000, use the command:</span>

```
sudo ufw allow 1000:2000/tcp

```

<span class="colour" style="color: rgb(0, 0, 0);">If you want UDP:</span>

```
sudo ufw allow 1000:2000/udp

```

### IP Addresses

<span class="colour" style="color: rgb(0, 0, 0);">You can also specify IP addresses. For example, if I wanted to allow connections from a specific IP address (say my work or home address), I’d use this command:</span>

```
sudo ufw allow from 192.168.255.255

```

## Denying Connections

<span class="colour" style="color: rgb(0, 0, 0);">Our default set up is to deny all incoming connections. This makes the firewall rules easier to administer since we are only selectively allowing certain ports and IP addresses through. However, if you want to flip it and open up all your server’s ports (not recommended), you could allow all connections and then restrictively deny ports you didn’t want to give access to by replacing “allow” with “deny” in the commands above. For example:</span>

```
sudo ufw allow 80/tcp

```

<span class="colour" style="color: rgb(0, 0, 0);">would allow access to port 80 while:</span>

```
sudo ufw deny 80/tcp

```

<span class="colour" style="color: rgb(0, 0, 0);">would deny access to port 80.</span><br>
<br>


## Deleting Rules

<span class="colour" style="color: rgb(0, 0, 0);">There are two options to delete rules. The most straightforward one is to use the following syntax:</span>

```
sudo ufw delete allow ssh

```

<span class="colour" style="color: rgb(0, 0, 0);">As you can see, we use the command “delete” and input the rules you want to eliminate after that. Other examples include:</span>

```
sudo ufw delete allow 80/tcp

```

<span class="colour" style="color: rgb(0, 0, 0);">or</span>

```
sudo ufw delete allow 1000:2000/tcp

```

<span class="colour" style="color: rgb(0, 0, 0);">This can get tricky when you have rules that are long and complex.</span>
<span class="colour" style="color: rgb(0, 0, 0);">A simpler, two-step alternative is to type:</span>

```
sudo ufw status numbered

```

<span class="colour" style="color: rgb(0, 0, 0);">which will have UFW list out all the current rules in a numbered list. Then, we issue the command:</span>

```
sudo ufw delete [number]

```

<span class="colour" style="color: rgb(0, 0, 0);">where “[number]” is the line number from the previous command.</span><br>
<br>


## Turn It On

<span class="colour" style="color: rgb(0, 0, 0);">After we’ve gotten UFW to where we want it, we can turn it on using this command (remember: if you’re connecting via SSH, make sure you’ve set your SSH port, commonly port 22, to be allowed to receive connections):</span>

```
sudo ufw enable

```

<span class="colour" style="color: rgb(0, 0, 0);">You should see the command prompt again if it all went well. You can check the status of your rules now by typing:</span>

```
sudo ufw status

```

<span class="colour" style="color: rgb(0, 0, 0);">or</span>

```
sudo ufw status verbose

```

<span class="colour" style="color: rgb(0, 0, 0);">for the most thorough display.</span>
<span class="colour" style="color: rgb(0, 0, 0);">To turn UFW off, use the following command:</span>

```
sudo ufw disable

```

## Reset Everything

<span class="colour" style="color: rgb(0, 0, 0);">If, for whatever reason, you need to reset your cloud server’s rules to their default settings, you can do this by typing this command:</span>

```
sudo ufw reset

```

## Conclusion

<span class="colour" style="color: rgb(0, 0, 0);">You should now have a cloud server that is configured properly to restrict access to a subset of ports or IP addresses.</span>
	Introduction
	<span class="colour" style="color: rgb(0, 0, 0);">One of the first lines of defense in securing your cloud server is a functioning firewall. In the past, this was often done through complicated and arcane utilities. There is a lot of functionality built into these utilities, iptables being the most popular nowadays, but they require a decent effort on behalf of the user to learn and understand them. Firewall rules are not something you want yourself second-guessing.</span>
	<span class="colour" style="color: rgb(0, 0, 0);">To this end, UFW is a considerably easier-to-use alternative.</span><br>
	<br>


	## What is UFW?

	<span class="colour" style="color: rgb(0, 0, 0);">UFW, or Uncomplicated Firewall, is a front-end to iptables. Its main goal is to make managing your firewall drop-dead simple and to provide an easy-to-use interface. It’s well-supported and popular in the Linux community—even installed by default in a lot of distros. As such, it’s a great way to get started securing your sever.</span><br>
	<br>


	## Before We Get Started

	<span class="colour" style="color: rgb(0, 0, 0);">First, obviously, you want to make sure UFW is installed. It should be installed by default in Ubuntu, but if for some reason it’s not, you can install the package using aptitude or apt-get using the following commands:</span>

	```
	sudo aptitude install ufw

	```

	<span class="colour" style="color: rgb(0, 0, 0);">or</span>

	```
	sudo apt-get install ufw

	```

	## Check the Status

	<span class="colour" style="color: rgb(0, 0, 0);">You can check the status of UFW by typing:</span>

	```
	sudo ufw status

	```

	<span class="colour" style="color: rgb(0, 0, 0);">Right now, it will probably tell you it is inactive. Whenever ufw is active, you’ll get a listing of the current rules that looks similar to this:</span>

	```
	Status: active

	To Action From
	-- ------ ----
	22 ALLOW Anywhere

	```

	## Using IPv6 with UFW

	<span class="colour" style="color: rgb(0, 0, 0);">If your VPS is configured for IPv6, ensure that UFW is configured to support IPv6 so that will configure both your IPv4 and IPv6 firewall rules. To do this, open the UFW configuration with this command:</span>

	```
	sudo vi /etc/default/ufw

	```

	<span class="colour" style="color: rgb(0, 0, 0);">Then make sure "IPV6" is set to "yes", like so:</span>

	```
	IPV6=yes

	```

	<span class="colour" style="color: rgb(0, 0, 0);">Save and quit. Then restart your firewall with the following commands:</span>

	```
	sudo ufw disable
	sudo ufw enable

	```

	<span class="colour" style="color: rgb(0, 0, 0);">Now UFW will configure the firewall for both IPv4 and IPv6, when appropriate.</span><br>
	<br>


	## Set Up Defaults

	<span class="colour" style="color: rgb(0, 0, 0);">One of the things that will make setting up any firewall easier is to define some default rules for allowing and denying connections. UFW’s defaults are to deny all incoming connections and allow all outgoing connections. This means anyone trying to reach your cloud server would not be able to connect, while any application within the server would be able to reach the outside world. To set the defaults used by UFW, you would use the following commands:</span>

	```
	sudo ufw default deny incoming

	```

	<span class="colour" style="color: rgb(0, 0, 0);">and</span>

	```
	sudo ufw default allow outgoing

	```

	<span class="colour" style="color: rgb(0, 0, 0);">Note: if you want to be a little bit more restrictive, you can also deny all outgoing requests as well. The necessity of this is debatable, but if you have a public-facing cloud server, it could help prevent against any kind of remote shell connections. It does make your firewall more cumbersome to manage because you’ll have to set up rules for all outgoing connections as well. You can set this as the default with the following:</span>

	```
	sudo ufw default deny outgoing

	```

	## Allow Connections

	<span class="colour" style="color: rgb(0, 0, 0);">The syntax is pretty simple. You change the firewall rules by issuing commands in the terminal. If we turned on our firewall now, it would deny all incoming connections. If you’re connected over SSH to your cloud server, that would be a problem because you would be locked out of your server. Let’s enable SSH connections to our server to prevent that from happening:</span>

	```
	sudo ufw allow ssh

	```

	<span class="colour" style="color: rgb(0, 0, 0);">As you can see, the syntax for adding services is pretty simple. UFW comes with some defaults for common uses. Our SSH command above is one example. It’s basically just shorthand for:</span>

	```
	sudo ufw allow 22/tcp

	```

	<span class="colour" style="color: rgb(0, 0, 0);">This command allows a connection on port 22 using the TCP protocol. If our SSH server is running on port 2222, we could enable connections with the following command:</span>

	```
	sudo ufw allow 2222/tcp

	```

	### Other Connections We Might Need

	<span class="colour" style="color: rgb(0, 0, 0);">Now is a good time to allow some other connections we might need. If we’re securing a web server with FTP access, we might need these commands:</span>
	<span class="colour" style="color: rgb(0, 0, 0);">`sudo ufw allow www` or `sudo ufw allow 80/tcp` `sudo ufw allow ftp` or `sudo ufw allow 21/tcp`</span>
	<span class="colour" style="color: rgb(0, 0, 0);">You mileage will vary on what ports and services you need to open. There will probably be a bit of testing necessary. In addition, you want to make sure you leave your SSH connection allowed.</span>

	### Port Ranges

	<span class="colour" style="color: rgb(0, 0, 0);">You can also specify port ranges with UFW. To allow ports 1000 through 2000, use the command:</span>

	```
	sudo ufw allow 1000:2000/tcp

	```

	<span class="colour" style="color: rgb(0, 0, 0);">If you want UDP:</span>

	```
	sudo ufw allow 1000:2000/udp

	```

	### IP Addresses

	<span class="colour" style="color: rgb(0, 0, 0);">You can also specify IP addresses. For example, if I wanted to allow connections from a specific IP address (say my work or home address), I’d use this command:</span>

	```
	sudo ufw allow from 192.168.255.255

	```

	## Denying Connections

	<span class="colour" style="color: rgb(0, 0, 0);">Our default set up is to deny all incoming connections. This makes the firewall rules easier to administer since we are only selectively allowing certain ports and IP addresses through. However, if you want to flip it and open up all your server’s ports (not recommended), you could allow all connections and then restrictively deny ports you didn’t want to give access to by replacing “allow” with “deny” in the commands above. For example:</span>

	```
	sudo ufw allow 80/tcp

	```

	<span class="colour" style="color: rgb(0, 0, 0);">would allow access to port 80 while:</span>

	```
	sudo ufw deny 80/tcp

	```

	<span class="colour" style="color: rgb(0, 0, 0);">would deny access to port 80.</span><br>
	<br>


	## Deleting Rules

	<span class="colour" style="color: rgb(0, 0, 0);">There are two options to delete rules. The most straightforward one is to use the following syntax:</span>

	```
	sudo ufw delete allow ssh

	```

	<span class="colour" style="color: rgb(0, 0, 0);">As you can see, we use the command “delete” and input the rules you want to eliminate after that. Other examples include:</span>

	```
	sudo ufw delete allow 80/tcp

	```

	<span class="colour" style="color: rgb(0, 0, 0);">or</span>

	```
	sudo ufw delete allow 1000:2000/tcp

	```

	<span class="colour" style="color: rgb(0, 0, 0);">This can get tricky when you have rules that are long and complex.</span>
	<span class="colour" style="color: rgb(0, 0, 0);">A simpler, two-step alternative is to type:</span>

	```
	sudo ufw status numbered

	```

	<span class="colour" style="color: rgb(0, 0, 0);">which will have UFW list out all the current rules in a numbered list. Then, we issue the command:</span>

	```
	sudo ufw delete [number]

	```

	<span class="colour" style="color: rgb(0, 0, 0);">where “[number]” is the line number from the previous command.</span><br>
	<br>


	## Turn It On

	<span class="colour" style="color: rgb(0, 0, 0);">After we’ve gotten UFW to where we want it, we can turn it on using this command (remember: if you’re connecting via SSH, make sure you’ve set your SSH port, commonly port 22, to be allowed to receive connections):</span>

	```
	sudo ufw enable

	```

	<span class="colour" style="color: rgb(0, 0, 0);">You should see the command prompt again if it all went well. You can check the status of your rules now by typing:</span>

	```
	sudo ufw status

	```

	<span class="colour" style="color: rgb(0, 0, 0);">or</span>

	```
	sudo ufw status verbose

	```

	<span class="colour" style="color: rgb(0, 0, 0);">for the most thorough display.</span>
	<span class="colour" style="color: rgb(0, 0, 0);">To turn UFW off, use the following command:</span>

	```
	sudo ufw disable

	```

	## Reset Everything

	<span class="colour" style="color: rgb(0, 0, 0);">If, for whatever reason, you need to reset your cloud server’s rules to their default settings, you can do this by typing this command:</span>

	```
	sudo ufw reset

	```

	## Conclusion

	<span class="colour" style="color: rgb(0, 0, 0);">You should now have a cloud server that is configured properly to restrict access to a subset of ports or IP addresses.</span>
	Article Submitted by: Shaun Lewis
	<span class="colour" style="color: rgb(0, 0, 0);">></span><span class="colour" style="color: rgb(0, 0, 0);">Introduction</span><span class="colour" style="color: rgb(0, 0, 0);">One of the first lines of defense in securing your cloud server is a functioning firewall. In the past, this was often done through complicated and arcane utilities. There is a lot of functionality built into these utilities, iptables being the most popular nowadays, but they require a decent effort on behalf of the user to learn and understand them. Firewall rules are not something you want yourself second-guessing.</span>
	<span class="colour" style="color: rgb(0, 0, 0);">To this end, UFW is a considerably easier-to-use alternative.</span><br>
	<br>


	## What is UFW?

	<span class="colour" style="color: rgb(0, 0, 0);">UFW, or Uncomplicated Firewall, is a front-end to iptables. Its main goal is to make managing your firewall drop-dead simple and to provide an easy-to-use interface. It’s well-supported and popular in the Linux community—even installed by default in a lot of distros. As such, it’s a great way to get started securing your sever.</span><br>
	<br>


	## Before We Get Started

	<span class="colour" style="color: rgb(0, 0, 0);">First, obviously, you want to make sure UFW is installed. It should be installed by default in Ubuntu, but if for some reason it’s not, you can install the package using aptitude or apt-get using the following commands:</span>

	```
	sudo aptitude install ufw

	```

	<span class="colour" style="color: rgb(0, 0, 0);">or</span>

	```
	sudo apt-get install ufw

	```

	## Check the Status

	<span class="colour" style="color: rgb(0, 0, 0);">You can check the status of UFW by typing:</span>

	```
	sudo ufw status

	```

	<span class="colour" style="color: rgb(0, 0, 0);">Right now, it will probably tell you it is inactive. Whenever ufw is active, you’ll get a listing of the current rules that looks similar to this:</span>

	```
	Status: active

	To Action From
	-- ------ ----
	22 ALLOW Anywhere

	```

	## Using IPv6 with UFW

	<span class="colour" style="color: rgb(0, 0, 0);">If your VPS is configured for IPv6, ensure that UFW is configured to support IPv6 so that will configure both your IPv4 and IPv6 firewall rules. To do this, open the UFW configuration with this command:</span>

	```
	sudo vi /etc/default/ufw

	```

	<span class="colour" style="color: rgb(0, 0, 0);">Then make sure "IPV6" is set to "yes", like so:</span>

	```
	IPV6=yes

	```

	<span class="colour" style="color: rgb(0, 0, 0);">Save and quit. Then restart your firewall with the following commands:</span>

	```
	sudo ufw disable
	sudo ufw enable

	```

	<span class="colour" style="color: rgb(0, 0, 0);">Now UFW will configure the firewall for both IPv4 and IPv6, when appropriate.</span><br>
	<br>


	## Set Up Defaults

	<span class="colour" style="color: rgb(0, 0, 0);">One of the things that will make setting up any firewall easier is to define some default rules for allowing and denying connections. UFW’s defaults are to deny all incoming connections and allow all outgoing connections. This means anyone trying to reach your cloud server would not be able to connect, while any application within the server would be able to reach the outside world. To set the defaults used by UFW, you would use the following commands:</span>

	```
	sudo ufw default deny incoming

	```

	<span class="colour" style="color: rgb(0, 0, 0);">and</span>

	```
	sudo ufw default allow outgoing

	```

	<span class="colour" style="color: rgb(0, 0, 0);">Note: if you want to be a little bit more restrictive, you can also deny all outgoing requests as well. The necessity of this is debatable, but if you have a public-facing cloud server, it could help prevent against any kind of remote shell connections. It does make your firewall more cumbersome to manage because you’ll have to set up rules for all outgoing connections as well. You can set this as the default with the following:</span>

	```
	sudo ufw default deny outgoing

	```

	## Allow Connections

	<span class="colour" style="color: rgb(0, 0, 0);">The syntax is pretty simple. You change the firewall rules by issuing commands in the terminal. If we turned on our firewall now, it would deny all incoming connections. If you’re connected over SSH to your cloud server, that would be a problem because you would be locked out of your server. Let’s enable SSH connections to our server to prevent that from happening:</span>

	```
	sudo ufw allow ssh

	```

	<span class="colour" style="color: rgb(0, 0, 0);">As you can see, the syntax for adding services is pretty simple. UFW comes with some defaults for common uses. Our SSH command above is one example. It’s basically just shorthand for:</span>

	```
	sudo ufw allow 22/tcp

	```

	<span class="colour" style="color: rgb(0, 0, 0);">This command allows a connection on port 22 using the TCP protocol. If our SSH server is running on port 2222, we could enable connections with the following command:</span>

	```
	sudo ufw allow 2222/tcp

	```

	### Other Connections We Might Need

	<span class="colour" style="color: rgb(0, 0, 0);">Now is a good time to allow some other connections we might need. If we’re securing a web server with FTP access, we might need these commands:</span>
	<span class="colour" style="color: rgb(0, 0, 0);">`sudo ufw allow www` or `sudo ufw allow 80/tcp` `sudo ufw allow ftp` or `sudo ufw allow 21/tcp`</span>
	<span class="colour" style="color: rgb(0, 0, 0);">You mileage will vary on what ports and services you need to open. There will probably be a bit of testing necessary. In addition, you want to make sure you leave your SSH connection allowed.</span>

	### Port Ranges

	<span class="colour" style="color: rgb(0, 0, 0);">You can also specify port ranges with UFW. To allow ports 1000 through 2000, use the command:</span>

	```
	sudo ufw allow 1000:2000/tcp

	```

	<span class="colour" style="color: rgb(0, 0, 0);">If you want UDP:</span>

	```
	sudo ufw allow 1000:2000/udp

	```

	### IP Addresses

	<span class="colour" style="color: rgb(0, 0, 0);">You can also specify IP addresses. For example, if I wanted to allow connections from a specific IP address (say my work or home address), I’d use this command:</span>

	```
	sudo ufw allow from 192.168.255.255

	```

	## Denying Connections

	<span class="colour" style="color: rgb(0, 0, 0);">Our default set up is to deny all incoming connections. This makes the firewall rules easier to administer since we are only selectively allowing certain ports and IP addresses through. However, if you want to flip it and open up all your server’s ports (not recommended), you could allow all connections and then restrictively deny ports you didn’t want to give access to by replacing “allow” with “deny” in the commands above. For example:</span>

	```
	sudo ufw allow 80/tcp

	```

	<span class="colour" style="color: rgb(0, 0, 0);">would allow access to port 80 while:</span>

	```
	sudo ufw deny 80/tcp

	```

	<span class="colour" style="color: rgb(0, 0, 0);">would deny access to port 80.</span><br>
	<br>


	## Deleting Rules

	<span class="colour" style="color: rgb(0, 0, 0);">There are two options to delete rules. The most straightforward one is to use the following syntax:</span>

	```
	sudo ufw delete allow ssh

	```

	<span class="colour" style="color: rgb(0, 0, 0);">As you can see, we use the command “delete” and input the rules you want to eliminate after that. Other examples include:</span>

	```
	sudo ufw delete allow 80/tcp

	```

	<span class="colour" style="color: rgb(0, 0, 0);">or</span>

	```
	sudo ufw delete allow 1000:2000/tcp

	```

	<span class="colour" style="color: rgb(0, 0, 0);">This can get tricky when you have rules that are long and complex.</span>
	<span class="colour" style="color: rgb(0, 0, 0);">A simpler, two-step alternative is to type:</span>

	```
	sudo ufw status numbered

	```

	<span class="colour" style="color: rgb(0, 0, 0);">which will have UFW list out all the current rules in a numbered list. Then, we issue the command:</span>

	```
	sudo ufw delete [number]

	```

	<span class="colour" style="color: rgb(0, 0, 0);">where “[number]” is the line number from the previous command.</span><br>
	<br>


	## Turn It On

	<span class="colour" style="color: rgb(0, 0, 0);">After we’ve gotten UFW to where we want it, we can turn it on using this command (remember: if you’re connecting via SSH, make sure you’ve set your SSH port, commonly port 22, to be allowed to receive connections):</span>

	```
	sudo ufw enable

	```

	<span class="colour" style="color: rgb(0, 0, 0);">You should see the command prompt again if it all went well. You can check the status of your rules now by typing:</span>

	```
	sudo ufw status

	```

	<span class="colour" style="color: rgb(0, 0, 0);">or</span>

	```
	sudo ufw status verbose

	```

	<span class="colour" style="color: rgb(0, 0, 0);">for the most thorough display.</span>
	<span class="colour" style="color: rgb(0, 0, 0);">To turn UFW off, use the following command:</span>

	```
	sudo ufw disable

	```

	## Reset Everything

	<span class="colour" style="color: rgb(0, 0, 0);">If, for whatever reason, you need to reset your cloud server’s rules to their default settings, you can do this by typing this command:</span>

	```
	sudo ufw reset

	```

	## Conclusion

	<span class="colour" style="color: rgb(0, 0, 0);">You should now have a cloud server that is configured properly to restrict access to a subset of ports or IP addresses.</span>