10.23.13

Configure Uncomplicated Firewall – UFW on apache web server host

Posted in apache2, Linux, Security, Ubuntu at 6:12 pm by

Uncomplicated Firewall – UFW

This article introduces the concept of securing your Linux environment by setting up a firewall. The firewall I'll use in this article is the Uncomplicated Firewall, UFW for short. UFW is a front-end for iptables that makes managing a Netfilter firewall easier. It provides a command line interface with syntax similar to OpenBSD's Packet Filter, and it is particularly well suited as a host-based firewall. In this example I'm doing it on Ubuntu 12.04, although this article should also work on any Debian-based system.

Install UFW

First we have to install the package.

#sudo apt-get update
#sudo apt-get install ufw

Configure UFW on apache web server host

This section will show you how to configure UFW on a remote server which hosts an apache2 web server.

Once the installation is done, run ufw status verbose to check the status of UFW.

#sudo ufw status verbose
Status: inactive

It's good that UFW is inactive by default, otherwise you could lock yourself out of your host. Before you turn the firewall on, allow the SSH protocol through it, since that is the protocol you use to remotely administer the server.

#sudo ufw allow ssh

You now enable UFW:

#sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

We allowed SSH through the firewall; the following command sets the default policy so that all other incoming connections are blocked.

#sudo ufw default deny

To let your Apache server function as a web server you have to open extra ports. By default Apache uses port 80 for HTTP and 443 for HTTPS.

#sudo ufw allow 80/tcp
Rule added
#sudo ufw allow 443/tcp
Rule added

Voila, you have configured your host to allow SSH connections so you can administer it, while it can still serve web pages. All other incoming traffic is blocked.

Delete Existing Rule

To delete a rule, you can prefix the original rule with delete, or you can delete by rule number. Personally I find deleting rules by number the easiest and safest way.

First we'll list all the rules with their numbers.

#sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80/tcp                     ALLOW IN    Anywhere
[ 2] 443/tcp                    ALLOW IN    Anywhere

We want to get rid of the port 80 rule.

You could use the prefix way:

#sudo ufw delete allow 80/tcp

Or you could use the numbered way:

#sudo ufw delete 1

Advanced example

You have a server on your LAN at home and you want to allow SSH connections only from your LAN, while denying connections from one specific LAN host, 192.168.0.1.

The syntax for the deny command, where source and destination are an address, a subnet or the keyword any:

#sudo ufw deny from <source> to <destination> port <port>

We put the rules in place to allow our LAN access, while denying 192.168.0.1. The deny rule is added first on purpose:

#sudo ufw deny from 192.168.0.1 to any port 22
#sudo ufw allow from 192.168.0.0/24 to any port 22

Check the rules that were created.

#sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         DENY        192.168.0.1
22                         ALLOW       192.168.0.0/24

The order in which we add these rules is important: once a rule matches, no further rules are evaluated. So if we had added the rule for the whole subnet first, connections from 192.168.0.1 would still succeed, because the deny rule would never be reached.
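Because rule order decides whether the host-specific deny actually takes effect, here is an added shell example (not from the original post) that parses the output of ufw status numbered and checks that the DENY rule for 192.168.0.1 is listed before the ALLOW rule for 192.168.0.0/24 on port 22. The two status listings are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Added example: check rule order in "ufw status numbered" output. The host
# DENY must be listed before the subnet ALLOW, or the ALLOW matches first.

# Constructed sample outputs (not captured from a real host).
GOOD_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         DENY IN     192.168.0.1
[ 2] 22                         ALLOW IN    192.168.0.0/24
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 443/tcp                    ALLOW IN    Anywhere'

# The same rules added in the wrong order: the subnet ALLOW shadows the DENY.
BAD_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    192.168.0.0/24
[ 2] 22                         DENY IN     192.168.0.1'

# parse_rules STATUS: print "NUM TO ACTION FROM" for every numbered rule line.
parse_rules() {
  printf '%s\n' "$1" \
    | sed 's/^\[ *\([0-9][0-9]*\)] */\1 /' \
    | awk '$1 ~ /^[0-9]+$/ { print $1, $2, $3, $5 }'
}

# first_rule_for STATUS TO ACTION FROM: number of the first rule whose three
# columns match exactly; prints nothing when no rule matches.
first_rule_for() {
  parse_rules "$1" \
    | awk -v to="$2" -v act="$3" -v from="$4" \
          '$2 == to && $3 == act && $4 == from { print $1; exit }'
}

# deny_before_allow STATUS PORT HOST SUBNET: exit 0 only when the DENY rule
# for HOST is listed before the ALLOW rule for SUBNET on PORT.
deny_before_allow() {
  deny=$(first_rule_for "$1" "$2" DENY "$3")
  allow=$(first_rule_for "$1" "$2" ALLOW "$4")
  [ -n "$deny" ] && [ -n "$allow" ] && [ "$deny" -lt "$allow" ]
}

for status in "$GOOD_STATUS" "$BAD_STATUS"; do
  deny_before_allow "$status" 22 192.168.0.1 192.168.0.0/24 \
    && echo "ok: host DENY precedes subnet ALLOW" || echo "WARNING: subnet ALLOW shadows host DENY"
done
```

On a live host, feed it the real listing: deny_before_allow "$(sudo ufw status numbered)" 22 192.168.0.1 192.168.0.0/24.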

More information

More detailed information is available in the manual page:

man ufw