1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
|
---
title: "Using UFW as a Firewall"
date: 2021-06-30
tags: ['server']
---
**Uncomplicated Firewall** (UFW) is a front-facing program for the more
involved `iptables` firewall program installed in most GNU/Linux
distributions. We can use `ufw` to restrict machines on the internet to
only access the services (SSH, websites etc) you want them to, but it
can also be used to prevent programs on the computer itself from
accesing parts of the internet it shouldn\'t.
## How to Get It
Log into your server by pulling up a terminal and typing:
```sh
ssh root@example.org
```
This command will attempt to log into your server and run a remote
shell. If you leave the settings default, it should prompt you for your
password, and you can just copy or type in the password from Vultr\'s
site.
Some VPS providers automatically install `ufw`, but if you do not have
it installed already, install it in the typical way:
```sh
apt install ufw
```
## First-Time Setup
You can check the status of `ufw` right now by running:
```sh
ufw status
```
Without any changes, it should report back `Status: inactive`. Let\'s
set it up so that only connections to SSH (standardized at port 22) are
allowed in, and then enable the firewall:
**Careful!** Enabling `ufw` without allowing SSH will block you from
remoting to your server. Double-check that you have allowed SSH, and if
you have changed the default SSH port, put in *that* number instead.
```sh
ufw default deny incoming # block all incoming connections by default
ufw allow in ssh # or: ufw allow in 22
ufw enable
```
`ufw` has an internal list of protocols applications, and the ports used
by them. In this case, it knows SSH is on port 22. We\'ll go more in
detail how to view all protocols `ufw` knows about. By default, when you
allow an incoming port, it allows that port both on IPv4 and IPv6.
With the firewall enabled and allowing only SSH in, all other ports are
protected from incoming requests. To view all your rules, run:
```sh
ufw status verbose
```
A firewall that allows to connect to SSH and their website may look
like:
```txt
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22 (SSH) ALLOW IN Anywhere
80,443/tcp (WWW Full) ALLOW IN Anywhere
22 (SSH (v6)) ALLOW IN Anywhere (v6)
80,443/tcp (WWW Full (v6)) ALLOW IN Anywhere (v6)
```
If you want to delete e.g. the \'WWW Full\' rule, run:
```sh
ufw delete allow in 'WWW Full'
ufw reload
```
## Enabling Common Services
You have blocked all incoming ports but SSH, which means no outsiders
would be able to access other services, like an email server or your
website. You should look at the ports your services are open on and
enable them individually. Here is a list of a few common services:
### Opening Port Numbers
Suppose you install [a Gemini server](/gemini), which must broadcast
on port 1965. By default `ufw` blocks all incoming connections on all
ports, so whenever you install a new service like this you will have to
tell `ufw` to enable the desired port:
```sh
ufw allow 1965
```
### Websites: HTTP and HTTPS
HTTP uses port 80 and HTTPS uses port 443. We can enable them like this:
```sh
ufw allow 80
ufw allow 443
```
But `ufw` additionally knows the typical ports of common serives, so you
can also run this:
```sh
ufw allow http
ufw allow https
```
And that will do the same thing. There are also other abbreviations for
common port lists:
```sh
ufw allow in 'WWW Full'
```
To see these other \"apps\" that `ufw` knows by default, run
`ufw app list`
### Email: IMAP, POP3, and SMTP
```sh
ufw allow in IMAPS
ufw allow in POP3
ufw allow in SMTP
ufw allow in 'Postfix SMTPS'
ufw allow in 'Mail Submission'
```
## Fine-Tuning Rules
Instead of denying all ports by default, you may want to deny (ignores
incoming requests) or reject (explicitly tells requests they\'re not
allowed):
```sh
ufw default allow in
ufw deny in PORT
ufw reject in PORT
ufw reload
```
You can add rules to comments to remember what they are there for:
```sh
ufw allow in PORT comment 'Secret SSH'
ufw reload
ufw status verbose
```
Output:
```txt
To Action From
-- ------ ----
PORT ALLOW IN Anywhere # Secret SSH
PORT (v6) ALLOW IN Anywhere (v6) # Secret SSH
```
To deny outgoing ports:
```sh
ufw deny out PORT
```
Ratelimiting is useful to protect against brute-force login attacks,
like in SSH. Only IPv4 is supported for now. Enable it by running:
```sh
ufw limit PORT/tcp
```
To blocklist IP addresses:
```sh
ufw deny from IP_ADDRESS
```
To read more what you can do with `ufw`, run:
```sh
man ufw
```
## Recovering SSH {#recovering-from-losing-ssh}
If you have accidentally firewalled yourself from logging on your
computer, you can recover access by using your VPS\'s virtual console.
On Vultr, this is on your VPS\'s menu. To the right of the server name,
It is the leftmost icon that looks like a monitor.
{{< img src="/pix/ssh-01.png" link="/pix/ssh-01.png" alt="View Console" >}}
Log in through there, and disable ufw by typing:
```sh
ufw disable
```
## Further Reading
- `man ufw` 👈
- [Ubuntu Wiki:
UncomplicatedFirewall](https://wiki.ubuntu.com/UncomplicatedFirewall)
- [Gufw (Graphical UFW)](https://help.ubuntu.com/community/Gufw)
**Contributor** - [shunter.xyz](https://shunter.xyz)
|
