
    Uncomplicated Firewall (UFW) in Debian 11

    UFW, the Uncomplicated Firewall, is a commonly used firewall on Debian and Ubuntu. It is a management layer (frontend) for iptables that aims to simplify the management of your firewall. In this tutorial we explain how to use UFW.

    • Connect via SSH or the VPS console and work as the root user, or prefix the commands in this article with sudo.
    • UFW handles configuration changes in real-time.

    Installing UFW

    By default, a Debian 11 installation ships with iptables but not with UFW. Installing the Uncomplicated Firewall is straightforward:

    apt -y install ufw

    UFW does not start automatically after installation. You enable UFW with the commands:

    ufw enable
    systemctl start ufw
    ufw logging on

    With logging on, UFW writes entries to a log (/var/log/messages), which is definitely recommended: it gives you more information to troubleshoot with if problems occur.
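    As an added example (not part of the original article), the following script summarises blocked connection attempts per source address and destination port from UFW log lines. The log lines are constructed samples in the format UFW writes through the kernel log, using documentation address ranges; on a live system you would feed it the log file named above.

```shell
#!/usr/bin/env bash
# Added example (not from the article): count blocked connection attempts
# per source address and destination port from UFW log lines, to see who
# is knocking on which closed ports.
set -eu

# Constructed sample in the format UFW writes through the kernel log;
# addresses come from documentation ranges and are not real hosts.
SAMPLE_LOG='Mar  3 10:15:42 debian kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Mar  3 10:15:43 debian kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Mar  3 10:15:44 debian kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40001 DPT=3306 SYN
Mar  3 10:15:45 debian kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51236 DPT=22 SYN
Mar  3 10:15:46 debian kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:15:47 debian kernel: [UFW AUDIT] IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40002 DPT=80 SYN'

# Read log lines on stdin; print "<count> <src> <proto>/<dport>" for every
# [UFW BLOCK] entry, most frequent first. Entries without a DPT field
# (e.g. ICMP) and non-BLOCK entries (AUDIT, ALLOW) are skipped.
blocked_by_src_port() {
    awk '/\[UFW BLOCK]/ {
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")            # fields look like KEY=VALUE
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
        }
        if (src != "" && dpt != "") count[src " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# On a live system: blocked_by_src_port < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | blocked_by_src_port
```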



    The initial configuration

    After installation, UFW doesn't have a default configuration yet. It is recommended to start by blocking all incoming traffic and allowing all outgoing traffic, and then to open specific ports or services. The first part is done with the following commands:

    ufw default deny incoming
    ufw default allow outgoing

    Check the status of UFW with:

    ufw status verbose

    Opening ports


    There are three options for opening ports:

    • Opening tcp and udp ports: 
      ufw allow 22
      Replace 22 with the desired port number. For a port range you use the syntax:
      ufw allow 1234:2345
    • Opening a tcp port:
      ufw allow 22/tcp
      Replace 22 with the desired port number. For a port range you use the syntax:
      ufw allow 1234:2345/tcp
    • Opening a UDP port:
      ufw allow 22/udp
      Replace 22 with the desired port number. For a port range you use the syntax:
      ufw allow 1234:2345/udp

    Closing ports


    There are also three options for closing ports:

    • Closing tcp and udp ports:
      ufw deny 22
      Replace 22 with the desired port number. For a port range you use the syntax:
      ufw deny 1234:2345
    • Closing a tcp port:
      ufw deny 22/tcp
      Replace 22 with the desired port number. For a port range you use the syntax:
      ufw deny 1234:2345/tcp
    • Closing a udp port:
      ufw deny 22/udp
      Replace 22 with the desired port number. For a port range you use the syntax:
      ufw deny 1234:2345/udp

    Allowing or denying IPs

    It may be preferable to open or close ports for specific IP addresses. This is for example a useful method for allowing only yourself access to the SSH port.

    Access per IP can be regulated based on: a single IP address, a subnet, a port plus IP address, or a combination of IP address, port and protocol.

    In the examples below replace 123.123.123.123 by the actual IP address, 1234 by the desired port and TCP by the desired protocol.

    • Allowing / denying IP addresses

      An IP address is given access with the syntax:
      ufw allow from 123.123.123.123
      or denied access with:
      ufw deny from 123.123.123.123
    • Allowing or denying IP subnets

      Subnets are allowed access using:
      ufw allow from 123.123.123.0/24
      or denied access with:
      ufw deny from 123.123.123.0/24
    • Allowing / denying per port and IP

      Tip: instead of a specific IP, you can also use an IP subnet.
      Access to a specific port is given using:
      ufw allow from 123.123.123.123 to any port 22
      An IP address is denied access to a specific port with:
      ufw deny from 123.123.123.123 to any port 22
    • Allowing / denying per IP, port and protocol:

      Tip: instead of a specific IP, you can also use an IP subnet.
      Access to a specific port and protocol is given using:
      ufw allow from 123.123.123.123 to any port 22 proto tcp
      An IP address is denied access to a specific port and protocol with:
      ufw deny from 123.123.123.123 to any port 22 proto tcp
      Replace tcp with udp if you'd like to open or close a UDP port instead.

    Allowing services


    In addition to opening ports, you can also open specific services with UFW. You add the service in UFW, and UFW then opens incoming traffic on the one or more ports associated with that service (with one caveat, explained below).

    You allow a service in UFW with the following command, replacing ssh with the relevant service name:

    ufw allow ssh

    UFW uses configuration files (see 'Available services' below) to determine which ports belong to a service; those ports are opened when the service is added. For example, if you change your SSH port and then open the SSH service in UFW, the new port will not be open automatically: you have to open the port manually or adjust the service's configuration in UFW.


    Available services

    UFW gets its port information for allowing or denying services from the file /etc/services. You can view its content with:

    nano /etc/services

    In our nano and vi documentation, we explain how to quickly search for specific words (in this case, the names of services).


    Denying services


    Services are just as easy to close in UFW as they are to open:

    ufw deny ssh

    All incoming connections are blocked by default, so explicitly denying a service is not immediately necessary.


    Deleting rules


    At the beginning of this article, we set deny as the default for all incoming connections. Whether you manually open or close ports or services afterwards, each of these is considered a UFW rule. You can delete these rules as follows:

    ufw delete deny ssh
    ufw delete allow 22/tcp
    
    • The first command is an example for deleting a service rule, the second for deleting a port rule.
    • Use deny or allow depending on whether the rule you are deleting closes or opens the port/service.
    • Replace ssh with the name of the service, or with the port number and protocol as in the second example: 22/tcp, or 22 for tcp and udp.

    To clarify: since all incoming connections are blocked by default, it is sufficient to create allow rules for ports and services and to delete those rules when needed. Closing specific ports or services should therefore not be necessary.


    Unblocking IPs


    Unblocking IPs is very easy in UFW, and you can also use this method as an alternative to removing specific rules (see the 'Deleting rules' section). First, list all current rules with the command:

    ufw status numbered

    You then get output in which all the rules are numbered. You delete a specific rule with the command:

    ufw delete 1

    Replace 1 with the number of the rule you want to delete.

    After 'ufw delete 1', the rule that was number 2 becomes number 1. It is therefore best to run ufw status numbered again after each delete, so that you don't accidentally delete the wrong rule.
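    The renumbering caveat above is easy to work around in a script. As an added example (not the article's own code), the following collects every rule whose From column is a given IP address from the output of ufw status numbered and deletes them highest number first, so that earlier deletes cannot shift the remaining numbers. The status listing is a constructed sample; with DRY_RUN=1 the ufw commands are only printed, and 'ufw --force delete' is used to skip the per-rule confirmation prompt.

```shell
#!/usr/bin/env bash
# Added example (not from the article): remove all UFW rules that reference
# one IP address, deleting from the highest rule number downwards so that
# UFW's renumbering after each delete cannot shift the remaining targets.
set -eu

# Constructed sample of 'ufw status numbered' output, used when DRY_RUN=1.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 22                         ALLOW IN    123.123.123.123
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 3306/tcp                   DENY IN     123.123.123.123
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Read a status listing on stdin and print the numbers of all rules whose
# From column is exactly $1, highest first. Assumes plain rules (no
# interface or comment suffix), so the From value is the last field.
rule_numbers_for_ip() {
    awk -v ip="$1" '
        /^\[ *[0-9]+]/ {
            n = $0; sub(/^\[ */, "", n); sub(/].*/, "", n)   # rule number
            if ($NF == ip) print n
        }' | sort -rn
}

# Delete every matching rule. --force skips the per-rule confirmation prompt.
# With DRY_RUN=1 the constructed sample is used and commands are only printed.
delete_rules_for_ip() {
    local ip="$1" status
    if [ "${DRY_RUN:-0}" = 1 ]; then status="$SAMPLE_STATUS"
    else status="$(ufw status numbered)"; fi
    printf '%s\n' "$status" | rule_numbers_for_ip "$ip" | while read -r n; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "ufw --force delete $n"
        else ufw --force delete "$n"; fi
    done
}

# Usage: DRY_RUN=1 ./ufw-forget-ip.sh 123.123.123.123
if [ "${1:-}" != "" ]; then delete_rules_for_ip "$1"; fi
```

    Run it with DRY_RUN=1 first and compare the printed commands against your own ufw status numbered output before letting it touch the live rule set.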



    This concludes our tutorial on UFW in Debian. Do you want to know more about UFW or discuss it with others? Let us know under 'Comments' at the bottom of this article or take a look at UFW's own documentation.

    Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.
