UFW (Uncomplicated Firewall) was originally released for Ubuntu as a simple way to manage netfilter rules. It makes managing your Linux server firewall extremely easy and is now also available for CentOS.
If you’d prefer a managed server, with the power of a VPS – check out our web hosting.
How to setup UFW
First, ensure you’ve enabled the EPEL repo.
Install the UFW package using yum:
[user@server] sudo yum -y install ufw
Check it’s installed successfully:
[user@server] sudo ufw status
Which should show ‘Status: inactive’
In a basic firewall, denying all incoming traffic and allowing outgoing traffic is a good place to start. So we can set the default rules with these two commands:
[user@server] sudo ufw default deny incoming
[user@server] sudo ufw default allow outgoing
Next, you want to open up any services you wish to be available to the internet. At its simplest, you can open up the firewall for specific services by name, for example:
[user@server] sudo ufw allow ssh
or
[user@server] sudo ufw allow https
For non-standard or unusual ports you can specify the port number rather than the service:
[user@server] sudo ufw allow 2222
You can further narrow this down to protocol too by adding it to the end:
[user@server] sudo ufw allow 2222/tcp
To add a range of ports, for passive FTP for example, the following syntax is available:
[user@server] sudo ufw allow 3000:4000/tcp
If you have a static IP and wish to allow all traffic from your network you can add it as such:
[user@server] sudo ufw allow from 123.123.123.123
In the event you wish to block traffic from an IP, you can do the reverse:
[user@server] sudo ufw deny from 123.123.123.123
Before you enable the firewall, you may want to check on the rule status:
[user@server] sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 224.0.0.251 mDNS           ALLOW IN    Anywhere
[ 2] Anywhere                   ALLOW IN    123.123.123.123
[ 3] 25                         ALLOW IN    Anywhere
[ 4] 80                         ALLOW IN    Anywhere
[ 5] 443                        ALLOW IN    Anywhere
[ 6] 465                        ALLOW IN    Anywhere
[ 7] 993                        ALLOW IN    Anywhere
[ 8] 995                        ALLOW IN    Anywhere
[ 9] ff02::fb mDNS              ALLOW IN    Anywhere (v6)
[10] 25 (v6)                    ALLOW IN    Anywhere (v6)
[11] 80 (v6)                    ALLOW IN    Anywhere (v6)
[12] 443 (v6)                   ALLOW IN    Anywhere (v6)
[13] 465 (v6)                   ALLOW IN    Anywhere (v6)
[14] 993 (v6)                   ALLOW IN    Anywhere (v6)
[15] 995 (v6)                   ALLOW IN    Anywhere (v6)
If you need to remove any of these rules, you can reference them by their number:
[user@server] sudo ufw delete <number>
Once you’re happy, enable the firewall:
[user@server] sudo ufw enable
We’ve not yet set the firewall to start on boot, so if you’ve messed up and locked yourself out, reboot your server and you’re back. If everything is working well and you’re happy with the rules, now just set the firewall to start on boot:
[user@server] sudo systemctl enable ufw
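The steps above, collected into a script as an added example (not part of the original post): it applies the default-deny baseline and a list of allow rules, and refuses to enable the firewall unless the list contains an SSH/management rule, so the lockout described above cannot happen by omission. The UFW, DRY_RUN and MGMT_PORT variables, the rule list and the 203.0.113.10 address are all constructed for this example; run with DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Assumed: UFW is the command prefix, DRY_RUN=1 prints instead of running,
# MGMT_PORT is the port you administer the server on (default 22).
UFW="${UFW:-sudo ufw}"
DRY_RUN="${DRY_RUN:-0}"
MGMT_PORT="${MGMT_PORT:-22}"

# Constructed rule list: one argument string for "ufw allow" per line.
# 203.0.113.10 is a documentation address standing in for your static IP.
RULES='ssh
https
2222/tcp
3000:4000/tcp
from 203.0.113.10'

# Run (or, in dry-run mode, print) one ufw command.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "$UFW $*"
  else
    $UFW "$@"
  fi
}

# Succeeds only if the rule list opens the management port
# (as the "ssh" service name, the bare port or port/tcp).
has_mgmt_rule() {
  echo "$1" | grep -Eq "^(ssh|${MGMT_PORT}(/tcp)?)$"
}

# Apply defaults and rules, then enable. Fails closed if no management rule.
apply_rules() {
  rules="$1"
  if ! has_mgmt_rule "$rules"; then
    echo "refusing to enable: no rule allows port ${MGMT_PORT} (SSH)" >&2
    return 1
  fi
  run default deny incoming
  run default allow outgoing
  echo "$rules" | while IFS= read -r r; do
    [ -z "$r" ] && continue
    run allow $r            # word splitting intended ("from 203.0.113.10")
  done
  run --force enable        # --force skips ufw's interactive confirmation
}

# Only act when invoked as "sh script.sh apply"; sourcing it does nothing.
if [ "${1:-}" = "apply" ]; then
  apply_rules "$RULES"
fi
```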
You can add or delete rules at a later date with the same syntax.
To disable the firewall, issue the command:
[user@server] sudo ufw disable
and if you want to reset your rules and start again:
[user@server] sudo ufw reset
Finally
UFW gives you plenty of options to create a secure firewall for your server or VPS. If you have any other tips, please share them with us in the comments.