

Ubuntu doesn't ship with a firewall turned on. You can configure iptables long-hand, but 'ufw' (the Uncomplicated Firewall) is the simplest way to control iptables.

(you may need to apt-get it first)

Turning it on for ssh

You can use the built-in rule set for secure shell, specify where you want to allow connections from, and turn on ufw as follows:

$ sudo ufw allow from to any app openssh
$ sudo ufw enable

To break that down:

    sudo ufw allow from xxx/xx to any app openssh

    sudo               - You must be root to add rules
    allow from xxx/xx  - This is who you are letting connect in (an address or CIDR block)
    to any             - To any ethernet interface
    app openssh        - The application openssh

Turning it on for other applications

Other rule sets exist as well. To see what you can do, list them like so:

$ sudo ufw app list
Available applications:
  Lighttpd Full
  Lighttpd HTTP
  Lighttpd HTTPS
  Postfix Submission

You turn these on the same way as above (quote a name that contains spaces, such as 'Lighttpd Full').

Creating your own app rule sets

The existing rule sets can be found in the /etc/ufw/applications.d/ folder.

$ cd /etc/ufw/applications.d
$ ls
lighttpd  openssh-server  postfix  samba

Viewing one (here openssh-server) shows they look like so: a section header naming the profile, a title, a description and the ports it uses

[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp

You can create your own after the same pattern:

description=A XMPP server

To specify a port range in the ports= line, use a colon:

description=Simple FTP and FTPS Server

You turn on such a rule set just like in the first example, or, to allow connections from anywhere, simply name it:

$ sudo ufw allow pure-ftpd
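As an added example (not part of the original page, and not ufw's own code), the shell below builds a complete profile in the format shown above, with a passive-mode port range written with a colon, and sanity-checks the ports= value before the file goes anywhere near /etc/ufw/applications.d. The profile name, title and ports are constructed for illustration, the accepted ports syntax is an approximation of what ufw accepts rather than its own parser, and the file is written to a scratch directory.

```shell
#!/bin/sh
# Added example: build and sanity-check a ufw application profile.
set -eu

# Approximation of ufw's ports= syntax (not ufw's parser): one or more
# "port[:port][,port...]/proto" groups joined by '|', e.g. 21/tcp|30000:30100/tcp
PORTS_RE='^[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*/(tcp|udp)([|][0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*/(tcp|udp))*$'

# Return 0 if $1 is an acceptable ports= value, 1 otherwise.
ufw_ports_valid() {
  printf '%s' "$1" | grep -Eq "$PORTS_RE" || return 1
  # Also reject out-of-range ports and reversed ranges (30100:30000).
  for p in $(printf '%s' "$1" | tr '|,' '\n\n' | sed 's#/.*##'); do
    lo=${p%%:*}; hi=${p##*:}
    [ "$lo" -ge 1 ] && [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ] || return 1
  done
}

# Write a profile file. $1=directory $2=profile name (section header and
# file name) $3=title $4=description $5=ports. Prints the path written.
write_ufw_profile() {
  ufw_ports_valid "$5" || { echo "bad ports spec: $5" >&2; return 1; }
  mkdir -p "$1"
  printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' "$2" "$3" "$4" "$5" > "$1/$2"
  printf '%s\n' "$1/$2"
}

# Read the ports= value back out of a profile file.
ufw_profile_ports() {
  sed -n 's/^ports=//p' "$1"
}

# Demo: a constructed pure-ftpd profile (21/tcp plus a passive range) in a scratch dir.
demo_dir=$(mktemp -d)
write_ufw_profile "$demo_dir" pure-ftpd "Pure-FTPd" "Simple FTP and FTPS Server" "21/tcp|30000:30100/tcp"
```

Once the file is copied into /etc/ufw/applications.d, `sudo ufw app list` should show the new name and `sudo ufw app info pure-ftpd` shows the ports ufw resolved it to, which is worth checking before you `ufw allow` it.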

Removing Rules

To remove a rule, simply prefix the original rule with the delete parameter.

sudo ufw delete allow from to any app openssh

If you don't know exactly which rule you need to delete, you can list them and then remove them, though it requires a little analysis:

$ sudo ufw status 
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW

And based on that:

sudo ufw delete allow from to any app openssh

Adding an Arbitrary Port

You can, of course, skip setting up app definitions and add a port directly:

sudo ufw allow from to any port 1804

Changing the log location

ufw can log a lot of data when the host sits in a DMZ. To stop it cluttering up your kern.log and dmesg output, edit its rsyslog config file, which contains instructions on what to do (i.e. log to its own file and prevent ufw log messages from going to other files):

$ vi /etc/rsyslog.d/20-ufw.conf