UFW (Uncomplicated Firewall) aims to simplify host-based firewalls on Linux. But despite its name, UFW contains extensive capabilities for controlling traffic to and from a server. Mastering UFW means deeply understanding how to manage rules during initial configuration and ongoing operations.

In this comprehensive guide, we will dive into:

  • Viewing and persisting rules across reboots
  • Safely editing and deleting existing rules
  • Performing common rule operations like insert, reject, limit
  • Comparing UFW to other Linux firewalls like iptables and firewalld
  • Best practices for applying host-based firewall policies

The Critical Importance of Host Firewalls

Over 90% of servers now run firewall software according to multiple industry surveys:

Host Firewall Usage Rates

  Year    % Using Firewalls
  2021    93%
  2022    91%

Cloud hosts especially tend towards higher public exposure from shared infrastructure and dynamic environments. Running local firewall services provides a first line of defense limiting attack surface.

Leading security standards like PCI DSS, SOC2, ISO 27001, and CIS Benchmarks now directly mandate firewalls on assets holding sensitive data. Skimping on host-based rules leaves data vulnerable in case of misconfigurations elsewhere.

Viewing Current UFW Rules

As covered in our UFW basics guide, viewing current rules relies on the ufw status command:

ufw status
Status: active

To                         Action      From
--                         ------      ----  
22                         ALLOW       15.15.15.0/24
443                        ALLOW       Anywhere
8080                       ALLOW       192.168.1.0/24 

However, UFW stores no persistent copy of these rules. The output shows the active in-memory rules applied via iptables when UFW started.

This lack of a rule file makes UFW easy to reset – simply disabling the firewall clears all policies. But it also means rules cannot be verified before enabling.

Safely Editing Existing UFW Rules

Care must be taken when editing or deleting existing rules on a live firewall. Removing an allow rule could unexpectedly deny access to a production service.

Consider a scenario where we want to secure a Redis instance. Initially, access was allowed from all private subnets:

ufw allow from 192.168.0.0/16 to any port 6379 proto tcp
ufw allow from 10.0.0.0/8 to any port 6379 proto tcp

But then a vulnerability emerges in older Redis versions < 3.2.1. We need to limit access to hosts which have upgraded Redis to patch the issue.

Incorrect Method

  1. Delete the existing allow rules while the new rules are still being written
  2. Add permits only for patched servers
  3. The window between the two steps leaves access open to all subnets pending the new rules

Correct Method

  1. Leave the firewall active with the original rules applied
  2. Insert the improved rules before deleting the old ones
  3. Check ufw status for the expected permissions before changing the default policy

This staged approach prevents accidental exposure between rule changes.
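The staged method above, written out as an added example (not code from the original article): the narrow per-host allows are inserted at position 1 first, the broad subnet allows are deleted only afterwards, and a status listing is checked for the expected rule before anything else changes. The script defaults to a dry run that prints the ufw commands it would issue; set DRY_RUN=0 to apply them as root. The patched-host addresses and the sample status listing are constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: stage a Redis rule change
# so that the narrower allows exist before the broad subnet allows are removed.
# DRY_RUN=1 (the default) only prints the ufw commands; DRY_RUN=0 runs them
# (requires root). Host addresses and the sample status output are constructed.
set -eu

DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode; otherwise execute the real ufw binary.
ufw_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ufw $*"
    else
        ufw "$@"
    fi
}

# Stage 1: insert one allow per patched host at position 1 so each is
# evaluated before everything already in the list.
# Stage 2: only after the narrow rules are in place, delete the broad allows.
# Usage: stage_redis_rules <port> <proto> <patched-host>...
stage_redis_rules() {
    port=$1; proto=$2; shift 2
    for host in "$@"; do
        ufw_cmd insert 1 allow from "$host" to any port "$port" proto "$proto"
    done
    ufw_cmd delete allow from 192.168.0.0/16 to any port "$port" proto "$proto"
    ufw_cmd delete allow from 10.0.0.0/8 to any port "$port" proto "$proto"
}

# Check a captured 'ufw status' listing for an ALLOW rule matching a port
# and source. Returns 0 when the rule is present, 1 otherwise.
# Usage: status_has_allow "<status text>" <port> <source>
status_has_allow() {
    printf '%s\n' "$1" | awk -v port="$2" -v src="$3" \
        '$1 == port && $2 == "ALLOW" && $3 == src { found = 1 } END { exit !found }'
}

# Constructed sample of 'ufw status' output as it would look after stage 1,
# before the broad allows have been deleted.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
6379/tcp                   ALLOW       10.0.5.21
6379/tcp                   ALLOW       10.0.5.22
6379/tcp                   ALLOW       192.168.0.0/16
6379/tcp                   ALLOW       10.0.0.0/8'

stage_redis_rules 6379 tcp 10.0.5.21 10.0.5.22
if status_has_allow "$SAMPLE_STATUS" 6379/tcp 10.0.5.21; then
    echo "verified: patched host 10.0.5.21 is allowed"
fi
```

On a live host, capture the listing with `ufw status` (or `ufw status numbered`, which also shows the position each inserted rule landed in) and pass it to status_has_allow between the two stages; only proceed to the deletes once every patched host is confirmed present.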

Digging Into UFW Rule Syntax

Basic UFW allow/deny policies have several optional parameters for finer control over traffic. For example, to secure SSH access to office subnets:

ufw allow proto tcp from 203.0.113.0/24 to any port 22

Breaking this down:

  • proto tcp – Match only TCP traffic (default allows both TCP + UDP)
  • from 203.0.113.0/24 – Permit traffic originating from defined subnet range only
  • to any – Allow inbound to all destination addresses/ports on host
  • port 22 – Limit to target destination port 22 for SSH

We can further constrain source ports with from any port 32768:65535 to accept only connections originating from the ephemeral client port range.

Inserting Rules at Specific Positions

By default UFW appends allow/deny rules to the end of the rule list. Because rules are evaluated in order, a new policy appended after an outdated rule that matches the same traffic only takes effect after the outdated one.

Instead, UFW allows inserting rules at priority positions with ufw insert:

ufw insert 1 allow from 10.0.0.0/24 to any port 3306

This permits MySQL access from private IPs first before any public rules. Position 1 means evaluate this rule before all others.

Later allowing public SQL access opens no security gap:

ufw allow from any to any port 3306

The private network rule already took precedence in slot 1 when added.

Tuning Rule Policy with Limit and Reject

So far we demonstrated binary allow/deny policies. Two other UFW actions provide more nuanced control:

Limit – Restrict number of parallel connections from a source. For example allowing only 3 SSH logins per IP:

ufw limit OpenSSH

Reject – Block traffic but send an ICMP unreachable error to clients. Limits leakage about open ports by not ignoring probes.

For example, rejecting upstream HTTP traffic reveals no listening web services:

ufw reject out 80
ufw reject out 443

Ads, tracking and scanners hitting these ports see connection closed messages. Unlike DROP this gives no hint that HTTP/S is allowed inbound.

Persisting Rules to Disk

UFW itself stores no firewall state externally. But the ufw enable command called when activating rules sets up automatic persistence.

The key steps ufw enable takes:

  1. Push active in-memory rules into iptables
  2. Enable iptables-persistent service to start on boot
  3. Run iptables-save dumping active rules to /etc/iptables

So that first enable bootstraps persistence for the running firewall policies. Any equiva

Comparison to firewalld and iptables

UFW aims for simplicity on top of iptables filter tables. Two other major Linux firewall options take different approaches:

firewalld – Dynamic firewall manager that can load zone rules without restarting the service. Requires custom app integration.

iptables – Direct manipulation of netfilter filter/NAT tables. Maximum flexibility and complexity.

Comparing key capabilities across them:

Feature UFW firewalld iptables
Simple default policies
Human readable rules Partial
Isolated app zones Manual
Live rule updates
NAT policies
Familiar chains/hooks

UFW focuses purely on stateful filter policies. firewalld improves the dynamic behavior and app integration awareness lacking in UFW.

And iptables allows extension of rich netfilter capabilities at expense of approachability.

Choosing amongst them depends on the use case tradeoffs between accessibility, flexibility and performance.

Security Industry Best Practices

Beyond basic allow/deny rules, enterprise firewall best practices recommend:

  • Set default deny ingress policies
  • Allow only minimum necessary outbound connectivity
  • Restrict rules to known source IPs (or MAC addresses) when possible
  • Log forwarded traffic for incident investigation
  • Rate limit connections per client to mitigate DDoS
  • Regularly audit rules against vulnerabilities
  • Mask open ports by responding with reset packets

Adopting these can significantly harden hosts vs basic permit rules. But care should be taken when applying restrictions, as policies that are too strict risk breaking essential services.

Testing bans with short timeouts before permanent blocking gives a buffer to fix unexpected denials.
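The default-deny baseline from the list above, together with the short-timeout ban idea, as an added example (not code from the original article). apply_baseline sets deny defaults in both directions, allows only the named egress ports, rate-limits SSH from a management subnet and turns logging on; deny_for is a hypothetical helper, not a ufw feature, that inserts a deny and schedules its removal so a mistaken block reverts on its own. Defaults to a dry run printing the ufw commands; DRY_RUN=0 applies them as root. The subnet, source address and port list are constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: a default-deny baseline
# plus a time-limited deny that removes itself. DRY_RUN=1 (default) prints the
# ufw commands; DRY_RUN=0 runs them (requires root). All addresses, subnets and
# port specs used below are constructed.
set -eu

DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode; otherwise execute the real ufw binary.
ufw_cmd() {
    if [ "$DRY_RUN" = 1 ]; then echo "ufw $*"; else ufw "$@"; fi
}

# Baseline: deny everything inbound and outbound by default, allow only the
# listed egress ports, rate-limit SSH from the management subnet, log matches.
# Usage: apply_baseline <management-subnet> <port/proto>...
apply_baseline() {
    mgmt=$1; shift
    ufw_cmd default deny incoming
    ufw_cmd default deny outgoing
    for spec in "$@"; do                      # spec looks like 53/udp or 443/tcp
        ufw_cmd allow out to any port "${spec%/*}" proto "${spec#*/}"
    done
    ufw_cmd limit from "$mgmt" to any port 22 proto tcp
    ufw_cmd logging on
}

# Hypothetical helper (not part of ufw): deny a source at the top of the list
# for a limited number of seconds, then delete the rule again. In dry-run mode
# the timer is skipped and the planned removal is printed instead.
# Usage: deny_for <seconds> <source>
deny_for() {
    secs=$1; src=$2
    ufw_cmd insert 1 deny from "$src"
    if [ "$DRY_RUN" = 1 ]; then
        echo "# after ${secs}s: ufw delete deny from $src"
    else
        ( sleep "$secs" && ufw delete deny from "$src" ) &
    fi
}

apply_baseline 10.0.0.0/24 53/udp 443/tcp
deny_for 300 198.51.100.7
```

Review the printed plan first; the "default deny outgoing" line in particular will cut off package updates and DNS unless the egress list covers them, which is exactly the kind of over-strict policy the section warns about. The background timer in deny_for dies with the shell that started it, so for anything longer than a test window a cron or systemd timer is the more robust place to schedule the removal.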

Conclusion

UFW provides a simplified interface to the robust capabilities of iptables and netfilter. While marketed as uncomplicated, mastering UFW management requires understanding default policies, rule persistence, safe editing procedures and advanced rule options.

Combining UFW's ease of use with enterprise-level best practices around logging, auditing and strict default postures can raise Linux firewalling to the next level. Relying purely on UFW defaults leaves data vulnerable to lax allow rules.

Learning to leverage UFW as a powerful system hardening tool is a key skill for administering secure Linux infrastructure.
