UFW Configurations


Uncomplicated FireWall Configurations and Commands

Scope: I had to learn a bit about firewalls when it came to port forwarding for my Plex server. Luckily for me, I had a beautiful GUI with my Asus router that made it super easy to use via a website. As I started to get more into the popular distributions of Linux I realized that most of them either shipped with GUFW or UFW that were not turned on by default. (G)raphical (U)ncomplicated (F)ire(W)all, where UFW is GUFW without the Graphical interface…kinda easy to remember that way. Anyway, the more I tried to do with apps and programs, the more I realized that I had to keep changing these settings in GUFW. The real beef came to play when I built an RPI and had to start enabling ports without using an interface. Like my friend Jon said, “Use the command line as much as possible and Linux will be a much better experience”.

Get started by installing UFW if you don't have it. I'm using Manjaro, so pacman is my “apt”.

sudo pacman -S ufw

You can check the status, which should be inactive by default:

sudo ufw status

You should see:

[andrewdelorey@andrew-pc ~]$ sudo ufw status
Status: inactive

We want to enable the service and start it… but if this is a remote machine, you want SSH to remain open, because UFW denies incoming connections by default once it is active. I set that rule first:

sudo ufw allow ssh

That will give you:

[andrewdelorey@andrew-pc ~]$ sudo ufw allow ssh
Rules updated
Rules updated (v6)

Now start and enable the service:

sudo systemctl start ufw && sudo systemctl enable ufw

On my system, this didn't actually start the firewall; I had to type

sudo ufw enable

Then it started with the feedback:

[andrewdelorey@andrew-pc ~]$ sudo ufw enable
Firewall is active and enabled on system startup

Type

sudo ufw status

and you should see:

[andrewdelorey@andrew-pc ~]$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
22 (v6)                    ALLOW       Anywhere (v6)             

From what I understand, you should only allow the traffic you actually expect to reach your machine, and limit the protocols as well. Where I am at, I will never use IPv6 or UDP for my SSH connection. If you are on a remote machine, let's list our firewall rules and determine which ones we do not need. You have to do this before disabling UFW, as it will not list the rules once it is disabled:

sudo ufw status numbered

Then let's look at our numbered list of rules:

[andrewdelorey@andrew-pc ~]$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         DENY IN     Anywhere                  
[ 2] 22 (v6)                    DENY IN     Anywhere (v6)             

As you can see, there are two rules, each with its own number.

Note: Always delete the highest-numbered rule first.

I accidentally found out that when you delete a rule, it renumbers any rule that is higher than the rule you deleted. For example, if I delete rule 1 first, rule 2 now becomes rule 1. Seems pretty simple until you have 15-20 rules, then it gets eight shades of crazy.
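As an added example (not from the original post), here is a small POSIX shell helper that reads the output of `sudo ufw status numbered`, picks out the rules matching a pattern, and prints their numbers highest first, so deleting in that order never shifts a number you still intend to delete. The sample status output is constructed (including a hypothetical Plex rule on 32400) so the script runs without ufw installed; it only prints the delete commands and never executes them.

```shell
#!/bin/sh
# Constructed sample of `sudo ufw status numbered` output (not captured from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 3] 32400/tcp                  ALLOW IN    Anywhere
[ 4] 32400/tcp (v6)             ALLOW IN    Anywhere (v6)'

# rule_numbers_matching PATTERN
# Reads "ufw status numbered" output on stdin and prints the number of every
# rule line matching the extended regex PATTERN, highest number first.
# Deleting in descending order means UFW's renumbering of the rules above a
# deleted one never touches a number we have not processed yet.
rule_numbers_matching() {
    grep -E '^\[ *[0-9]+\]' | grep -E -- "$1" \
      | sed -E 's/^\[ *([0-9]+)\].*/\1/' | sort -rn
}

# delete_commands PATTERN
# Emits one `sudo ufw delete N` line per matching rule, in safe order.
# Nothing is executed here: review the list first, then run the lines by hand
# (each one still asks the y|n question shown above) or pipe them into sh.
delete_commands() {
    rule_numbers_matching "$1" | sed 's/^/sudo ufw delete /'
}

# Example: every IPv6 rule in the constructed sample, highest number first.
printf '%s\n' "$SAMPLE_STATUS" | delete_commands '\(v6\)'
```

On a real host, replace the sample with `sudo ufw status numbered | delete_commands '\(v6\)'`.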

Moving on, let's disable the firewall, delete the rules, and start fresh:

sudo ufw disable

Then:

sudo ufw delete 2

You should see:

[andrewdelorey@andrew-pc ~]$ sudo ufw delete 2
Deleting:
 allow 22
Proceed with operation (y|n)? 

Type

y

Then hit Enter. You should see:

Rules updated (v6)

Now we delete rule 1, which is the IPv4 rule:

sudo ufw delete 1

And you should see:

Deleting:
 allow 22
Proceed with operation (y|n)? 

Type

y

Then hit Enter and there should be no rules left. We can't check this while the firewall is disabled, and if we enable it now with no allow rules, we might lose our connection. For my personal use, I only want SSH over IPv4 and TCP allowed through my firewall. Here is what that looks like:

sudo ufw allow ssh/tcp

That allows only TCP access on port 22, but the IPv6 rule is still added. Let's start UFW, then see which rule number is the IPv6 one:

sudo ufw enable

Then:

sudo ufw status numbered

And you should see this:

[andrewdelorey@andrew-pc ~]$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 22/tcp (v6)                ALLOW IN    Anywhere (v6)     

As you can see, the To column now shows 22/tcp where it previously showed only 22. The IPv6 rule is still there; you can delete it or change it to deny, that's up to you. Here I am going to delete it:

sudo ufw delete 2

Type y, then Enter, and let's do another check:

sudo ufw status numbered

Output:

[andrewdelorey@andrew-pc ~]$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  

Perfect! The machine now only accepts TCP on port 22 over IPv4. You can also restrict which source IP addresses are allowed, but that will be added later.