How to Install And Use A Linux Firewall

Secure your Ubuntu desktop with the UFW firewall

Linux is one of the most secure desktop and server platforms on the planet. Out of the box, you’ll find most Linux distributions far more secure than either Windows or macOS. In fact, for most desktop use-cases, the security offered in most Linux distributions will serve you well. That doesn’t mean, however, you should completely ignore the security of the operating system to which you’ve entrusted your data. In fact, it would behoove you to know how to work with a Linux firewall.

What Is A Firewall?

Simply put, a firewall is a subsystem on a computer that blocks certain network traffic from going into or out of your computer. Firewalls can be created to be very restrictive (allowing very little in and/or out) or very permissive (allowing quite a bit in and/or out). Firewalls come in two different types:

  • Hardware—physical devices that only serve the purpose of protecting your network (and the computers on your network).
  • Software—subsystems on individual computers that protect only the hosting machine. 

Most home networks depend upon a combination of the two. The hardware solution is generally the modem/router deployed by your ISP. Many times these devices are set up to be very restrictive. On the software end of things, your desktop computer makes use of a software firewall. One such firewall that can be installed and used on many Linux distributions (such as Ubuntu and its derivatives) is Uncomplicated Firewall (UFW). Uncomplicated Firewall is exactly what it sounds like. It's a simple tool that makes managing the blocking/allowing of network traffic fairly simple. UFW is a command-line only tool that does an outstanding job of helping to secure your Linux computer.

Installation of UFW

Screenshot of UFW status command.

On both Ubuntu and most Ubuntu derivatives, UFW is already installed. To find out if UFW is installed on your computer, open a terminal window and issue the command:

sudo ufw status

This command will (most likely) report that UFW is inactive. If you find UFW isn’t installed, issue the command:

sudo apt-get install ufw -y

Activating UFW

Screenshot of enabling the UFW firewall.

Because UFW is inactive by default, you’ll want to activate it. To do so, issue the command:

sudo ufw enable

Now when you check the status, it’ll show as active.

The Default Policy

Screenshot of the UFW configuration file.

Most users won’t have to worry too much about the default policy. However, it’s best to at least understand the basics of these policies.

A default policy is a set of rules that controls how to handle traffic that does not explicitly match any other rule. There are four default policies:

  • INPUT—traffic coming into the computer.
  • OUTPUT—traffic going out of the computer.
  • FORWARD—traffic that is forwarded from one destination to another.
  • APPLICATION POLICY—traffic that is defined by application (and not network port).

For most users, only the INPUT and OUTPUT policies will be of concern.

The default UFW policies are set in the file /etc/default/ufw. Issue the command:

sudo nano /etc/default/ufw

and look for these four lines:

  • DEFAULT_INPUT_POLICY="DROP"
  • DEFAULT_OUTPUT_POLICY="ACCEPT"
  • DEFAULT_FORWARD_POLICY="DROP"
  • DEFAULT_APPLICATION_POLICY="SKIP"

It's important to know that each of the above policies can be changed from its default, and that the set of permitted values differs slightly between them:

  • INPUT/OUTPUT/FORWARD can be set to ACCEPT, DROP, or REJECT
  • APPLICATION can be set to ACCEPT, DROP, REJECT, or SKIP

The differences between ACCEPT, DROP, and REJECT are:

  • ACCEPT—Allow traffic through the firewall.
  • REJECT—Do not allow traffic through the firewall and send an ICMP destination-unreachable message back to the sending source.
  • DROP—Prohibit a packet from passing through the firewall and send no response.

You can adjust the default policies to suit your needs. If you change the policies in the file, reload the UFW rules with the command:

sudo ufw reload 
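
A quick way to check the four policy lines after editing the file, as an added example that is not part of the original article. The function name audit_ufw_defaults and the sample file are constructed for illustration, and the script assumes the last uncommented assignment of each key is the effective one.

```bash
#!/usr/bin/env bash
# Added example: audit the four DEFAULT_*_POLICY lines of a UFW defaults file.
# audit_ufw_defaults is a hypothetical helper name, not a ufw command.

audit_ufw_defaults() {
    local file="${1:-/etc/default/ufw}"
    local key value allowed valid rc=0
    for key in INPUT OUTPUT FORWARD APPLICATION; do
        # Assumption: the last uncommented assignment of a key is the effective one.
        value=$(grep -E "^DEFAULT_${key}_POLICY=" "$file" | tail -n 1 |
                cut -d= -f2 | tr -d '"[:space:]')
        # SKIP is only a valid value for the application policy.
        case "$key" in
            APPLICATION) allowed=" ACCEPT DROP REJECT SKIP " ;;
            *)           allowed=" ACCEPT DROP REJECT " ;;
        esac
        case "$allowed" in *" $value "*) valid=1 ;; *) valid=0 ;; esac
        if [ -z "$value" ]; then
            echo "MISSING DEFAULT_${key}_POLICY"; rc=1
        elif [ "$valid" -eq 0 ]; then
            echo "INVALID DEFAULT_${key}_POLICY=$value"; rc=1
        elif [ "$value" = ACCEPT ] && { [ "$key" = INPUT ] || [ "$key" = FORWARD ]; }; then
            # Inbound or forwarded traffic that matches no rule would be let through.
            echo "WEAK    DEFAULT_${key}_POLICY=$value"; rc=1
        else
            echo "OK      DEFAULT_${key}_POLICY=$value"
        fi
    done
    return "$rc"
}

# Constructed sample (not a real system file): INPUT loosened to ACCEPT.
sample=$(mktemp)
printf '%s\n' 'DEFAULT_INPUT_POLICY="ACCEPT"' 'DEFAULT_OUTPUT_POLICY="ACCEPT"' \
    'DEFAULT_FORWARD_POLICY="DROP"' 'DEFAULT_APPLICATION_POLICY="SKIP"' > "$sample"
audit_ufw_defaults "$sample" || echo "Review the default policies flagged above."
rm -f "$sample"
```

Run it with no argument to check /etc/default/ufw itself; a non-zero exit status means at least one line is missing, invalid, or set to ACCEPT for incoming or forwarded traffic.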

Allowing Incoming Traffic

Screenshot of allowing SSH traffic in.

Since you probably won’t need to alter the default outgoing traffic policy, let’s focus on allowing incoming traffic. Say, for example, you want to be able to secure shell into your desktop (using the ssh command) from another machine. For this, you’d need to instruct UFW to allow incoming traffic on the standard SSH port (port 22). The command for this would be:

sudo ufw allow ssh

The above command would allow any machine on your network (or even beyond your network, if your router is configured to allow external traffic in) to access your computer, via port 22.

Screenshot of allowing SSH traffic from a specific IP address.

That’s all fine and good, unless you only want to allow specific computers on your network in. Say, for example, you want to allow only one computer in—a computer with the IP address of 192.168.1.162. For this, the command would be:

sudo ufw allow from 192.168.1.162 to any port 22

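The allow from statement tells UFW that what follows is the address to allow traffic from. The to any port statement tells UFW to allow traffic to the port specified. In the example above, the only computer on your network that would be allowed to secure shell into your computer would be the one at IP address 192.168.1.162. That holds only if the broader allow ssh rule from the previous step is no longer in place: UFW applies the first rule that matches, so a remaining allow ssh rule would still let every other machine in.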

You can also deny traffic on a specified network interface. Say, for example, your machine has two network interfaces:

  • INTERNAL—using network interface ens5 with IP address scheme 192.168.1.x.
  • EXTERNAL—using network interface enp0s3 with IP address scheme 172.217.1.x

What if you want to leave the rule allowing incoming ssh traffic from 192.168.1.162, but deny all incoming ssh traffic on the external interface? For this, the command would be:

sudo ufw deny in on enp0s3 to any port ssh

Issue the command:

sudo ufw status

to see that ssh traffic from 192.168.1.162 is still allowed, whereas ssh traffic arriving on the external interface is denied.
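
UFW checks rules in the order they are numbered and applies the first one that matches, so the order in which the commands above were entered matters. The following added example (not from the original article; the helper name ufw_rule_order and the sample listing are constructed) reads ufw status numbered output and reports which rules are open to any source and which later rules they override.

```bash
#!/usr/bin/env bash
# Added example: spot rules that an earlier, broader "allow" makes irrelevant.
# ufw_rule_order is a hypothetical helper name, not a ufw command.
# Real use: sudo ufw status numbered | ufw_rule_order 22

ufw_rule_order() {
    # $1 = port number; reads `ufw status numbered` output on stdin.
    # OPEN n     = rule n allows the port from Anywhere on every interface.
    # SHADOWED n = rule n comes after an OPEN rule of the same IP family, so it
    #              never decides a connection the OPEN rule already accepted.
    # Allows scoped to one interface ("... on ens5") are not counted as OPEN.
    sed -n 's/^\[ *\([0-9][0-9]*\)] */\1 /p' |
    awk -v port="$1" '
        $2 !~ ("^" port "(/(tcp|udp))?$") { next }   # rule is for another port
        { fam = ($0 ~ /\(v6\)/) ? "v6" : "v4" }
        seen[fam] { print "SHADOWED " $1; next }
        / ALLOW( IN)? +Anywhere/ && $0 !~ / on / { seen[fam] = 1; print "OPEN " $1 }'
}

# Constructed sample modelled on the layout of `ufw status numbered` after the
# three commands above were entered in order (not captured from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 22                         ALLOW IN    192.168.1.162
[ 3] 22/tcp on enp0s3           DENY IN     Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 22/tcp (v6) on enp0s3      DENY IN     Anywhere (v6)'

printf '%s\n' "$SAMPLE_STATUS" | ufw_rule_order 22
```

Deleting the OPEN rules by number, as shown in the next section, lets the narrower rules take effect. UFW renumbers the remaining rules after each deletion, so list them again before deleting the next one.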

Deleting Rules

Screenshot of listing UFW rules by number.

If you find you’ve created rules that are causing issues with computers connecting to your machine, it’s possible to delete the rules you’ve created. The first thing you want to do is have UFW list your rules by number. To do this, issue the command:

sudo ufw status numbered

Say you want to delete rule number 1. To do this, issue the command:

sudo ufw delete 1

You will be prompted to verify the deletion of the rule. Type y and use Enter/Return on your keyboard to confirm. Issue the command:

sudo ufw status

to see that the rule has been deleted.