Skip to content

Firewall setup⚓︎

How to setup the UFW Ubuntu Firewall Configure after installing your application?

Ufw (uncomplicated firewall)⚓︎

list of ports

sudo ufw status
You should see this message, if you have it installed. We will activate it later on in the process.
Status: inactive
if it's not installed, use the following to install it
apt install ufw

check ports in use⚓︎

check ports used
sudo ss -tunlp

-t TCP ports

-u UDP ports

-n numerical addresses instead of hosts

-l listening ports

-p PID and name of listener's process

This list will show you which ports are being used. Seeing port 80 & 443 are common. In the case of Ditto, it also uses port 53, but only locally, so it doesn't need access from the outside.

source: check listening ports

setup your firewall⚓︎

sudo ufw default deny incoming
message from terminal
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
let your server access the internet
sudo ufw default allow outgoing
message from terminal
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)
allow your custom port to log in to your server
sudo ufw allow 2140/tcp
allow http
sudo ufw allow 80/tcp
allow https & ssl certificate
sudo ufw allow 443/tcp
allow port server uses, only locally
sudo ufw allow from 127.0.0.1 to any port 53
allow port for database, or choose your own, this only needs to run locally
sudo ufw allow from 127.0.0.1 to any port 5432
allow port for ditto, or choose your own
sudo ufw allow from 127.0.0.1 to any port 4036

enable ufw⚓︎

So far, the ufw has been disabled. As long as the port you use to access the server is allowed, you should be ok to log back in.

However, you can test if you can log in by opening a separate terminal window, without closing the one you are in.

Once you are sure of your settings: 

sudo ufw enable
message from terminal
Command may disrupt existing ssh connections. Proceed with operation (y|n)

y
message from terminal
Firewall is active and enabled on system startup
check if it's running
systemctl status ufw

it should be green and active
 ufw.service - Uncomplicated firewall
     Loaded: loaded (/.../ufw.service; enabled; vendor preset: e>
     Active: active 
     ...
Close with Ctrl + C

deeper dive on configuring firewall rules with UFW

configured ports list⚓︎

This command will list all the ports you have configured and where they are allow. Review it to make sure you have all the ones liste above. 

sudo ufw status

To                         Action      From
--                         ------      ----
4036                       ALLOW       127.0.0.1                 
5432                       ALLOW       127.0.0.1                 
53                         ALLOW       127.0.0.1                 
443/tcp                    ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
2140/tcp                     ALLOW       Anywhere                  
443/tcp (v6)               ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
2140/tcp (v6)                ALLOW       Anywhere (v6)

to delete a rule⚓︎

This command will display your list of ports, with a number next to it. You can use that number to delete specific items. If you are deleting more than one port, beware that you should run this command after deleting, as the numbers will change and shift upward. 

sudo ufw status numbered

     To                         Action      From
     --                         ------      ----
[ 1] 111                         ALLOW IN    Anywhere                  
[ 2] 53                         DENY IN     Anywhere                  
[ 3] 4036                       ALLOW IN    127.0.0.1                 
[ 4] 5432                       ALLOW IN    127.0.0.1                 
...

sudo ufw delete 111

     To                         Action      From
     --                         ------      ----

[ 1] 53                         DENY IN     Anywhere                  
[ 2] 4036                       ALLOW IN    127.0.0.1                 
[ 3] 5432                       ALLOW IN    127.0.0.1                 
...