Configuring a basic firewall under Ubuntu 14.04

Under any operating system, a firewall provides a basic level of security for a server. It is responsible for denying traffic to your server, with exceptions only for the ports and services you have approved.

Ubuntu 14.04 ships with a tool called Uncomplicated Firewall, also known as UFW. ufw is a front end to iptables that simplifies the procedure for configuring your firewall.

This article provides the steps necessary to set up a firewall with UFW.

UFW is installed by default under Ubuntu 14.04. If for some reason it has been uninstalled, you can simply reinstall it with apt-get:

% sudo apt-get install ufw

Firewall status

By default UFW is disabled so you should see something like the following:

% sudo ufw status verbose
Status: inactive

If UFW is active, the output will list all rules that have been set.

Default policies

By default UFW is set to deny all incoming connections and allow all outgoing connections. If you have already set certain rules and wish to return to the defaults, simply execute the following commands:

% sudo ufw default deny incoming
% sudo ufw default allow outgoing

Configuring a basic firewall

Before we enable or reload our firewall, we will create the rules that define the exceptions to our policy. First, we need to create an exception for SSH connections so that we can maintain access for remote administration.

Allowing ssh

The SSH daemon runs on port 22 by default, and ufw can add a rule by service name if the default has not been changed. So if you have not modified the SSH port, you can enable the exception by typing:

% sudo ufw allow ssh

If you have modified the port that the SSH daemon is listening on, you must specify the new port number, for example if you use port 9999:

% sudo ufw allow 9999/tcp

This is the bare minimum firewall configuration. It will only allow traffic on your SSH port and all other services will be inaccessible. If you plan on running additional services, you will need to open the firewall at each port required.

Access for a web server

If you plan on running a conventional HTTP web server, you will need to allow access to port 80:

% sudo ufw allow http

If you plan to run a web server with SSL/TLS enabled, you should allow traffic to that port as well:

% sudo ufw allow https

Allowing mail services

To allow your server to accept SMTP connections, port 25 will need to be opened:

% sudo ufw allow 25

To allow IMAP and IMAPS, ports 143 and 993 are needed:

% sudo ufw allow 143
% sudo ufw allow 993

If POP3/POP3S connections are required, then ports 110 and 995 need to be opened:

% sudo ufw allow 110
% sudo ufw allow 995

FTP services

Plain unencrypted FTP sessions require port 21, so to enable them we'll add the rule:

% sudo ufw allow ftp

Transmission

Transmission is a fast, easy, and free multi-platform BitTorrent client. Transmission sets initial preferences so things "just work", but certain ports need to be opened:

% sudo ufw allow 6969
% sudo ufw allow 9091
% sudo ufw allow 51413

Enabling firewall

To activate your firewall, simply enable ufw using the following command:

% sudo ufw enable

NOTE: You will be asked to confirm your selection, so type "y" if you wish to continue. This will apply the exceptions you made, block all other traffic, and configure your firewall to start automatically at boot.

Remember that you will have to explicitly open the ports for any additional services that you may configure later.
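The steps above form one ordered procedure: set the default policies, add the SSH exception, add any other service rules, and only then enable the firewall. The following POSIX shell script is an added example, not part of the original article, that builds that command sequence for you and refuses to emit "ufw enable" if any rule is malformed, so a typo cannot leave you with an enabled firewall and no SSH exception. The function names (valid_rule, ufw_plan, ufw_apply) and the short service-name allowlist are assumptions made for this example; the ufw commands themselves are the ones the article uses.

```shell
#!/bin/sh
# Added example (not from the original article): generate the ufw command
# sequence in the order the article applies it, validating every rule first.

# valid_rule RULE
# Returns 0 when RULE is a service name from a small constructed allowlist
# (the names the article uses) or a port in 1-65535 with an optional
# /tcp or /udp suffix; returns 1 otherwise.
valid_rule() {
    case "$1" in
        ssh|http|https|ftp) return 0 ;;
    esac
    port=${1%%/*}
    proto=${1#"$port"}
    case "$proto" in
        ""|/tcp|/udp) ;;
        *) return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# ufw_plan SSH_PORT [RULE...]
# Prints one ufw command per line: defaults first, then the SSH exception,
# then the extra rules, then "ufw enable". Validation happens before any
# output, so on failure nothing is printed and the exit status is 1.
ufw_plan() {
    ssh_rule=$1
    shift
    if [ "$ssh_rule" = "22" ] || [ "$ssh_rule" = "ssh" ]; then
        ssh_rule=ssh
    else
        # A custom SSH port is always TCP, as in the article's 9999/tcp rule.
        ssh_rule="${ssh_rule%%/*}/tcp"
    fi
    for r in "$ssh_rule" "$@"; do
        valid_rule "$r" || { echo "invalid rule: $r" >&2; return 1; }
    done
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw allow $ssh_rule"
    for r in "$@"; do
        echo "ufw allow $r"
    done
    echo "ufw enable"
}

# ufw_apply SSH_PORT [RULE...]
# Runs the planned commands with sudo. Because ufw_plan validates before
# printing, a bad rule aborts here before any command is executed.
ufw_apply() {
    plan=$(ufw_plan "$@") || return 1
    printf '%s\n' "$plan" | while read -r cmd; do
        sudo $cmd || exit 1
    done
}

# Typical use, mirroring the article's web server on a custom SSH port:
#   ufw_plan 9999 http https      # review the sequence first
#   ufw_apply 9999 http https     # then apply it
```

A bare port number such as 25 opens both TCP and UDP, which is what the article's mail rules do; appending /tcp, as the article does for the custom SSH port, narrows the rule to the protocol the service actually uses. Run ufw_plan first and read the output before calling ufw_apply, since "ufw enable" still prompts for confirmation as described above.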