Securing your Debian server doesn't have to be complicated... at least, not with Uncomplicated Firewall (UFW), that is.
In this article, we'll explore what UFW is, how it works with iptables/nftables, and walk you through setting it up on your Debian system. Let's dive in.
Understanding UFW
Originally developed for Ubuntu, Uncomplicated Firewall (UFW) is designed to make configuring network traffic filtering more accessible.
Under the hood, UFW translates your commands into iptables or nftables rules, which are integral parts of the Linux kernel responsible for packet filtering and network traffic management. These tools are powerful but can be complex to configure directly. UFW simplifies this process, allowing you to implement firewall rules with straightforward commands.
For example, to allow SSH connections with nftables directly, you could run:
sudo nft add rule inet filter input tcp dport 22 ct state new,established accept
But that same command on UFW is just:
sudo ufw allow ssh
Big difference, huh?
- iptables: A traditional firewall framework that filters packets and manages network traffic.
- nftables: A modern replacement for iptables, offering improved performance and a more unified approach to packet filtering.
Starting from Debian 10 (Buster), nftables is the default backend. UFW ensures compatibility by automatically translating its commands into the appropriate iptables or nftables rules based on your system's configuration (it works flawlessly with either).
Prerequisites
Before we begin, make sure you have the following:
- A Debian-based system (we recommend Debian 12; Ubuntu also works, though UFW is installed there by default)
- A user account with sudo privileges
Installing UFW on Debian
First, update your system's package list:
sudo apt update
Then, install UFW:
sudo apt install ufw
Basic UFW commands
Here are some basic UFW commands that you'll find useful:
- Enable UFW:
sudo ufw enable
- Disable UFW:
sudo ufw disable
- Check UFW status:
sudo ufw status
or
sudo ufw status verbose
- Allow connection:
sudo ufw allow [port/service]
- Deny connection:
sudo ufw deny [port/service]
- Delete rule:
sudo ufw delete [allow/deny] [port/service]
Configuring UFW
Setting default policies
It's a good practice to start by setting your firewall to deny all incoming connections and allow all outgoing connections.
This ensures that only traffic you explicitly allow can reach your server.
sudo ufw default deny incoming
sudo ufw default allow outgoing
This configuration blocks all unsolicited incoming traffic while allowing your server to initiate outgoing connections.
Allowing SSH connections
To prevent yourself from being locked out of your server, it's important to allow SSH connections, which you can do with the same command as mentioned above:
sudo ufw allow ssh
If your SSH service is running on a non-standard port (e.g., 2222), specify it like this:
sudo ufw allow 2222
Allowing specific ports
If you're running services like a web server, you'll need to allow HTTP and HTTPS traffic:
sudo ufw allow 80 # HTTP
sudo ufw allow 443 # HTTPS
Enabling UFW
After configuring your rules, you can enable UFW:
sudo ufw enable
You'll receive a warning that enabling the firewall might disrupt existing SSH connections. Since we've already allowed SSH, it's safe to proceed. Type 'y' and press Enter.
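The order of the steps above matters on a remote server: the SSH rule has to exist before the firewall is enabled, and it has to match the port sshd actually listens on. The following is an added example, not part of the original article, that reads the port from an sshd_config file and prints the commands in a lockout-safe order; the helper names ssh_ports and ufw_plan and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): print the baseline above in a
# lockout-safe order. ssh_ports and ufw_plan are hypothetical helper names.

# Print every port set by a "Port" directive in the given sshd_config, or 22
# (the OpenSSH default) when none is set. Included files are not followed; on
# a live host `sshd -T` (run as root) reports the effective ports instead.
ssh_ports() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; n++ }
         END { if (!n) print 22 }' "$1"
}

# Print the ufw commands in the order they should run: default policies,
# the SSH rule(s), any extra ports, and "enable" last of all.
# $1 is the sshd_config path; remaining arguments are extra ports to allow.
ufw_plan() {
    cfg=$1; shift
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for p in $(ssh_ports "$cfg"); do
        echo "ufw allow $p/tcp"
    done
    for p in "$@"; do
        echo "ufw allow $p"
    done
    # --force skips the interactive y/n confirmation.
    echo "ufw --force enable"
}

# Constructed sample sshd_config (SSH moved to port 2222, as in the text).
sample=$(mktemp)
printf '%s\n' '#Port 22' 'Port 2222' 'PermitRootLogin no' > "$sample"
ufw_plan "$sample" 80 443
rm -f "$sample"
```

Review the printed plan first, then pipe it to `sudo sh` on the server to apply it.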
Advanced UFW configuration
Application profiles
UFW includes profiles for common applications, making it even easier to manage firewall rules based on application names.
List available profiles:
sudo ufw app list
Allow an application by name, for example:
sudo ufw allow 'Deluge'
This command allows traffic for Deluge.
IPv6 support
If your server uses IPv6, ensure that UFW is configured to handle IPv6 traffic.
Edit the UFW configuration file:
sudo nano /etc/default/ufw
Set the following line:
IPV6=yes
Save and close the file, then reload UFW:
sudo ufw reload
Checking UFW status and rules
To view the current status and active rules, use:
sudo ufw status verbose
This command provides detailed information about your firewall configuration.
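The verbose status output can also be checked automatically. The following is an added example, not part of the original article, that reads `ufw status verbose` output and reports an inactive firewall, a permissive default incoming policy, or a missing SSH rule for IPv4 or IPv6 (the latter typically means IPV6=yes was not set when the rule was added). The helper name ufw_audit and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit `ufw status verbose` output
# read from stdin. ufw_audit is a hypothetical helper; $1 is the SSH port.
# Rules added by application profile name are listed by that name and are not
# matched here.
# On a live host: sudo ufw status verbose | ufw_audit 22
ufw_audit() {
    awk -v port="$1" '
        function say(msg) { print msg; n++ }
        /^Status:/  { active = ($2 == "active") }
        /^Default:/ { deny_in = ($2 == "deny" || $2 == "reject") }
        # Rule rows look like: 22/tcp  ALLOW IN  Anywhere
        # IPv6 rows carry a "(v6)" marker.
        ($1 == (port "/tcp") || $1 == port) && /ALLOW|LIMIT/ {
            if ($0 ~ /\(v6\)/) ssh6 = 1
            else ssh4 = 1
        }
        END {
            if (!active)  say("FAIL firewall is not active")
            if (!deny_in) say("FAIL default incoming policy is not deny or reject")
            if (!ssh4)    say("WARN no IPv4 allow rule for SSH port " port)
            if (!ssh6)    say("WARN no IPv6 allow rule for SSH port " port)
            if (!n)       print "OK"
        }'
}

# Constructed sample output (not captured from a real host): the SSH rule
# exists for IPv4 only, so the audit reports the missing IPv6 rule.
ufw_audit 22 <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
EOF
```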
Disabling or resetting UFW
To temporarily disable UFW:
sudo ufw disable
To reset UFW to its default state, deleting all custom rules:
sudo ufw reset
Conclusion
With this article, you've learned how to set up a basic firewall that you can customize further to meet the specific needs of your environment.
It's safe to say UFW is an excellent choice for securing Debian-based systems in various scenarios, from personal servers to production environments.
It allows anyone to set up and configure a firewall with little to no complexity.
Why not give it a shot? Worst-case scenario, if you hate it, you can give nftables or iptables a go.
Note: For a full comparison of the best Linux firewalls, give this article here a read.
Frequently asked questions (FAQs)
- Is UFW suitable for production servers?
Yes, UFW is suitable for both development and production environments. It simplifies firewall management without sacrificing control or security.
- How do I remove a rule in UFW?
Use the delete command followed by the rule. For example:
sudo ufw delete allow 22
- Can I use UFW with other firewall tools?
It's recommended to use one firewall management tool at a time to avoid conflicts. If you prefer another tool (outside of nftables), disable UFW before proceeding.