UFW (Uncomplicated Firewall) is a tool designed to simplify the management of a firewall on Unix and Linux systems. Its main goal is to make firewall administration accessible to users without networking and firewall experience.
UFW is a simplified user interface for iptables, which is the underlying firewall tool in most Linux distributions.
Unlike iptables, which can be complicated to configure due to its extensive syntax, UFW provides a simpler command-line interface.
Features of UFW:
- Simple Interface: Designed to be easy to use, providing simple commands for firewall configuration.
- IP-Based Rules: Allows configuring rules to allow or block traffic based on IP, ports, and protocols.
- Event Logging: Can log events to monitor firewall activity.
Installing UFW on Raspberry Pi
UFW is available in the default Raspbian repositories, so its installation is quite straightforward. Let’s go through the steps to install and enable UFW on your Raspberry Pi.
First, make sure your system’s package list is updated:
    sudo apt update
Now we install UFW using the following command:
    sudo apt install ufw
Once installed, you can enable UFW with the following command:
    sudo ufw enable
This command will activate the firewall with the default configuration, which is to block all incoming traffic and allow all outgoing traffic.
Basic UFW Configuration
After enabling UFW, the next step is to configure the firewall rules. UFW allows you to add rules to allow or deny traffic based on different criteria.
Some of the most common commands are:
| Command | Description |
|---|---|
| `sudo ufw enable` | Enables UFW and activates it on boot. |
| `sudo ufw disable` | Disables UFW. |
| `sudo ufw status` | Shows the current status of the firewall. |
| `sudo ufw allow <port>` | Allows incoming traffic on a specific port. |
| `sudo ufw deny <port>` | Denies incoming traffic on a specific port. |
| `sudo ufw reset` | Resets all UFW rules to their default values. |
Let’s look at some common configuration examples.
Be careful when experimenting with UFW rules: a wrong rule can cut off your remote connection to the Raspberry Pi, and you will have to connect physically with a keyboard and mouse.
Allow SSH Access
To ensure you can access your Raspberry Pi via SSH, you need to allow traffic on port 22. You can do this with the following command:
    sudo ufw allow ssh
You can also specify the port explicitly if you prefer:
    sudo ufw allow 22/tcp
To allow all outgoing traffic (not recommended):
    sudo ufw default allow outgoing
Block Traffic on a Specific Port
To block traffic on a port, you can use the following command. For example, to block port 23 (Telnet):
    sudo ufw deny 23/tcp
To deny all incoming traffic (not recommended):
    sudo ufw default deny incoming
Check UFW Status
To check the current rules and the overall status of UFW, use the command:
    sudo ufw status verbose
This command will display a detailed list of the configured rules and the firewall status.
Remove Rules
If you need to remove a specific rule, first check the active rules with:
    sudo ufw status numbered
Then, remove the corresponding rule using its number:
    sudo ufw delete <number>
Allow or Deny Traffic from a Specific IP
To allow traffic from a specific IP, use the following command. For example, to allow SSH access only from the IP 192.168.1.100:
    sudo ufw allow from 192.168.1.100 to any port 22
To allow traffic from a range of IPs, use:
    sudo ufw allow from 192.168.1.0/24 to any port 80
To allow traffic from a specific network:
    sudo ufw allow from 10.0.0.0/16 to any port 3306
The same applies to blocking, just replace allow with deny.
Monitoring and Logging
UFW also allows enabling event logging, which can be useful for monitoring access attempts and suspicious activity.
To enable logging, use the following command:
    sudo ufw logging on
You can review the logs in the file /var/log/ufw.log.
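The log review described above, as an added example that is not part of the original article: two shell functions that count [UFW BLOCK] entries per source and destination port, and list sources blocked on several distinct ports. The sample log lines are constructed, and the function names are assumptions made for this example.

```shell
# Constructed sample lines in the kernel-log format UFW writes to /var/log/ufw.log.
sample_ufw_log() {
cat <<'EOF'
Mar  3 10:15:01 raspberrypi kernel: [  101.100000] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.50 LEN=60 TTL=52 ID=1001 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 SYN URGP=0
Mar  3 10:15:02 raspberrypi kernel: [  102.100000] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.50 LEN=60 TTL=52 ID=1002 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 SYN URGP=0
Mar  3 10:15:03 raspberrypi kernel: [  103.100000] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.50 LEN=60 TTL=52 ID=1003 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 SYN URGP=0
Mar  3 10:15:04 raspberrypi kernel: [  104.100000] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.50 LEN=60 TTL=52 ID=1004 DF PROTO=TCP SPT=51237 DPT=3306 WINDOW=29200 SYN URGP=0
Mar  3 10:16:00 raspberrypi kernel: [  160.100000] [UFW ALLOW] IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=192.168.1.100 DST=192.168.1.50 LEN=60 TTL=64 ID=2001 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 SYN URGP=0
Mar  3 10:17:00 raspberrypi kernel: [  220.100000] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=198.51.100.20 DST=192.168.1.50 LEN=60 TTL=49 ID=3001 DF PROTO=TCP SPT=33000 DPT=23 WINDOW=1024 SYN URGP=0
Mar  3 10:17:05 raspberrypi kernel: [  225.100000] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=198.51.100.20 DST=192.168.1.50 LEN=84 TTL=49 ID=3002 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
EOF
}

# Print "count source proto/port" for every blocked pair, busiest first.
ufw_block_summary() {
    awk '
    /\[UFW BLOCK\]/ {
        src = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src == "") next
        if (dpt == "") dpt = "-"    # ICMP and similar carry no port
        count[src " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Print "source distinct_ports" for sources blocked on at least MIN distinct ports.
ufw_multiport_sources() {
    min=$1; shift
    awk -v min="$min" '
    /\[UFW BLOCK\]/ {
        src = dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] >= min) print s, ports[s] }
    ' "$@" | LC_ALL=C sort
}
# Demo on the constructed sample; on the Pi, pass /var/log/ufw.log as the file argument.
sample_ufw_log | ufw_block_summary
sample_ufw_log | ufw_multiport_sources 3
```

Both functions read standard input when no file is given, so they can also be fed from a pipeline over rotated logs.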
