
[HowTo] Set Up a Firewall with UFW on Ubuntu 18.04

Posted: Thu Sep 13, 2018 5:32 pm
by xorro
Install UFW

Uncomplicated Firewall should be installed by default in Ubuntu 18.04, but if it is not installed on your system, you can install the package by typing:

sudo apt install ufw

Check UFW Status

Once the installation is completed you can check the status of UFW with the following command:

sudo ufw status verbose

UFW is disabled by default; if you have just installed it, or have never activated it, the output will be:

Status: inactive

If UFW is active, the output looks similar to the following:

[Image: output of sudo ufw status verbose on a host where UFW is active]

UFW Default Policies

By default, UFW will block all of the incoming connections and allow all outbound connections. This means that anyone trying to access your server will not be able to connect unless you specifically open the port, while all applications and services running on your server will be able to access the outside world.

The default policies are defined in the /etc/default/ufw file (DEFAULT_INPUT_POLICY, DEFAULT_OUTPUT_POLICY and DEFAULT_FORWARD_POLICY) and can be changed with sudo ufw default <allow|deny|reject> <incoming|outgoing|routed>.

Firewall policies are the foundation for building more detailed and user-defined rules. In most cases the initial UFW Default Policies are a good starting point.

Application Profiles

Packages that ship a UFW profile (OpenSSH, Nginx, Postfix, Dovecot and so on) install a file into the /etc/ufw/applications.d directory that describes the service and the ports it uses. A profile is only a named set of ports: allowing it opens those ports and does nothing else.

You can list all application profiles available on your server by typing:

sudo ufw app list

Depending on the packages installed on your system, the output will look similar to the following:

Available applications:
  Dovecot IMAP
  Dovecot POP3
  Dovecot Secure IMAP
  Dovecot Secure POP3
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH
  Postfix
  Postfix SMTPS
  Postfix Submission

To see the ports a profile covers, use the following command:

sudo ufw app info 'Nginx Full'

Profile: Nginx Full
Title: Web Server (Nginx, HTTP + HTTPS)
Description: Small, but very powerful and efficient web server

Ports:
  80,443/tcp

As you can see from the output above, the 'Nginx Full' profile opens ports 80 and 443 (TCP only).

Allow SSH Connections

Before enabling UFW we need to add a rule that allows incoming SSH connections. If you are connecting to your server remotely, which is almost always the case, and you enable UFW before explicitly allowing incoming SSH, you will lock yourself out: the default incoming policy drops your next connection attempt.

To allow incoming SSH connections, type the following command (ssh is the service name from /etc/services, so this opens port 22/tcp):

sudo ufw allow ssh

Rules updated
Rules updated (v6)

If you changed the SSH port to a custom port instead of 22, you need to open that port instead. If, for example, your SSH daemon listens on port 4422, allow connections on that port with the following command (specify /tcp: without a protocol, UFW opens the port for both TCP and UDP):

sudo ufw allow 4422/tcp

Enable UFW

Now that your UFW firewall is configured to allow incoming SSH connections, we can enable it by typing:

sudo ufw enable

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

You will be warned that enabling the firewall may disrupt existing SSH connections; type y and press Enter. UFW is now active and is started again on every boot.
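The allow-SSH-then-enable procedure above, as an added example that is not part of the original post: the script below reads the Port directive(s) from sshd_config so that the rule matches what sshd actually listens on, writes a custom application profile in the same format as the shipped ones under /etc/ufw/applications.d, and prints the ufw commands in the order they must run (allow first, enable last). The profile name OpenSSH-Custom, the function names and the sshd_config contents are assumptions made for this example; the commands are printed rather than executed so they can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Added example, not code from the original post: make the "allow SSH before
# enabling" step mechanical. The SSH port(s) are read from sshd_config, a UFW
# application profile is generated for them, and the ufw commands are printed
# in the order they must run (allow first, enable last). Paths are parameters;
# the sshd_config content at the bottom is constructed for the demo.
set -eu

# Print the TCP port(s) sshd listens on, one per line. sshd_config may hold
# several "Port" lines; commented-out lines ("#Port 22") are skipped; with no
# Port directive at all sshd uses 22. Assumes the usual "Port NNN" form.
ssh_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -z "$ports" ]; then
        echo 22
    else
        printf '%s\n' "$ports"
    fi
}

# Write a UFW application profile (same INI format as the files the post lists
# under /etc/ufw/applications.d) for those ports into directory $2. Several
# ports share one "/tcp" suffix, e.g. "22,4422/tcp". Prints the ports field.
# Assumption: the profile name OpenSSH-Custom is ours, not a shipped one.
write_ssh_profile() {
    portlist="$(ssh_ports "$1" | tr '\n' ',' | sed 's/,$//')/tcp"
    cat > "$2/openssh-custom" <<EOF
[OpenSSH-Custom]
title=OpenSSH (custom port)
description=SSH daemon on the port(s) configured in sshd_config
ports=$portlist
EOF
    chmod 0644 "$2/openssh-custom"   # like the shipped profiles: root-owned, world-readable
    echo "$portlist"
}

# Print the commands rather than running them, so they can be reviewed first
# (pipe into "sudo sh" to apply). --force answers the y/n prompt shown above.
ufw_commands() {
    for p in $(ssh_ports "$1"); do
        echo "ufw allow $p/tcp comment 'sshd port from sshd_config'"
    done
    echo "ufw --force enable"
}

# Demo on a constructed sshd_config (port moved to 4422, default 22 commented out).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config" <<'EOF'
#Port 22
Port 4422
PermitRootLogin no
EOF
ufw_commands "$tmp/sshd_config"
write_ssh_profile "$tmp/sshd_config" "$tmp"
```

On a real host, point the first argument at /etc/ssh/sshd_config and the profile directory at /etc/ufw/applications.d, then check the generated profile with sudo ufw app info OpenSSH-Custom before allowing it.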

Allow connections on other ports

Depending on the applications running on your server you may need to allow incoming access to other ports.

Below we will show you a few examples of how to allow incoming connections to some of the most common services:

Open port 80 - HTTP

HTTP connections can be allowed with the following command:

sudo ufw allow http

Instead of http you can use the port number, 80:

sudo ufw allow 80/tcp

or you can use the application profile, in this case 'Nginx HTTP':

sudo ufw allow 'Nginx HTTP'

Open port 443 - HTTPS

HTTPS connections can be allowed with the following command:

sudo ufw allow https

To achieve the same, instead of https you can use the port number, 443:

sudo ufw allow 443/tcp

or you can use the application profile, in this case 'Nginx HTTPS':

sudo ufw allow 'Nginx HTTPS'

Open port 8080

If you run Tomcat or another application that listens on port 8080, allow incoming connections with:

sudo ufw allow 8080/tcp

Allow Port Ranges

UFW can also allow ranges of ports rather than single ports. When allowing a port range you must specify the protocol, tcp or udp. For example, to allow ports 7100 to 7200 for both TCP and UDP, run the following commands:

sudo ufw allow 7100:7200/tcp
sudo ufw allow 7100:7200/udp

Allow Specific IP Addresses

To allow access on all ports from a single machine, for example your home machine with the IP address 64.63.62.61, put from before the address:

sudo ufw allow from 64.63.62.61

Allow Specific IP Addresses on a Specific Port

To allow access only to a specific port, let's say port 22, from a specific machine with the IP address 64.63.62.61, put to any port followed by the port number after the address:

sudo ufw allow from 64.63.62.61 to any port 22

Allow Subnets

The command for allowing connections from a subnet is the same as for a single IP address; the only difference is that you add the netmask (prefix length). For example, to allow the 192.168.1.0/24 subnet (192.168.1.0 to 192.168.1.255) to reach port 3306 (MySQL), use this command:

sudo ufw allow from 192.168.1.0/24 to any port 3306

Allow Connections on a Specific Network Interface

To allow access to a specific port, let's say port 3306, only on a specific network interface, let's say eth2, add in on followed by the interface name:

sudo ufw allow in on eth2 to any port 3306

Deny connections

The default policy for incoming connections is deny; unless you have changed it, UFW blocks all incoming connections except those you explicitly allow.

Let's say you opened ports 80 and 443 and your server is under attack from the 23.24.25.0/24 network. To deny all connections from 23.24.25.0/24 you can use the following command:

sudo ufw deny from 23.24.25.0/24

Note that UFW evaluates rules in order and the first match wins. ufw deny appends this rule after the allow rules you already created for 80 and 443, so connections from 23.24.25.0/24 to those two ports still match the allow rules first and get through. To make a deny effective against ports that are already allowed, add it ahead of them with ufw insert and a position number (1 puts it first) instead of ufw deny. The same ordering rule applies if you only want to deny access to ports 80 and 443, where the rules look like this:

sudo ufw deny from 23.24.25.0/24 to any port 80
sudo ufw deny from 23.24.25.0/24 to any port 443

Writing deny rules is the same as writing allow rules, you only need to replace allow with deny.
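To see why rule order matters, here is an added example (not from the original post) that simulates UFW's first-match evaluation in plain shell over two constructed rule sets: the allow rules for 80 and 443 with the deny appended after them, which is what sudo ufw deny from 23.24.25.0/24 produces, and the same deny placed first, which is what sudo ufw insert 1 deny from 23.24.25.0/24 produces. Only IPv4 addresses and CIDR prefixes are handled, the three-column rule format is this example's own, and the addresses are made up.

```shell
#!/bin/sh
# Added example, not code from the original post: a tiny first-match
# evaluator that mimics how ufw walks its rule list, to show why a deny
# appended after "ufw allow 80"/"ufw allow 443" never fires for those ports.
# Rules are lines of "ACTION SOURCE PORT"; SOURCE is an IPv4 address or
# IPv4 CIDR (IPv6 is not handled here, an assumption of this demo); "any"
# matches everything. The rule sets and addresses below are constructed.
set -eu

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# Succeeds when address $1 lies inside $2 (a CIDR like 23.24.25.0/24, or a
# bare address, which is treated as /32).
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    if [ "$2" = "${2%/*}" ]; then bits=32; else bits=${2#*/}; fi
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Read rules from stdin, in order, and print the action of the first rule that
# matches a packet from source $1 to TCP port $2. As in ufw, the first match
# wins and the rules after it are never consulted; with no match at all the
# default incoming policy (deny) applies.
first_match() {
    while read -r action source port; do
        case "$action" in ''|'#'*) continue ;; esac
        if [ "$source" = any ] || in_cidr "$1" "$source"; then
            if [ "$port" = any ] || [ "$port" = "$2" ]; then
                echo "$action"
                return 0
            fi
        fi
    done
    echo deny
}

# Rules in the order the post's commands create them: the allows first, then
# "ufw deny from 23.24.25.0/24" appended at the end.
appended='allow any 80
allow any 443
deny 23.24.25.0/24 any'

# The same deny at position 1, which is what "ufw insert 1 deny from 23.24.25.0/24" does.
inserted='deny 23.24.25.0/24 any
allow any 80
allow any 443'

printf '%s\n' "$appended" | first_match 23.24.25.7 80    # allow: the deny is never reached
printf '%s\n' "$inserted" | first_match 23.24.25.7 80    # deny
printf '%s\n' "$inserted" | first_match 198.51.100.9 443 # allow
printf '%s\n' "$inserted" | first_match 198.51.100.9 22  # deny (default policy)
```

The simulator only models source address and destination port, which is enough for the rules on this page; on the real host, sudo ufw status numbered shows the order UFW will actually use.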

Delete UFW Rules

There are two different ways to delete UFW rules, by rule number and by specifying the actual rule.

Deleting by rule number is easier, especially if you are new to UFW. First list the rules with their numbers:

sudo ufw status numbered

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere

To delete rule number 3, the rule that allows connections to port 8080, use the following command and confirm with y:

sudo ufw delete 3

The remaining rules are renumbered after a deletion, so list them again before deleting another rule by number.

The second method is to delete a rule by specifying the actual rule; for example, if you added a rule to open port 8069 you can delete it with:

sudo ufw delete allow 8069
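As an added example (not part of the original post), the shell functions below pull the rule numbers for a given port out of a constructed ufw status numbered listing and emit the delete commands highest number first. That order matters because UFW renumbers the remaining rules after each delete; the listing, including the (v6) twin rules UFW adds on dual-stack hosts, is sample text written for this example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: pick rule numbers out of
# "ufw status numbered" output so that rules can be deleted safely. ufw
# renumbers the remaining rules after every delete, so when several rules
# must go, delete the highest number first. The listing below is constructed
# sample output, not taken from a real host.
set -eu

# Read a "ufw status numbered" listing on stdin and print the numbers of the
# rules whose "To" column exactly equals $1 (e.g. 8080/tcp), highest first.
rule_numbers_for() {
    target="$1"
    # Lines look like: "[ 3] 8080/tcp   ALLOW IN   Anywhere". Normalise "[ 3]"
    # to "[3]" so the number is a single field, then compare field 2.
    sed 's/^\[ *\([0-9]*\)\]/[\1]/' \
      | awk -v t="$target" '$1 ~ /^\[[0-9]+\]$/ && $2 == t { gsub(/[^0-9]/, "", $1); print $1 }' \
      | sort -rn
}

# Print the delete commands in an order that keeps the numbers valid.
# --force skips the per-rule confirmation prompt; drop it to review each one.
delete_commands_for() {
    rule_numbers_for "$1" | while read -r n; do
        echo "ufw --force delete $n"
    done
}

# Constructed listing: IPv4 rules plus the (v6) twins ufw adds when IPV6=yes.
listing='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)'

# Prints "ufw --force delete 5" then "ufw --force delete 3": deleting 3 first
# would turn rule 5 into rule 4 and the second command would hit the wrong rule.
printf '%s\n' "$listing" | delete_commands_for 8080/tcp
```

On a real host, replace the constructed listing with sudo ufw status numbered | delete_commands_for 8080/tcp and review the output before running it as root.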

Disable UFW

If for any reason you want to stop UFW and deactivate all rules you can use:

sudo ufw disable

Later, if you want to re-enable UFW and activate all rules again, just type:

sudo ufw enable

Reset UFW

Resetting UFW disables it and deletes all active rules; ufw asks for confirmation and backs up the existing rule files under /etc/ufw before removing them. This is helpful if you want to revert all of your changes and start fresh.

To reset UFW simply type in the following command:

sudo ufw reset