Ubuntu Server 18.04 – Setting up a firewall


Firewalls are a very important aspect to include in your network and security design. Firewalls are extremely easy to implement, but sometimes hard to implement well. The problem with firewalls is that they can sometimes offer a false sense of security to those who aren’t familiar with the best ways to manage them. Sure, they’re good to have, but simply having a firewall isn’t enough by itself. The false sense of security comes when someone thinks that they’re protected just because a firewall is installed and enabled, but they’re also often opening traffic from any network to internal ports. Take into consideration the firewall that was introduced with Windows XP and enabled by default with Windows XP Service Pack 2. Yes, it was a good step but users simply clicked the “allow” button whenever something wanted access, which defeats the entire purpose of having a firewall. Windows implements this better nowadays, but the false sense of security it created remains. Firewalls are not a “set it and forget it” solution!

Firewalls work by allowing or disallowing access to a network port from other networks. Most good firewalls block outside traffic by default. When a user or administrator enables a service, they open a port for it. Then, that service is allowed in. This is great in theory, but where it breaks down is that administrators will often allow access from everywhere when they open a port. If an administrator does this, they may as well not have a firewall at all. If you need access to a server via OpenSSH, you may open up port 22 (or whatever port OpenSSH is listening on) to allow it through the firewall. But if you simply allow the port, it’s open for everyone else as well.

When configured properly, a firewall will enable access to a port only from specific places. For example, rather than allowing port 22 for OpenSSH to your entire network, why not just allow traffic to port 22 from specific IP addresses or subnets? Now we’re getting somewhere! In my opinion, allowing all traffic through a port is usually a bad idea, though some services actually do need this (such as web traffic to your web server). If you can help it, only allow traffic from specific networks when you open a port. This is where the use case for a firewall really shines.

In Ubuntu Server, the Uncomplicated Firewall (UFW) is a really useful tool for configuring your firewall. As the name suggests, it makes firewall management a breeze. To get started, install the ufw package:

sudo apt install ufw

By default, the UFW firewall is inactive. This is a good thing, because we wouldn’t want to enable a firewall until after we’ve configured it. The ufw package features its own command for checking its status:

sudo ufw status

Unless you’ve already configured your firewall, the status will come back as inactive.

With the ufw package installed, the first thing we’ll want to do is enable traffic via SSH, so we won’t get locked out when we do enable the firewall:

sudo ufw allow from 192.168.1.156 to any port 22

You can probably see from that example how easy UFW’s syntax is. With that example, we’re allowing the 192.168.1.156 IP address access to port 22 via TCP as well as UDP. In your case, you would change the IP address accordingly, as well as the port number if you’re not using the OpenSSH default port. The any option refers to any protocol (TCP or UDP).

You can also allow traffic by subnet:

sudo ufw allow from 192.168.1.0/24 to any port 22

Although I don’t recommend this, you can allow all traffic from a specific IP to access anything on your server. Use this with care, if you have to use it at all:

sudo ufw allow from 192.168.1.50

Now that we’ve configured our firewall to allow access via OpenSSH, you should also allow any other ports or IP addresses that are required for your server to operate efficiently. If your server is a web server, for example, you’ll want to allow traffic from ports 80 and 443. This is one of those few exceptions where you’ll want to allow traffic from any network, assuming your web server serves an external page on the internet:

sudo ufw allow 80
sudo ufw allow 443

There are various other usage patterns for the ufw command; refer to the man page (http://manpages.ubuntu.com/manpages/bionic/man8/ufw.8.html) for more. In a nutshell, these examples should enable you to allow traffic through specific ports, as well as from specific networks and IP addresses. Once you’ve finished configuring the firewall, we can enable it:

sudo ufw enable
Firewall is active and enabled on system startup

Just as the output suggests, our firewall is active and will start up automatically whenever we reboot the server.
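Once the firewall is active, it is worth re-checking that no port other than the intended public ones (80 and 443 here) is open to every network, and that no host has been given access to all ports. The following audit script is an added example, not part of the original article or of the ufw project: it parses `ufw status` output (a constructed sample is embedded, including a hypothetical port 3306 rule opened to Anywhere) and reports each rule that breaks the "only from specific places" principle described above.

```shell
#!/bin/sh
# Constructed sample of `sudo ufw status` output after the rules in this section,
# plus a hypothetical extra rule (3306) that was opened to every network.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       192.168.1.156
22                         ALLOW       192.168.1.0/24
Anywhere                   ALLOW       192.168.1.50
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
3306                       ALLOW       Anywhere
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
3306 (v6)                  ALLOW       Anywhere (v6)'

# Ports that are meant to be reachable from any network (the web-server exception).
PUBLIC_PORTS="80 443"

# audit_ufw_rules: read `ufw status` text on stdin, print one line per risky
# ALLOW rule, and return the number of risky rules (0 means the rule set is clean).
audit_ufw_rules() {
    awk -v public="$PUBLIC_PORTS" '
        BEGIN { bad = 0; n = split(public, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        /^Status:|^To |^--/ || NF == 0 { next }      # skip header and blank lines
        {
            act = ""; to = ""; from = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ALLOW|DENY|REJECT|LIMIT)$/) { act = $i; continue }
                if ($i == "(v6)" || $i == "IN" || $i == "OUT") continue
                if (act == "") to = $i; else from = $i   # columns before/after Action
            }
            if (act != "ALLOW") next
            port = to; sub(/\/.*/, "", port)              # "22/tcp" -> "22"
            if (from == "Anywhere" && !(port in ok))
                { print "port " port " is open to every network: " $0; bad++ }
            else if (to == "Anywhere")
                { print "all ports are open to " from ": " $0; bad++ }
        }
        END { exit bad }
    '
}

# Sample run; on a live server use:  sudo ufw status | audit_ufw_rules
printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_rules || echo "found $? risky rule(s)"
```

The audit treats a host allowed to all ports (the `ufw allow from 192.168.1.50` form) as risky too, matching the caution given for that rule above.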

The ufw package is basically an easy-to-use frontend to the iptables firewall, and it acts as the default firewall for Ubuntu. The commands we executed so far in this section trigger the iptables command, which is a command administrators can use to set up a firewall manually. A full walk-through of iptables is outside the scope of this chapter, and it’s essentially unnecessary, since Ubuntu features UFW as its preferred firewall administration tool and it’s the tool you should use while administering a firewall on your Ubuntu server. If you’re curious, you can see what your current set of iptables firewall rules looks like with the following command:

sudo iptables -L

With a well-planned firewall implementation, you can better secure your Ubuntu Server installation from outside threats. Preferably, each port you open should only be accessible from specific machines, with the exception being servers that are meant to serve data or resources to external networks. Like all security solutions, a firewall won’t make your server invincible, but it does represent an additional layer attackers would have to bypass in order to do harm.
