UFW (Uncomplicated Firewall) is a tool designed to simplify firewall management on Unix and Linux systems. Its main goal is to make firewall administration accessible to users without networking or firewall experience.
UFW is a simplified user interface for iptables, which is the underlying firewall tool in most Linux distributions.
Unlike iptables, which can be complicated to configure due to its extensive syntax, UFW provides a simpler command-line interface.
Features of UFW:
- Simple interface: Designed to be easy to use, providing simple commands for firewall configuration.
- IP-based rules: Allows configuring rules to allow or block traffic based on IP, ports, and protocols.
- Event logging: Can log events to monitor firewall activity.
Installing UFW on Raspberry Pi
UFW is available in the default Raspbian repositories, so its installation is quite straightforward. Let’s see the steps to install and enable UFW on your Raspberry Pi.
First, make sure your system’s package list is up to date:
sudo apt update
Now install UFW using the following command:
sudo apt install ufw
Once installed, you can enable UFW with the following command:
sudo ufw enable
This command will activate the firewall with the default configuration, which is to block all incoming traffic and allow all outgoing traffic.
Basic UFW Configuration
After enabling UFW, the next step is to configure the firewall rules. UFW allows adding rules to allow or deny traffic based on different criteria.
Some of the most common commands are:
| Command | Description |
|---|---|
| sudo ufw enable | Enables UFW and activates it on boot. |
| sudo ufw disable | Disables UFW. |
| sudo ufw status | Shows the current status of the firewall. |
| sudo ufw allow <port> | Allows incoming traffic on a specific port. |
| sudo ufw deny <port> | Denies incoming traffic on a specific port. |
| sudo ufw reset | Resets all UFW rules to their default values. |
Let’s look at some common configuration examples.
Allow SSH Access
To ensure you can access your Raspberry Pi via SSH, you must allow traffic on port 22. You can do this with the following command:
sudo ufw allow ssh
You can also specify the port explicitly if you prefer:
sudo ufw allow 22/tcp
To allow all outgoing traffic (not recommended):
sudo ufw default allow outgoing
Block Traffic on a Specific Port
To block traffic on a port, you can use the following command. For example, to block port 23 (Telnet):
sudo ufw deny 23/tcp
To deny all incoming traffic (not recommended):
sudo ufw default deny incoming
Check UFW Status
To check the current rules and the overall status of UFW, use the command:
sudo ufw status verbose
This command will show a detailed list of the configured rules and the firewall status.
Delete Rules
If you need to delete a specific rule, first check the active rules with:
sudo ufw status numbered
Then, delete the corresponding rule using its number:
sudo ufw delete <number>
Allow or Deny Traffic from a Specific IP
To allow traffic from a specific IP, use the following command. For example, to allow SSH access only from IP 192.168.1.100:
sudo ufw allow from 192.168.1.100 to any port 22
To allow traffic from a range of IPs, use:
sudo ufw allow from 192.168.1.0/24 to any port 80
To allow traffic from a specific network:
sudo ufw allow from 10.0.0.0/16 to any port 3306
The same applies to blocking: use deny instead of allow in these commands.
Be careful not to play around recklessly with UFW, or you might leave the Raspberry Pi without a connection and have to physically connect a keyboard and mouse to access it.
Monitoring and Logging
UFW also allows enabling event logging, which can be useful for monitoring access attempts and suspicious activity.
To enable logging, use the following command:
sudo ufw logging on
You can review the logs in the /var/log/ufw.log file.
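As an added example (not part of the original page), the following shell function summarises the blocked packets recorded in UFW log lines by source address, protocol and destination port, so repeated connection attempts stand out. The function names and the sample log lines are constructed for illustration; the sample uses documentation addresses and trimmed fields.

```shell
#!/bin/sh
# Added example (not from the original page): summarise [UFW BLOCK] entries.

# ufw_block_summary [FILE...] prints "COUNT SRC PROTO/DPT", most frequent first.
# With no FILE it reads standard input.
ufw_block_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; proto = ""; dpt = "-"     # "-" when there is no port (e.g. ICMP)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") count[src " " proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample log lines (documentation addresses, fields trimmed).
sample_ufw_log() {
    cat <<'EOF'
Mar  3 10:15:01 raspberrypi kernel: [  101.000001] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.50 PROTO=TCP SPT=40001 DPT=23
Mar  3 10:15:02 raspberrypi kernel: [  102.000001] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.50 PROTO=TCP SPT=40002 DPT=23
Mar  3 10:15:03 raspberrypi kernel: [  103.000001] [UFW ALLOW] IN=eth0 OUT= SRC=192.168.1.100 DST=192.168.1.50 PROTO=TCP SPT=50500 DPT=22
Mar  3 10:15:04 raspberrypi kernel: [  104.000001] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.50 PROTO=UDP SPT=5353 DPT=53
Mar  3 10:15:05 raspberrypi kernel: [  105.000001] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.50 PROTO=TCP SPT=40003 DPT=23
Mar  3 10:15:06 raspberrypi kernel: [  106.000001] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.50 PROTO=ICMP TYPE=8 CODE=0
EOF
}

# Demo on the sample; on the Pi run: sudo cat /var/log/ufw.log | ufw_block_summary
sample_ufw_log | ufw_block_summary
```

On the sample, the repeated Telnet attempts from one address appear on the first line of the summary, and the allowed SSH connection is not counted.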

