How to Configure a Firewall with UFW on Debian 9

In this tutorial, we will show you how to install and use the UFW firewall system on a Linux VPS running Debian 9. Security is a very important thing to consider when you run your own server.

UFW (Uncomplicated Firewall) is a simple and user-friendly front-end for managing iptables firewall rules – UFW aims to provide an easy-to-use interface, making a secure server accessible to more users. It is designed especially for beginners who are unfamiliar with firewall concepts.

Let’s begin with the installation.

Prerequisites

  • For the purposes of this tutorial, we will use a Debian 9 VPS.
  • Full SSH root access or a user with sudo privileges is also required.

Step 1: Connect via SSH and Update the OS

Connect to your server via SSH as the root user using the following command:

ssh root@IP_ADDRESS -p PORT_NUMBER

Remember to replace “IP_ADDRESS” and “PORT_NUMBER” with your server’s respective IP address and SSH port number.

Before starting with the installation, you will need to update your OS packages to their latest versions. It’s easy to do, and it won’t take more than a few minutes.

You can do this by running the following command:

apt-get update 
apt-get upgrade

Once the updates are completed, we can move on to the next step.

Step 2: Install UFW

By default, UFW is not installed on Debian 9. We can install UFW by running the following command:

apt-get install ufw

Once the installation is complete, we can check the status of UFW using the following command:

ufw status verbose

The output should be similar to the one below:

Status: inactive

UFW is disabled by default to avoid a lockout from the server.

Step 3: Allow SSH Connections

Once enabled, UFW blocks all incoming connections to your Debian VPS by default – nobody can connect to it, including you over SSH. Therefore, we need to allow incoming SSH connections before enabling the UFW firewall.

ufw allow ssh

or

ufw allow 22/tcp

Step 4: Enable UFW

To enable UFW, we can use the command below:

ufw enable

Once enabled, UFW will block all of the incoming connections and allow all outbound connections. To check the default configuration, we can use the following command:

ufw show raw

or

grep 'DEFAULT_' /etc/default/ufw

The output will look like this:

DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"

That’s it! Your server now has UFW installed and enabled. As you can see, by default, every incoming connection is denied. We specifically need to open a port if we want to access the server remotely.
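As an added example (not from the original tutorial), the following POSIX shell guard ties Steps 3 and 4 together: it reads the port sshd actually listens on (the PORT_NUMBER from Step 1 is not always 22, and "ufw allow ssh" resolves the service name via /etc/services to 22/tcp only) and refuses to run "ufw enable" until an ALLOW rule for that port is present. The function names, the UFW_CMD override and the sample inputs are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a guard around "ufw enable"
# that refuses to activate the firewall until an ALLOW rule for the SSH port
# exists, so the lockout the tutorial warns about cannot happen. The checks
# take text as input, so they can be exercised offline on constructed output.

# Print the port sshd listens on, taken from sshd_config text ($1): the first
# uncommented "Port" directive, or 22 when there is none.
ssh_port_from_config() {
    port=$(printf '%s\n' "$1" | awk 'tolower($1) == "port" { print $2; exit }')
    printf '%s\n' "${port:-22}"
}

# Return 0 when "ufw status" text ($1) holds an ALLOW rule for port $2/tcp.
# "ufw allow ssh" opens 22/tcp (the /etc/services entry), so the OpenSSH
# application profile is accepted as a match only when the port is 22.
ssh_rule_present() {
    pattern="^$2/tcp[[:space:]]+ALLOW"
    if [ "$2" = 22 ]; then
        pattern="^(22/tcp|OpenSSH)[[:space:]]+ALLOW"
    fi
    printf '%s\n' "$1" | grep -Eq "$pattern"
}

# Enable UFW only if the guard passes. $1 is the sshd_config path (default
# /etc/ssh/sshd_config); UFW_CMD (assumed name) overrides the ufw command so
# the logic can be checked against a stub instead of the real firewall.
safe_enable() {
    ufw=${UFW_CMD:-ufw}
    port=$(ssh_port_from_config "$(cat "${1:-/etc/ssh/sshd_config}")")
    status_text=$("$ufw" status) || return 2
    if ! ssh_rule_present "$status_text" "$port"; then
        echo "refusing to enable ufw: no ALLOW rule for $port/tcp" >&2
        echo "run first: ufw allow $port/tcp" >&2
        return 1
    fi
    # --force skips ufw's interactive confirmation prompt.
    "$ufw" --force enable
}
```

Run it as root with "safe_enable" after adding your rules; it exits non-zero and prints the missing rule instead of enabling a firewall that would cut off your session.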

Allowing Other Services

We may also need to allow some other incoming connections.

ufw allow 21/tcp
ufw allow 80/tcp
ufw allow 443/tcp

We can check the UFW status using the following command:

ufw status

The output should be similar to the one below:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
21/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

If, for example, we want to deny access to port 80, we have to run the following command:

ufw deny 80/tcp

To delete the rule that allows the incoming connections on port 21, run the following command:

ufw delete allow 21/tcp

Allowing Connections from Specific IP addresses and Port Ranges

We can also allow connections from a specific IP address with the following command:

ufw allow 192.168.10.100

We can use a subnet mask to widen the range:

ufw allow 192.168.10.0/24

We can also combine the IP address, port, and protocol with a single command. For example, in order to allow the connection only from the IP 192.168.10.100, protocol tcp, and to port 22, we have to run the following command:

ufw allow from 192.168.10.100 proto tcp to any port 22

We can also specify port ranges with UFW. For example, to allow TCP ports 1100 to 1200, run the following command:

ufw allow 1100:1200/tcp

If we want to allow UDP on ports 1100 to 1200, for example, we have to use the following command:

ufw allow 1100:1200/udp

Rejecting Incoming Connections

The deny syntax silently drops traffic, so the sender receives no response. To let the sender know that the traffic is being refused, use reject instead, as in the command below:

ufw reject 443

If somebody tries to connect to port 443, their client will receive a rejection, which telnet reports as follows:

telnet: Unable to connect to remote host: Connection refused

Displaying UFW Reports

We can list the rules in the order they were added with the following command:

ufw show added

The output should be similar to the one below:

Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 21/tcp
ufw allow 80/tcp
ufw allow 443/tcp

Disabling UFW

If for some reason we need to disable UFW, we can run the following command:

ufw disable

In order to reset all rules to their default settings, use the following command:

ufw reset

We can use the --help flag for more usage commands:

ufw --help

That’s all – in this tutorial, we learned how to install and enable the UFW firewall system, and we also covered how to add and remove rules on it, with varying levels of criteria.


Of course, you don’t have to configure a firewall with UFW on Debian 9 if you use one of our managed Debian VPS Hosting Services, in which case you can simply ask our expert Linux admins to install and configure UFW on Debian 9 for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post on how to Configure a Firewall with UFW on Debian 9, please share it with your friends on the social networks using the share shortcuts below, or simply leave a comment down in the comments section. Thanks.
