Obsidian/05.02 Networks/Configuring UFW.md

---

Alias: ["UFW"]
Tag: ["🖥️", "Firewall"]
Date: 2021-10-04
DocType: "Personal"
Hierarchy: "NonRoot"
TimeStamp:
location: [51.514678599999996, -0.18378583926867909]
CollapseMetaTable: true

---

Parent:: [[Selfhosting]], [[Server Alias]], [[Server Cloud]], [[Server Tools]], [[Server VPN]]

---

 ^Top

 

```button
name Save
type command
action Save current file
id Save
```
^button-UFWSave

 

# Configuring UFW

 

```ad-abstract
title: Summary
collapse: open
Description of basic commands for UFW
```

 

```toc
style: number
```

 

---

 

### Installation and activation

 

UFW should be installed by default in Ubuntu servers. If not, see below.

 

#### Installation of UFW

```ad-command
~~~bash
sudo apt install ufw
~~~
```

 

#### Activation of UFW

```ad-command
~~~bash
sudo ufw status
~~~
```

If disabled:

```ad-command
~~~bash
sudo ufw enable
~~~
```

 

---

 

### Basic commands

 

#### UFW rules status

```ad-command
~~~bash
sudo ufw status
~~~
```

Commands can be appended:
- `verbose`: details incoming/outgoing rules
- `numbered`: display rule numbers

 

#### UFW rule management

##### Allow / Deny

```ad-command
~~~bash
sudo ufw allow/deny
~~~
```

Then:

| Type to allow | Syntax
|--------------|--------
**IP** | from (ip address/range)
**Port** | (portnumber)/(protocol)
**Service** | (service name)
**Protocol** | proto (protocol name)

 

##### Rule priority

Certain rules like IP denial need to be put on top of the rule stack as UFW reads rules in order one after another. Insert the following in the command to force insertion:

```ad-command
~~~bash
insert 1 (or any place in the pecking order)
~~~
```

 

##### Complex rule syntax

Finer rules can be defined with the following syntax.

| rule condition | syntax
|--------------|--------
**connecting IP** | from (ip or any)
**internal IP** | to (ip or any)
**protocol** | proto (protocol or any)
**port** | port (port or any)
**outgoing traffic** | out

 

##### Delete a rule

```ad-command
~~~bash
sudo ufw delete <rule number>
~~~
```

&emsp;

---

&emsp;

### UFW not working

&emsp;

It can happen that UFW does not work. In that case, check the open ports as per below:

```ad-command
~~~bash
netstat -lntu
~~~
```

&emsp;

If required, force-open the port:

```ad-command
~~~bash
sudo nc -l -p <port #>
~~~
```

&emsp;

---

&emsp;

### Ban List management

&emsp;

#### Ban List Folder

```ad-path
/etc/addip4ban/
```

&emsp;

#### Ban List Script

```ad-code
title: addip4ban.sh
~~~bash
#!/bin/bash

INPUT="/etc/addip4ban/blocked.ip.list"

while IFS= read -r block
do
    sudo ufw insert 1 deny from "$block"
done < "$INPUT"
~~~
```

&emsp;

Once written, the script needs to be executed. To prepare:

```ad-command
~~~bash
sudo chmod +x /etc/addip4ban/addip4ban.sh
~~~
```

&emsp;

#### Ban List Document

```ad-code
title: blocked.ip.list
~~~bash
< ip1 >
< ip2/range >
< ip3 >
~~~
```

&emsp;

#### Ban list Update Process

Copy/paste the new ban list into `blocked.ip.list` and run:

```ad-command
~~~bash
sudo bash /etc/addip4ban/addip4ban.sh
~~~
```

&emsp;

#### Ban List Tasks

- [ ] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]] Get IP addresses caught by Postfix %%done_del%% 🔁 every week on Saturday 📅 2025-01-18
- [x] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]] Get IP addresses caught by Postfix %%done_del%% 🔁 every week on Saturday 📅 2025-01-11 ✅ 2025-01-10
- [x] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]] Get IP addresses caught by Postfix %%done_del%% 🔁 every week on Saturday 📅 2025-01-04 ✅ 2025-01-03
- [x] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]] Get IP addresses caught by Postfix %%done_del%% 🔁 every week on Saturday 📅 2024-12-28 ✅ 2024-12-28
- [x] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]] Get IP addresses caught by Postfix %%done_del%% 🔁 every week on Saturday 📅 2024-12-21 ✅ 2024-12-21
- [x] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]] Get IP addresses caught by Postfix %%done_del%% 🔁 every week on Saturday 📅 2024-12-14 ✅ 2024-12-13
- [x] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]] Get IP addresses caught by Postfix %%done_del%% 🔁 every week on Saturday 📅 2024-12-07 ✅ 2024-12-09
- [x] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]] Get IP addresses caught by Postfix %%done_del%% 🔁 every week on Saturday 📅 2024-11-30 ✅ 2024-11-29
- [x] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]] Get IP addresses caught by Postfix %%done_del%% 🔁 every week on Saturday 📅 2024-11-23 ✅ 2024-11-23
- [ ] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]]: Update the Blocked IP list %%done_del%% 🔁 every month on Saturday 📅 2025-01-18
- [x] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]]: Update the Blocked IP list %%done_del%% 🔁 every month on Saturday 📅 2025-01-11 ✅ 2025-01-10
- [x] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]]: Update the Blocked IP list %%done_del%% 🔁 every month on Saturday 📅 2025-01-04 ✅ 2025-01-03
- [x] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]]: Update the Blocked IP list %%done_del%% 🔁 every month on Saturday 📅 2024-12-28 ✅ 2024-12-28
- [x] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]]: Update the Blocked IP list %%done_del%% 🔁 every month on Saturday 📅 2024-12-21 ✅ 2024-12-21
- [x] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]]: Update the Blocked IP list %%done_del%% 🔁 every month on Saturday 📅 2024-12-14 ✅ 2024-12-13
- [x] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]]: Update the Blocked IP list %%done_del%% 🔁 every month on Saturday 📅 2024-12-07 ✅ 2024-12-09
- [x] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]]: Update the Blocked IP list %%done_del%% 🔁 every month on Saturday 📅 2024-11-30 ✅ 2024-11-29
- [x] 🖥 [[Selfhosting]], [[Configuring UFW|Firewall]]: Update the Blocked IP list %%done_del%% 🔁 every month on Saturday 📅 2024-11-23 ✅ 2024-11-23

&emsp;
&emsp;