xTom - How to Easily Set Up a Firewall on Debian with Uncomplicated Firewall (UFW)

Securing your Debian server doesn't have to be complicated... at least, not with Uncomplicated Firewall (UFW), that is.

In this article, we'll explore what UFW is, how it works with iptables/nftables, and walk you through setting it up on your Debian system. Let's dive in.

Understanding UFW

Originally developed for Ubuntu, Uncomplicated Firewall (UFW) is designed to make configuring network traffic filtering more accessible.

Under the hood, UFW translates your commands into iptables or nftables rules, which are integral parts of the Linux kernel responsible for packet filtering and network traffic management. These tools are powerful but can be complex to configure directly. UFW simplifies this process, allowing you to implement firewall rules with straightforward commands.

For example, on nftables to allow SSH connections you could run:

sudo nft add rule inet filter input tcp dport 22 ct state new,established accept

But that same command on UFW is just:

sudo ufw allow ssh

Big difference, huh?

iptables: A traditional firewall framework that filters packets and manages network traffic.
nftables: A modern replacement for iptables, offering improved performance and a more unified approach to packet filtering.

Starting from Debian 10 (Buster), nftables is the default backend. UFW ensures compatibility by automatically translating its commands into the appropriate iptables or nftables rules based on your system's configuration (it flawlessly works with either).

Prerequisites

Before we begin, make sure you have the following:

A Debian-based system (We recommend Debian 12, Ubuntu also works, though it's installed by default)
A user account with sudo privileges

Installing UFW on Debian

First, update your system's package list:

sudo apt update

Then, install UFW:

sudo apt install ufw

Basic UFW commands

Here are some basic UFW commands that you'll find useful:

Enable UFW: sudo ufw enable
Disable UFW: sudo ufw disable
Check UFW status: sudo ufw status or sudo ufw status verbose
Allow connection: sudo ufw allow [port/service]
Deny connection: sudo ufw deny [port/service]
Delete rule: sudo ufw delete [allow/deny] [port/service]

Configuring UFW

Setting default policies

It's a good practice to start by setting your firewall to deny all incoming connections and allow all outgoing connections.

This ensures that only traffic you explicitly allow can reach your server.

sudo ufw default deny incoming
sudo ufw default allow outgoing

This configuration blocks all unsolicited incoming traffic while allowing your server to initiate outgoing connections.

Allowing SSH connections

To prevent yourself from being locked out of your server, it's important to allow SSH connections, which you can do with the same command as mentioned above:

sudo ufw allow ssh

If your SSH service is running on a non-standard port (e.g., 2222), specify it like this:

sudo ufw allow 2222

Allowing specific ports

If you're running services like a web server, you'll need to allow HTTP and HTTPS traffic:

sudo ufw allow 80    # HTTP
sudo ufw allow 443   # HTTPS

Enabling UFW

After configuring your rules, you can enable UFW:

sudo ufw enable

You'll receive a warning that enabling the firewall might disrupt existing SSH connections. Since we've already allowed SSH, it's safe to proceed. Type 'y' and press Enter.

Advanced UFW configuration

Application profiles

UFW includes profiles for common applications, making it even easier to manage firewall rules based on application names.

List available profiles:

sudo ufw app list

Allow an application by name, for example:

sudo ufw allow 'Deluge'

This command allows traffic for Deluge.

IPv6 support

If your server uses IPv6, ensure that UFW is configured to handle IPv6 traffic.

Edit the UFW configuration file:

sudo nano /etc/default/ufw

Set the following line:

IPV6=yes

Save and close the file, then reload UFW:

sudo ufw reload

Checking UFW status and rules

To view the current status and active rules, use:

sudo ufw status verbose

This command provides detailed information about your firewall configuration.

Disabling or resetting UFW

To temporarily disable UFW:

sudo ufw disable

To reset UFW to its default state, deleting all custom rules:

sudo ufw reset

Conclusion

With this article, you've learned how to set up a basic firewall that you can customize further to meet the specific needs of your environment.

It's safe to say UFW is an excellent choice for securing Debian-based systems in various scenarios, from personal servers to production environments.

It allows anyone, with little to no complexities, to set up and configure a firewall.

Why not give it a shot? Worst case scenario if you hate it, you can give nftables or iptables a go.

Note: For a full comparison of the best Linux firewalls, give this article here a read.

Looking for hosting?

If you're looking for practically any kind of digital infrastructure, xTom would love to help.

We provide anything from dedicated servers to colocation, and more through our xTom brand.

Over at our V.PS brand, we provide... well, VPS. Scalable, reliable, and affordable NVMe VPS. Great for developing, hobby, or production.

Give us a look, and don't be afraid to reach out! Thanks for reading :).

Frequently asked questions (FAQs)

Is UFW suitable for production servers?

Yes, UFW is suitable for both development and production environments. It simplifies firewall management without sacrificing control or security.

How do I remove a rule in UFW?

Use the delete command followed by the rule. For example:

sudo ufw delete allow 22

Can I use UFW with other firewall tools?

It's recommended to use one firewall management tool at a time to avoid conflicts. If you prefer another tool (outside of nftables), disable UFW before proceeding.