Uncomplicated Firewall... be careful
If like me, you enjoy the simplicity of
(Uncomplicated Firewall) on your Ubuntu servers be careful when you turn it on.
doesn’t have any default rules to allow
inbound by default, if you aren’t careful when turning it on you could find yourself locked out! If you don’t have direct console access to the server that could mean being locked out forever! Not a conversation you want to have with a client, or your boss,… or tech support at your friendly cloud provider.
So before turning
on for the first time here are couple quick tips.
The easy way
Build your allow rule first.
sudo ufw allow 22/tcp sudo ufw show added
Then, after seeing the output which confirms the rule has been added, go ahead enable
sudo ufw enable
The less easy way - edit the file directly
Why would you want to use the less easy way!? Well, you may have a need to copy this file over to a newly built server. Maybe because you like to know where configuration files hide. Or maybe just because you like to do things a different way. Anyway whatever your reasons may be here you go.
sudo vim /usr/lib/ufw/user.rules
Add the following lines directly under the section that says RULES
### RULES ### ### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in -A ufw-user-input -p tcp --dport 22 -j ACCEPT
I’d like to say that I didn’t learn this the hard way but alas I seem to have locked myself out one too many times!
Be careful with the “easy” tools. They will bite you if you aren’t paying close attention!