Uncomplicated Firewall… be careful

By: Luke Rawlins Dec 9, 2016 | 2 minutes read

Tags: Linux Firewall, UFW, Ubuntu

If, like me, you enjoy the simplicity of UFW (Uncomplicated Firewall) on your Ubuntu servers, be careful when you turn it on. UFW ships with no default rule allowing inbound SSH, so if you aren’t careful when enabling it you could find yourself locked out, and if you don’t have direct console access to the server that could mean being locked out forever! Not a conversation you want to have with a client, or your boss, or tech support at your friendly cloud provider.

So before turning UFW on for the first time, here are a couple of quick tips.

Build your allow rule first.

sudo ufw allow 22/tcp
sudo ufw show added

Only after seeing output that confirms the rule has been added should you turn on ufw.

sudo ufw enable

Why would you want to use the less easy way!? Well, you may need to copy this file over to a newly built server. Maybe you like to know where configuration files hide. Or maybe you just like to do things a different way. Whatever your reasons may be, here you go.

Edit the user.rules file at /lib/ufw

sudo vim /lib/ufw/user.rules

Add the following lines directly under the section header that says RULES:

### RULES ###
### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
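The two tips above (verify the allow rule before enabling, and the hand-written user.rules entry) combined into one script. This is an added example, not code from the original post: it refuses to enable ufw unless `ufw show added` actually lists the SSH allow rule, and it renders the user.rules lines for any port. It assumes ufw is installed and the script runs as root; SSH_PORT and RUN_SAFE_ENABLE are names chosen here.

```shell
#!/bin/sh
# Added example: enable UFW only after the SSH allow rule is confirmed.
# Assumes ufw is installed and this runs as root (via sudo).

SSH_PORT="${SSH_PORT:-22}"

# Read `ufw show added` output on stdin; succeed only if it lists an
# allow rule for tcp port $1. Pure text filter, so it can be checked
# without a live firewall.
rule_present() {
    grep -q -E "^ufw allow ${1}/tcp( |$)"
}

# Print the two lines the post adds under ### RULES ### in
# /lib/ufw/user.rules, parameterised by port.
user_rules_snippet() {
    printf '%s\n' "### tuple ### allow tcp ${1} 0.0.0.0/0 any 0.0.0.0/0 in"
    printf '%s\n' "-A ufw-user-input -p tcp --dport ${1} -j ACCEPT"
}

# Add the rule, prove it is registered, and only then enable.
# --force skips ufw's interactive "may disrupt ssh" prompt.
safe_enable() {
    port="$1"
    ufw allow "${port}/tcp" || return 1
    if ! ufw show added | rule_present "$port"; then
        echo "refusing to enable ufw: no allow rule for ${port}/tcp" >&2
        return 1
    fi
    ufw --force enable
}

# Only touch the real firewall when explicitly asked.
if [ "${RUN_SAFE_ENABLE:-0}" = "1" ]; then
    safe_enable "$SSH_PORT"
fi
```

Run it as `sudo RUN_SAFE_ENABLE=1 sh safe-ufw.sh` (or with `SSH_PORT=2222` for a non-default sshd port); without RUN_SAFE_ENABLE it only defines the functions.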

I’d like to say that I didn’t learn this the hard way but alas I seem to have locked myself out one too many times!

Be careful with the “easy” tools. They will bite you if you aren’t paying close attention!
