Although optional, it is recommended to refresh the package index before installing a package.
$ apt-get update
It is quite straightforward to install a firewall.
$ apt-get install ufw
Configuring the firewall, by contrast, takes some effort. Below are a few examples. To allow a subnet of IP addresses to reach all inbound ports on this unit:
$ ufw allow from 192.168.1.0/24
To allow outbound connections to all ports of a specific IP address, or from a subnet to any destination:
$ ufw allow out to 192.168.1.175
$ ufw allow out from 192.168.1.0/24 to any
To allow a specific port, by service name or by number (a rule without a direction is treated as inbound):
$ ufw allow https
$ ufw allow 80
To allow a specific IP address to access a range of TCP ports:
$ ufw allow from 192.168.1.175 to any port 21:22 proto tcp
After adding rules, check the configuration before enabling the firewall:
$ ufw status
$ ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 192.168.1.0/24             ALLOW OUT   Anywhere (out)
[ 2] 25                         ALLOW OUT   Anywhere (out)
[ 3] 80                         ALLOW IN    Anywhere
[ 4] 443                        ALLOW IN    Anywhere
[ 5] Anywhere                   ALLOW IN    192.168.1.77
[ 6] Anywhere                   ALLOW IN    192.168.1.175
[ 7] 25 (v6)                    ALLOW OUT   Anywhere (v6) (out)
[ 8] 80 (v6)                    ALLOW IN    Anywhere (v6)
[ 9] 443 (v6)                   ALLOW IN    Anywhere (v6)
Add rules until all requirements are met. Delete any unwanted rule if necessary, for example rule [ 5]:
$ ufw delete 5
Deleting:
allow from 192.168.1.77
Proceed with operation (y|n)?
Hit y to confirm the deletion. The rules can also be edited manually, though this is not recommended, in the configuration file:
$ nano /etc/ufw/user.rules
To verify that a rule meets the requirement, use the nc command from the client side:
$ nc -vz 192.168.1.77 port_number
In particular, make absolutely sure that the SSH or telnet port(s) remain accessible from the IP address you log in from; otherwise the firewall may cut off your live connection to the unit. Enable the firewall if it is currently disabled, or reload it if it was already enabled:
$ ufw enable
$ ufw reload
It is good practice to set the default policy to deny rather than allow for all other connections (without a direction, ufw applies the default policy to incoming traffic):
$ ufw default deny
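The lockout warning above is worth automating: before running ufw enable, confirm that the listing from ufw status numbered still contains an ALLOW IN rule that admits your own login address on the SSH port. The script below is an added example, not part of the original page or of ufw itself. The function name admin_access_allowed is hypothetical, the listing in SAMPLE_STATUS is a constructed copy of the status output shown earlier, and the parser understands "Anywhere", single ports, "port/proto" and "lo:hi" port ranges, but does not evaluate CIDR source blocks (a rule from 192.168.1.0/24 would not count as covering 192.168.1.77).

```shell
#!/bin/sh
# Constructed sample: the "ufw status numbered" listing from the page.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 192.168.1.0/24             ALLOW OUT   Anywhere (out)
[ 2] 25                         ALLOW OUT   Anywhere (out)
[ 3] 80                         ALLOW IN    Anywhere
[ 4] 443                        ALLOW IN    Anywhere
[ 5] Anywhere                   ALLOW IN    192.168.1.77
[ 6] Anywhere                   ALLOW IN    192.168.1.175
[ 7] 25 (v6)                    ALLOW OUT   Anywhere (v6) (out)
[ 8] 80 (v6)                    ALLOW IN    Anywhere (v6)
[ 9] 443 (v6)                   ALLOW IN    Anywhere (v6)'

# admin_access_allowed STATUS_TEXT PORT ADMIN_IP
# Hypothetical helper (not part of ufw). Returns 0 if some IPv4 ALLOW IN
# rule in STATUS_TEXT admits traffic to PORT from ADMIN_IP, 1 otherwise.
# Source CIDR blocks are not evaluated; only "Anywhere" or an exact IP match.
admin_access_allowed() {
    printf '%s\n' "$1" | awk -v port="$2" -v ip="$3" '
        # rule lines look like: [ n] TO   ALLOW IN   FROM
        /ALLOW IN/ {
            sub(/^\[ *[0-9]+\] */, "")            # drop the "[ n]" prefix
            split($0, parts, /  *ALLOW IN  */)    # split into TO and FROM
            to = parts[1]; from = parts[2]
            sub(/ *$/, "", to); sub(/ *$/, "", from)
            if (to ~ /\(v6\)/ || from ~ /\(v6\)/) next   # skip IPv6 rules
            # does the source column cover the admin address?
            if (from != "Anywhere" && from != ip) next
            # does the destination column cover the port?
            if (to == "Anywhere") { found = 1; exit }
            sub(/\/.*$/, "", to)                  # drop a "/tcp" suffix
            if (to ~ /^[0-9]+$/ && to == port) { found = 1; exit }
            if (to ~ /^[0-9]+:[0-9]+$/) {         # "lo:hi" port range
                split(to, r, ":")
                if (port >= r[1]+0 && port <= r[2]+0) { found = 1; exit }
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Demo on the constructed sample: 192.168.1.77 may reach any port (rule 5),
# while an address outside the allow list may only reach ports 80 and 443.
if admin_access_allowed "$SAMPLE_STATUS" 22 192.168.1.77; then
    echo "ok: 192.168.1.77 can still reach SSH after 'ufw enable'"
fi
if ! admin_access_allowed "$SAMPLE_STATUS" 22 10.0.0.9; then
    echo "warning: 10.0.0.9 would be locked out of SSH by this ruleset"
fi
```

On a live system, run it against the real listing and your own session address, which sshd exposes as the first field of SSH_CLIENT: admin_access_allowed "$(ufw status numbered)" 22 "${SSH_CLIENT%% *}" || echo "do not enable yet". A rule for a whole subnet will report a false "locked out" because CIDR matching is deliberately left out; in that case check the source column by hand.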