Uncomplicated Firewall… be careful

If like me, you enjoy the simplicity of UFW (Uncomplicated Firewall) on your Ubuntu servers be careful when you turn it on. UFW doesn’t have any default rules to allow ssh inbound by default, if you aren’t careful when turning it on you could find yourself locked out, and if you don’t have direct console access to the server that could mean being locked out forever! Not a conversation you want to have with a client, or your boss,… or tech support at your friendly cloud provider.

So before turning UFW on for the first time here are couple quick tips.

The easy way

Build your allow rule first.

sudo ufw allow 22/tcp
sudo ufw show added

Only then after seeing the output which confirms the rule is added, should you turn on ufw.

sudo ufw enable

The less easy way – edit the file directly

Why would you want to use the less easy way!? Well, you may have need to copy this file over to a newly built server. Maybe because you like to know where configuration files hide. Or maybe just because you like to do things a different way. Anyway whatever your reasons may be here you go.

Edit the user.rules file at /lib/ufw

sudo vim /lib/ufw/user.rules

Add the following lines directly under the section that says RULES

### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in

-A ufw-user-input -p tcp --dport 22 -j ACCEPT

I’d like to say that I didn’t learn this the hard way but alas I seem to have locked myself out one too many times!

Be careful with the “easy” tools. They will bite you if you aren’t paying close attention!

Author: Luke

Linux Systems Administrator RHCSA, LFCS, ITIL v3 Foundations.

One thought on “Uncomplicated Firewall… be careful”

Leave a Reply