#15 Installing ufw Firewall on My Pi…

If you are opening your Raspberry Pi to the internet, then security should be a concern/part of your project design.

I’m going to install a software firewall called ufw on to My Pi.

1. Installing ufw

Installing this firewall on the Raspberry Pi is accomplished easily via the terminal and the following line:

sudo apt install ufw

The above installs the firewall. Before enabling it, though, it is recommended to think about which ports you need to have open to access your Raspberry Pi. I’ve bolded “your” at this point, as which ports you need depends on what you are doing on your Pi.

2. Allowing Ports

Ports are very important: different services use different ports, and it is worth knowing what some of them are. Popular ports include:

  • Port 80 – HTTP (for serving web pages)
  • Port 443 – HTTPS (for serving secure web pages)
  • Port 22 – SSH (needed if you SSH to your Pi)

More information on ports can be found at:
https://en.wikipedia.org/wiki/Port_(computer_networking)

Allowing a port is done via:

sudo ufw allow Port_Number

For example, sudo ufw allow 443 allows connections to port 443 (HTTPS).

3. Denying Ports

Just as it is important to allow ports, it is also important to deny ports. Denying a port stops connections to the port, so make sure you don’t deny access to a port you need access to (i.e. if you SSH to your Pi do not deny port 22).

Denying a port is very similar to allowing a port:

sudo ufw deny Port_Number

For example, sudo ufw deny 443 would deny connections to port 443 (HTTPS).

4. Firewall status

To view the status of your firewall (e.g. what is allowed, denied or limited) enter:

sudo ufw status

UFW will then list all the ports it is allowing/denying/limiting. Note that entries marked (v6) are the IPv6 versions of a rule. An internet connection generally uses IPv4, but at some point IPv6 should become the standard. I write “at some point” because the transition from IPv4 to IPv6 is a long process. For more information see: https://en.wikipedia.org/wiki/IPv6

5. Limiting Ports

Limiting is a great function if you want to allow a port but also want a little security on the port. Limiting allows the port but if multiple connections (6 or more) are attempted in a time frame (30 seconds) then UFW denies the connections. Note: Limiting currently only works on IPv4.

sudo ufw limit ssh/tcp

The above will limit access to ssh.

6. Log files

To enable logging (recommended) enter:

sudo ufw logging on

UFW stores the log in /var/log/ufw.log. If you’re working on a project and having issues connecting, then I recommend viewing the logs to see if your project is using an unexpected port (in which case you may need to allow the port).
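
The log check described above can be scripted. The following is an added example, not part of the original article: a shell function (ufw_blocked_ports, a name made up here) that counts [UFW BLOCK] entries per direction, protocol and destination port. The sample log lines are constructed.

```shell
#!/bin/sh
# Added example: summarise what ufw blocked, by direction, protocol and port.

# Constructed sample lines in the kernel log format ufw writes (not real traffic).
ufw_sample_log() {
    cat <<'EOF'
Jun 22 10:15:01 raspberrypi kernel: [ 101.000001] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=51514 DPT=8080 WINDOW=29200 SYN URGP=0
Jun 22 10:15:04 raspberrypi kernel: [ 104.000001] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=51516 DPT=8080 WINDOW=29200 SYN URGP=0
Jun 22 10:16:10 raspberrypi kernel: [ 170.000001] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=44 TTL=52 ID=3 PROTO=TCP SPT=40022 DPT=23 WINDOW=1024 SYN URGP=0
Jun 22 10:17:30 raspberrypi kernel: [ 250.000001] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.20 LEN=70 TTL=64 ID=4 DF PROTO=UDP SPT=49152 DPT=1194 LEN=50
Jun 22 10:18:00 raspberrypi kernel: [ 280.000001] [UFW ALLOW] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TTL=64 ID=5 DF PROTO=TCP SPT=51600 DPT=22 WINDOW=29200 SYN URGP=0
Jun 22 10:19:00 raspberrypi kernel: [ 340.000001] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=84 TTL=52 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
EOF
}

# ufw_blocked_ports [LOGFILE]   (default /var/log/ufw.log, "-" reads stdin)
# Prints "COUNT DIRECTION PROTO/PORT", most frequently blocked first.
ufw_blocked_ports() {
    awk '
    /\[UFW BLOCK\]/ {
        proto = ""; dpt = ""; in_if = ""; out_if = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^PROTO=/) proto  = tolower(substr($i, 7))
            else if ($i ~ /^DPT=/)   dpt    = substr($i, 5)
            else if ($i ~ /^IN=/)    in_if  = substr($i, 4)
            else if ($i ~ /^OUT=/)   out_if = substr($i, 5)
        }
        # Empty IN= means the Pi itself sent the packet; both set means forwarded.
        dir = (in_if == "") ? "out" : ((out_if == "") ? "in" : "routed")
        # Entries without a destination port (e.g. ICMP) are skipped.
        if (proto != "" && dpt != "") count[dir " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }
    ' "${1:-/var/log/ufw.log}" | sort -k1,1nr -k2
}

# Demo on the constructed sample; on the Pi run: ufw_blocked_ports /var/log/ufw.log
ufw_sample_log | ufw_blocked_ports -
```

A port that shows up here is only a candidate: allow it if you recognise the service behind it, and leave it blocked otherwise.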

7. Enabling ufw

After configuring UFW it needs turning on using the line:

sudo ufw enable

8. Extra configuration notes

After installing, configuring and running ufw, I discovered that some of the applications I run on My Pi suddenly stopped working. Below are some examples of ufw allow/limit/deny commands that may help you fix connection issues.

sudo ufw default deny incoming
sudo ufw default allow outgoing
# Replace x with the third octet of your own local network
sudo ufw allow in to 192.168.x.0/24
sudo ufw allow out to 192.168.x.0/24
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw limit ssh/tcp
sudo ufw allow 10000/tcp   # For Webmin
sudo ufw allow 666/tcp     # For clamav
sudo ufw allow 3389/tcp    # For XRDP
sudo ufw allow 8080/tcp    # For Domoticz
sudo ufw allow 8118/tcp    # For Privoxy
sudo ufw allow 9981/tcp    # For TVheadend
sudo ufw limit 8081/tcp    # For Motion
sudo ufw allow 5900/tcp    # For VNC
sudo ufw deny telnet
sudo ufw allow samba
sudo ufw logging on
sudo ufw default deny outgoing               # For OpenVPN
sudo ufw allow 943/tcp                       # For OpenVPN
sudo ufw allow 1194/udp                      # For OpenVPN
# ufw names the forwarding policy "routed"; "FORWARD" is not accepted by "ufw default"
sudo ufw default allow routed                # For OpenVPN
sudo ufw allow out on tun0 from any to any   # For OpenVPN
sudo ufw allow in on tun0 from any to any    # For OpenVPN

9. Installing gufw

If you prefer to use a GUI for ufw via the Raspberry Pi desktop, then you should install gufw using the following:

sudo apt-get install gufw

10. Limiting IPv6

If you need to limit IPv6 through the new firewall on your Pi, you can make the following change to the ufw config file:

sudo nano /etc/default/ufw

Replace:

IPV6=yes

with:

IPV6=no

Enjoy!

Original article that helped me:
https://geektechstuff.com/2019/06/22/installing-a-firewall-basics-raspberry-pi/
