1
00:00:00,000 --> 00:00:09,440
In this video, you'll learn about UFW.

2
00:00:09,440 --> 00:00:16,160
UFW is the Uncomplicated Firewall, and it was developed to work with an intuitive syntax.

3
00:00:16,160 --> 00:00:19,160
It's a default that you will find on Ubuntu.

4
00:00:19,160 --> 00:00:23,000
Let's go to an Ubuntu server where I can show you how to work with it.

5
00:00:23,000 --> 00:00:27,200
So for this demo, as you can see, we are on an Ubuntu server.

6
00:00:27,200 --> 00:00:32,360
And a fun, complicating part is that I'm on SSH.

7
00:00:32,360 --> 00:00:35,160
So yeah, what are we going to do?

8
00:00:35,160 --> 00:00:47,959
Well, I want to check if UFW is currently available, so I'm using sudo ufw status.

9
00:00:47,959 --> 00:00:50,599
And there we can see that UFW is inactive.

10
00:00:50,599 --> 00:00:56,639
Well, I want to enable it, so sudo ufw enable.

11
00:00:56,639 --> 00:00:59,799
Oh boy, may disrupt existing SSH connection.

12
00:00:59,799 --> 00:01:01,400
Proceed with operation.

13
00:01:01,400 --> 00:01:10,720
Let's not do that, and let's do the smart thing and first use sudo ufw allow ssh.

14
00:01:10,720 --> 00:01:15,760
I want to make sure that we have a rule for SSH before I'm going to enable the firewall.

15
00:01:15,760 --> 00:01:21,680
And then I'm going to reset, and now we can see firewall is active and enabled on system startup.

16
00:01:21,680 --> 00:01:24,800
UFW status should show us that at this moment.

17
00:01:24,800 --> 00:01:32,320
As you can see, port 22 is allowed over IPv4 as well as v6.

18
00:01:32,320 --> 00:01:38,000
Next, do I really want to sudo ufw reject out ssh?

19
00:01:38,000 --> 00:01:39,720
No, I don't want to do that.

20
00:01:39,720 --> 00:01:45,239
I want sudo ufw reject out ftp.

21
00:01:45,239 --> 00:01:48,320
No FTP outgoing traffic.

22
00:01:48,320 --> 00:01:52,279
I'm not going to try to cut off the branch on which I'm sitting.

23
00:01:52,320 --> 00:01:56,239
So that is why I'm using FTP as I'm not using it anyway.

24
00:01:56,239 --> 00:02:01,599
So sudo ufw status is showing the reject out for FTP.

25
00:02:01,599 --> 00:02:09,039
And if you regret it, you can always use sudo ufw delete reject out ftp.

26
00:02:09,039 --> 00:02:12,160
As you can see, the syntax is quite straightforward.

27
00:02:12,160 --> 00:02:17,839
But even if the syntax is straightforward, you can do pretty advanced things as well,

28
00:02:17,839 --> 00:02:28,240
like sudo ufw deny proto tcp from 10.0.0.10 to any port 22.

29
00:02:28,240 --> 00:02:30,160
So what is that doing?

30
00:02:30,160 --> 00:02:34,639
Well, let's go back to sudo ufw status.

31
00:02:34,639 --> 00:02:40,440
And we can see that we have denied to port 22 for 10.0.0.10.

32
00:02:40,440 --> 00:02:44,000
So that is how you can deny one IP address,

33
00:02:44,000 --> 00:02:49,559
or, if you want to, an entire network, access to a specific port.

34
00:02:49,559 --> 00:02:54,279
Next, I'm going to show you sudo ufw app list,

35
00:02:54,279 --> 00:02:57,800
because ufw can work with applications.

36
00:02:57,800 --> 00:03:00,639
But this application needs to be installed.

37
00:03:00,639 --> 00:03:02,720
And well, we see one only.

38
00:03:02,720 --> 00:03:13,880
And I can request information about it using sudo ufw app info OpenSSH.

39
00:03:13,880 --> 00:03:17,440
And there we can see what it is doing: its short description.

40
00:03:17,440 --> 00:03:20,800
So you can work with apps and you can work with ports.

41
00:03:20,800 --> 00:03:26,839
And if you want more information, sudo ufw logging on might be convenient.

42
00:03:26,839 --> 00:03:30,679
That is going to enable logging so that you can find extensive information

43
00:03:30,679 --> 00:03:36,039
about firewall access, as well as blocks that might be helpful in troubleshooting.

44
00:03:36,039 --> 00:03:43,960
Finally, the man page for ufw is giving all the information about what you can do.

45
00:03:43,960 --> 00:03:48,960
Now, man ufw is giving information about all the different syntax components.

46
00:03:48,960 --> 00:03:53,320
And based on that, you should be able to build yourself a pretty serious firewall.

