====== UFW (Firewall) Cheat Sheet ======


ufw => //U//ncomplicated //F//ire//W//all

===== Display Rules in force =====


  root@s6-mc:~# ufw status numbered
  Status: active
  
       To                         Action      From
       --                         ------      ----
  [ 1] 22                         ALLOW IN    83.244.144.48/28
  [ 2] 11211                      ALLOW IN    192.168.177.183
  [ 3] 11211                      ALLOW IN    192.168.145.140
  [ 4] 11211                      ALLOW IN    192.168.129.71
  [ 5] 11211                      ALLOW IN    83.244.144.48/28
  [ 6] 11211                      ALLOW IN    192.168.130.221
  [ 7] 11211/tcp                  ALLOW IN    84.45.105.145
  
  root@s6-mc:~#


===== Allow packets from source to specific port =====

  root@host:~# ufw allow from 84.45.105.145 to any port 11211
  Rule added
  root@host:~#


===== Specify protocol =====

  root@host:~# ufw allow proto tcp from 84.45.105.145 to any port 11211
  Rule added                                                                                                                                      
  root@host:~#


===== Delete Rule by number position =====

<code>
root@host02:~# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    83.244.144.48/28
[ 2] 22/tcp                     ALLOW IN    84.45.114.216/29
[ 3] 22/tcp                     ALLOW IN    84.45.105.128/26
[ 4] 22/tcp                     ALLOW IN    31.54.202.43
[ 5] 22/tcp                     ALLOW IN    86.163.124.91
[ 6] 22/tcp                     ALLOW IN    109.170.140.10
[ 7] 22/tcp                     ALLOW IN    79.77.60.164
[ 8] 161/udp                    ALLOW IN    83.244.144.52
[ 9] Anywhere                   DENY IN     185.130.5.180
[10] Anywhere                   DENY IN     185.130.5.181
[11] Anywhere                   DENY IN     185.130.5.209
[12] 80/tcp                     ALLOW IN    Anywhere
[13] 443/tcp                    ALLOW IN    Anywhere
[14] 443/tcp                    ALLOW IN    Anywhere (v6)

root@host02:~# ufw delete 14
Deleting:
 allow 443/tcp
Proceed with operation (y|n)? y
Rule deleted (v6)

</code>

===== Show ufw activity =====

  root@host:~# tail -f /var/log/ufw.log
  May 27 15:37:56 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:69:a0:d7:84:78:ac:0d:8f:41:08:00 SRC=84.45.105.145 DST=212.71.251.190 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=27358 DF PROTO=TCP SPT=58028 DPT=11211 WINDOW=14600 RES=0x00 SYN URGP=0 
  May 27 15:37:58 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:69:a0:d7:84:78:ac:0d:8f:41:08:00 SRC=84.45.105.145 DST=212.71.251.190 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=27359 DF PROTO=TCP SPT=58028 DPT=11211 WINDOW=14600 RES=0x00 SYN URGP=0 
  
  
===== Blocking one IP address - At the end of the rules set =====

The below rules, add a deny rule at the end of the ufw numbered rules.

<code>
root@host02:~# ufw deny from 185.130.5.180
Rule added
root@host02:~# ufw deny from 185.130.5.209
Rule added
</code>

But the IP addresses were not blocked because there was a precedent rule allowing all traffic to port 80 (rule #4):

<code>

root@host02:~# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    83.244.144.48/28
[ 2] 22/tcp                     ALLOW IN    84.45.114.216/29
[ 3] 22/tcp                     ALLOW IN    84.45.105.128/26
[ 4] 80                         ALLOW IN    Anywhere
[ 5] 443                        ALLOW IN    Anywhere
[ 6] 22/tcp                     ALLOW IN    31.54.202.43
[ 7] 22/tcp                     ALLOW IN    86.163.124.91
[ 8] 22/tcp                     ALLOW IN    109.170.140.10
[ 9] 22/tcp                     ALLOW IN    79.77.60.164
[10] 161/udp                    ALLOW IN    83.244.144.52
[11] Anywhere                   DENY IN     185.130.5.180
[12] Anywhere                   DENY IN     185.130.5.209

</code>


This can be done removing the Allow 80 and 443 rules and adding them again, but a better solution is the below, insert the new rule in the right position:

===== Blocking one IP address - Inserting rule in a specific position / order =====

The below command insert a new rule in a specific position.

<code>
### before:

root@host02:~# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    83.244.144.48/28
[ 2] 22/tcp                     ALLOW IN    84.45.114.216/29
[ 3] 22/tcp                     ALLOW IN    84.45.105.128/26
[ 4] 22/tcp                     ALLOW IN    31.54.202.43
[ 5] 22/tcp                     ALLOW IN    86.163.124.91
[ 6] 22/tcp                     ALLOW IN    109.170.140.10
[ 7] 22/tcp                     ALLOW IN    79.77.60.164
[ 8] 161/udp                    ALLOW IN    83.244.144.52
[ 9] Anywhere                   DENY IN     185.130.5.180
[10] Anywhere                   DENY IN     185.130.5.209
[11] 80/tcp                     ALLOW IN    Anywhere
[12] 443/tcp                    ALLOW IN    Anywhere
[13] 80/tcp                     ALLOW IN    Anywhere (v6)
[14] 443/tcp                    ALLOW IN    Anywhere (v6)


### command
root@host02:~# ufw insert 10 deny from 185.130.5.181
Rule inserted


### After
root@host02:~# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    83.244.144.48/28
[ 2] 22/tcp                     ALLOW IN    84.45.114.216/29
[ 3] 22/tcp                     ALLOW IN    84.45.105.128/26
[ 4] 22/tcp                     ALLOW IN    31.54.202.43
[ 5] 22/tcp                     ALLOW IN    86.163.124.91
[ 6] 22/tcp                     ALLOW IN    109.170.140.10
[ 7] 22/tcp                     ALLOW IN    79.77.60.164
[ 8] 161/udp                    ALLOW IN    83.244.144.52
[ 9] Anywhere                   DENY IN     185.130.5.180
[10] Anywhere                   DENY IN     185.130.5.181
[11] Anywhere                   DENY IN     185.130.5.209
[12] 80/tcp                     ALLOW IN    Anywhere
[13] 443/tcp                    ALLOW IN    Anywhere
[14] 80/tcp                     ALLOW IN    Anywhere (v6)
[15] 443/tcp                    ALLOW IN    Anywhere (v6)

</code>


===== Extra documentation =====

https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server