Configuring Firewall Rules using UFW on Raspberry Pi
Ensuring the security of your Raspberry Pi is essential, especially if it is exposed to the internet. Uncomplicated Firewall (UFW) is a user-friendly interface for managing iptables firewall rules and is a great tool for securing your Raspberry Pi by controlling incoming and outgoing traffic. This guide will walk you through the steps to configure firewall rules using UFW on your Raspberry Pi.
Equipment Needed
- Raspberry Pi with Raspberry Pi OS installed
- Internet connection
- Access to the command line
Install UFW
UFW is not installed by default on Raspberry Pi OS, so you will need to install it first.
- Update your system:
sudo apt update
sudo apt upgrade
- Install UFW:
sudo apt install ufw
Enable UFW
UFW is installed disabled, and you need to enable it to start using it. If you are working on the Pi over SSH, allow SSH first (see Step 1 under Configuring Basic Firewall Rules below); otherwise enabling the firewall can lock you out.
- Enable UFW:
sudo ufw enable
- Check the status:
sudo ufw status
The output should show that UFW is active, but with no rules configured yet.
Basic UFW Commands
Before configuring specific rules, it's helpful to understand some basic UFW commands:
- Enable UFW:
sudo ufw enable
- Disable UFW:
sudo ufw disable
- Check UFW status:
sudo ufw status
- Allow a connection:
sudo ufw allow <port/service>
- Deny a connection:
sudo ufw deny <port/service>
- Delete a rule:
sudo ufw delete allow <port/service>
sudo ufw delete deny <port/service>
Configuring Basic Firewall Rules
Step 1: Allow SSH Connections
If you access your Raspberry Pi via SSH, you need to allow SSH connections before enabling UFW; otherwise, you could lock yourself out.
- Allow SSH:
sudo ufw allow ssh
Step 2: Allow Specific Ports
To allow traffic on specific ports, use the following commands. For example, to allow HTTP (port 80) and HTTPS (port 443) traffic:
- Allow HTTP:
sudo ufw allow 80/tcp
- Allow HTTPS:
sudo ufw allow 443/tcp
Step 3: Allow Specific Services
UFW recognizes service names defined in the /etc/services file (such as ssh) as well as application profiles such as OpenSSH, which you can list with sudo ufw app list. For example, to allow OpenSSH:
- Allow OpenSSH:
sudo ufw allow OpenSSH
Step 4: Deny Specific Ports
To deny traffic on specific ports, use the following commands. For example, to deny all traffic on port 23 (Telnet):
- Deny Telnet:
sudo ufw deny 23/tcp
Advanced UFW Configuration
Step 1: Allow Connections from Specific IP Addresses
To allow connections from a specific IP address (with the default deny incoming policy, that address is then the only one allowed in), use:
- Allow from specific IP:
sudo ufw allow from <IP_ADDRESS>
- Allow from specific IP to a specific port:
sudo ufw allow from <IP_ADDRESS> to any port <PORT_NUMBER>
Step 2: Deny Connections from Specific IP Addresses
To deny connections from a specific IP address, use:
- Deny from specific IP:
sudo ufw deny from <IP_ADDRESS>
- Deny from specific IP to a specific port:
sudo ufw deny from <IP_ADDRESS> to any port <PORT_NUMBER>
Step 3: Limit Connections
To protect against brute-force attacks, you can use the limit rule, which allows connections but temporarily blocks a source address that makes too many new connection attempts in a short period (by default, more than six attempts within 30 seconds).
- Limit SSH connections:
sudo ufw limit ssh
Step 4: Default Policies
Setting default policies is crucial to ensure the firewall behaves as expected. The usual baseline, and UFW's own default, is to deny all incoming connections and allow all outgoing connections, so that only the traffic you explicitly allow can reach the Pi.
- Deny all incoming connections:
sudo ufw default deny incoming
- Allow all outgoing connections:
sudo ufw default allow outgoing
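The steps in the basic and advanced sections above are one procedure, and their order matters: the default policies and an SSH rule must be in place before the firewall is enabled. The script below is an added example, not part of the original guide, that applies those rules in a lock-out-safe order. It assumes the management address 203.0.113.10 (a constructed placeholder from the TEST-NET-3 range) and a hypothetical UFW_CMD variable that lets you dry-run the commands with UFW_CMD=echo before running them through sudo ufw.

```shell
#!/bin/sh
# Added example (not from the original guide): apply the rules from the two
# sections above in a lock-out-safe order. ADMIN_IP is a constructed
# placeholder address (TEST-NET-3); replace it with your management host.
# Set UFW_CMD=echo to print the commands instead of running them.

UFW_CMD="${UFW_CMD:-sudo ufw}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # constructed placeholder, not a real host

# The ordered rule set, one ufw argument list per line. Defaults and the SSH
# rule come first; "enable" comes last so the firewall never comes up without
# an SSH rule. "limit ssh" both allows SSH and rate-limits it, so a separate
# "allow ssh" is not needed (it would match first and bypass the limit).
ufw_plan() {
    cat <<EOF
default deny incoming
default allow outgoing
limit ssh
allow 80/tcp
allow 443/tcp
deny 23/tcp
allow from $ADMIN_IP to any port 22
enable
EOF
}

# Exit 0 only if an ssh allow/limit rule precedes "enable" in the plan.
ufw_plan_is_safe() {
    ufw_plan | awk '
        /^(allow|limit) (ssh|22|22\/tcp|OpenSSH)$/ { ssh_seen = 1 }
        /^enable$/ { enable_seen = 1; if (!ssh_seen) bad = 1 }
        END { exit (bad || !enable_seen) }'
}

# Run the plan line by line. "ufw enable" normally asks for confirmation when
# it may disrupt an SSH session; --force answers it, which is acceptable here
# because the guard above has already verified the SSH rule is in place.
ufw_apply() {
    ufw_plan_is_safe || { echo "refusing to apply: no SSH rule before enable" >&2; return 1; }
    ufw_plan | while IFS= read -r rule; do
        case "$rule" in
            enable) $UFW_CMD --force enable ;;
            *)      $UFW_CMD $rule ;;
        esac
    done
}

# Usage: sh ufw-baseline.sh        -> print the plan only
#        sh ufw-baseline.sh apply  -> apply it with $UFW_CMD
case "${1:-}" in
    apply) ufw_apply ;;
    *)     ufw_plan ;;
esac
```

Run it once without arguments to review the plan, then with UFW_CMD=echo and the apply argument to see the exact commands, and only then with apply alone on the Pi. The guard function refuses to enable the firewall unless an SSH rule is earlier in the plan, which is the mistake the guide warns about.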
Checking and Managing Rules
Step 1: Check UFW Status and Rules
To view the current status and list of rules:
- Check UFW status:
sudo ufw status verbose
Step 2: Deleting Rules
To delete a rule, you need to specify the rule exactly as it was added:
- Delete an allow rule:
sudo ufw delete allow <port/service>
- Delete a deny rule:
sudo ufw delete deny <port/service>
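Reading the status output and deleting rules (the two steps above) both benefit from a small check rather than eyeballing the list. The script below is an added example, not part of the original guide. It parses the text printed by sudo ufw status verbose to confirm the default incoming policy and to flag any port open to Anywhere that is not on an expected list, and it parses sudo ufw status numbered to find the rule numbers for a given rule so they can be deleted with sudo ufw delete <number> (a UFW feature that avoids retyping the rule exactly). The two status samples are constructed to look like real UFW output, and the port 8080 rule in them is a deliberately unexpected entry.

```shell
#!/bin/sh
# Added example, not part of the original guide: checks over the text that
# "sudo ufw status verbose" and "sudo ufw status numbered" print. Both samples
# below are constructed; replace them with the live output from your Pi, e.g.
#   STATUS="$(sudo ufw status verbose)"; ufw_default_incoming "$STATUS"

SAMPLE_VERBOSE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
23/tcp                     DENY IN     Anywhere
22/tcp (v6)                LIMIT IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)'

SAMPLE_NUMBERED='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere
[ 4] 23/tcp                     DENY IN     Anywhere
[ 5] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)'

# Print the default incoming policy ("deny" or "allow") from verbose status.
# Prints nothing when the firewall is inactive, since UFW omits the line then.
ufw_default_incoming() {
    printf '%s\n' "$1" | awk -F'[:,()]+' '/^Default:/ { gsub(/ /, "", $2); print $2 }'
}

# List IPv4 ports that accept connections from Anywhere (ALLOW or LIMIT) but
# are not in the expected list. Args: status text, expected ports separated by
# spaces, e.g. "22/tcp 80/tcp 443/tcp".
ufw_unexpected_allows() {
    printf '%s\n' "$1" | awk -v expected="$2" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $2 ~ /^(ALLOW|LIMIT)$/ && $3 == "IN" && $4 == "Anywhere" {
            if (!($1 in ok)) print $1
        }'
}

# Print the rule numbers, highest first, whose "To" column equals the given
# rule (e.g. 8080/tcp). Highest first matters: UFW renumbers the remaining
# rules after every delete, so deleting from the top down keeps numbers valid.
ufw_rule_numbers() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^\[/ { sub(/^\[ */, ""); sub(/]/, ""); if ($2 == want) print $1 }
    ' | sort -rn
}

# Print one "ufw --force delete N" command per matching rule. --force skips the
# per-rule confirmation prompt. Pipe the output into sh to apply it.
ufw_delete_commands() {
    ufw_rule_numbers "$1" "$2" | while read -r num; do
        printf '%s --force delete %s\n' "${UFW_CMD:-sudo ufw}" "$num"
    done
}

# Example run over the constructed samples:
echo "default incoming policy: $(ufw_default_incoming "$SAMPLE_VERBOSE")"
ufw_unexpected_allows "$SAMPLE_VERBOSE" "22/tcp 80/tcp 443/tcp" | sed 's/^/unexpected open port: /'
ufw_delete_commands "$SAMPLE_NUMBERED" 8080/tcp
```

On the constructed samples the audit reports 8080/tcp as the only unexpected open port, and the delete helper emits the commands for rules 5 and 3 in that order, so the second number is still correct after the first delete runs.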
Conclusion
Configuring firewall rules using UFW on your Raspberry Pi is a straightforward process that significantly enhances your device's security. By controlling incoming and outgoing traffic, you can protect your Raspberry Pi from unauthorized access and potential attacks. Whether you are using your Raspberry Pi for personal projects, as a server, or in a networked environment, implementing UFW helps ensure a secure and reliable setup.