<strong>Uncomplicated Firewall</strong> (UFW) is a front end for the more involved <code>iptables</code> firewall, which is installed in most GNU/Linux distributions.
We can use <code>ufw</code> to let machines on the internet reach only the services (SSH, websites etc.) you want them to, but it can also be used to prevent programs on the computer itself from accessing parts of the internet they shouldn't.
<p>You can check the status of <code>ufw</code> right now by running:</p>
<pre><code>ufw status</code></pre>
<p>Without any changes, it should report back <code>Status: inactive</code>. Let's set it up so that only connections to SSH (standardized at port 22) are allowed in, and then enable the firewall:</p>
<aside>
<strong>Careful!</strong> Enabling <code>ufw</code> without allowing SSH will block you from remoting to your server.
Double-check that you have allowed SSH, and if you have changed the default SSH port, put in <em>that</em> number instead.
</aside>
<pre><code>ufw default deny incoming # block all incoming connections by default
ufw allow in ssh # or: ufw allow in 22
ufw enable</code></pre>
<aside>
<code>ufw</code> has an internal list of applications and protocols and the ports they use, which is why <code>ufw allow in ssh</code> above works without naming port 22.
</aside>
<p>Suppose you install <a href="gemini.html">a Gemini server</a>, which listens on port 1965. With the default above, <code>ufw</code> blocks all incoming connections on all ports, so whenever you install a new service like this you will have to tell <code>ufw</code> to allow the desired port, just as you did for SSH.</p>
<p>Alternatively, instead of denying all ports by default, you can allow incoming connections by default and then deny (silently ignore the incoming request) or reject (send back an explicit refusal) specific ports:</p>
<pre><code>ufw default allow incoming # allow all incoming connections by default
ufw deny in <strong>PORT</strong>   # silently drop connections to PORT
ufw reject in <strong>PORT</strong> # refuse connections to PORT with an explicit response
ufw reload</code></pre>
<p>You can add comments to rules to remember what they are there for:</p>
<pre><code>ufw allow in <strong>PORT</strong> comment 'Secret SSH'
ufw reload
ufw status verbose</code></pre>
<p>Output:</p>
<pre><code>To                         Action      From
--                         ------      ----
<strong>PORT</strong>                       ALLOW IN    Anywhere                   # Secret SSH
<strong>PORT</strong> (v6)                  ALLOW IN    Anywhere (v6)              # Secret SSH</code></pre>
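<p>The rule table above has a fixed column layout, so a deploy script can read it back and confirm the firewall still looks the way you intended (for example that SSH is still allowed after a <code>ufw reload</code>, and that nothing else has been opened). The following is an added example, not code from the original page or from the ufw project; the sample output it checks is constructed, and the function names are my own.</p>

```shell
#!/bin/sh
# Added example: audit the rule table printed by `ufw status verbose`.
# Both functions read that output on stdin and look only at IPv4 rules;
# the "(v6)" rows shift the columns and are skipped on purpose.
# `rest` absorbs the From column and any "# comment" that follows it.

# has_allow_in PORT: succeed if PORT (given as "22", matching "22",
# "22/tcp" or "22/udp", or as an app profile name such as "OpenSSH")
# has an ALLOW IN rule. Run it after a reload to confirm SSH is still open.
has_allow_in() {
    port="$1"; found=1
    while read -r to action dir rest; do
        [ "$action" = ALLOW ] && [ "$dir" = IN ] || continue
        case "$to" in "$port"|"$port/tcp"|"$port/udp") found=0 ;; esac
    done
    return "$found"
}

# unexpected_allow_in "22 1965": print every ALLOW IN rule whose port (or
# profile name) is not in the space-separated expected list; fail if any.
unexpected_allow_in() {
    expected=" $1 "; bad=0
    while read -r to action dir rest; do
        [ "$action" = ALLOW ] && [ "$dir" = IN ] || continue
        case "$expected" in
            *" ${to%/*} "*) ;;                        # listed: fine
            *) printf 'unexpected: %s\n' "$to"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Live use on the server (as root): audit_firewall 22 1965
audit_firewall() { ufw status verbose | unexpected_allow_in "$*"; }

# Constructed sample of `ufw status verbose` output, used for the checks below.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                   # Secret SSH
1965/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)              # Secret SSH
1965/tcp (v6)              ALLOW IN    Anywhere (v6)'

printf '%s\n' "$SAMPLE_STATUS" | has_allow_in 22 && echo "SSH is allowed in"
printf '%s\n' "$SAMPLE_STATUS" | unexpected_allow_in "22" || echo "review the rules above"
```

<p>Run against the sample, the second call reports <code>unexpected: 1965/tcp</code>, because only port 22 was listed as expected.</p>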
<p>To deny outgoing ports:</p>
<pre><code>ufw deny out <strong>PORT</strong></code></pre>
<p>Rate limiting is useful to protect against brute-force login attacks, such as on SSH. Only IPv4 is supported for now. Enable it by running:</p>