UFW Configuration

Advanced UFW configuration.

Advanced UFW configuration allows you to create more sophisticated firewall rules. Learn how to set up IP-based rules, implement rate limiting, and manage IPv6 traffic. These techniques create a more secure network environment.

Working with IP addresses and subnets

UFW lets you control traffic from specific IP addresses or entire networks. This feature helps create precise security policies for your server. Here's how to allow traffic from a specific IP address (in this example, your own IP address). Because no port is given, the rule admits that address on every port and protocol:

sudo ufw allow from 3.149.243.29

To control traffic from an entire subnet, use CIDR notation:

sudo ufw allow from 192.168.1.0/24

Setting up rate limiting

Rate limiting helps prevent brute-force attacks by restricting connection attempts. It's especially useful for protecting services like SSH. Enable rate limiting with this command:

sudo ufw limit ssh

This limits SSH connections to 6 or fewer per 30 seconds from a single IP. You can apply rate limiting to any port:

sudo ufw limit 3306/tcp

Configuring IPv6 support

Modern networks often use both IPv4 and IPv6. UFW can protect both protocols simultaneously. Check your IPv6 configuration status:

sudo nano /etc/default/ufw

Look for "IPV6=yes" in the configuration file. If you change this setting, restart UFW:

sudo ufw disable
sudo ufw enable

Creating custom rule combinations

UFW allows you to combine multiple conditions in a single rule. This flexibility helps create precise access controls. Here's an example that combines port, protocol, and IP range restrictions:

sudo ufw allow from 192.168.1.0/24 to any port 5432 proto tcp

With UFW's default policy of denying incoming traffic and no broader rule for port 5432, this rule allows PostgreSQL connections only from your local network. It demonstrates how to combine IP ranges, ports, and protocols effectively.

Application profiles

UFW includes pre-configured profiles for common applications. These profiles simplify firewall configuration for standard services. View available profiles with:

sudo ufw app list

Apply a profile using:

sudo ufw allow 'Nginx Full'
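
As a check on the rules built up in the sections above, the following shell function (an added example, not part of the original page) reads `ufw status` output and flags the ports used on this page when they are open to any source without rate limiting, plus rules that let one address reach every port. The status text, the 203.0.113.7 address, the port list and the finding labels are constructed for the example.

```shell
#!/bin/sh
# Added example: audit plain `ufw status` output (incoming rules show as ALLOW).
# On a live host, run: sudo ufw status | audit_ufw_status
SENSITIVE_PORTS="22 3306 5432"   # assumption: SSH, MySQL, PostgreSQL ports from this page

# Reads `ufw status` text on stdin; prints one finding per line.
audit_ufw_status() {
    awk -F'  +' -v ports="$SENSITIVE_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) sens[p[i]] = 1 }
        /^Status:/ {
            if ($0 !~ /^Status: active/) print "INACTIVE: firewall is not enabled"
            next
        }
        NF < 3 || $1 == "To" || $1 == "--" { next }   # blank lines and table header
        {
            to = $1; action = $2; from = $3
            v6 = (to ~ /\(v6\)/) ? " (v6)" : ""
            sub(/ \(v6\)$/, "", to); sub(/ \(v6\)$/, "", from)
            port = to; sub(/\/.*/, "", port)           # "3306/tcp" -> "3306"
            if (action != "ALLOW") next                # LIMIT, DENY, REJECT need no finding
            if (from == "Anywhere" && (port in sens))
                print "OPEN: port " port v6 " accepts any source without limit"
            else if (to == "Anywhere" && from != "Anywhere")
                print "BROAD: " from " may reach every port"
        }'
}

# Constructed sample of `ufw status` output (not captured from a real host).
sample_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
3306/tcp                   ALLOW       Anywhere
5432/tcp                   ALLOW       192.168.1.0/24
Nginx Full                 ALLOW       Anywhere
Anywhere                   ALLOW       203.0.113.7
22/tcp (v6)                LIMIT       Anywhere (v6)
3306/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}

sample_status | audit_ufw_status
```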