UFW rules

Basic UFW rules for Ubuntu web servers.

Configuring basic firewall rules is crucial for securing your web server. UFW makes this process straightforward and manageable. In this chapter, we'll set up essential rules for common web services.

We'll cover allowing HTTP, HTTPS, and SSH traffic. You'll learn how to secure your server while keeping it functional. These rules form the foundation of a secure web server configuration.

Understanding web server ports

Web servers typically use specific ports for different services. Knowing these ports is essential for proper firewall configuration. Here are the most common ports for web services:

  • Port 80: Used for HTTP traffic (unsecured web browsing)
  • Port 443: Used for HTTPS traffic (secured web browsing)
  • Port 22: Used for SSH (secure remote access)

These ports are the primary targets for your initial UFW rules. Properly configuring them ensures basic web server functionality and security.

Allowing HTTP traffic (port 80)

HTTP is the foundation of web browsing. To allow HTTP traffic, you need to open port 80. Here's the command to allow incoming connections on port 80: 

sudo ufw allow 80/tcp

This rule allows all incoming HTTP connections to your server. It's essential if you're hosting a website or web application. Remember, HTTP traffic is unencrypted, so use it cautiously.

Securing with HTTPS (port 443)

HTTPS provides encrypted connections for secure web browsing. It's crucial for handling sensitive information like passwords or payment details. To allow HTTPS traffic, open port 443 with this command: 

sudo ufw allow 443/tcp

This rule enables encrypted web traffic to your server. It's a must-have for any modern, secure web server. Always prioritize HTTPS over HTTP when possible.

Enabling SSH access (port 22)

SSH provides secure remote access to your server. It's typically used on port 22. To allow SSH connections, use this command: 

sudo ufw allow 22/tcp

This rule is crucial if you manage your server remotely. Without it, you might lock yourself out of your own server. Always ensure SSH access is configured before enabling the firewall.

Allowing multiple ports at once

UFW allows you to configure multiple ports in a single command. This can be useful for setting up all your web server ports at once. Here's how to allow HTTP, HTTPS, and SSH in one command: 

sudo ufw allow 80,443,22/tcp

This command opens ports 80, 443, and 22 for TCP traffic. It's a quick way to set up basic web server access. Always double-check the ports you're opening to ensure security.

Restricting access by IP address

For enhanced security, you can restrict access to certain ports by IP address. This is particularly useful for administrative services like SSH. Here's how to allow SSH access only from a specific IP address: 

sudo ufw allow from 18.117.152.156 to any port 22

Replace 18.117.152.156 (this is your current IP address) with the actual IP address you want to allow. This rule significantly enhances security for sensitive services. It's a good practice for services that don't need public access.

Verifying your rules

After setting up your rules, it's important to verify them. Use the following command to check your UFW configuration: 

sudo ufw status verbose

This command displays all active UFW rules. Review the output to ensure all desired ports are open. Check that no unintended ports have been accidentally opened.