Setting up ufw for a web server
Once you have a secure server - as described in the previous installment - the next step is to set up a firewall so that only expected traffic is allowed. The high ceremony approach to this is to write
iptables rules by hand. I never learned this, and once I found
ufw (short for uncomplicated firewall, a front end that generates the iptables rules for you) there seemed to be no need for it in trivial use cases like mine.
My needs are simple - I want to accept:
- ssh traffic on a port that is not 22
- http on port 80
- https on port 443
And that is all.
ufw comes with a set of predefined application profiles. They are located in
/etc/ufw/applications.d/ and grouped into typical uses. So the SSH profile is in the file
ufw-loginserver along with other profiles related to login, and the web server profiles are in ufw-webserver.
I start by adding a rule that denies everything incoming
> ufw default deny
on the command line. Almost everything happens on the command line. (ufw default deny is the same as ufw default deny incoming; outgoing traffic stays allowed, which a web server needs for DNS and package updates. Nothing is active yet; the rules are only stored until the firewall is enabled.)
The WWW Full profile in
ufw-webserver opens 80/tcp and 443/tcp, which is exactly what I want for http and https, so:
> ufw allow "WWW Full"
There is an SSH profile in
ufw-loginserver but it defaults to port 22. I can either change it or create a new profile. The latter seems better and will survive upgrades of
ufw, which may overwrite the shipped profile files. So I add a file called
ufw-loginserver-custom in /etc/ufw/applications.d/ and copy the SSH profile with just a change to the port:
[CUSTOMSSH]
title=SSH server
description=SSH server
ports=667/tcp
and allow it on the command line:
> ufw allow CUSTOMSSH
Make sure sshd really is listening on that port (Port 667 in /etc/ssh/sshd_config, and sshd restarted) before the firewall goes live; otherwise the first connection the new rules drop is your own next login.
Enabling the firewall
Now all that is left is to enable the firewall:
> ufw enable
> systemctl enable ufw
ufw will warn that enabling may disrupt existing ssh connections; with the CUSTOMSSH rule in place the current session survives, and the rules are reloaded at boot from then on.
That gives you a server that answers only on the three ports you chose. Next is probably to get
nginx up and running. I already posted about getting unicorn and SSL to work with nginx, so I probably won't add anything about that at this time.
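The steps above collected into one script, as an added example (this is not code from the original post). The profile name CUSTOMSSH, the file name ufw-loginserver-custom and port 667 are taken from the post; the dry-run mode, the port validation, the check that something already listens on the new port before the firewall is enabled, and the use of ufw limit instead of ufw allow for SSH are additions of mine.

```shell
#!/bin/sh
# Added example (not from the original post): the ufw setup as one script.
# Assumptions: profile name CUSTOMSSH, file ufw-loginserver-custom and port 667
# are the post's; the pre-flight checks and "ufw limit" for SSH are additions.
set -eu

SSH_PORT="${SSH_PORT:-667}"
PROFILE_NAME="CUSTOMSSH"
PROFILE_FILE="/etc/ufw/applications.d/ufw-loginserver-custom"

# Render the application profile in the same INI format as the shipped ones.
render_ssh_profile() {
    printf '[%s]\ntitle=SSH server\ndescription=SSH server on port %s\nports=%s/tcp\n' "$1" "$2" "$2"
}

# Accept only a numeric port in 1..65535 that is not 22 (moving off 22 is the point).
valid_ssh_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && [ "$1" -ne 22 ]
}

# True if some process has a TCP listener on the given port (needs iproute2's ss).
sshd_listening_on() {
    ss -ltn 2>/dev/null | awk -v port="$1" '$4 ~ (":" port "$") { found = 1 } END { exit !found }'
}

# The rules, in order: policy first, then the allows. "limit" rather than "allow"
# for SSH adds ufw's built-in rate limit (6 new connections per 30 s per source).
ufw_commands() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow "WWW Full"
ufw limit $1
ufw --force enable
ufw status verbose
EOF
}

apply_ufw_rules() {
    ufw_commands "$1" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" </dev/null
    done
}

main() {
    mode="${1:-dry-run}"
    valid_ssh_port "$SSH_PORT" || { echo "SSH_PORT=$SSH_PORT is not usable" >&2; exit 2; }
    if [ "$mode" != "apply" ]; then
        echo "# would write $PROFILE_FILE:"
        render_ssh_profile "$PROFILE_NAME" "$SSH_PORT"
        echo "# would run:"
        ufw_commands "$PROFILE_NAME"
        return 0
    fi
    [ "$(id -u)" -eq 0 ] || { echo "apply mode needs root" >&2; exit 2; }
    # Refuse to enable the firewall unless sshd is already on the new port; otherwise
    # the first connection the new rules drop is your own next login.
    sshd_listening_on "$SSH_PORT" || { echo "nothing listens on $SSH_PORT; set Port in sshd_config and restart sshd first" >&2; exit 3; }
    render_ssh_profile "$PROFILE_NAME" "$SSH_PORT" > "$PROFILE_FILE"
    ufw app info "$PROFILE_NAME" >/dev/null   # fails if ufw cannot parse the new profile
    apply_ufw_rules "$PROFILE_NAME"
}

main "$@"
```

Without arguments the script only prints the profile and the commands it would run; sudo sh ufw-setup.sh apply writes the profile and applies them. Before and after, ufw app list shows which profiles ufw knows about, ufw app info CUSTOMSSH shows the ports a profile expands to, and ufw status verbose shows the active rules and default policies.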