
How to switch firewalls from FirewallD to UFW

Here is a quick tutorial on how to migrate from FirewallD, the default firewall in Fedora and CentOS, to the Uncomplicated Firewall (UFW). UFW is the default firewall in Ubuntu and has more intuitive commands that require less typing.

Both UFW and FirewallD are front-ends for the Linux kernel’s iptables firewall system. The goal of such a front-end is to make the underlying program easier to manage. I’ve compared UFW and FirewallD in more detail in the past.

However, as I reflected on in my article on silencing mDNS: UFW does a better job at making iptables accessible than FirewallD. Its commands are more intuitive and are easier to memorize.

The first thing you need to do is install the ufw package on your system. Here is the command for Fedora (run it, and the other ufw and systemctl commands below, as root):

dnf install ufw

The next step in preparing the migration is to export the current FirewallD ruleset. For most systems, all you need to do is take note of the services that are exposed to the internet. The following command shows a summary of the saved (permanent) configuration of the default zone; drop --permanent to see the runtime configuration instead, and use --list-all-zones if any interfaces or source ranges are assigned to other zones:

firewall-cmd --permanent --list-all

The last thing to do before making any system changes is to review the open listening sockets. These are the services that can be reached over the internet if the firewall doesn’t block access to them. The following commands list all listening IPv6 and IPv4 sockets (netstat comes from the net-tools package, which Fedora no longer installs by default; ss -lntup from iproute2 gives the same information):

netstat -lpn --inet6
netstat -lpn --inet

The sockets listening on any of your public IP addresses, or on the wildcard 0.0.0.0 and :: addresses, are the ones that are publicly reachable; sockets bound only to 127.0.0.1 or ::1 are not. Make a plan for which services should be available and which you want to block access to. You may also want to temporarily stop sensitive services while changing the system firewall.

You’re ready to proceed once you’ve figured out what ports/services you want to allow past the firewall.

The first step is to disable the FirewallD service. Having two services trying to manage iptables at the same time can cause you a heap of issues. The following command stops FirewallD and disables the service at boot time. Note that stopping FirewallD removes its rules, so the host runs without a packet filter until UFW is enabled below; this is why sensitive services should be stopped first:

systemctl disable --now firewalld.service

You should then add a minimal set of rules to the Uncomplicated Firewall before enabling the service. Each rule is created by running the ufw command shown. The first sets the default policy: block every incoming connection except those explicitly allowed by other rules:

ufw default deny incoming

The second rule keeps the SSH service on port 22 reachable but rate-limited: UFW rejects new connections from a source address that has attempted six or more connections in the last 30 seconds, so a legitimate client still gets in while a brute-force run is cut off:

ufw limit in 22/tcp comment "rate-limit SSH"

You can’t tweak the rate-limiting settings in UFW. However, the default is sensible for a lot of common services including SSH, SMTP, XMPP, and minimal HTTP services. Note that the man ufw page says that limit rules only work for IPv4. This hasn’t been the case since version 0.33. I’ve confirmed that the only IPv6 issue with limit rules in version 0.35 is that the documentation hasn’t been updated. This issue is fixed in an upcoming version of UFW.

The comment argument used in the second rule command is optional, but I recommend always entering a comment. You’ll thank yourself for putting in the work now when you review your firewall rules in another six months.

The third rule allows VNC connections from the private 10.0.0.0/8 IP subnet:

ufw allow proto tcp from 10.0.0.0/8 to any port 5900

UFW also allows some essential incoming traffic by default, such as DHCP client responses and the ICMPv6 router advertisements and neighbour discovery messages that IPv6 auto-configuration depends on. These exceptions live in /etc/ufw/before.rules and /etc/ufw/before6.rules, which are evaluated ahead of the rules you add with the ufw command, so a plain deny rule won’t override them; edit those files if you need to block them.

You can now enable the UFW service using the following commands:

systemctl enable --now ufw.service
ufw status

The status command is optional but gives an overview of the active firewall configuration. If it reports Status: inactive, the rules have not been loaded because /etc/ufw/ufw.conf still has ENABLED=no; run ufw enable, which sets that flag and loads the ruleset, then check ufw status again.

You can then add more rules based on your notes about what services to allow through the firewall. The man ufw documentation is excellent and much easier to read than its man firewall-cmd equivalent.
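Translating the FirewallD listing into ufw rules by hand is error-prone for anything beyond a few services. The script below is an added example, not code from the original article or from the ufw project: it reads a zone listing in the format that firewall-cmd --permanent --list-all prints and emits the matching ufw commands for you to review before running them. The sample listing, the small ssh/http/https service-to-port table and the comment texts are my own constructions; on a real host the authoritative port definitions are in /usr/lib/firewalld/services/<name>.xml, and FirewallD's hyphenated port ranges need ufw's colon form.

```shell
#!/bin/sh
# Added example (not from the original article): turn a FirewallD zone listing
# into an equivalent, reviewable set of ufw commands. Nothing here touches the
# live firewall; it only prints the plan.

# Constructed sample of `firewall-cmd --permanent --list-all` output.
SAMPLE_FIREWALLD_LISTING='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http https ssh
  ports: 5900/tcp 60000-61000/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Port definitions for the FirewallD service names used in the sample
# (hand-copied assumption; the authoritative source on a host is
# /usr/lib/firewalld/services/<name>.xml).
firewalld_service_port() {
  case "$1" in
    ssh)   echo "22/tcp" ;;
    http)  echo "80/tcp" ;;
    https) echo "443/tcp" ;;
    *)     return 1 ;;
  esac
}

# FirewallD writes port ranges as 60000-61000; ufw wants 60000:61000.
fw_port_to_ufw() {
  printf '%s\n' "$1" | sed 's/-/:/'
}

# Read a zone listing on stdin, print one ufw command per exposed service/port.
firewalld_to_ufw() {
  echo "ufw default deny incoming"
  while read -r key rest; do        # read strips the indentation for us
    case "$key" in
      services:)
        for svc in $rest; do
          case "$svc" in
            ssh)
              # Keep SSH reachable but rate-limited, as in the article.
              echo "ufw limit in 22/tcp comment \"rate-limit SSH\"" ;;
            dhcpv6-client)
              # Already accepted by /etc/ufw/before6.rules; no user rule needed.
              echo "# $svc: already accepted by /etc/ufw/before6.rules" ;;
            *)
              if port=$(firewalld_service_port "$svc"); then
                echo "ufw allow in $port comment \"firewalld service $svc\""
              else
                echo "# TODO: unknown service '$svc', see /usr/lib/firewalld/services/$svc.xml"
              fi ;;
          esac
        done ;;
      ports:)
        for p in $rest; do
          echo "ufw allow in $(fw_port_to_ufw "$p") comment \"firewalld port $p\""
        done ;;
    esac
  done
}

# On a real host: firewall-cmd --permanent --list-all | firewalld_to_ufw > ufw-plan.sh
# then read ufw-plan.sh before running it with sh.
printf '%s\n' "$SAMPLE_FIREWALLD_LISTING" | firewalld_to_ufw
```

Feeding it the output of firewall-cmd --list-all-zones works too, but then rules from every zone are merged into one flat plan, so check that a service you only exposed to an internal zone gets a from-address restriction like the VNC rule above before you apply it.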

Worried you’ve blocked something you shouldn’t? The following command follows the kernel log and lists blocked connections, including the source address (SRC=) and destination port (DPT=) of each. Note that connections rejected by the limit rule are logged with the prefix [UFW LIMIT BLOCK], which this pattern does not match, and that UFW rate-limits its own logging, so the log is a sample rather than a complete record:

journalctl -t kernel -fag "UFW BLOCK"

Note that you won’t need to reload the firewall configuration for changes to take effect, as you would with FirewallD’s --permanent rules and firewall-cmd --reload. Changes in UFW are applied immediately and saved to /etc/ufw/user.rules and /etc/ufw/user6.rules at the same time.
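To turn that stream into something you can act on, here is an added example, not from the original article and not part of ufw's own tooling, that summarises blocked connections by source address and destination port. The log lines are constructed in the shape journalctl -t kernel prints; the [UFW BLOCK] and [UFW LIMIT BLOCK] prefixes are ufw's default log prefixes from /etc/ufw/user.rules, and the addresses come from the documentation ranges rather than real hosts.

```shell
#!/bin/sh
# Added example (not from the original article): summarise what ufw is dropping
# so a misplaced deny rule shows up as a pattern rather than as one line
# scrolling past.

# Constructed kernel log lines, as `journalctl -t kernel` prints them.
# Three rate-limit rejections of an SSH brute-force run, two telnet probes,
# one SNMP probe and one unrelated kernel line that must be ignored.
SAMPLE_UFW_LOG='Mar 10 09:12:01 box kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 09:12:02 box kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 09:12:03 box kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 09:12:40 box kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 09:12:41 box kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=54322 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 09:13:05 box kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=70 TOS=0x00 PREC=0x00 TTL=60 ID=2 DF PROTO=UDP SPT=34567 DPT=161 LEN=50
Mar 10 09:13:06 box kernel: eth0: link becomes ready'

# Read kernel log lines on stdin; print "count source proto/port", busiest first.
# Both [UFW BLOCK] and [UFW LIMIT BLOCK] are counted. Packets without a
# destination port (ICMP) are skipped.
ufw_block_summary() {
  awk '/\[UFW (LIMIT )?BLOCK\]/ {
         src = ""; dpt = ""; proto = "?"
         for (i = 1; i <= NF; i++) {            # walk the KEY=VALUE fields
           split($i, kv, "=")
           if (kv[1] == "SRC")   src   = kv[2]
           if (kv[1] == "DPT")   dpt   = kv[2]
           if (kv[1] == "PROTO") proto = kv[2]
         }
         if (src != "" && dpt != "") hits[src " " proto "/" dpt]++
       }
       END { for (k in hits) print hits[k], k }' |
  sort -k1,1nr
}

# On a real host: journalctl -t kernel --since "-1h" | ufw_block_summary
printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_block_summary
```

A burst of hits against a port you meant to expose points at a missing allow rule; a spread of single hits across many ports from one source is scanning noise that the default deny policy is doing its job on.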

Sources

  • ufw manpage, Jamie Strandboge, Ubuntu Manpage Repository, Canonical