Here is a quick tutorial for how to migrate from FirewallD, the default firewall in Fedora and CentOS, to the Uncomplicated Firewall (UFW). UFW is the default firewall in Ubuntu and has more intuitive commands that require less typing.
Both UFW and FirwallD are front-ends for the Linux kernel’s
iptables firewall system. The goal of such front-end programs is to make the underlying program easier to manage. I’ve compared UFW and FirewallD in more detail in the past.
However, as I reflected on in my article on silencing mDNS: UFW does a better job at making
iptables accessible than FirewallD. Its commands are more intuitive and are easier to memorize.
The first thing you need to do is to install the
ufw package on your system. Here is the command needed for Fedora:
The next thing you’ll want to do to prepare the migration is to export the current FirewallD ruleset. For most systems, all you need to is to take note of the services that are exposed to the internet. The following command will show you a summary of your FirewallD ruleset:
The last thing you’ll do to prepare before we make any system changes it to review the open listening sockets. These are the services that can be reached over the internet if the firewall doesn’t block access to them. The following command will give you a list of all listening internet sockets:
The sockets listening on any of your public IP addresses, or the special
:: addresses are the once that are publicly accessible. Make a plan for which services should be available and which you want to block access to. You may also want to temporarily disable some sensitive services while changing the system firewall.
You’re ready to proceed once you’ve figured out what ports/services you want to allow past the firewall.
The first step is to disable the FirewallD service. Having two services trying to manage
iptables at the same time can cause you a heap of issues. The following command stops FirewallD and disables the service at boot time:
You should then add a minimal set of rules to your Uncomplicated Firewall before enabling that service. The following are firewall rules created by issuing them as commands. The first rule configures the firewall to block every incoming connection except those specifically whitelisted by other firewall rules:
The second rule allows six incoming connections to the SSH service on port 22 from the same source IP per 30-second interval:
You can’t tweak the rate-limiting settings in UFW. However, the default is sensible for a lot of commons services including SSH, SMTP, XMPP, and minimal HTTP services. Note that the
man ufw page says that
limit rules only work for IPv4. This hasn’t been the case since version 0.33. I’ve confirmed that the only IPv6 issue with
limit rules in version 0.35 is that the documentation hasn’t been updated. This issue is fixed in an upcoming version of UFW.
comment argument used in the second rule command is optional, but I recommend always entering a comment. You’ll thank yourself for putting in the work now when you review your firewall rules in another six months.
The third rule allows VNC connections from the private
10.0.0.0/8 IP subnet:
UFW always allows some essential incoming connections by default — like DHCP and IPv6 RA and for network auto-configuration — unless explicitly blocked with
You can now enable the UFW service using the following command:
The status command is optional but will give you an overview of the current active firewall configuration.
You can then add more rules based on your notes about what services to allow through the firewall. The
man ufw documentation is excellent and much easier to read than its
man firewall-cmd equivalent.
Worried you’ve blocked something you shouldn’t? The following command will list any blocked connections with information about where it came from and the destination port:
Note that you won’t need to reload the firewall configuration, FirewallD style, for changes to take effect. Changes in UFW are applied immediately.