How to Install UFW Uncomplicated FireWall on Raspberry Pi or Debian

Adding a firewall to a Raspberry Pi or a Debian server should be more or less mandatory, whether the NIC is connected directly to the internet, the box serves a school with hundreds of clients and the nasty network traffic that brings, or it is simply a home or small office machine: get protected. Uncomplicated Firewall (UFW) can help you within a few minutes. 🔥🛡️


UFW works as a layer between the command line and iptables (the netfilter rules in the kernel). I have tested it on Raspberry Pi OS, Debian up to Bullseye and Ubuntu and it works like a charm. On current Debian the iptables command is itself the nftables-backed iptables-nft, which UFW drives without trouble; but if you manage your own native nftables ruleset, UFW is not the right tool so far, since it will write its own rules alongside yours. I'll keep you posted.


How to install ufw

#apt install ufw

Give yourself access before you enable UFW; otherwise be physically at the server console. If you are logged in over SSH and enable the firewall without an SSH rule, you will be locked out, and getting back in will then require physical presence.

#ufw allow ssh
#ufw enable

If you have changed your SSH port to something else, allow that port (proto tcp) instead and delete the rule for port 22. Check the rule list with ufw status before you close your current session, so you know the new rule is really in place.

That’s more or less it 🙂
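The install-allow-enable procedure above, as an added example script that is not part of this post: it reads the port from /etc/ssh/sshd_config so a changed SSH port is allowed automatically, uses ufw limit rather than allow so a source that hammers the SSH port gets rate-limited, and only touches the live firewall when run as root with the argument apply. The script name enable-ufw.sh and the function names are my own choices.

```shell
#!/bin/sh
# Added example (not the post's own script): grant yourself SSH on the port sshd
# really listens on, then enable UFW. Run as root on the Pi: sh enable-ufw.sh apply

# Print the port sshd listens on, read from the sshd_config given as $1.
# Commented-out "#Port" lines are ignored; no Port line means the default, 22.
sshd_port() {
    _p=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    if [ -n "$_p" ]; then echo "$_p"; else echo 22; fi
}

# Print the ufw commands that must run before "ufw enable". "limit" instead of
# "allow" still opens the port but drops a source that opens more than 6 new
# connections in 30 seconds, which blunts SSH brute force.
ssh_rules() {
    printf 'ufw default deny incoming\n'
    printf 'ufw default allow outgoing\n'
    printf 'ufw limit %s/tcp\n' "$1"
}

# Apply the rules and switch the firewall on without the interactive
# "may disrupt existing ssh connections" prompt, then show what is active.
apply_rules() {
    ssh_rules "$(sshd_port /etc/ssh/sshd_config)" | sh -e
    ufw --force enable
    ufw status verbose
}

# Only touch the live firewall when explicitly asked, as root, with ufw installed.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ] && command -v ufw >/dev/null 2>&1; then
    apply_rules
fi
```

Running it without the apply argument is harmless, which is handy for looking at what ssh_rules would print before you commit to it over an SSH session.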

Out of the box the defaults are: deny (drop) all incoming traffic and allow all outgoing traffic. If you want to harden that for a fully controlled server or LAN, for instance by also restricting outgoing traffic, you can easily change the defaults.


Configuration and Customization

To tune your UFW firewall you need a few tricks that come in handy. From the command line, here is the config I added on my Raspberry Pi on my internal network, as an example:

#ufw allow from 192.168.0.0/16 to any port 22 proto tcp // SSH, from the LAN only
#ufw allow from 192.168.0.0/16 to any port 8080 proto tcp // Monitorix
#ufw allow from 192.168.0.0/16 to any port 5900 proto tcp // VNC
TeamViewer uses port 5938 tcp/udp.
#ufw allow to any port 53 // DNS (this opens port 53 to the whole world; add a "from" network unless the Pi really serves DNS to the internet)
#ufw allow from 192.168.0.0/16 to 224.0.0.251 port 5353 proto udp // multicast DNS from the LAN (mDNS is sent to 224.0.0.251; a multicast address is never a source address, so a rule with "from 224.0.0.1" matches nothing)
#ufw allow to any port 123 proto udp // NTP
#ufw allow from ***.***.***.*** to any port 22 proto tcp // your external IP, for VPN etc.

How to give everyone access to a specific port:
#ufw allow from ::/0 to any port 123 proto udp // IPv6 UDP 123 from all addresses (::/128 would be only the unspecified address "::", which matches nothing useful)
#ufw allow to any port 8999 proto tcp // qBittorrent

Note that with IPV6=yes in /etc/default/ufw (the default), a rule given without a "from" address, like the qBittorrent one, is added for both IPv4 and IPv6 in one go.

#ufw allow proto ipv6 from x.x.xx // "proto ipv6" is IP protocol 41 (IPv6 encapsulated in IPv4, as used by 6in4 tunnels) from the IPv4 endpoint x.x.xx, not a switch for IPv6 in general

Disable answers to ping:
#nano /etc/ufw/before.rules
Find the line that accepts echo-request in the input chain and change its target from ACCEPT to DROP:
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
It has to be the ufw-before-input line: a rule in ufw-before-forward only affects traffic the Pi routes for other hosts, not pings to the Pi itself, and since a chain is evaluated top down, a DROP appended below the stock ACCEPT line would never be reached. Reload the firewall afterwards.

A specific IP address may also be used; this allows every port from that host (203.0.113.10 is a documentation address standing in for your own):

#ufw allow from 203.0.113.10



Options:

Multicast service discovery (mDNS, UPnP) in the file
#nano /etc/ufw/before.rules

The stock file already carries the two rules below; make sure they are present and uncommented, and that the MULTICAST line above them is uncommented as well. Mind the addresses: mDNS is sent to 224.0.0.251 and UPnP/SSDP to 239.255.255.250, not to the all-hosts group 224.0.0.1, so changing them to 224.0.0.1 silently breaks discovery.

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
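Both before.rules edits above (the ping change and the multicast check), as an added example that is not the post's own: two shell functions that take the path of a before.rules file, so you can try them on a copy before touching /etc/ufw/before.rules. They assume the stock Debian/Ubuntu layout of that file; the script name before-rules.sh and the function names are assumptions of mine.

```shell
#!/bin/sh
# Added example (not from the post): edit /etc/ufw/before.rules safely. Both
# functions take the file path as $1 so they can be tried on a copy first.
# Assumes the stock Debian/Ubuntu before.rules layout.

# Stop the host answering ping. The stock file already has an ACCEPT for
# echo-request in ufw-before-input (the INPUT path); a DROP appended after it
# would never be reached, and a rule in ufw-before-forward only affects routed
# traffic, so the existing ACCEPT line itself is flipped to DROP. Idempotent:
# running it twice changes nothing.
drop_ping_replies() {
    sed -i 's/^\(-A ufw-before-input -p icmp --icmp-type echo-request -j \)ACCEPT$/\1DROP/' "$1"
}

# Verify the multicast service-discovery rules are present and not commented
# out, using the addresses mDNS (224.0.0.251) and SSDP/UPnP (239.255.255.250)
# actually use. Prints each missing rule; returns 1 if any is missing.
check_multicast_rules() {
    _missing=0
    for _spec in "224.0.0.251 --dport 5353" "239.255.255.250 --dport 1900"; do
        if ! grep -q "^-A ufw-before-input -p udp -d $_spec -j ACCEPT" "$1"; then
            echo "missing: -A ufw-before-input -p udp -d $_spec -j ACCEPT"
            _missing=1
        fi
    done
    return $_missing
}

# Usage: sh before-rules.sh /path/to/before.rules          (check only)
#        sh before-rules.sh /path/to/before.rules noping   (also disable ping)
if [ -n "${1:-}" ]; then
    [ "${2:-}" = "noping" ] && drop_ping_replies "$1"
    check_multicast_rules "$1" && echo "multicast rules OK"
fi
```

After editing the real file, ufw reload re-reads before.rules; if the check reports a missing rule, a likely cause is that the line was commented out or its address changed.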


Delete UFW rules

#ufw status numbered

#ufw delete <the number of your choice>

as an example
# ufw delete 5

This deletes rule number 5, and the rules below it move up to fill the gap, so the numbers change after every deletion: run ufw status numbered again before deleting the next one. If you know the exact rule, you can also delete it by repeating its specification after ufw delete (the original allow rule) instead of giving a number, which avoids the renumbering entirely.
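The renumbering pitfall above, handled in an added example that is not from the post: a function that parses the output of ufw status numbered, finds every rule whose "To" column matches a given spec, and prints the numbers highest first, so deleting them in that order never hits a shifted number. It assumes the output layout of ufw 0.36 as shipped with Debian Bullseye; the sample status text is constructed by me for trying it offline.

```shell
#!/bin/sh
# Added example (not from the post): delete ufw rules by number without being
# bitten by renumbering. Assumes the "ufw status numbered" layout of ufw 0.36.

# $1 = rule spec as shown in the "To" column (e.g. "8080/tcp" or "53"); reads
# the status text on stdin. Prints matching rule numbers, highest first, and
# also matches the IPv6 twin shown as "<spec> (v6)".
rule_numbers() {
    awk -v spec="$1" '
        # numbered lines look like: [ 2] 8080/tcp      ALLOW IN    192.168.0.0/16
        /^\[ *[0-9]+\]/ {
            n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)        # the number
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)             # text after "] "
            split(rest, f, /  +/)                                   # columns sit 2+ spaces apart
            if (f[1] == spec || f[1] == (spec " (v6)")) print n
        }' | sort -rn
}

# Delete every live rule matching $1, highest number first; --force skips the
# per-rule confirmation prompt. Needs root and ufw; not run by default.
delete_rules() {
    for n in $(ufw status numbered | rule_numbers "$1"); do
        ufw --force delete "$n"
    done
}

# Constructed sample of "ufw status numbered" output (not captured from a real box).
SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.0.0/16
[ 2] 8080/tcp                   ALLOW IN    192.168.0.0/16
[ 3] 53                         ALLOW IN    Anywhere
[ 4] 8080/tcp                   ALLOW IN    10.0.0.0/8
[ 5] 53 (v6)                    ALLOW IN    Anywhere (v6)'

printf '%s\n' "$SAMPLE" | rule_numbers 8080/tcp   # prints 4, then 2
```

Deleting 4 before 2 leaves rule 2 where it was; the other way round, rule 4 would have become rule 3 after the first deletion and the second ufw delete would remove the wrong rule.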


UFW GUI Graphic User Interface

I have tried the GUI for the Raspberry Pi desktop but, to be honest, it didn't pass my test. Too slow, too unhandy, and moreover it locks the Pi and steals its resources very often, so I had to restart the Pi.


