Raspberry Pi OS is an extremely popular self-hosting platform many use for running services. Let’s set the tone for Raspberry Pi firewall configuration via the command line and see what we will learn.
What: A step-by-step how-to guide for UFW (Uncomplicated Firewall) on your Raspberry Pi
Where: You can use this on native Raspberry Pi devices or other platforms like virtual machines running on Raspberry Pi OS
Security: Better security for your Raspberry Pi to control network traffic
Control: Configure incoming and outgoing traffic to control who can connect to what
Optimization: Filter out unneeded or port scanning from attackers
How: Using UFW, along with understanding its core features and best practices
Raspberry Pi firewall contents
- Introduction to UFW firewall
- Installing UFW on Raspberry Pi OS and verifying with sudo ufw status
- Application profiles
- Basic Configuration and Enabling UFW Firewall Rules using sudo ufw
- Adding Firewall Rules for incoming traffic
- Monitoring and Adjusting UFW Rules
- Advanced UFW Features
- How to disable UFW firewall
- Permanently Disabling UFW using systemctl
- Troubleshooting Raspberry Pi Firewall
- Why install a firewall on my Raspberry Pi?
- Can I manage UFW from a remote location?
- Why would someone choose UFW over other firewall solutions?
- Does UFW work with other Linux distributions besides Raspberry Pi OS?
- How do I modify existing rules in UFW?
- I’ve heard about iptables. How does it relate to UFW?
- Is it possible to set rules for specific IP addresses with UFW?
- I have a web server on my Raspberry Pi. How can I secure it with UFW?
- Key Takeaways
- Other posts you may like
Introduction to UFW firewall
UFW firewall, which stands for Uncomplicated Firewall, is a user-friendly interface for managing iptables, the default tool for setting up firewalls on Linux kernel systems.
UFW provides a simpler way to configure the firewall on Linux systems, especially for those not well-versed in the intricacies of IPtables, and is an easy firewall on Raspberry Pi OS, which is a Debian-based operating system.
Note the different command line parameters in the screenshot below:
Installing UFW on Raspberry Pi OS and verifying with sudo ufw status
Before we can configure the Raspberry Pi firewall, we need to ensure it is installed. In Raspberry Pi OS, the installation of the ufw package is simple using the following command:
sudo apt update && sudo apt install ufw
After installation, ensure UFW is inactive:
sudo ufw status
The output should be “inactive”, indicating that UFW isn’t yet regulating your network traffic.
The UFW comes with application profiles that alow you to have a friendly and easy way to add firewall entries for default behavior of apps without having to know specific ports and protocols. If you want to see the default list of application profiles, you can use the command:
sudo ufw app list
Now, you can use these apps in the list to add specific rules to your Raspberry Pi firewall entries.
Basic Configuration and Enabling UFW Firewall Rules using sudo ufw
Once installed, the firewall needs to be properly set up to balance accessibility and protection. Before enabling UFW, make sure it’s properly configured to prevent disrupting existing ssh connections. To allow SSH and not disrupt existing SSH connections you may have, you can configure the following firewall rule for the SSH port.
sudo ufw allow ssh
Now, with SSH access secured, enable UFW:
sudo ufw enable
After this command, your Raspberry Pi firewall will become active. You can always check the status using:
sudo ufw status
Adding Firewall Rules for incoming traffic
Crafting firewall rules is at the heart of a firewall’s functionality. Here’s how to set basic rules:
To allow HTTP traffic:
sudo ufw allow http
You can limit connections using SSH, which is useful against brute force attacks:
sudo ufw limit ssh
To specify rules for a particular IP address, you can use the following command. Here, we are allowing access for a subnet.
sudo ufw allow from [specific ip]
Monitoring and Adjusting UFW Rules
Keeping an eye on all the rules ensures your firewall remains robust and efficient.
For a detailed view:
sudo ufw status verbose
If a rule needs removal, first list them with numbers:
sudo ufw status numbered
Then, to delete a rule:
sudo ufw delete [rule number]
Advanced UFW Features
The Uncomplicated Firewall goes beyond basic rule settings. Some advanced features can optimize your Raspberry Pi’s security system further:
If you’re running a web server, you can specify which ports to open:
sudo ufw allow 80,443/tcp
For more granular control, setting default policies is crucial:
sudo ufw default deny incoming sudo ufw default allow outgoing
This ensures only outbound traffic is allowed by default, protecting your Raspberry Pi from unsolicited incoming connections.
The Virtual Private Network (VPN) Consideration
Integrating a VPN with your Raspberry Pi can further encrypt and secure your internet connection. When setting up UFW, it’s important to ensure VPN ports, such as the commonly used port 1194 for OpenVPN, are open.
How to disable UFW firewall
You may want to permanently turn off your UFW firewall. Let’s look at a few ways to do this. If you want to turn off the firewall and disable it the next time you boot up your Raspberry Pi, follow these steps:
Open the command line and enter the following command:
sudo ufw disable
To verify that UFW is indeed inactive, use:
sudo ufw status
The response should be “inactive”, confirming that UFW is turned off.
Permanently Disabling UFW using systemctl
To prevent UFW from starting on boot, disable the UFW service. The command might differ depending on your Raspberry Pi OS version and its services manager. If it uses systemctl, enter:
sudo systemctl disable ufw
Remember to re-enable UFW or another firewall solution if you want to make sure of your Raspberry Pi’s security in the future. Always be cautious about the potential vulnerabilities when your firewall is off.
Troubleshooting Raspberry Pi Firewall
Encountering issues with your Raspberry Pi firewall? Here are some common problems and quick solutions:
Can’t Connect Remotely:
Make sure SSH is allowed in UFW: sudo ufw allow ssh.
Check your Raspberry Pi’s IP address; it might have changed on your local network.
Service Not Accessible:
Ensure the required port for the service is allowed in UFW.
Restart the service and check its binding port.
UFW Not Responding:
Restart the UFW service: sudo service ufw restart.
If persistent, consider reinstalling UFW: sudo apt install ufw –reinstall.
Unexpected Rule Behavior:
Check rules with sudo ufw status to confirm configurations.
Reset rules to default: sudo ufw reset.
UFW Installation Issues on Raspberry Pi OS:
Ensure your package list is updated: sudo apt update.
Try installing again: sudo apt install ufw.
Why install a firewall on my Raspberry Pi?
While many use the Raspberry Pi for self-hosting and playing around with self-hosted services, it is like any other computer. It is vulnerable to attack, especially if you have ports exposed to the Internet.
A firewall acts as the first line of defense, monitoring incoming and outgoing traffic. The UFW firewall provides a user-friendly way to shield your Raspberry Pi from potential risks.
Can I manage UFW from a remote location?
Yes, with SSH enabled on your Raspberry Pi, you can access and manage UFW remotely. Make sure that you’ve allowed SSH through the firewall rules to maintain connection without disruptions.
Limiting SSH connections is a good idea with sudo ufw limit ssh. This helps safeguard against brute force attacks by limiting connection attempts.
Why would someone choose UFW over other firewall solutions?
UFW stands out due to its simplicity. It serves as a frontend to iptables, offering a less complex interface for those who might not be familiar with in-depth Linux kernel-based firewall configurations.
It makes it easy for beginners or those who want straightforward firewall management.
Does UFW work with other Linux distributions besides Raspberry Pi OS?
Yes, UFW is not exclusive to Raspberry Pi OS. It’s compatible with most Debian-based operating systems and other Linux distributions.
If you’re using a different Linux system, you can usually install UFW via the package manager specific to that distribution.
How do I modify existing rules in UFW?
To modify a rule in UFW, you’ll typically delete the existing rule and then create a new one. You can list all the rules with their corresponding numbers using sudo ufw status numbered.
Then, use sudo ufw delete [rule number] to remove a specific rule. Once the rule is deleted, you can add the new configuration as needed.
I’ve heard about iptables. How does it relate to UFW?
iptables is the default tool on Linux systems for managing network traffic. It’s a powerful tool but can be complex for some users. UFW is a frontend to iptables, providing an easier interface to manage firewall rules. Think of UFW as the easy-to-use mask over the powerful yet intricate world of iptables.
Is it possible to set rules for specific IP addresses with UFW?
Absolutely. UFW allows you to configure rules for specific IP addresses, ensuring more granular control over your network traffic. Commands like sudo ufw allow from [specific ip] let you define rules for individual IP addresses. This is useful if you have known devices or services you wish to give special access to.
I have a web server on my Raspberry Pi. How can I secure it with UFW?
By default, UFW will block all incoming traffic unless explicitly allowed. You’ll often need ports 80 (for HTTP) and 443 (for HTTPS) open for a web server.
Use commands like sudo ufw allow 80,443/tcp to permit traffic to these specific ports. However, always be cautious and only open necessary ports to reduce potential vulnerabilities.
Take note of the following key takeaways from this post as to why you benefit from knowing how to update your Raspberry Pi firewall from the command line:
Increased security: Treat your Raspberry Pi with the same security measures as any device. Especially if you are hosting services that are Internet-facing, having your Raspberry Pi firewall configured to only allow traffic that you want to allow helps to tighten down access and security.
Advantage of using UFW: It is a user-friendly tool to tweak and configure the IPtables firewall in Raspberry PI OS. Using it to your advantage is an easy way to add and remove rules to allow or disallow traffic.
Status Checks: Use sudo ufw status regularly to oversee your firewall’s activity and understand the status of whether your firewall is allowing or blocking traffic.
Rule Changes: Adjust UFW rules carefully. Blocking essential services can lead to issues or locking yourself out of the Raspberry Pi device. Especially if you are updating your UFW rules remotely, it is extremely important to understand your changes and ensure they won’t cause issues or disrupt your connection for management.
SSH Access: Ensure SSH is allowed if you’re using it for remote access. SSH is a common way to administer and remotely connect to Linux systems. Allow SSH access if you want to connect remotely using the protocol.
Granular rules: UFW lets you set rules for particular IP addresses or port ranges. You can allow or disallow connections by being specific in your rules. You can block a certain type of traffic in general and then allow that specific traffic for a certain host or client.
Port security: Only open necessary ports, like 80 or 443 for web servers.
UFW vs. iptables: UFW is a simpler interface to the Linux-native iptables.
Stay Updated: Periodically update UFW with sudo apt install ufw for security and enhancements.