Raspberry Pi Firewall Command Line Configuration Step-by-Step

Master the setup and management of the Raspberry Pi firewall. Dive into firewall configurations, troubleshooting tips, and network security.

Highlights

  • UFW provides a simpler way to configure the firewall on Linux systems, especially for those not well-versed in the intricacies of iptables, and is an easy firewall on Raspberry Pi OS, which is a Debian-based operating system.
  • UFW comes with application profiles that give you a friendly, easy way to add firewall entries for the default behavior of apps without having to know specific ports and protocols.
  • UFW firewall, which stands for Uncomplicated Firewall, is a user-friendly interface for managing iptables, the default tool for setting up firewalls on Linux kernel systems.

Raspberry Pi OS is an extremely popular self-hosting platform many use for running services. Let’s set the tone for Raspberry Pi firewall configuration via the command line and see what we will learn.

Raspberry pi os

What: A step-by-step how-to guide for UFW (Uncomplicated Firewall) on your Raspberry Pi

Where: You can use this on native Raspberry Pi devices or other platforms like virtual machines running on Raspberry Pi OS

Why:

Introduction to UFW firewall

UFW firewall, which stands for Uncomplicated Firewall, is a user-friendly interface for managing iptables, the default tool for setting up firewalls on Linux kernel systems.

UFW provides a simpler way to configure the firewall on Linux systems, especially for those not well-versed in the intricacies of iptables, and is an easy firewall on Raspberry Pi OS, which is a Debian-based operating system.

Note the different command line parameters in the screenshot below:

Looking at ufw commands

Installing UFW on Raspberry Pi OS and verifying with sudo ufw status

Before we can configure the Raspberry Pi firewall, we need to ensure it is installed. In Raspberry Pi OS, the installation of the ufw package is simple using the following command:

sudo apt update && sudo apt install ufw
Installing raspberry pi firewall with ufw

After installation, check that UFW is still inactive:

sudo ufw status

The output should be “inactive”, indicating that UFW isn’t yet regulating your network traffic.

Checking the status of ufw

Application profiles

UFW comes with application profiles that give you a friendly, easy way to add firewall entries for the default behavior of apps without having to know specific ports and protocols. If you want to see the default list of application profiles, you can use the command:

sudo ufw app list
Getting the list of application profiles for ufw

Now, you can use these apps in the list to add specific rules to your Raspberry Pi firewall entries.

Basic Configuration and Enabling UFW Firewall Rules using sudo ufw

Once installed, the firewall needs to be properly set up to balance accessibility and protection. Before enabling UFW, make sure it’s properly configured to prevent disrupting existing ssh connections. To allow SSH and not disrupt existing SSH connections you may have, you can configure the following firewall rule for the SSH port.

sudo ufw allow ssh
Allowing ssh traffic through the raspberry pi firewall

Now, with SSH access allowed, enable UFW:

sudo ufw enable
Enabling the ufw firewall

After this command, your Raspberry Pi firewall will become active. You can always check the status using:

sudo ufw status
Getting the status of ufw

Adding Firewall Rules for incoming traffic

Crafting firewall rules is at the heart of a firewall’s functionality. Here’s how to set basic rules:

To allow HTTP traffic:

sudo ufw allow http
Allowing http through the ufw firewall

You can rate-limit SSH connections, which is useful against brute force attacks:

sudo ufw limit ssh
Limit ssh connections through the ufw

To specify rules for a particular source, use the following command, replacing [specific ip] with an IP address or, as in this example, a subnet.

sudo ufw allow from [specific ip]
Allowing specific hosts in ufw

Monitoring and Adjusting UFW Rules

Keeping an eye on all the rules ensures your firewall remains robust and efficient.

For a detailed view:

sudo ufw status verbose
Getting detailed status of ufw

If a rule needs removal, first list them with numbers:

sudo ufw status numbered
Getting a numbered list of raspberry pi firewall rules

Then, to delete a rule:

sudo ufw delete [rule number]
Deleting a specific raspberry pi firewall rule

Advanced UFW Features

The Uncomplicated Firewall goes beyond basic rule settings. Some advanced features can optimize your Raspberry Pi’s security system further:

If you’re running a web server, you can specify which ports to open:

sudo ufw allow 80,443/tcp
Allowing specific ports to connect through the raspberry pi firewall

For more granular control, setting default policies is crucial:

sudo ufw default deny incoming
sudo ufw default allow outgoing

This ensures only outbound traffic is allowed by default, protecting your Raspberry Pi from unsolicited incoming connections.
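
An added example (not from the original article): a POSIX shell function that audits the text of sudo ufw status verbose for the points covered so far, namely the default incoming policy, SSH allowed from anywhere without ufw limit, and ports open to anywhere that you did not expect. The sample output is constructed, and the function name audit_ufw_status and its EXPECTED parameter are hypothetical.

```shell
#!/bin/sh
# Added example: audit the text printed by `sudo ufw status verbose`.
# SAMPLE_STATUS is constructed for illustration, not captured from a real host.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80,443/tcp                 ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
5432/tcp                   ALLOW IN    192.168.1.0/24
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# audit_ufw_status STATUS_TEXT [EXPECTED]
# EXPECTED (hypothetical parameter): semicolon-separated "To" values that are
# meant to be reachable from anywhere. Prints one finding per line and
# returns 0 when nothing is flagged, 1 otherwise.
audit_ufw_status() {
    printf '%s\n' "$1" | awk -v expected="${2:-22/tcp;80,443/tcp}" '
    BEGIN { n = split(expected, e, ";"); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    /^Status:/ { seen = 1
        if ($2 != "active") { print "FAIL firewall is " $2; bad = 1 } }
    /^Default:/ && $2 == "allow" {
        print "FAIL default incoming policy is allow"; bad = 1 }
    /^--/ { rules = 1; next }
    rules && NF {
        act = 0                       # find the action column; "To" may contain spaces
        for (i = 2; i <= NF; i++)
            if ($i ~ /^(ALLOW|LIMIT|DENY|REJECT)$/) { act = i; break }
        if (!act || $(act + 1) != "IN" || $(act + 2) != "Anywhere") next
        to = $1
        for (i = 2; i < act; i++) if ($i != "(v6)") to = to " " $i
        if ($act != "ALLOW") next     # LIMIT, DENY and REJECT are not flagged
        if (!(to in ok)) { print "WARN unexpected open port: " to; bad = 1
        } else if (to == "22/tcp" && ssh++ == 0) {
            print "WARN SSH is ALLOW from Anywhere; consider: ufw limit ssh"; bad = 1 }
    }
    END { if (!seen) { print "FAIL no Status line found"; bad = 1 }; exit bad + 0 }'
}

# Example run on the constructed sample; on a real Pi pass "$(sudo ufw status verbose)".
audit_ufw_status "$SAMPLE_STATUS" || echo "audit: findings above need attention"
```
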

The Virtual Private Network (VPN) Consideration

Integrating a VPN with your Raspberry Pi can further encrypt and secure your internet connection. When setting up UFW, it’s important to ensure VPN ports, such as the commonly used port 1194 for OpenVPN, are open.

How to disable UFW firewall

You may want to permanently turn off your UFW firewall. Let’s look at a few ways to do this. If you want to turn off the firewall and disable it the next time you boot up your Raspberry Pi, follow these steps:

Open the command line and enter the following command:

sudo ufw disable
Disabling ufw firewall

To verify that UFW is indeed inactive, use:

sudo ufw status
Checking the status of ufw after disabling

The response should be “inactive”, confirming that UFW is turned off.

Permanently Disabling UFW using systemctl

To prevent UFW from starting on boot, disable the UFW service. The command might differ depending on your Raspberry Pi OS version and its services manager. If it uses systemctl, enter:

sudo systemctl disable ufw

Remember to re-enable UFW or another firewall solution if you want to make sure of your Raspberry Pi’s security in the future. Always be cautious about the potential vulnerabilities when your firewall is off.

Disabling with systemctl

Troubleshooting Raspberry Pi Firewall

Encountering issues with your Raspberry Pi firewall? Here are some common problems and quick solutions:

  • Can’t Connect Remotely:

Allowing ssh traffic through the raspberry pi firewall in troubleshooting
  • Service Not Accessible:

    • Ensure the required port for the service is allowed in UFW.

    • Restart the service and check its binding port.

Get the status of ufw using systemctl
  • UFW Not Responding:

    • Restart the UFW service: sudo service ufw restart.

    • If persistent, consider reinstalling UFW: sudo apt install ufw --reinstall.

  • Unexpected Rule Behavior:

    • Check rules with sudo ufw status to confirm configurations.

    • Reset rules to default: sudo ufw reset.

  • UFW Installation Issues on Raspberry Pi OS:

    • Ensure your package list is updated: sudo apt update.

    • Try installing again: sudo apt install ufw.

FAQs

Why install a firewall on my Raspberry Pi?

While many use the Raspberry Pi for self-hosting and playing around with self-hosted services, it is like any other computer. It is vulnerable to attack, especially if you have ports exposed to the Internet.

A firewall acts as the first line of defense, monitoring incoming and outgoing traffic. The UFW firewall provides a user-friendly way to shield your Raspberry Pi from potential risks.

Can I manage UFW from a remote location?

Yes, with SSH enabled on your Raspberry Pi, you can access and manage UFW remotely. Make sure that you’ve allowed SSH through the firewall rules to maintain connection without disruptions.

Limiting SSH connections with sudo ufw limit ssh is a good idea. This helps safeguard against brute force attacks by limiting connection attempts.

Why would someone choose UFW over other firewall solutions?

UFW stands out due to its simplicity. It serves as a frontend to iptables, offering a less complex interface for those who might not be familiar with in-depth Linux kernel-based firewall configurations.

It makes it easy for beginners or those who want straightforward firewall management.

Does UFW work with other Linux distributions besides Raspberry Pi OS?

Yes, UFW is not exclusive to Raspberry Pi OS. It’s compatible with most Debian-based operating systems and other Linux distributions.

If you’re using a different Linux system, you can usually install UFW via the package manager specific to that distribution.

How do I modify existing rules in UFW?

To modify a rule in UFW, you’ll typically delete the existing rule and then create a new one. You can list all the rules with their corresponding numbers using sudo ufw status numbered.

Then, use sudo ufw delete [rule number] to remove a specific rule. Once the rule is deleted, you can add the new configuration as needed.

I’ve heard about iptables. How does it relate to UFW?

iptables is the default tool on Linux systems for managing network traffic. It’s a powerful tool but can be complex for some users. UFW is a frontend to iptables, providing an easier interface to manage firewall rules. Think of UFW as the easy-to-use mask over the powerful yet intricate world of iptables.

Is it possible to set rules for specific IP addresses with UFW?

Absolutely. UFW allows you to configure rules for specific IP addresses, ensuring more granular control over your network traffic. Commands like sudo ufw allow from [specific ip] let you define rules for individual IP addresses. This is useful if you have known devices or services you wish to give special access to.

I have a web server on my Raspberry Pi. How can I secure it with UFW?

By default, UFW will block all incoming traffic unless explicitly allowed. You’ll often need ports 80 (for HTTP) and 443 (for HTTPS) open for a web server.

Use commands like sudo ufw allow 80,443/tcp to permit traffic to these specific ports. However, always be cautious and only open necessary ports to reduce potential vulnerabilities.

Key Takeaways

Take note of the following key takeaways from this post as to why you benefit from knowing how to update your Raspberry Pi firewall from the command line:

Increased security: Treat your Raspberry Pi with the same security measures as any device. Especially if you are hosting services that are Internet-facing, having your Raspberry Pi firewall configured to only allow traffic that you want to allow helps to tighten down access and security.

Advantage of using UFW: It is a user-friendly tool to tweak and configure the iptables firewall in Raspberry Pi OS. Using it to your advantage is an easy way to add and remove rules to allow or disallow traffic.

Status Checks: Use sudo ufw status regularly to oversee your firewall’s activity and understand the status of whether your firewall is allowing or blocking traffic.

Rule Changes: Adjust UFW rules carefully. Blocking essential services can lead to issues or locking yourself out of the Raspberry Pi device. Especially if you are updating your UFW rules remotely, it is extremely important to understand your changes and ensure they won’t cause issues or disrupt your connection for management.

SSH Access: Ensure SSH is allowed if you’re using it for remote access. SSH is a common way to administer and remotely connect to Linux systems. Allow SSH access if you want to connect remotely using the protocol.

Granular rules: UFW lets you set rules for particular IP addresses or port ranges. You can allow or disallow connections by being specific in your rules. You can block a certain type of traffic in general and then allow that specific traffic for a certain host or client.

Port security: Only open necessary ports, like 80 or 443 for web servers.

UFW vs. iptables: UFW is a simpler interface to the Linux-native iptables.

Stay Updated: Periodically update UFW with sudo apt install ufw for security and enhancements.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.
