Setup UFW on CentOS 7

UFW (Uncomplicated Firewall) was originally released for Ubuntu as a simple way to manage netfilter rules.  It makes managing your Linux server firewall extremely easy and is now also available for CentOS.

If you’d prefer a managed server, with the power of a VPS – check out our web hosting.

How to setup UFW

First, ensure you’ve enabled the EPEL repo.

Install the UFW package using yum:

[user@server] sudo yum -y install ufw

Check it’s installed successfully:

[user@server] sudo ufw status

Which should show ‘Status: inactive’

In a basic firewall, denying all incoming traffic and allowing outgoing traffic is a good place to start.  So we can set the default rules with these two commands:

[user@server] sudo ufw default deny incoming
[user@server] sudo ufw default allow outgoing

Next, you want to open up any services you wish to be available to the internet.  At it’s simplest, you can simply open up the firewall for specific services, for example:

[user@server] sudo ufw allow ssh

or

[user@server] sudo ufw allow https

For non-standard or unusual ports you can specify the port number rather than the service:

[user@server] sudo ufw allow 2222

You can further narrow this down to protocol too by adding it to the end:

[user@server] sudo ufw allow 2222/tcp

To add a range of ports, for passive FTP maybe, the following syntax is available:

[user@server] sudo ufw allow 3000:4000/tcp

If you have a static IP and wish to allow all traffic from your network you can add it as such:

[user@server] sudo ufw allow from 123.123.123.123

In the event you wish to block traffic from an IP, you can do the reverse:

[user@server] sudo ufw deny from 123.123.123.123

Before you enable the firewall, you may want to check on the rule status:

[user@server] sudo ufw status numbered

Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 224.0.0.251 mDNS           ALLOW IN    Anywhere                  
[ 2] Anywhere                   ALLOW IN    123.123.123.123               
[ 3] 25                         ALLOW IN    Anywhere                  
[ 4] 80                         ALLOW IN    Anywhere                  
[ 5] 443                        ALLOW IN    Anywhere                  
[ 6] 465                        ALLOW IN    Anywhere                  
[ 7] 993                        ALLOW IN    Anywhere                  
[ 8] 995                        ALLOW IN    Anywhere                  
[ 9] ff02::fb mDNS              ALLOW IN    Anywhere (v6)             
[10] 25 (v6)                    ALLOW IN    Anywhere (v6)             
[11] 80 (v6)                    ALLOW IN    Anywhere (v6)             
[12] 443 (v6)                   ALLOW IN    Anywhere (v6)             
[13] 465 (v6)                   ALLOW IN    Anywhere (v6)             
[14] 993 (v6)                   ALLOW IN    Anywhere (v6)             
[15] 995 (v6)                   ALLOW IN    Anywhere (v6)   

If you need to remove any of these rules you can reference them with their number

[user@server] sudo ufw delete <number>

Once you’re happy, enable the firewall:

[user@server] sudo ufw enable

We’ve not yet set the firewall to start on boot, so if you’ve messed up and locked yourself out, reboot your server and you’re back.  If everything is working well and you’re happy with the rules, now just set the firewall to start on boot:

[user@server] sudo systemctl enable ufw

You can add or delete rules at a later date with the same syntax.

To disable the firewall, issue the command:

[user@server] sudo ufw disable

and if you want to reset your rules and start again:

[user@server] sudo ufw reset

Finally

UFW gives you plenty of options to create a secure firewall for your server of VPS.  If you have any other tips, please share them with us in the comments.