UFW, short for “Uncomplicated Firewall,” is an easy-to-use tool for managing a Netfilter firewall. It provides a user-friendly interface compared to other firewall management utilities. With UFW, you can block incoming and outgoing connections to and from the server. You can also block ports, IPs, or even entire subnets using UFW.

In this post, we will show you how to install and configure UFW firewall on Arch Linux.

Step 1 – Configure Repository

The default repository in Arch Linux is outdated, so you will need to modify the default mirror list. You can do it by editing the mirrorlist configuration file:

nano /etc/pacman.d/mirrorlist

Remove all lines and add the following lines:

## Score: 0.7, United States
Server = http://mirror.us.leaseweb.net/archlinux/$repo/os/$arch
## Score: 0.8, United States
Server = http://lug.mtu.edu/archlinux/$repo/os/$arch
Server = http://mirror.nl.leaseweb.net/archlinux/$repo/os/$arch
## Score: 0.9, United Kingdom
Server = http://mirror.bytemark.co.uk/archlinux/$repo/os/$arch
## Score: 1.5, United Kingdom
Server = http://mirrors.manchester.m247.com/arch-linux/$repo/os/$arch
Server = http://archlinux.dcc.fc.up.pt/$repo/os/$arch
## Score: 6.6, United States
Server = http://mirror.cs.pitt.edu/archlinux/$repo/os/$arch
## Score: 6.7, United States
Server = http://mirrors.acm.wpi.edu/archlinux/$repo/os/$arch
## Score: 6.8, United States
Server = http://ftp.osuosl.org/pub/archlinux/$repo/os/$arch
## Score: 7.1, India
Server = http://mirror.cse.iitk.ac.in/archlinux/$repo/os/$arch
## Score: 10.1, United States
Server = http://mirrors.xmission.com/archlinux/$repo/os/$arch

Save and close the file, then update all the package indexes with the following command:

pacman -Syu

Step 2 – Install UFW on Arch Linux

First, you will need to install the latest kernel on your system. You can install it using the following command:

pacman -Sy linux

Once installed, you can install the UFW tool with the following command:

pacman -Sy ufw

Step 3 – Enable UFW Firewall

Before enabling the UFW firewall, you will need to allow incoming SSH connections to your server. Otherwise, you will lose SSH access to your server.

To allow the SSH connection, run the following command:

ufw allow ssh/tcp

Next, enable the UFW service and then the firewall itself using the following commands:

systemctl enable --now ufw
ufw enable

You can now check the status of UFW with the following command:

systemctl status ufw

You should get the following output:

● ufw.service - CLI Netfilter Manager
     Loaded: loaded (/usr/lib/systemd/system/ufw.service; enabled; preset: disabled)
     Active: active (exited) since Fri 2022-10-28 07:50:40 UTC; 4s ago
    Process: 84145 ExecStart=/usr/lib/ufw/ufw-init start (code=exited, status=0/SUCCESS)
   Main PID: 84145 (code=exited, status=0/SUCCESS)

Oct 28 07:50:40 archlinux systemd[1]: Starting CLI Netfilter Manager...
Oct 28 07:50:40 archlinux ufw-init[84149]: Skip starting firewall: ufw (not enabled)
Oct 28 07:50:40 archlinux systemd[1]: Finished CLI Netfilter Manager.

Step 4 – View UFW Application Profile

UFW has built-in application profiles that help you manage UFW rules easily. You can list all of them using the following command:

ufw app list

You will get the following output:

  AIM
  Bonjour
  CIFS
  DNS
  Deluge
  IMAP
  IMAPS
  IPP
  KTorrent
  Kerberos Admin
  Kerberos Full
  Kerberos KDC
  Kerberos Password
  LDAP
  LDAPS
  LPD
  MSN
  MSN SSL
  Mail submission
  NFS
  POP3
  POP3S
  PeopleNearby
  SMTP
  SSH
  Socks
  Telnet
  Transmission
  Transparent Proxy
  VNC
  WWW
  WWW Cache
  WWW Full
  WWW Secure

To see detailed information on specific application profiles, run the following command:

ufw app info 'SSH'

You should get the following output:

Profile: SSH
Title: SSH server
Description: SSH server

Port:
  22/tcp

Step 5 – Allow HTTP and HTTPS Connections Using UFW

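To allow HTTP connections by application profile, run the following command. Note that the 'WWW Full' profile opens both port 80 and port 443; the 'WWW' profile opens port 80 only: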

ufw allow 'WWW Full'

To allow HTTP connections by service, run the following command:

ufw allow http

To allow HTTP connections by port, run the following command:

ufw allow 80/tcp

To allow HTTPS connections by application profile, run the following command:

ufw allow 'WWW Secure'

To allow HTTPS connections by service, run the following command:

ufw allow https

To allow HTTPS connections by port, run the following command:

ufw allow 443/tcp

Step 6 – Allow Port Range and IP Address Using UFW

You can also allow specific port ranges using the UFW firewall.

To allow a specific TCP port range, run the following command:

ufw allow 6500:6800/tcp

To allow a specific UDP port range, run the following command:

ufw allow 6500:6800/udp

To allow a specific IP address, run the following command:

ufw allow from 192.168.0.10

To allow a specific IP address on a specific port, run the following command:

ufw allow from 192.168.0.10 to any port 8800

To allow a specific subnet, run the following command:

ufw allow from 192.168.10.0/24

Step 7 – How to Remove UFW Rules

To remove the UFW rules, you will need to list the rule numbers first. You can do it with the following command:

ufw status numbered

Output:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 22                         ALLOW IN    Anywhere                  
[ 3] WWW Full                   ALLOW IN    Anywhere                  
[ 4] 80                         ALLOW IN    Anywhere                  
[ 5] 80/tcp                     ALLOW IN    Anywhere                  
[ 6] WWW Secure                 ALLOW IN    Anywhere                  
[ 7] 443                        ALLOW IN    Anywhere                  
[ 8] 6500:6800/tcp              ALLOW IN    Anywhere                  
[ 9] 6500:6800/udp              ALLOW IN    Anywhere                  
[10] 22/tcp (v6)                ALLOW IN    Anywhere (v6)             
[11] 22 (v6)                    ALLOW IN    Anywhere (v6)             
[12] WWW Full (v6)              ALLOW IN    Anywhere (v6)             
[13] 80 (v6)                    ALLOW IN    Anywhere (v6)             
[14] 80/tcp (v6)                ALLOW IN    Anywhere (v6)             
[15] WWW Secure (v6)            ALLOW IN    Anywhere (v6)             
[16] 443 (v6)                   ALLOW IN    Anywhere (v6)             
[17] 6500:6800/tcp (v6)         ALLOW IN    Anywhere (v6)             
[18] 6500:6800/udp (v6)         ALLOW IN    Anywhere (v6)             

Now, remove the third rule using the following command:

ufw delete 3

You will get the following output:

Deleting:
 allow 'WWW Full'
Proceed with operation (y|n)? y
Rule deleted
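
The numbered listing above contains rules with no protocol suffix (for example "22" next to "22/tcp"); a rule without /tcp or /udp opens the port for both protocols. The following script is an added example, not part of the original tutorial: it parses `ufw status numbered` output, finds such rules, and prints the delete commands highest number first, because UFW renumbers the remaining rules after every deletion. The function names and the SAMPLE text are constructed for illustration.

```shell
#!/bin/sh
# SAMPLE is a constructed excerpt in the format printed by `ufw status numbered`.
SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 22                         ALLOW IN    Anywhere
[ 3] WWW Full                   ALLOW IN    Anywhere
[ 4] 80                         ALLOW IN    Anywhere
[ 5] 6500:6800/udp              ALLOW IN    Anywhere
[ 6] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 22 (v6)                    ALLOW IN    Anywhere (v6)'

# parse_rules: stdin = numbered status; stdout = "num|to|action|from" per rule.
parse_rules() {
    sed -nE 's/^\[ *([0-9]+)\] +(.*[^ ]) +(ALLOW|DENY|REJECT|LIMIT)( IN| OUT| FWD)? +(.*[^ ]) *$/\1|\2|\3|\5/p'
}

# any_proto_rules: numbers of ALLOW rules whose target is a bare port or port
# range with no /tcp or /udp suffix (such a rule opens both protocols).
any_proto_rules() {
    parse_rules | awk -F'|' '
        $3 == "ALLOW" {
            to = $2
            sub(/ \(v6\)$/, "", to)          # drop the IPv6 marker
            if (to ~ /^[0-9]+(:[0-9]+)?$/) print $1
        }'
}

# delete_cmds: stdin = rule numbers; stdout = delete commands in descending
# order, so that an earlier deletion never shifts a number still to be deleted.
delete_cmds() {
    sort -rn | sed 's/^/ufw delete /'
}

# Print the commands for review; nothing is deleted by this script.
printf '%s\n' "$SAMPLE" | any_proto_rules | delete_cmds
```

On a live system, replace the printf with `ufw status numbered` and review the printed commands before running them.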

Step 8 – Enable and Disable UFW Logs

You can also enable UFW logging to record firewall activity.

To set the UFW logging to low, run the following command:

ufw logging low

To set the UFW logging to medium, run the following command:

ufw logging medium

To set the UFW logging to high, run the following command:

ufw logging high

To disable the UFW logging, run the following command:

ufw logging off
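
Once logging is on, UFW entries appear as kernel log messages tagged `[UFW BLOCK]` with key=value fields such as SRC, PROTO and DPT. The following script is an added example, not part of the original tutorial: it counts blocked packets per source address and destination port. The function name and the LOG lines are constructed for illustration, using documentation address ranges.

```shell
#!/bin/sh
# LOG is constructed sample data in the UFW kernel log format.
LOG='Oct 28 08:01:12 archlinux kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TTL=244 PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 SYN URGP=0
Oct 28 08:01:15 archlinux kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TTL=244 PROTO=TCP SPT=51240 DPT=23 WINDOW=1024 SYN URGP=0
Oct 28 08:02:03 archlinux kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.44 DST=198.51.100.10 LEN=71 TTL=52 PROTO=UDP SPT=40000 DPT=161 LEN=51
Oct 28 08:02:30 archlinux kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.5 DST=198.51.100.10 LEN=60 TTL=60 PROTO=TCP SPT=50022 DPT=22 WINDOW=64240 SYN URGP=0
Oct 28 08:03:41 archlinux kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TTL=244 PROTO=TCP SPT=51301 DPT=23 WINDOW=1024 SYN URGP=0'

# blocked_summary: stdin = log lines; stdout = "count source proto/port",
# most frequent first. Only [UFW BLOCK] entries are counted.
blocked_summary() {
    awk '/\[UFW BLOCK\]/ {
        src = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (dpt == "") dpt = "-"     # ICMP entries carry no destination port
        n[src " " proto "/" dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

printf '%s\n' "$LOG" | blocked_summary
```

Assuming kernel messages go to the systemd journal, `journalctl -k | blocked_summary` runs the same summary on a live system.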

Step 9 – How to Remove and Disable UFW Firewall

To reset all UFW rules, run the following command:

ufw reset

You will get the following output:

Resetting all rules to installed defaults. This may disrupt existing ssh
connections. Proceed with operation (y|n)? y

To disable the UFW firewall, run the following command:

ufw disable

To remove the UFW firewall, run the following command:

pacman -R ufw

Conclusion

In this post, we explained how to install the UFW firewall on Arch Linux. We also explained how to allow specific ports and services with UFW. You can now easily use the UFW firewall to allow and deny specific ports based on your requirements.