UFW (Uncomplicated Firewall) is a user-friendly frontend for iptables on Ubuntu. It is designed to let users configure a firewall without having to understand the complex iptables syntax.
1. Installing and Basic Setup of UFW
Install UFW
# UFW is usually already installed on Ubuntu
# But if it is not:
sudo apt update
sudo apt install ufw -y
# Verify the installation
sudo ufw version
# Check the status
sudo ufw status
sudo ufw status verbose
sudo ufw status numbered
Default Configuration
# Default: deny all incoming, allow all outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing
Or, for a stricter setup:
sudo ufw default deny incoming
sudo ufw default deny outgoing
# Allow specific outgoing traffic
sudo ufw allow out 80/tcp # HTTP
sudo ufw allow out 443/tcp # HTTPS
sudo ufw allow out 53 # DNS
Enable UFW
# Make sure you have allowed SSH access before enabling!
sudo ufw allow ssh
# or
sudo ufw allow 22/tcp
# Enable the firewall
sudo ufw enable
# Confirm with 'y'
# Verify
sudo ufw status
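A pre-flight check for the lockout risk the enable step warns about, written as an added example for this page (it is not part of the original tutorial). It parses the output of `sudo ufw show added` rather than `sudo ufw status`, because `ufw status` prints only "Status: inactive" while the firewall is off and therefore does not list the rules you have just added. Assumptions: `ufw show added` prints one rule per line in the form "ufw allow 22/tcp" (current ufw does), the SSH port is read from /etc/ssh/sshd_config with a fallback to 22 (drop-ins under sshd_config.d are not read), and the function names and sample outputs are mine, constructed for offline testing.

```shell
#!/bin/sh
# Pre-flight check before `ufw enable`, so the SSH rule is verified first.
# Added example, not part of the original tutorial.
#
# `ufw status` only prints "Status: inactive" while the firewall is off, so the
# rules added beforehand are not visible there. `ufw show added` lists them even
# when inactive, one per line, as "ufw allow 22/tcp" (assumed format).

# Constructed samples of `sudo ufw show added` output, used for offline testing.
SAMPLE_ADDED_LIMIT="Added user rules (see 'ufw status' for running firewall):
ufw limit 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp"

SAMPLE_ADDED_PROFILE="Added user rules (see 'ufw status' for running firewall):
ufw allow OpenSSH"

SAMPLE_ADDED_FROM="Added user rules (see 'ufw status' for running firewall):
ufw allow from 192.168.1.0/24 to any port 22"

SAMPLE_ADDED_OUT_ONLY="Added user rules (see 'ufw status' for running firewall):
ufw allow out 22/tcp
ufw allow 80/tcp"

# ssh_rule_present ADDED_TEXT PORT
# Succeeds (exit 0) when ADDED_TEXT contains an inbound allow/limit rule that
# covers PORT: "PORT", "PORT/tcp", "... port PORT", or the OpenSSH profile.
# Outbound rules ("ufw allow out ...") and deny rules do not count.
# Port ranges such as 1000:2000/tcp are not expanded.
ssh_rule_present() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") && $3 != "out" {
            for (i = 3; i <= NF; i++)
                if ($i == port || $i == port "/tcp" || $i == "OpenSSH") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# detect_ssh_port: first active "Port" directive in /etc/ssh/sshd_config, else 22.
# Assumption: the port is set in that file (sshd_config.d drop-ins are ignored).
detect_ssh_port() {
    p=$(grep -iE '^[[:space:]]*Port[[:space:]]+[0-9]+' /etc/ssh/sshd_config 2>/dev/null | awk '{ print $2; exit }')
    printf '%s\n' "${p:-22}"
}

# safe_enable [PORT]: enable UFW only if an inbound SSH rule for PORT exists.
safe_enable() {
    port=${1:-$(detect_ssh_port)}
    if ssh_rule_present "$(sudo ufw show added)" "$port"; then
        sudo ufw enable
    else
        echo "Refusing to enable UFW: no inbound allow/limit rule for SSH port $port." >&2
        echo "Add one first, e.g.: sudo ufw limit $port/tcp" >&2
        return 1
    fi
}

# Real use on the host: sh preflight.sh --enable
if [ "${1:-}" = "--enable" ]; then
    safe_enable
fi
```

When sshd listens on a custom port that is not declared in /etc/ssh/sshd_config, call `safe_enable 2222` with the port explicitly; a rule expressed as a range that happens to cover the SSH port is reported as missing, which is the safe direction for this check to fail.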
2. Common Firewall Rules
Allow Important Services
# SSH (essential for remote access)
sudo ufw allow ssh
sudo ufw allow 22/tcp
sudo ufw allow 2222/tcp # If using a custom port
# HTTP and HTTPS
sudo ufw allow http # Port 80
sudo ufw allow https # Port 443
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# FTP
sudo ufw allow ftp # Port 21
sudo ufw allow 21/tcp
sudo ufw allow 990/tcp # FTPS
sudo ufw allow 40000:50000/tcp # Passive FTP range
# Mail server
sudo ufw allow smtp # Port 25
sudo ufw allow 587/tcp # Submission
sudo ufw allow 465/tcp # SMTPS
sudo ufw allow imap # Port 143
sudo ufw allow 993/tcp # IMAPS
sudo ufw allow pop3 # Port 110
sudo ufw allow 995/tcp # POP3S
# Database
sudo ufw allow 3306/tcp # MySQL/MariaDB
sudo ufw allow 5432/tcp # PostgreSQL
sudo ufw allow 27017/tcp # MongoDB
sudo ufw allow 6379/tcp # Redis
# DNS
sudo ufw allow 53
sudo ufw allow 53/tcp
sudo ufw allow 53/udp
Allow from Specific IPs
# Allow from a specific IP (all ports)
sudo ufw allow from 192.168.1.100
# Allow from a subnet
sudo ufw allow from 192.168.1.0/24
# Allow a specific port from an IP or subnet
sudo ufw allow from 192.168.1.100 to any port 22
sudo ufw allow from 192.168.1.0/24 to any port 3306
# Allow a port range from a subnet
sudo ufw allow from 10.0.0.0/8 to any port 1000:2000/tcp
Deny Rules
# Deny everything from a specific IP
sudo ufw deny from 192.168.1.200
# Deny a subnet
sudo ufw deny from 10.0.0.0/8
# Deny a specific port
sudo ufw deny 3306/tcp
# Deny a port from an IP
sudo ufw deny from 192.168.1.200 to any port 22
3. Advanced UFW Configuration
Application Profiles
# List available profiles
sudo ufw app list
Example output:
Available applications:
Apache
Apache Full
Apache Secure
CUPS
OpenSSH
# Info about a profile
sudo ufw app info 'Apache Full'
# Allow a profile
sudo ufw allow 'Apache Full'
sudo ufw allow 'OpenSSH'
sudo ufw allow 'Nginx Full'
# Create a custom profile
sudo nano /etc/ufw/applications.d/custom-app
Contents of the custom profile file:
[Node.js]
title=Node.js Server
description=Node.js application server
ports=3000/tcp|4000/tcp|5000/tcp
[MySQL Remote]
title=MySQL Remote Access
description=Allow remote MySQL connections
ports=3306/tcp
Rate Limiting
# Limit the connection rate (a source that attempts 6 or more connections within 30 seconds is denied)
sudo ufw limit ssh/tcp
sudo ufw limit 22/tcp
# Limit SSH on a custom port
sudo ufw limit 2222/tcp
# Verify the limit rules
sudo ufw status verbose
Logging
# Enable logging
sudo ufw logging on
sudo ufw logging high # Log level: off, low, medium, high, full
# View the logs
sudo tail -f /var/log/ufw.log
# Disable logging
sudo ufw logging off
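Tailing the log is the first step; the next is to summarise it. The following added example (not from the original tutorial) counts [UFW BLOCK] and [UFW LIMIT BLOCK] entries by source address and destination protocol/port, and lists sources whose total block count reaches a threshold. The log lines are constructed samples in the netfilter format UFW writes to /var/log/ufw.log, using documentation addresses; the function names are mine.

```shell
#!/bin/sh
# Summarise blocked packets from ufw.log by source and destination port.
# Added example, not part of the original tutorial.
# Real use: sudo sh ufw-blocks.sh /var/log/ufw.log

# Constructed sample log lines (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real hosts).
SAMPLE_LOG='Mar 10 12:00:01 web01 kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:02 web01 kernel: [ 1235.001122] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:03 web01 kernel: [ 1236.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=5555 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:04 web01 kernel: [ 1237.000000] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:05 web01 kernel: [ 1238.000000] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54323 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:06 web01 kernel: [ 1239.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=UDP SPT=5353 DPT=161 LEN=24'

# ufw_block_summary: reads log lines on stdin, prints "COUNT SRC PROTO/DPT"
# for every blocked (SRC, PROTO, DPT) combination, most frequent first.
# [UFW ALLOW] and [UFW AUDIT] lines are ignored.
ufw_block_summary() {
    awk '
        /\[UFW (LIMIT )?BLOCK\]/ {
            src = ""; dpt = ""; proto = "?"
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "SRC") src = v
                else if (k == "DPT") dpt = v
                else if (k == "PROTO") proto = v
            }
            if (src != "" && dpt != "") count[src " " proto "/" dpt]++
        }
        END { for (key in count) print count[key], key }
    ' | sort -rn
}

# noisy_sources [THRESHOLD]: sources whose blocked packets across all ports
# reach THRESHOLD (default 5), printed as "SRC TOTAL"; candidates for review.
noisy_sources() {
    threshold=${1:-5}
    ufw_block_summary | awk -v t="$threshold" '
        { total[$2] += $1 }
        END { for (s in total) if (total[s] >= t) print s, total[s] }'
}

# Summarise the file given as the first argument, else the constructed sample.
if [ -n "${1:-}" ]; then
    ufw_block_summary < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | ufw_block_summary
fi
```

With logging set to low, UFW logs only blocked packets that do not match a rule, so the summary is small and every line is worth a look; at medium or higher, allowed and rate-limited packets are logged as well and the ALLOW filter above keeps them out of the count.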
4. Management and Troubleshooting
Delete Rules
# List rules with numbers
sudo ufw status numbered
# Delete by number
sudo ufw delete 3
# Delete by rule
sudo ufw delete allow 80/tcp
sudo ufw delete allow from 192.168.1.100
# Delete a profile rule
sudo ufw delete allow 'Apache Full'
Insert and Reorder Rules
# Insert at position 1 (highest priority)
sudo ufw insert 1 allow from 192.168.1.100
# Insert before a specific rule
sudo ufw insert 2 allow from 10.0.0.0/8
Reset UFW
# Reset all rules to the defaults
sudo ufw reset
# Confirm with 'y'
Backup and Restore
# Export the configuration
sudo ufw show added > ufw-rules.txt
# Export the full status with comments
sudo ufw status verbose > ufw-backup.txt
# Restore rules. `ufw show added` writes a header line followed by one rule per
# line in the form "ufw allow 22/tcp", so skip the header and strip the leading
# "ufw" before re-running each rule ($rule is left unquoted on purpose so that
# it splits into separate arguments).
sed -n 's/^ufw //p' ufw-rules.txt | while read -r rule; do
    sudo ufw $rule
done
5. UFW for Specific Server Roles
Web Server (LAMP/LEMP)
#!/bin/bash
# setup-webserver-ufw.sh
echo "Setting up UFW for web server..."
# Reset
sudo ufw --force reset
# Defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing
# SSH
sudo ufw allow ssh
# Web
sudo ufw allow http
sudo ufw allow https
# FTP (optional)
sudo ufw allow ftp
# Database (optional, only if remote access is needed)
sudo ufw allow from 192.168.1.0/24 to any port 3306
# Enable
sudo ufw --force enable
echo "UFW configured for web server"
sudo ufw status verbose
Mail Server
# Allow mail services
sudo ufw allow 25/tcp # SMTP
sudo ufw allow 587/tcp # Submission
sudo ufw allow 465/tcp # SMTPS
sudo ufw allow 143/tcp # IMAP
sudo ufw allow 993/tcp # IMAPS
sudo ufw allow 110/tcp # POP3
sudo ufw allow 995/tcp # POP3S
# Allow webmail (Roundcube, etc.)
sudo ufw allow http
sudo ufw allow https
Database Server
# Strict: only allow database access from the internal subnet
sudo ufw allow from 192.168.0.0/16 to any port 3306 # MySQL
sudo ufw allow from 192.168.0.0/16 to any port 5432 # PostgreSQL
sudo ufw allow from 192.168.0.0/16 to any port 27017 # MongoDB
# Allow SSH from anywhere (optional: restrict this too)
sudo ufw allow ssh
# Block everything else
sudo ufw default deny incoming
Conclusion
UFW is the easiest way to configure a firewall on Ubuntu. With application profiles and an intuitive syntax, UFW bridges the gap between security and usability.
UFW Security Checklist:
– Always allow SSH before enabling UFW
– Use rate limiting for public-facing SSH
– Restrict database ports to the internal network
– Regularly review and audit the rules
– Back up the configuration before major changes
– Test rules in a staging environment
Best Practices:
1. Default deny all incoming
2. Whitelist before blacklisting
3. Use application profiles
4. Monitor the logs regularly
5. Document every unusual rule
Troubleshooting:
– If locked out: boot into rescue mode or use the provider's console access
– Check the logs: sudo tail /var/log/ufw.log
– Verify the rules: sudo ufw status verbose
– Disable in an emergency: sudo ufw disable
Written by
Hendra Wijaya