I've always been a little surprised that most Linux desktop users don't have a firewall enabled. They're not running any kind of firewall. Why is that? I think part of the problem is that most desktop Linux distributions, although they ship with a firewall program installed, don't have it enabled out of the box. They leave it up to the user to enable the firewall and set up the firewall rules and everything, which makes sense, but at the same time, most users are not going to know that that's even an option for them, because nobody ever told them that the firewall program is already there. Nobody showed them how to set it up. Well, we're going to correct some of that today, because I'm going to talk to you guys about probably the most popular firewall program out there for Linux. It's called the Uncomplicated Firewall, also called UFW. That's actually the package name on Debian and Ubuntu-based distributions. You could sudo apt install ufw, but you don't have to on most of those because, again, on Ubuntu and most Ubuntu-based distributions UFW is already on your system. It's just not enabled yet. On Arch and Arch-based systems, you can find UFW in the pacman repositories, so do a sudo pacman -S ufw, and that's what I did on my Arch-based system. And today I pulled up the Arch Wiki page for the Uncomplicated Firewall, and you can actually read this to figure out exactly all the commands you need to use with UFW. It doesn't matter what distribution you run; the page for UFW in the Arch Wiki is well written, and it's applicable to whatever distribution you happen to be running. Now, what UFW is, it's really kind of a front end to iptables. It's an easier thing to use than iptables; it's designed to be very easy to use. It's a command line program, but it really just has a handful of commands you'll use on a regular basis. There's also a graphical front end to UFW to make it even easier to use, called GUFW, for graphical UFW.
And I may show you the graphical program, but really the command line based UFW program is the one you're probably going to want to use, because it's just dead simple to use and you could incorporate it into, you know, scripting. I mean, I could make a dmenu script for all my UFW commands if I really wanted to take the time to do that. So let me pull up a terminal and let's get started with some of the basics. So assuming that you've already got UFW installed on your system, the first thing you need to do is actually enable the service with systemd. And I'm assuming you're on a systemd distribution. If you're not, you'll have to check with whatever init system you run to get the command to actually enable a service. But on systemd, you would run sudo systemctl enable, if I can type, ufw.service. And that will enable the UFW service. Then you need to start the service. So if I just up arrow here to get to that last command, I'm going to go and change this to sudo systemctl start ufw.service. Hit enter, and now we have started the service. You actually can combine those commands into one command. If you know you're going to both enable and start a service, what you could do is sudo systemctl enable ufw.service and then give it this flag here, --now. And that is basically a combination of the first two commands. It's just a way to do it in one command. Now once you've got all of that done, the next thing we need to do is run the ufw command itself. So sudo, because you're going to need sudo privileges to do most things with your firewall. So sudo ufw enable. And it says firewall is active and enabled on system startup. Now if you wanted to verify this, you can run a status check. You could actually run a status check with systemd, or you could run a status check with the UFW program itself. If you wanted to run it with systemd, you could do a systemctl status ufw and it will tell you that it's active and running. Let me quit out of that.
If you wanted to run a status check with UFW, you could do sudo ufw status, and it says status: active. So our firewall is active. Now let me clear the screen here. The next command I want to show you guys, now that we've got it active, is sudo ufw app list. UFW has a bunch of application profiles associated with it, and it'll list out these applications for us if I run this command. And it's going to list out a whole bunch of applications for me, because I have a bunch of stuff installed on my system. On a brand new server install, which is a lot of times what you'll be using UFW on, you know, like a web server, cloud server or something, you won't have all this crap installed on those systems. Typically this will be a much smaller list. But my machine here, my desktop, is heavily bloated. And these are all the applications that are available in the UFW app list. These are applications that I can allow the firewall to actually pass data through. Essentially, I can enable these through UFW if I wanted to. So by default, when you enable UFW, we should talk about this. By default, it denies everything. It's not going to allow any incoming traffic. It's just going to deny everything. But we can enable certain services. So I could enable, for example, SSH, which seems like one I probably need to enable. VNC is another one I would probably enable on most servers. On my desktop, you know, I've got a couple of different BitTorrent clients. I've got Deluge installed. I've got Transmission installed. And I could enable those particular programs so they don't get caught up in the firewall, right? If I want to download the latest Ubuntu ISO through a torrent with Transmission, you know, my firewall won't prevent that, right? If I allow it. So by default, again, UFW is set up to deny pretty much everything. If you wanted to do this yourself at the command line, you could also do sudo ufw default deny. If I hit enter, it would just deny everything incoming.
I'm not going to run that command. But let's talk about what I just talked about a second ago. Let's allow something. So I could allow, well, I talked about the Transmission BitTorrent client. I could do a sudo ufw allow transmission. And it says rule added. And then below it, it says rule added (v6), because it added two rules, one for IPv4 and another one for IPv6. It's always going to add two rules. So that's how you allow incoming traffic for a specific application. If you wanted to do this with IPs, I could do a sudo ufw allow and then give it an IP address. You know, if I did something like 192.168.0.0/24, let's assume that this is a LAN, a local network here. And what this would do is allow everybody on the IP addresses 192.168.0.0 to 255. It would allow all 256 of those IPs here on the local network. If I wanted to allow SSH, which is a very common thing, and let's do this because this is one where the command will be a little different. Typically, when you allow something like SSH or Telnet or some kind of communication protocol like that, what you want to do is make sure that it is rate limited. Meaning, hey, if too many connection attempts come from one address in a certain time period, I want you to disallow that address from trying to connect. It's a way to basically slow down the people that are trying to brute-force your machine, right? Because they're just banging on your system all the time. So if somebody starts banging on the SSH port very quickly, just disable it and disallow them. So this command for SSH really should be sudo ufw, and then instead of allow, do limit, for rate limited. And then SSH in my list of apps was SSH, all capitalized. So sudo ufw limit SSH. And again, two rules are added, one for IPv4, one for IPv6. And looking at the Arch Wiki page for the Uncomplicated Firewall, it does clarify the rate limit for things like SSH.
What it does is, if any address attempts to initiate six or more connections in under 30 seconds, that address is, I guess, blocked. So that is what that is doing there. You could also just allow certain port numbers. Instead of services, you could just allow a port that a service runs on. So I could do sudo ufw allow and then a port number, for example, 8080. I could do 1313, which I believe is the port that my Hugo server uses. I mean, I could allow anything. Common port numbers, I mean, 21 is FTP, 22 is SSH. If you want to get into email stuff, 25 is SMTP, which is your outgoing mail protocol; POP3, I think, is 110; IMAP is 143. Your common web protocols: 80, of course, is HTTP, and HTTPS, I believe, is 443. You can look up a lot of the port numbers, but you could just allow a port wide open. Now, let's verify that we actually did enable these apps with UFW. So if I did a sudo ufw status once again, it will tell me, hey, I've allowed four things: transmission twice, for IPv4 and IPv6, and SSH twice. A better command to run, though, if you're going to actually do something with some of these rules, is sudo ufw status numbered. And it will number everything in the list. Why is this important? Well, maybe I want to remove something from the Uncomplicated Firewall. For example, maybe I changed my mind. Maybe I don't really want to allow Transmission. Well, what I would do is sudo ufw delete and then give it a number, 1, for transmission. And it's going to ask me, do I really want to do that? Yes. And now when I do sudo ufw status numbered, I only have SSH twice and transmission one time, the IPv6 rule, because I deleted the IPv4 one. So let me actually go back and delete, this time, number 2 out of the list, which is transmission (v6). Again, it's going to ask for confirmation. And then if I do ufw status numbered one more time, the only thing that is there right now is SSH.
And that really covers all the basics that most people would use with UFW as far as the commands go: installing it, enabling it, starting it, and then allowing the apps that you want to be able to pass through the firewall, or allowing certain port numbers. And then occasionally, you may want to delete those rules from the status list. And that's pretty much it. The one thing we should briefly talk about is logs, because it does mention this in the Arch Wiki. UFW does log a lot of information, and it can really pollute your logs. So your kernel logs, the dmesg output and your message logs, can be full of all this UFW logging. So some people sometimes want to turn that off. They don't want to see the UFW logs. So sudo ufw logging off, and it will turn off UFW logging. Now I'm not going to turn logging off, because I do want my logs, but if I wanted to see them, we should talk about this. If you're on a systemd machine, you could do journalctl -f, and this is a live log. And you will actually see things about UFW, the firewall, in your log if you run that command. I'm not going to bother running that. The last thing I just want to briefly show you guys is GUFW. So if I run that, you do need to have PolicyKit running in your session, because you're going to have to give a root password here. Just like the command line stuff, where you had to do sudo for everything, same thing with GUFW. If you don't have root privileges, you're not going to be able to use GUFW. So this is the GUI front end, and you can set rules. You see incoming: deny, and I can set deny, allow, or reject for incoming, and the same thing with outgoing: allow, deny, reject. And I could set up rules, and I could go read the rules that I currently have set up. You see, it recognizes everything that we did at the command line. And if I wanted to, I could do this in the GUI version.
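To see what UFW is actually writing to those kernel logs, here is an added example (not from the video or the ufw project) that summarises the [UFW BLOCK] and [UFW LIMIT BLOCK] entries by source address and destination port, which is the first thing a defender wants from them; the log lines are constructed sample data in the format ufw's LOG rules emit, and on a real box you would pipe journalctl -k into the function instead.

```shell
#!/bin/sh
# Added example (not from the video): summarise ufw's kernel log entries by
# action, source address and destination port, busiest first.
# UFW_SAMPLE_LOG is constructed sample data in the format ufw's LOG rules emit:
# [UFW BLOCK] for the default deny, [UFW LIMIT BLOCK] when a `ufw limit` rule trips.

UFW_SAMPLE_LOG='Jan 10 12:00:01 box kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 box kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 box kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:09 box kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=TCP SPT=40222 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:10 box kernel: some unrelated kernel message that must be ignored'

# ufw_block_summary: read log lines on stdin, print "COUNT ACTION SRC PROTO/DPT"
# lines sorted by count descending. Lines without a UFW block prefix are skipped.
ufw_block_summary() {
    awk '
        /\[UFW (LIMIT )?BLOCK\]/ {
            action = ($0 ~ /LIMIT BLOCK/) ? "LIMIT" : "BLOCK"
            src = "?"; dpt = "?"; proto = "?"
            # The packet fields are KEY=VALUE tokens; pull the three we report on.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            count[action " " src " " proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run over the sample; on a live system: journalctl -k | ufw_block_summary
printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_block_summary
```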
I could go click the plus symbol, and I could allow or disallow or whatever it is I want to do for whatever service I want. I'll let you guys play with that. I actually haven't played with GUFW too much. Turning your firewall on and off, though, is dead simple with GUFW. You see right now, it's got the check mark. It's turned on. If I wanted to, I could slide that over, and now it would be turned off. And let me do that again. I think I had clicked it twice, yeah. Now it's off, and then click it again. I think now it's back on. Anyway, let me get out of GUFW before I do something that I didn't mean to do. But for the most part, honestly, I would just use the standard command line UFW program. So that's a very quick, cursory tutorial on how to set up the Uncomplicated Firewall. I know most Linux desktop users don't use a firewall. Most of you guys probably still are not going to use a firewall, even after this video. But you know what? If you use it, it's just a little extra protection, right? It provides a little extra protection against all those outside cyber attackers, right? It kind of shields your machine, and really your network here at the house, from all those malicious attacks, those network attacks where people are trying to just bang away at your machine until they finally get in. And of course, once they're in, they can steal sensitive information from you, financial information or whatever it is they're trying to get. So it is worth turning on the firewall; it really doesn't harm anything. There are no downsides, other than occasionally you'll have the firewall turned on and then you'll try to open a program. Maybe you forgot to allow Transmission, the BitTorrent client, and you go to use Transmission and it's not working. And you forgot you even enabled the firewall. So it takes you a minute to realize, oh, the firewall's on.
Let me either go allow Transmission, or just turn the firewall off for a second to do your BitTorrenting and then turn it back on afterwards. The one other downside playing with the firewall, if you are remoting into a machine and trying to turn on UFW on a remote machine, so a remote web server, and I've done this, is you SSH into that machine, and then you enable the service for UFW, and then you start UFW. You don't set up any rules, you just start UFW. Well, what did we talk about before? UFW by default denies all connections, including SSH, which is your only way into that headless remote server. You just basically locked yourself out of that machine in a big way, and then you've got to contact your hosting company, or whoever can support that kind of request, because you're going to be like, hey man, I locked myself out of the machine, can you let me back in? Because by default, when you turn it on, it's not going to let you SSH, it's not going to let you VNC. So make sure you set up your rules for UFW before you start it if you're remoting into a server.

Now, before I go, I need to thank a few special people. I need to thank the producers of the show: Michael Gabe Corbinian, Mitchell Devonfran, Arch 5530 at Kami, Chuck, Claudio, Donnie, Dylan, George Gregory, Kellogg, Devils, Lewis, Paul, Scott, and Willie. These guys are my highest tiered patrons over on Patreon, and they are the producers of this episode. I'd also like to thank each and every one of these ladies and gentlemen. All these fine ladies and gentlemen help support my work over on Patreon, because this channel is supported by you guys, the community. If you'd like to support my work, consider doing so. Look for DT, DistroTube, over on Patreon. All right guys, peace.
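The remote-server lockout described above comes down to ordering: add the rules first, enable last. Here is an added example script (not from the video or the ufw project) that strings together the commands from this tutorial in that safe order; it assumes ufw and sudo are installed, that SSH is the only inbound service you need at bootstrap, and that setting UFW_DRY_RUN=1 should print the plan instead of executing it.

```shell
#!/bin/sh
# Added example (not from the video): bring ufw up on a headless server in a
# lockout-safe order. Every rule is added BEFORE `ufw enable`, so the SSH
# session used to run this keeps working once the default-deny policy is live.
# Assumptions: ufw and sudo are installed; SSH listens on $1 (default 22).
# Set UFW_DRY_RUN=1 to print the commands instead of running them.

run() {
    if [ "${UFW_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        sudo "$@"
    fi
}

# ufw_bootstrap SSH_PORT [ADMIN_CIDR]
#   ADMIN_CIDR (optional): restrict SSH to this network (e.g. 192.168.0.0/24);
#   the rate limit (6+ attempts in 30 s from one address -> denied) still applies.
ufw_bootstrap() {
    ssh_port="${1:-22}"
    admin_cidr="$2"

    # 1. Service first; the firewall itself is still inactive, no rules enforced.
    run systemctl enable --now ufw.service
    # 2. The policy the video describes: deny everything inbound, allow outbound.
    run ufw default deny incoming
    run ufw default allow outgoing
    # 3. Management access BEFORE enabling, rate-limited rather than plain allow.
    if [ -n "$admin_cidr" ]; then
        run ufw limit from "$admin_cidr" to any port "$ssh_port" proto tcp
    else
        run ufw limit "$ssh_port/tcp"
    fi
    # 4. Only now activate. --force skips the interactive "may disrupt ssh" prompt,
    #    which is safe here precisely because the SSH rule already exists.
    run ufw --force enable
    run ufw status numbered
}

# Stand-alone preview of the plan; drop UFW_DRY_RUN to apply it for real.
if [ "${UFW_DEMO:-0}" = "1" ]; then
    UFW_DRY_RUN=1 ufw_bootstrap 22 192.168.0.0/24
fi
```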