Manage Firewall Rules with UFW on Red Hat Enterprise Linux 8

UFW stands for Uncomplicated FireWall — and as the name implies, it makes firewall management very easy. UFW was developed by Canonical and is available by default on all recent Ubuntu versions. 

A Linux firewall used to protect your workstation or server from unwanted traffic. You can set up rules to either block traffic or allow through. RHEL 8 comes with a dynamic, customizable host-based firewall with a D-Bus interface. 

You can add or delete or update firewall rules without restarting the firewall daemon or service.

firewall-cmd act as a frontend for the nftables.

Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to secure their Linux Server via firewalld.

In this context, we shall look into how to install UFW on Red Hat Enterprise Linux (RHEL) 8 through Snaps.

How to install Snapd on Red Hat Enterprise Linux 8 ?

Snaps can be likened to containers for packaging applications with everything that they require to run successfully across multiple Linux distributions. 

To use snaps, you must install snapd.

Snapd is a background process that manages snaps. 

i. To install snapd on RHEL 8, you would first need to add the Extra Packages for Enterprise Linux (EPEL) repository as follows:

$ sudo dnf install

When prompted, enter y to continue. 

ii. Once the EPEL installation completes successfully, run the next command to update packages to the latest version.

$ sudo dnf upgrade

iii. You may now install snapd as follows:

$ sudo yum install snapd

When prompted, enter y to proceed with the installation.

iv. After the snapd installation completes successfully, run the next command to enable snapd.socket which manages snap communications:

$ sudo systemctl enable --now snapd.socket

You will see a message indicating that a symlink was created.

You may now log out and log in again so that snap's paths can be updated.

How to install UFW on Red Hat Enterprise Linux 8 ?

i. The following command will install UFW on RHEL 8:

$ sudo snap install ufw

ii. Once installed, run the next command to check the status of UFW:

$ sudo ufw status

Note: If you get an error saying, "ufw: command not found", it may be a problem with ufw's paths. 

As a workaround, run the command below to create a symbolic link to /var/lib/snapd/snap/bin/ufw from /usr/bin/ufw

iii. After that, try to check the status of ufw again and it should work fine:

$ sudo ln -s /var/lib/snapd/snap/bin/ufw /usr/bin/ufw

To enable UFW and configure it to always start at system boot, run:

$ sudo ufw enable

If your goal is to replace the built-in firewalld in RHEL 8 with UFW, then you may want to disable firewalld by running the following commands:

$ sudo systemctl stop firewalld 
$ sudo systemctl disable firewalld

By default, UFW denies all incoming traffic and allows outgoing traffic. However, you can change this default behavior if you wish. To deny outgoing traffic for example, run:

$ sudo ufw default deny outgoing

Run the next command to list UFW application profiles:

$ sudo ufw app list

For instance, to deny access to Bonjour, the following command would suffice:

$ sudo ufw deny Bonjour

You could also specify port numbers to allow or deny traffic on as follows:

$ sudo ufw deny 25
$ sudo ufw allow 22

Here's another example that allows traffic on TCP port 80.

$ sudo ufw allow 80/tcp

After adding your firewall rules, you may run the next command to see detailed information about the status of UFW:

$ sudo ufw status verbose

To view additional usage information for UFW, run:

$ ufw --help

You could also review the official UFW manual pages at the following link:

[Need urgent assistance in fixing security in Red Hat Linux Servers? We can help you.  ]

This article covers how to secure Red Hat Enterprise Linux 8 with UFW. UFW may not be intended to provide complete firewall functionality, but it does provide an easy way to create and manage simple firewall rules.

A firewall is a way to protect machines from any unwanted traffic from outside. 

It enables users to control incoming network traffic on host machines by defining a set of firewall rules. 

These rules are used to sort the incoming traffic and either block it or allow through.

Note that firewalld with nftables backend does not support passing custom nftables rules to firewalld, using the --direct option.

How to start, stop, restart firewalld service on an RHEL 8?

By now you know about firewalld zones, services, and how to view the defaults. It is time to activate and configure our firewall.

1. Start and enable firewalld

$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld

2. Stop and disable firewalld

$ sudo systemctl stop firewalld
$ sudo systemctl disable firewalld

3. Check the firewalld status

$ sudo firewall-cmd --state

4. Command to reload a firewalld configuration when you make change to rules

$ sudo firewall-cmd --reload

5. Get the status of the firewalld service

$ sudo systemctl status firewalld

When to use firewalld, nftables, or iptables:

1. firewalld: Use the firewalld utility for simple firewall use cases. The utility is easy to use and covers the typical use cases for these scenarios.

2. nftables: Use the nftables utility to set up complex and performance critical firewalls, such as for a whole network.

3. iptables: The iptables utility on Red Hat Enterprise Linux 8 uses the nf_tables kernel API instead of the legacy back end. 

The nf_tables API provides backward compatibility so that scripts that use iptables commands still work on Red Hat Enterprise Linux 8. For new firewall scripts, Red Hat recommends to use nftables.

Related Posts