After you’ve changed the default username and password on our Raspberry Pi or BeagleBone Black, the next step to securing it is to install and configure a firewall. A firewall will help keep your device secure by limiting or blocking connections to the services running on your device, creating a far smaller attack surface that can be exploited.
Linux devices use the iptables firewall, however it is regarded as difficult to configure and not for the faint of heart. To help remedy this tools were created to make it easier to work with iptables, and the most popular tool for configuring iptables is UFW (which stands for uncomplicated firewall). UFW makes installing or configuring a firewall on your Raspberry Pi or Beaglebone Black a breeze.
Caution: When you’re configuring a firewall it’s strongly recommended to have physical access to the device you are working on. If you’re accessing the device over a network, misconfiguring the firewall could lead to being locked out of the system.
Installing UFW
We’ll be working from the terminal, so start a shell if you aren’t already working from the command line.
To install UFW on your system, all you need to do is install it using apt:
sudo apt-get update
sudo apt-get install ufwThese commands will install UFW, but it still needs to be configured before it can be used.
Configuring UFW
These steps will walk you through the basic steps to block, limit, and allow traffic through your newly installed firewall. In UFW you need to configure each port individually, blocking or providing access to specific daemons running on your Raspberry Pi or BeagleBone Black.
Allowing traffic through the firewall
By default, all traffic through the firewall is blocked so you need to tell the firewall to allow traffic to reach the ports that you want kept open. To allow traffic to reach a port, you use the ufw allow command followed by the port number.
One important port if you are administering systems remotely is SSH which runs on port 22. To allow SSH access to your system, you would run the following command:
sudo ufw allow 22Repeat this process for all the ports that you want open on your system. For example, if you are running a webserver on your Raspberry Pi or BeagleBone Black and want people to be able to access it over the network, you’d allow access to port 80 like so:
sudo ufw allow 80If you want to look up which ports are used by certain daemons or services, Wikipedia has a comprehensive list.
Limiting traffic through the firewall
In addition to allowing traffic, you can also limit it. The limit feature of UFW watches for users which are repeatedly accessing ports, for example trying to guess SSH passwords through a brute force attack, and will block users which attempt to create six or more connections within a thirty second window.
Just like the allow command, you can configure UFW to limit traffic using the ufw limit command followed by the port number. If you wanted to limit the incoming SSH connections to your system, you would run the following command:
sudo ufw limit 22Enabling UFW
Once all your firewall rules have been added, it’s time to enable the firewall and turn it on.
Before turning on your firewall, it’s helpful to review all the rules you’ve added to make sure everything looks correct and you haven’t made any mistakes. Remember, mistakes have the potential to lock you out of your system if you’re using it over the network.
To see a list of the firewall rules, use the ufw show added command like so:
sudo ufw show addedOnce you run this, you’ll see the status of your firewall and a list of all the rules based on the port numbers. Check the firewall and make sure that any ports you need to access are listed.
If you’re happy with your new rules, you can enable the firewall by running the ufw enable command like so:
sudo ufw enableWhen you turn on the firewall, you’ll get a message that any existing SSH connections might be terminated (depending on the firewall rules).
Command may disrupt existing ssh connections. Proceed with operation (y|n)?To continue enabling the firewall, press Y then press Enter.
Once the firewall is up and running, you’ll get the following message letting you know that it’s running:
Firewall is active and enabled on system startupConclusion
You’ve finished installing and configuring a firewall on your Raspberry Pi or BeagleBone Black. Having a properly configured firewall goes a long way towards limiting the risk from network attacks on your devices, and UFW is one of the easiest ways to maintain your firewall and keep it running correctly.
Ran into issues with UFW, or have any questions? Leave a comment below or use the contact form and I’d be happy to hear from you.