ufw vs AWS Security Group
1. ufw command
1.1. Commonly used ufw commands
# ubuntu @ ip-172-31-12-228
$ sudo ufw status
Status: inactive
# ubuntu @ ip-172-31-12-228
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? n
Aborted
Note: run sudo ufw enable carefully. Ubuntu's ufw denies incoming traffic by default, so enabling it on a remote host before adding an allow rule for SSH (for example sudo ufw allow OpenSSH) drops your session and locks you out.
ufw enable: Enables the firewall, which starts enforcing the configured rules, and keeps it enabled across reboots.
ufw disable: Disables the firewall, allowing all network traffic.
ufw status: Displays the current status of the firewall and the rules that are in effect; ufw status verbose also shows the default policies. While the firewall is inactive, the rules you have added are listed only by ufw show added.
ufw default allow: Sets the default policy for incoming traffic to allow (the direction defaults to incoming; use ufw default allow outgoing for the outgoing policy).
ufw default deny: Sets the default policy for incoming traffic to deny (ufw default deny outgoing for the outgoing policy). The Ubuntu defaults are deny incoming, allow outgoing.
ufw allow <port>: Opens a specific port for incoming traffic. A bare port number covers both TCP and UDP; write 22/tcp to restrict the rule to one protocol.
ufw deny <port>: Blocks incoming traffic on a specific port.
ufw delete <rule>: Deletes a specific rule from the firewall, written exactly as it was added.
# e.g., sudo ufw delete allow 80
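The commands above are safe in one order only: set the defaults, allow SSH, then enable. The following POSIX sh script is an added example (not code from the original post) that enforces that order and refuses to enable the firewall unless an SSH rule has already been added. The function names are mine, and SSH_PORT=22 is an assumption; because ufw status prints only "Status: inactive" while the firewall is off, the check reads ufw show added instead.

```shell
#!/bin/sh
# Added example, not from the original post: run `ufw enable` on a remote
# host only after an allow rule for SSH exists, so the lock-out that the
# "may disrupt existing ssh connections" prompt warns about cannot happen.
# While ufw is inactive `ufw status` prints just "Status: inactive", so the
# check reads `ufw show added`, which lists rules added before enabling.
# SSH_PORT defaults to 22 (assumption; override for a non-standard sshd).

SSH_PORT="${SSH_PORT:-22}"

# ssh_rule_added: stdin = output of `sudo ufw show added`; succeeds when a
# rule of the form "ufw allow OpenSSH", "ufw allow 22", "ufw allow 22/tcp"
# or the rate-limited "ufw limit 22/tcp" is present. Other shapes (e.g.
# "ufw allow from 10.0.0.0/8 to any port 22") are not recognised and are
# treated as missing, which errs on the side of refusing to enable.
ssh_rule_added() {
  grep -Eq "^ufw (allow|limit) (OpenSSH|${SSH_PORT}(/tcp)?)([[:space:]]|$)"
}

# safe_enable: gate `ufw enable` on the check above. `--force` skips the
# interactive prompt, which is only acceptable once the SSH rule is in place.
safe_enable() {
  if sudo ufw show added | ssh_rule_added; then
    sudo ufw --force enable
  else
    echo "refusing to enable ufw: no allow rule for SSH port ${SSH_PORT}" >&2
    echo "add one first, e.g.: sudo ufw allow ${SSH_PORT}/tcp" >&2
    return 1
  fi
}

# bootstrap: the usual first-run sequence in an order that cannot lock you
# out: defaults first (deny in, allow out), then SSH, then enable.
bootstrap() {
  sudo ufw default deny incoming
  sudo ufw default allow outgoing
  sudo ufw allow "${SSH_PORT}/tcp"
  safe_enable
}

# Only touch the live firewall when explicitly asked (UFW_APPLY=1), so the
# functions above can be sourced and exercised without root or ufw.
if [ "${UFW_APPLY:-0}" = 1 ]; then
  bootstrap
fi
```

Run it as UFW_APPLY=1 sh safe-ufw.sh on the instance; without the variable it only defines the functions. If sshd listens on another port, export SSH_PORT before running so that both the rule added and the rule checked refer to that port.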
1.2. ufw app list
# ubuntu @ ip-172-31-12-228
$ sudo ufw app list
Available applications:
Nginx Full
Nginx HTTP
Nginx HTTPS
OpenSSH
The output of sudo ufw app list only shows the available application profiles, not whether each one has been allowed or denied by ufw. It is simply the list of predefined profiles (read from /etc/ufw/applications.d) that you can use when writing rules, so you do not need to remember which port each application uses. Instead of
sudo ufw allow 22
you can allow the profile by its exact name:
# sudo ufw allow 'Profile Name'
$ sudo ufw allow 'OpenSSH'
Rules updated
Rules updated (v6)
$ sudo ufw allow 'OpenS'
ERROR: Could not find a profile matching 'OpenS'
The name must match exactly; a partial name is rejected, as the second command shows. To see which ports a profile covers, run sudo ufw app info 'Nginx Full'. Because that profile lists both 80 and 443, the command below opens both ports:
sudo ufw allow 'Nginx Full'
To check whether Nginx HTTP, Nginx HTTPS, or OpenSSH have actually been allowed or denied by ufw, use the sudo ufw status command, which displays the current status of the firewall and the active rules. It lists rules only while the firewall is active; while the firewall is inactive, sudo ufw show added lists the rules that will apply once it is enabled.
$ sudo ufw allow 'OpenSSH'
Rules updated
Rules updated (v6)
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
$ sudo ufw status
Status: active
To Action From
-- ------ ----
5060/udp ALLOW Anywhere
OpenSSH ALLOW Anywhere
5060/udp (v6) ALLOW Anywhere (v6)
OpenSSH (v6) ALLOW Anywhere (v6)
$ sudo ufw disable
Firewall stopped and disabled on system startup
2. Ubuntu Firewall (ufw) vs AWS Security Groups
A firewall like UFW runs inside the instance at the OS level (netfilter/iptables rules managed by ufw), while an Amazon Security Group is enforced outside the instance, on the instance's network interface (ENI), by the VPC. Traffic coming into the EC2 instance is first evaluated by the SG and only then, if the SG permits it, by UFW. Both layers are stateful, and a new SG allows no inbound traffic at all, so every inbound port you need must be explicitly allowed in both places.
I strongly recommend using only the "SG" (Security Group) on EC2, even though we can use both "SG" and "UFW". "SG" is a firewall, the same as "UFW".
When only "SG" allowed "SSH 22" and "UFW" didn't allow "SSH 22", then I logged out of ubuntu, I couldn't log in to ubuntu ever again, so I terminated ubuntu.
Even though "SG" allowed "SSH 22", I couldn't log in to ubuntu because "UFW" didn't allow "SSH 22". So if either of them doesn't allow "SSH 22", "SSH 22" doesn't work. If both "SG" and "UFW" allow "SSH 22", "SSH 22" works, and we can log in to ubuntu.
I also experimented with "HTTP 80". When only "SG" allowed "HTTP 80" and "UFW" didn't allow "HTTP 80", "HTTP 80" didn't work. When both "SG" and "UFW" allowed "HTTP 80", "HTTP 80" worked.
Just remember: "If both allow, it works" and "If only one of them allows, it doesn't work". Actually, using both of them creates complications and some troubles. So again, I really recommend using only "SG" on EC2, which is simpler than using both of them.
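Because the profile-to-port resolution from 1.2 and the "both must allow" rule from this section together decide whether a port is actually reachable, here is an added example (not code from the original post) that cross-checks an SG's inbound rules against ufw's rules and reports, per port, which layer allows it and whether it is reachable. Everything in it is constructed for illustration: the function names (sg_ports, profile_ports, ufw_allowed_ports, effective_access), the SG rule rows and the security-group id in the comment, and the profile text; the ufw status text is copied from 1.2 above. It assumes the aws CLI --query/--output text shape shown in the comment, the non-verbose ufw status layout, and ufw's default incoming policy of deny, and it makes no AWS or ufw call itself.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check an EC2 instance's
# Security Group (SG) inbound rules against the host's ufw rules. A port is
# reachable only when BOTH layers allow it. All input below is constructed
# sample text; no AWS or ufw call is made. Assumes ufw's default incoming
# policy is deny and the non-verbose `ufw status` layout shown on this page.

# Constructed: the shape that
#   aws ec2 describe-security-groups --group-ids sg-0123456789abcdef0 \
#     --query 'SecurityGroups[0].IpPermissions[].[IpProtocol,FromPort,ToPort]' \
#     --output text
# prints for an SG that opens SSH and HTTP (hypothetical group id).
SG_RULES='tcp 22 22
tcp 80 80'

# Constructed profiles in the /etc/ufw/applications.d INI format.
UFW_PROFILES='[OpenSSH]
title=Secure shell server
ports=22/tcp

[Nginx Full]
title=Web Server (Nginx, HTTP + HTTPS)
ports=80,443/tcp'

# Constructed from the `ufw status` output shown in section 1.2.
UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
5060/udp                   ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
5060/udp (v6)              ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)'

# sg_ports: stdin = SG rows "proto from to"; prints one port/proto per
# line, expanding port ranges. An all-traffic rule (-1) prints "any/any".
sg_ports() {
  awk '$1 == "-1" { print "any/any"; next }
       { for (p = $2; p <= $3; p++) print p "/" $1 }'
}

# profile_ports NAME: port/proto entries of an app profile, one per line;
# handles the "80,443/tcp", "1024:1030/tcp" and "53/udp|53/tcp" forms.
profile_ports() {
  printf '%s\n' "$UFW_PROFILES" | awk -v want="$1" '
    /^\[/ { name = substr($0, 2, length($0) - 2); next }
    name == want && /^ports=/ {
      n = split(substr($0, 7), groups, "|")
      for (g = 1; g <= n; g++) {
        split(groups[g], pp, "/")          # pp[1] = port list, pp[2] = proto
        m = split(pp[1], ports, ",")
        for (i = 1; i <= m; i++) {
          if (split(ports[i], r, ":") == 2) {
            for (p = r[1]; p <= r[2]; p++) print p "/" pp[2]
          } else {
            print ports[i] "/" pp[2]
          }
        }
      }
    }'
}

# ufw_allowed_ports: stdin = `ufw status` text; prints port/proto for every
# ALLOW rule. IPv6 duplicates are dropped, a bare port covers tcp and udp
# as ufw does, and profile names are resolved through profile_ports.
ufw_allowed_ports() {
  awk '/ ALLOW / && !/\(v6\)/ { print $1 }' | while read -r target; do
    case "$target" in
      */*)    printf '%s\n' "$target" ;;
      [0-9]*) printf '%s/tcp\n%s/udp\n' "$target" "$target" ;;
      *)      profile_ports "$target" ;;
    esac
  done
}

# effective_access SG_TEXT UFW_TEXT: one line per port/proto named by either
# side: "port/proto sg=yes|no ufw=yes|no reachable=yes|no".
effective_access() {
  sg=$(printf '%s\n' "$1" | sg_ports)
  fw=$(printf '%s\n' "$2" | ufw_allowed_ports)
  sg_all=no
  if printf '%s\n' "$sg" | grep -qxF 'any/any'; then sg_all=yes; fi
  printf '%s\n%s\n' "$sg" "$fw" | grep -vxF 'any/any' | sort -u |
  while read -r pp; do
    [ -n "$pp" ] || continue
    in_sg=$sg_all; in_fw=no; reach=no
    if printf '%s\n' "$sg" | grep -qxF "$pp"; then in_sg=yes; fi
    if printf '%s\n' "$fw" | grep -qxF "$pp"; then in_fw=yes; fi
    if [ "$in_sg" = yes ] && [ "$in_fw" = yes ]; then reach=yes; fi
    printf '%s sg=%s ufw=%s reachable=%s\n' "$pp" "$in_sg" "$in_fw" "$reach"
  done
}

effective_access "$SG_RULES" "$UFW_STATUS"
```

With the constructed input this prints 22/tcp as reachable and flags 80/tcp (opened by the SG but not by ufw) and 5060/udp (opened by ufw but not by the SG) as unreachable, which is exactly the "only one of them allows" failure described above. To use it on a real instance, replace SG_RULES with the aws command output from the comment, UFW_STATUS with the output of sudo ufw status, and UFW_PROFILES with the contents of /etc/ufw/applications.d; a line for your SSH port that does not end in reachable=yes means enabling ufw would lock you out.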