How to Set Up a Firewall with UFW on Ubuntu for Optimal Security

UFW (Uncomplicated Firewall) is a user-friendly frontend for iptables on Ubuntu. It is designed to make firewall configuration easier, without requiring users to understand the complex iptables syntax.

1. Installation and Basic UFW Setup

Install UFW

# UFW is usually already installed on Ubuntu
# If it is not:
sudo apt update
sudo apt install ufw -y

# Verify the installation
sudo ufw version

# Check status
sudo ufw status
sudo ufw status verbose
sudo ufw status numbered

Default Configuration

# Default: deny all incoming, allow all outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Or, for a stricter setup:
sudo ufw default deny incoming
sudo ufw default deny outgoing

# Allow specific outgoing
sudo ufw allow out 80/tcp   # HTTP
sudo ufw allow out 443/tcp  # HTTPS
sudo ufw allow out 53       # DNS

Enable UFW

# Make sure SSH access is allowed before enabling!
sudo ufw allow ssh
# or
sudo ufw allow 22/tcp

# Enable firewall
sudo ufw enable

# Confirm with 'y'

# Verify
sudo ufw status

2. Common Firewall Rules

Allow Essential Services

# SSH (important for remote access)
sudo ufw allow ssh
sudo ufw allow 22/tcp
sudo ufw allow 2222/tcp  # If using a custom port

# HTTP and HTTPS
sudo ufw allow http      # Port 80
sudo ufw allow https     # Port 443
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# FTP
sudo ufw allow ftp       # Port 21
sudo ufw allow 21/tcp
sudo ufw allow 990/tcp   # FTPS
sudo ufw allow 40000:50000/tcp  # Passive FTP range

# Mail server
sudo ufw allow smtp      # Port 25
sudo ufw allow 587/tcp   # Submission
sudo ufw allow 465/tcp   # SMTPS
sudo ufw allow imap      # Port 143
sudo ufw allow 993/tcp   # IMAPS
sudo ufw allow pop3      # Port 110
sudo ufw allow 995/tcp   # POP3S

# Database (opens the port to any source; restrict to the internal network where possible)
sudo ufw allow 3306/tcp  # MySQL/MariaDB
sudo ufw allow 5432/tcp  # PostgreSQL
sudo ufw allow 27017/tcp # MongoDB
sudo ufw allow 6379/tcp  # Redis

# DNS
sudo ufw allow 53
sudo ufw allow 53/tcp
sudo ufw allow 53/udp

Allow from Specific IPs

# Allow from a specific IP (all ports)
sudo ufw allow from 192.168.1.100

# Allow from a subnet
sudo ufw allow from 192.168.1.0/24

# Allow to a specific port from an IP
sudo ufw allow from 192.168.1.100 to any port 22
sudo ufw allow from 192.168.1.0/24 to any port 3306

# Allow from a subnet to a port range (ranges need an explicit protocol, given with "proto")
sudo ufw allow from 10.0.0.0/8 to any port 1000:2000 proto tcp

Deny Rules

# Deny everything from a specific IP
sudo ufw deny from 192.168.1.200

# Deny a subnet
sudo ufw deny from 10.0.0.0/8

# Deny a specific port
sudo ufw deny 3306/tcp

# Deny from an IP to a port
sudo ufw deny from 192.168.1.200 to any port 22

3. Advanced UFW Configuration

Application Profiles

# List available profiles
sudo ufw app list

# Example output:
# Available applications:
#   Apache
#   Apache Full
#   Apache Secure
#   CUPS
#   OpenSSH

# Show information about a profile
sudo ufw app info 'Apache Full'

# Allow profile
sudo ufw allow 'Apache Full'
sudo ufw allow 'OpenSSH'
sudo ufw allow 'Nginx Full'

# Create a custom profile
sudo nano /etc/ufw/applications.d/custom-app

Contents of the custom profile file:

[Node.js]
title=Node.js Server
description=Node.js application server
ports=3000/tcp|4000/tcp|5000/tcp

[MySQL Remote]
title=MySQL Remote Access
description=Allow remote MySQL connections
ports=3306/tcp

Rate Limiting

# Limit connection rate (6 connections per 30 seconds)
sudo ufw limit ssh/tcp
sudo ufw limit 22/tcp

# Limit SSH on a custom port
sudo ufw limit 2222/tcp

# Verify the limit rules
sudo ufw status verbose

Logging

# Enable logging
sudo ufw logging on
sudo ufw logging high    # Log level: off, low, medium, high, full

# View logs
sudo tail -f /var/log/ufw.log

# Disable logging
sudo ufw logging off
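
With logging enabled, blocked packets show up in /var/log/ufw.log as kernel lines tagged [UFW BLOCK]. The script below is an added example, not part of the original article: it summarizes those lines by source address and destination port. The log lines are constructed and abridged, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original article): summarize blocked traffic
# in UFW log lines read from stdin. Function names are hypothetical.

# Constructed, abridged sample of /var/log/ufw.log (documentation IP ranges).
sample_ufw_log() {
    cat <<'EOF'
Feb  3 10:15:01 web01 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=3306 SYN
Feb  3 10:15:02 web01 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40113 DPT=3306 SYN
Feb  3 10:15:09 web01 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=51000 DPT=22 SYN
Feb  3 10:15:11 web01 kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.44 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=33000 DPT=443 SYN
Feb  3 10:15:20 web01 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40114 DPT=3306 SYN
Feb  3 10:15:31 web01 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=72 TTL=49 PROTO=UDP SPT=5353 DPT=53
Feb  3 10:15:40 web01 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=51001 DPT=22 SYN
Feb  3 10:15:44 web01 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TTL=50 PROTO=ICMP TYPE=8 CODE=0
EOF
}

# Print "<count> <source> <proto>/<dport>" for every blocked packet,
# most frequent first. Rate-limit hits ([UFW LIMIT BLOCK]) count as blocks.
ufw_block_summary() {
    awk '
        /\[UFW (LIMIT )?BLOCK\]/ {
            src = ""; proto = ""; dpt = "-"      # ICMP has no DPT field
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") count[src " " proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Print "<source> <total>" for sources with at least $1 blocks (default 3).
ufw_noisy_sources() {
    ufw_block_summary | awk -v min="${1:-3}" '
        { total[$2] += $1 }
        END { for (s in total) if (total[s] >= min) print s, total[s] }
    ' | LC_ALL=C sort
}

sample_ufw_log | ufw_block_summary
```

On a live host, feed it the real log instead of the sample: sudo cat /var/log/ufw.log | ufw_block_summary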

4. Management and Troubleshooting

Delete Rules

# List with numbers
sudo ufw status numbered

# Delete by number
sudo ufw delete 3

# Delete by rule
sudo ufw delete allow 80/tcp
sudo ufw delete allow from 192.168.1.100

# Delete profile rule
sudo ufw delete allow 'Apache Full'

Insert and Reorder Rules

# Insert at position 1 (top priority)
sudo ufw insert 1 allow from 192.168.1.100

# Insert before specific rule
sudo ufw insert 2 allow from 10.0.0.0/8

Reset UFW

# Reset all rules to defaults
sudo ufw reset

# Confirm with 'y'

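Backup and Restore

# Export the configuration
sudo ufw show added > ufw-rules.txt

# Export full config with comments
sudo ufw status verbose > ufw-backup.txt

# Restore rules
# 'ufw show added' prints a header line, then one full 'ufw ...' command per line,
# so keep only the command lines and drop the leading 'ufw' word before replaying.
grep '^ufw ' ufw-rules.txt | while read -r _ rule; do
    sudo ufw $rule < /dev/null   # unquoted on purpose: split the rule into arguments
done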

5. UFW for Specific Servers

Web Server (LAMP/LEMP)

#!/bin/bash
# setup-webserver-ufw.sh

echo "Setting up UFW for web server..."

# Reset
sudo ufw --force reset

# Default
sudo ufw default deny incoming
sudo ufw default allow outgoing

# SSH
sudo ufw allow ssh

# Web
sudo ufw allow http
sudo ufw allow https

# FTP (optional)
# sudo ufw allow ftp

# Database (optional, only if remote access is needed)
# sudo ufw allow from 192.168.1.0/24 to any port 3306

# Enable
sudo ufw --force enable

echo "UFW configured for web server"
sudo ufw status verbose

Mail Server

# Allow mail services
sudo ufw allow 25/tcp    # SMTP
sudo ufw allow 587/tcp   # Submission
sudo ufw allow 465/tcp   # SMTPS
sudo ufw allow 143/tcp   # IMAP
sudo ufw allow 993/tcp   # IMAPS
sudo ufw allow 110/tcp   # POP3
sudo ufw allow 995/tcp   # POP3S

# Allow webmail (Roundcube, etc)
sudo ufw allow http
sudo ufw allow https

Database Server

# Strict: only allow database access from the internal subnet
sudo ufw allow from 192.168.0.0/16 to any port 3306  # MySQL
sudo ufw allow from 192.168.0.0/16 to any port 5432  # PostgreSQL
sudo ufw allow from 192.168.0.0/16 to any port 27017 # MongoDB

# Allow SSH from anywhere (optional: restrict this too)
sudo ufw allow ssh

# Block all other
sudo ufw default deny incoming

Conclusion

UFW is the easiest way to configure a firewall on Ubuntu. With application profiles and an intuitive syntax, UFW bridges the gap between security and usability.

UFW Security Checklist:

  • Always allow SSH before enabling UFW
  • Use rate limiting for public-facing SSH
  • Restrict database ports to the internal network
  • Regularly review and audit rules
  • Back up the configuration before major changes
  • Test rules in a staging environment
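
The database-port and rule-review items in the checklist can be checked mechanically. The script below is an added example, not part of the original article: it reads 'ufw status' output and flags the database ports used in this tutorial (3306, 5432, 27017, 6379) when they are allowed from any source. The status output is a constructed sample and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original article): flag database ports that
# 'ufw status' shows as allowed from any source. Names are hypothetical.

# Constructed sample of 'sudo ufw status' output.
sample_ufw_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
80/tcp                     ALLOW       Anywhere
3306                       ALLOW       192.168.1.0/24
6379/tcp                   ALLOW       Anywhere
5432/tcp                   DENY        Anywhere
27017/tcp (v6)             ALLOW       Anywhere (v6)
EOF
}

# Read 'ufw status' (plain or verbose) on stdin and print "<rule> <v4|v6>"
# for each database port from this article that is open to Anywhere.
# Only single-port rules are checked; ranges and app profiles are skipped.
ufw_exposed_db_ports() {
    awk -v ports="3306 5432 27017 6379" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) db[p[i]] = 1 }
        {
            a = 0
            for (i = 2; i <= NF; i++) if ($i == "ALLOW") { a = i; break }
            if (!a) next                      # header, DENY, LIMIT, ...
            s = a + 1
            if ($s == "OUT") next             # outgoing rule, not an exposure
            if ($s == "IN") s++               # verbose output prints "ALLOW IN"
            port = $1; sub(/\/.*/, "", port)  # 6379/tcp -> 6379
            if ((port in db) && $s == "Anywhere") {
                print $1, ($2 == "(v6)" ? "v6" : "v4")
            }
        }
    '
}

sample_ufw_status | ufw_exposed_db_ports
```

On a live host: sudo ufw status | ufw_exposed_db_ports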

Best Practices:

  1. Default deny all incoming
  2. Whitelist before blacklist
  3. Use application profiles
  4. Monitor logs regularly
  5. Document every unusual rule

Troubleshooting:

  • If locked out: boot into rescue mode or use the provider's console access
  • Check logs: sudo tail /var/log/ufw.log
  • Verify rules: sudo ufw status verbose
  • Disable in an emergency: sudo ufw disable

Post link: https://www.tirinfo.com/cara-setup-firewall-ufw-ubuntu-keamanan-optimal/

Hendra WIjaya
Tirinfo
5 minutes.
3 February 2026