Russell Bateman June 2022
ufw can only be run with root access.
    # ufw status
    Status: active

    To                         Action      From
    --                         ------      ----
    Apache Full                ALLOW       Anywhere
    Apache Full (v6)           ALLOW       Anywhere (v6)

    # ufw app list
    Available applications:
      Apache
      Apache Full
      Apache Secure
      OpenSSH

    # ufw allow ssh
    Rule added
    Rule added (v6)
    # ufw status    # (see how allowing ssh affects status:)
    Status: active

    To                         Action      From
    --                         ------      ----
    Apache Full                ALLOW       Anywhere
    22/tcp                     ALLOW       Anywhere
    Apache Full (v6)           ALLOW       Anywhere (v6)
    22/tcp (v6)                ALLOW       Anywhere (v6)
* Incidentally, this solved not being able to connect via ssh:
    russ@tirion ~ $ ssh russ-microservices ssh russ-microservices
    ssh: connect to host russ-microservices port 22: Connection timed out
    russ@tirion ~ $ ping russ-microservices    # (and yet, I could ping it:)
    PING russ-microservices (192.168.0.108) 56(84) bytes of data.
    64 bytes from russ-microservices (192.168.0.108): icmp_seq=1 ttl=64 time=0.236 ms
    64 bytes from russ-microservices (192.168.0.108): icmp_seq=2 ttl=64 time=0.217 ms
    64 bytes from russ-microservices (192.168.0.108): icmp_seq=3 ttl=64 time=0.215 ms
    64 bytes from russ-microservices (192.168.0.108): icmp_seq=4 ttl=64 time=0.202 ms
    ^C
    --- russ-microservices ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3055ms
    rtt min/avg/max/mdev = 0.202/0.217/0.236/0.012 ms
After allowing ssh, this began working:
    russ@tirion ~ $ ssh russ-microservices
    Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.15.0-40-generic x86_64)
    (etc.)
Opening up port 8080, Tomcat's default port (or any other port you've configured Tomcat to listen on), is sadly less well supported and correspondingly more complicated. It amounts to forcing ufw to allow any TCP traffic through on port 8080, from any source, and letting whichever application is listening there (Tomcat, it's hoped) deal with it.
    # ufw allow from any to any port 8080 proto tcp
    Rule added
    Rule added (v6)
    # ufw status    # (see how this affects status:)
    Status: active

    To                         Action      From
    --                         ------      ----
    Apache Full                ALLOW       Anywhere
    22/tcp                     ALLOW       Anywhere
    8080/tcp                   ALLOW       Anywhere
    Apache Full (v6)           ALLOW       Anywhere (v6)
    22/tcp (v6)                ALLOW       Anywhere (v6)
    8080/tcp (v6)              ALLOW       Anywhere (v6)
Instantly, remote clients (including browsers) are able to reach Tomcat web applications on this server.
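Because the 8080 rule above accepts connections from any source, it is worth checking after each change which rules are open to every host. The script below is an added example, not part of the original notes: it parses `ufw status` output and lists the world-open ALLOW rules. The function names and the 192.168.0.0/24 LAN range are assumptions.

```shell
# Added example (not from the original page): report which ALLOW rules in
# `ufw status` output accept traffic from any source address.

# Reads status text on stdin; prints the "To" column of each world-open rule.
ufw_world_open() {
    awk '
        # Rule lines carry an action keyword, optionally followed by a direction.
        match($0, / +(ALLOW|DENY|REJECT|LIMIT)( (IN|OUT|FWD))? +/) {
            to     = substr($0, 1, RSTART - 1)
            action = substr($0, RSTART, RLENGTH)
            from   = substr($0, RSTART + RLENGTH)
            gsub(/^ +| +$/, "", action)
            # Inbound ALLOW from "Anywhere" or "Anywhere (v6)": any host may connect.
            if ((action == "ALLOW" || action == "ALLOW IN") && from ~ /^Anywhere/)
                print to
        }
    '
}

# Status text as shown on this page after the 8080 rule was added.
status_open() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
Apache Full                ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
Apache Full (v6)           ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
8080/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}

# Constructed variant: 8080 limited to an assumed LAN range, as it would look after
#   ufw allow from 192.168.0.0/24 to any port 8080 proto tcp
status_scoped() {
    status_open | grep -v '^8080/tcp'
    printf '%-26s %-12s%s\n' '8080/tcp' 'ALLOW' '192.168.0.0/24'
}

# On a live host, run as root:  ufw status | ufw_world_open
status_open | ufw_world_open
```

With the scoped variant, 8080/tcp no longer appears in the list, while Apache Full and 22/tcp remain open to every source.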