Charles Varvayanis
Computer and Communication Systems
Since 1990
(209) 586-3782
charles@varvayanis.com

Raspberry Pi Firewall Setup

Step-by-step instructions for setting up a Firewall using iptables with UFW (Uncomplicated FireWall).

These procedures apply to Raspberry Pi 5, 4 or 3 with Raspberry Pi OS (64-Bit), (32-Bit) or (Legacy, 32-Bit).


General Notes


1. General:  The procedures below are optimized for setting up a firewall on a Raspberry Pi 5, 4 or 3 with Raspberry Pi OS (64-Bit), (32-Bit) or (Legacy, 32-Bit) connected via Ethernet.  Raspberry Pi OS includes iptables, an IP packet filter; however, it is disabled by default.  UFW (Uncomplicated FireWall) is a firewall user interface for iptables.  UFW together with iptables provides basic firewall features, but lacks more sophisticated firewall features and protections.

2. Internet access during setup:  Many of the steps below assume and require the target Raspberry Pi is connected to a network with access to the Internet and a DHCP server is on the network configured for DHCP clients to access the Internet.  This is the standard and/or default configuration for most networks, so in most cases nothing additional will need to be done.

3. Firewall:  A good quality firewall ahead of the Raspberry Pi is good practice.  In cases where the Raspberry Pi is connected directly to the Internet or a public network without a firewall ahead of it, running a firewall on the Raspberry Pi is advisable.  Raspberry Pi OS includes iptables, an IP packet filter; however, it is disabled by default.  UFW (Uncomplicated FireWall) is a firewall user interface for iptables.  UFW together with iptables provides basic firewall features, but lacks more sophisticated firewall features and protections.  A good quality firewall ahead of the Raspberry Pi would likely detect and block more sophisticated attacks than UFW together with iptables can.  In addition, running a firewall ahead of the Raspberry Pi and not running a firewall on the Raspberry Pi reduces resource consumption on the Raspberry Pi.


Notice about updates, upgrades and installations failing due to repository or network congestion or outages


Occasionally updates, upgrades and installations fail due to repository or network congestion or outages.  Sometimes there is an appropriate message saying so, sometimes a missing file is reported, and sometimes there is just a failure message without an explanation.  When this occurs, simply run the command again.  If that does not solve the issue immediately, try again later.



Install and configure a firewall - UFW

See General Note 3 near the top of this document.


Install UFW


Download latest package lists

sudo apt-get update -y

Download and install updated versions of the listed packages

sudo apt-get upgrade -y

Download and install UFW

sudo apt install ufw

Once installed, UFW is disabled by default.  Its default policy denies all incoming traffic and allows all outgoing traffic.  Once enabled, all incoming traffic would therefore be denied; Raspberry Pi Connect and TeamViewer would continue to function because they establish outbound connections.  It is important to allow necessary management traffic such as SSH and/or VNC before enabling the firewall.  Not doing so will require management via Raspberry Pi Connect, TeamViewer or a directly attached Display, Keyboard and Mouse.


Note:  In certain areas of the next sections the Subnetwork Mask is expressed in slash notation appended to an IP Address (for example 50.209.187.25/29).  The table below relates the two forms.


Network Subnetwork Mask and Slash Notation Relationships


Class  Mask             Slash  Addresses  Nodes     Usable Addresses
A      255.000.000.000  /8     16777216   16777214  16777213
B      255.255.000.000  /16    65536      65534     65533
B      255.255.128.000  /17    32768      32766     32765
B      255.255.192.000  /18    16384      16382     16381
B      255.255.224.000  /19    8192       8190      8189
B      255.255.240.000  /20    4096       4094      4093
B      255.255.248.000  /21    2048       2046      2045
B      255.255.252.000  /22    1024       1022      1021
B      255.255.254.000  /23    512        510       509
C      255.255.255.000  /24    256        254       253
C      255.255.255.128  /25    128        126       125
C      255.255.255.192  /26    64         62        61
C      255.255.255.224  /27    32         30        29
C      255.255.255.240  /28    16         14        13
C      255.255.255.248  /29    8          6         5
C      255.255.255.252  /30    4          2         1
C      255.255.255.254  /31    2          0         0
C      255.255.255.255  /32    1          0         0


Configure UFW

Set the firewall rules as appropriate for the installation.  Multiple rules can be applied to each service type.  Source Addresses and Source Subnets can be either inside or outside the network the Raspberry Pi is connected to.  If any of the services below have not been installed, do not set a rule for that service.

FTP


Allow from anywhere:
sudo ufw allow 21/tcp
Example:
sudo ufw allow 21/tcp

Allow from a specific Subnet:
sudo ufw allow from <SourceSubnetAddress>/<SourceSubnetMask> proto tcp to <YourRaspberryPiIPAddress> port 21
Example:
sudo ufw allow from 50.209.187.25/29 proto tcp to 192.168.0.25 port 21

Allow from a specific IP Address:
sudo ufw allow from <SourceIPAddress> proto tcp to <YourRaspberryPiIPAddress> port 21
Example:
sudo ufw allow from 50.209.187.26 proto tcp to 192.168.0.25 port 21


SSH


Allow from anywhere:
sudo ufw allow 22/tcp
Example:
sudo ufw allow 22/tcp

Allow from a specific Subnet:
sudo ufw allow from <SourceSubnetAddress>/<SourceSubnetMask> proto tcp to <YourRaspberryPiIPAddress> port 22
Example:
sudo ufw allow from 50.209.187.25/29 proto tcp to 192.168.0.25 port 22

Allow from a specific IP Address:
sudo ufw allow from <SourceIPAddress> proto tcp to <YourRaspberryPiIPAddress> port 22
Example:
sudo ufw allow from 50.209.187.26 proto tcp to 192.168.0.25 port 22


HTTP


Allow from anywhere:
sudo ufw allow 80/tcp
Example:
sudo ufw allow 80/tcp

Allow from a specific Subnet:
sudo ufw allow from <SourceSubnetAddress>/<SourceSubnetMask> proto tcp to <YourRaspberryPiIPAddress> port 80
Example:
sudo ufw allow from 50.209.187.25/29 proto tcp to 192.168.0.25 port 80

Allow from a specific IP Address:
sudo ufw allow from <SourceIPAddress> proto tcp to <YourRaspberryPiIPAddress> port 80
Example:
sudo ufw allow from 50.209.187.26 proto tcp to 192.168.0.25 port 80


HTTPS


Allow from anywhere:
sudo ufw allow 443/tcp
Example:
sudo ufw allow 443/tcp

Allow from a specific Subnet:
sudo ufw allow from <SourceSubnetAddress>/<SourceSubnetMask> proto tcp to <YourRaspberryPiIPAddress> port 443
Example:
sudo ufw allow from 50.209.187.25/29 proto tcp to 192.168.0.25 port 443

Allow from a specific IP Address:
sudo ufw allow from <SourceIPAddress> proto tcp to <YourRaspberryPiIPAddress> port 443
Example:
sudo ufw allow from 50.209.187.26 proto tcp to 192.168.0.25 port 443


VNC Server


Allow from anywhere:
sudo ufw allow 5900/tcp
Example:
sudo ufw allow 5900/tcp

Allow from a specific Subnet:
sudo ufw allow from <SourceSubnetAddress>/<SourceSubnetMask> proto tcp to <YourRaspberryPiIPAddress> port 5900
Example:
sudo ufw allow from 50.209.187.25/29 proto tcp to 192.168.0.25 port 5900

Allow from a specific IP Address:
sudo ufw allow from <SourceIPAddress> proto tcp to <YourRaspberryPiIPAddress> port 5900
Example:
sudo ufw allow from 50.209.187.26 proto tcp to 192.168.0.25 port 5900
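As an added example (not part of the original page), the Python script below reproduces the Subnetwork Mask table above for any prefix length and builds the "allow from a specific Subnet / IP Address" rules used in each service section, first checking whether a source such as 50.209.187.25/29 has host bits set and normalizing it to its network address (50.209.187.24/29) so the rule you read back matches what the packet filter actually compares against.  It uses only the standard library ipaddress module; the function names are my own.

```python
import ipaddress


def subnet_row(prefix: int) -> dict:
    """One row of the Mask / Slash table, using the page's column meanings:
    Addresses = block size, Nodes = Addresses minus network and broadcast,
    Usable = Nodes minus one (the page reserves one further address)."""
    net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
    addresses = net.num_addresses
    nodes = max(addresses - 2, 0)          # /31 and /32 have no node addresses
    return {"mask": str(net.netmask), "slash": f"/{prefix}",
            "addresses": addresses, "nodes": nodes, "usable": max(nodes - 1, 0)}


def host_bits_set(source: str) -> bool:
    """True if a CIDR such as 50.209.187.25/29 has bits set beyond its mask.
    A bare address is treated as a /32 and therefore never has host bits."""
    net = ipaddress.ip_network(source, strict=False)   # raises on malformed input
    return ipaddress.ip_interface(source).ip != net.network_address


def ufw_allow_from(source: str, pi_ip: str, port: int, proto: str = "tcp") -> str:
    """Build the 'allow from a specific Subnet / IP Address' rule shown above.
    Host bits in a CIDR source are cleared so the rule text names the network
    that will actually be matched; a bare address is emitted as-is."""
    net = ipaddress.ip_network(source, strict=False)
    src = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
    ipaddress.ip_address(pi_ip)            # raises ValueError on a malformed Pi address
    return f"sudo ufw allow from {src} proto {proto} to {pi_ip} port {port}"


if __name__ == "__main__":
    for p in (8, 16, 24, 29, 30, 31, 32):
        print(subnet_row(p))
    # The page's own sample values: the /29 source is not a network address.
    for src in ("50.209.187.25/29", "50.209.187.26"):
        if host_bits_set(src):
            print(f"note: {src} has host bits set; it will be matched as "
                  f"{ipaddress.ip_network(src, strict=False)}")
        print(ufw_allow_from(src, "192.168.0.25", 22))
```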



Enable the firewall

sudo ufw enable

Note:  This also enables iptables


If it is ever desirable to disable the firewall for testing or other reasons (Optional)

sudo ufw disable

Note:  This also disables iptables


Check UFW status to see if it's active (Optional)

sudo ufw status


To list current rules (Optional)

sudo ufw status
  - or -
sudo ufw status verbose


To remove a rule (Optional)


Identify the rule ID number to be removed

sudo ufw status numbered

Remove the rule by ID number

sudo ufw delete <ID>
Example:
sudo ufw delete 2



Remove packages that were automatically installed and are no longer required

Packages that were pulled in automatically during updates, upgrades and installations are sometimes no longer required.  These can be removed automatically.

Automatically detect and remove packages no longer required

sudo apt autoremove -y



Charles Varvayanis
Sonora, CA  95370
e-mail:  charles@varvayanis.com
Phone:  (209) 586-3782
Fax:  (209) 586-3761
Business Card (PDF 153 KB)
www.varvayanis.com

© 2025 Charles Varvayanis.  All rights reserved.