This wikiHow teaches you how to open ports on three popular firewalls. If you use a product such as ConfigServer Firewall (CSF) or Advanced Policy Firewall (ADP), you can control which ports are open in the main wall configuration file. If you use Uncomplicated Firewall (UFW), Ubuntu's main firewall option, you can add rules on the command line, without editing complicated files.
Step
Method 1 of 3: Using Uncomplicated Firewall for Ubuntu
Step 1. Log in to the server
If you are using Ubuntu on a desktop computer, press Ctrl+Alt+T to open a Terminal window.
Step 2. Type in sudo ufw status verbose and press Enter
If UFW is already running, you'll see a status message, as well as a list of firewall rules (including open ports) that already exist.
If you see the message “Status: inactive”, type sudo ufw enable in the command window and press Enter to launch the firewall
Step 3. Use sudo ufw allow [port number] to open the port
For example, if you want to open an SSH port (22), type kbd and press Enter. You don't need to re-run the firewall because the changes will take effect immediately.
- If the port you want to open is the port for the service shown in the /etc/services list, just type the name of the service instead of the port number. For example: sudo ufw allow ssh.
- To open a port within a specific range, use the syntax sudo ufw allow 6000:6007/tcp and replace 6000:6007 with the desired range. If the range is UDP port range, replace tcp with udp.
- To specify an IP address that can access a port, use the following syntax: sudo ufw allow from 10.0.0.1 to any port 22. Replace 10.0.0.1 with the IP address, and 22 with the port you want to open for that address.
Step 4. Remove the firewall rules that you don't need
Ports that are not specifically opened will be blocked automatically. If you open a port that you want to close, follow these steps:
- Type in sudo ufw status numbered and press Enter. A list of all firewall rules is displayed and each entry begins with a number that represents it on the list.
- Identify the number at the beginning of the rule you want to delete. For example, you want to delete a rule that opens port 22, and that rule is mentioned in number 2.
- Type sudo ufw delete 2 and press Enter to delete the rule on the second line (or number 2).
Method 2 of 3: Using ConfigServer Firewall
Step 1. Log in to the server
If you are not logged in as the root user, you can use the su command to access root and adjust the configuration.
Step 2. Open the directory that created the CSF configuration file
This file is named csf.conf and is saved to the /etc/csf/csf.conf directory by default. To open the directory, type cd /etc/csf and press Enter.
Step 3. Open csf.conf in a text editing program
You can use any text editing program you want, such as vim or nano.
To open csf.conf in vim, type vim csf.config and press Enter
Step 4. Add the input port to the TCP_IN list
These ports are TCP ports. After opening the file, you can see the TCP_IN and TCP_OUT segments. The TCP_IN segment displays the open TCP input TCP ports separated by commas. The ports are displayed numerically for your convenience, but when entering ports, you don't have to follow the existing order. You can add ports at the end of the sequence, and simply separate the added ports with a comma.
- For example, you want to open port 999 and the already open ports are 20, 21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995.
- After adding port 999 to the list, the port set will look like this: 20, 21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 999.
- To access input/typing mode in vim, press the i key on the keyboard.
Step 5. Allow TCP output ports in the TCP_OUT list
As you did with the input ports, add the output TCP ports you want to open to the TCP_OUT list.
Step 6. Save changes and close the file
Follow these steps to save and close the file:
- Press the Esc key.
- Type:wq!.
- Press Enter.
Step 7. Type in service csf restart and press Enter
The firewall will restart and new ports will be opened.
To block or close a port, reopen the file, delete the port, save the file, and restart the firewall
Method 3 of 3: Using Advanced Policy Firewall
Step 1. Log in to the server
If you are not logged in as the root user, you can use the su command to access root and adjust the configuration.
Step 2. Open the directory that contains the APF configuration files
The file you need to find is called conf.apf and is located in the /etc/apf directory by default. Type cd /etc/apf to access that directory.
Step 3. Open conf.apf in a text editing program
You can use any program you want, like vim or nano.
To open conf.apf in vim, type vim conf.apf and press Enter
Step 4. Add the input port to the IG_TCP_CPORTS list
Once the file is opened, you can see the IG_TCP_CPORTS and EG_TCP_CPORTS segments. The IG_TCP_CPORTS segment displays the open input ports separated by commas. The ports are listed numerically for your convenience, but you don't have to follow the order. You can add ports to the end of the string and separate them with a comma.
- For example, you want to open port 999 and the currently open ports are 20, 21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995.
- After adding port 999 to the IG_TCP_CPORTS list, the order of the ports will look like this: 20, 21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 999.
- To access input/typing mode in vim, press the i key on the keyboard.
Step 5. Add the output port to the EG_TCP_CPORTS list
As with input ports, add the output TCP ports you want to open to the EG_TCP_CPORTS list.
Step 6. Save changes and close the file
Follow these steps to save and close the file:
- Press the Esc key.
- Type:wq!.
- Press Enter.
Step 7. Type in service apf -r and press Enter
The APF firewall will restart and new ports will be opened.
To block or close a port, reopen the file, delete the port, save the file, and restart the firewall
Tips
- If you see a port that is not needed or used by a running service, close the port. Don't leave the door open to intruders!
- If you start adding randomly (and completely haphazardly) open ports, YOU WILL BE HACKED! Therefore, make sure you don't give way to hackers. Only open the ports you really need.
