Security using Uncomplicated Firewall (UFW)

We are going to set up some firewall rules to illustrate how we can lock up our machines, but yet allow access for access for certain protocols.

Installing UFW

We should really update our machines before we do this, but we did that at the end of last lab. We will update before we leave again today.

Test to see if UFW is installed

To see if UFW is installed or not, try:

sudo ufw status

Install UFW

sudo apt install ufw

Setup some firewall rules

CAREFUL – we do not want to lock ourselves out of our own machines. We are wanting to set up some rules, but we do not want to apply them until we can make sure we are not locked out.

Lock down everything but keep ssh open

There are plenty of web pages to check out to help, but Scott and Matt really like Digital Ocean and Stackexchange – here is a Digital Ocean link:

Helpful link

sudo ufw default deny incoming

Allow everything out from our servers

sudo ufw default allow outgoing

Make sure we can get back into our machines

sudo ufw allow ssh

Turn on the firewall

sudo ufw enable

Check to see where we are at for ports open

sudo ufw status

We should see that port 22 is open for ssh.

We can do more – but we will leave it for today

If we were really wanting to lock down ssh further, we could edit ssh to use a different port and change the firewall to open that port. The trick is to set the port to be open with UFW first –> reload UFW rules, then edit: /etc/ssh/sshd_config to change the default ssh port. You also need to do this through a ssh connection (not x2go) software such as Putty

Setting up to access PostGIS from osmotar

We need to add one more rule to access postgis through the firewall as well as configure postgres to allow access to your database from osmotar.

Get remote machine information

Login to osmotar and get the address of the server you are working from on the osmotar cluster by:

  • Open the command prompt (type cmd at the start menu on osmotar)
  • Type ipconfig in the command window
  • Jot down the address

Set a rule for UFW

Back on your VM add a rule for accessing PostGIS from the server:

sudo ufw allow from to any port 5432

The xxx set represents the address of the osmotar cluster server IP. Restart UFW by issuing the command:

sudo ufw reload
sudo ufw status

Set a rule for allowing access to Postgres

  • Use sudo to edit /etc/postgresql/12/main/pg_hba.conf
  • Add a line at the end of the IPv4 to allow connections from the same machine
  • host all all md5
  • Save the file and restart postgres with the following command:
sudo service postgresql restart

Other security considerations

We should be very careful to close off the connection after we have completed our work. There are number of steps we can also take to better protect our data.

  • Always use a strong password
  • Setup a new user(s) for postgres for specific actions (i.e. read only users)
  • Setup a copied database or schema that can be exposed to the outside
  • Use different ports or tunnels instead of default ports

Testing with QGIS and FME

We should now be able to access our server through QGIS and FME.


  • Open QGIS
  • Setup a new connection to PostGIS using the address of your VM


  • Open FME Data Inspector and setup a connection
  • Open dataset
  • Choose PostGIS
  • Setup the connection by adding a new connection

You should be asked what tables to add when you connect – test with one of your layers

FME workbench and PostGIS

You should be able to test accessing your PostGIS database by generating a new workspace.

  • Use: L:\GEOG413\fme_postgis_tutorial\pg_city_index.sqlite as input
  • Use your connection to your VM’s postgis database
  • Name your output table properly
  • Include the LabelPointReplacer as a transformer
    – Use the fid as the label value
    – Use 5 as the label height
  • Run your translation

Open the results in QGIS on your VM