Getting Started with UFW (Uncomplicated Firewall) on Linux
UFW (Uncomplicated Firewall) is a front end to the Linux kernel's netfilter packet filter (driven through iptables) that simplifies managing firewall rules. It is the default firewall configuration utility on Ubuntu and uses a command syntax that is easy to read and remember. UFW handles both IPv4 and IPv6: most rules you add are installed twice, once per protocol family, which is why the command output below usually shows a second "(v6)" line.
This guide will help you install, configure, and use UFW on your Linux server, covering the most common commands and scenarios.
Installing UFW
On most Ubuntu-based systems UFW is installed by default. Check whether it is present with:
which ufw
If the command prints the path to ufw (typically /usr/sbin/ufw), it is already installed. If it prints nothing, install it with:
sudo apt-get install ufw
Enabling UFW
To enable UFW, run the command:
sudo ufw enable
Result:
Command may disrupt existing SSH connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
This activates UFW with its default policy (deny incoming, allow outgoing, routed disabled) and registers it to start at boot. The prompt is not decorative: once the deny-incoming policy is in place, new connections to any port without an allow rule are dropped. If you administer the machine over SSH, add a rule for SSH (see "Allowing Connections" below) before you run this command, or you risk locking yourself out.
Checking the Status of UFW
Verify that UFW is active with:
sudo ufw status verbose
Result:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
Disabling UFW
To turn off UFW temporarily:
sudo ufw disable
Result:
Firewall stopped and disabled on system startup
Allowing and Denying Connections
After enabling UFW, all incoming connections are blocked by default (outgoing traffic is still allowed, and replies to connections the host itself initiated get through). You must explicitly allow each service you want reachable.
Allowing Connections
- Allow SSH Access
sudo ufw allow 22
This opens the default SSH port (22) for both TCP and UDP, because no protocol was given; sudo ufw allow 22/tcp is the tighter form, since SSH only uses TCP.
Result:
Rules updated
Rules updated (v6)
The wording Rules updated appears when the rule is added while UFW is not yet active, which is the order this guide recommends (allow SSH first, then enable). On a running firewall the same command reports Rule added.
- Allowing Specific Services
If a service is listed in /etc/services, you can allow it by name instead of by port number; UFW resolves the name to the port and protocol recorded there (http becomes 80/tcp). Application profiles shipped by packages (listed by sudo ufw app list) can be allowed the same way. For example, to allow HTTP traffic:
sudo ufw allow http
Or for HTTPS:
sudo ufw allow https
- Allowing a Specific Port Range
Some services use a contiguous range of ports. The protocol is mandatory for a range (UFW refuses a range that has no /tcp or /udp suffix). For example, to allow ports 6660-6670 for IRC:
sudo ufw allow 6660:6670/tcp
- Allowing Traffic from a Specific IP
To let a single host reach every port on the server (no port or protocol restriction):
sudo ufw allow from 192.168.1.106
- Allowing Traffic to a Specific Port from a Single IP
To allow a port only from one source address, which is the usual way to expose SSH on a server:
sudo ufw allow from 192.168.1.106 to any port 22 proto tcp
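The steps above (set the default policy, allow SSH before anything else, open the web ports, then enable) put together as one script. This is an added example, not code from the original guide or from the UFW project. It assumes SSH on 22/tcp, a web server on 80/tcp and 443/tcp, and an administrative network of 203.0.113.0/24 (the RFC 5737 documentation range, chosen for illustration) supplied in ADMIN_NET; when ADMIN_NET is empty it falls back to ufw limit, which keeps SSH open but blocks a source that makes 6 or more connection attempts in 30 seconds. The comment keyword requires ufw 0.35 or newer. Setting UFW=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the original guide: bring UFW up on a remote
# server without locking yourself out. Assumptions (not from the guide):
# SSH on 22/tcp, a web server on 80/tcp and 443/tcp, and the admin network
# 203.0.113.0/24 (RFC 5737 documentation range) passed in ADMIN_NET.
# Set UFW=echo to print the ufw commands instead of executing them.
set -eu

run() { ${UFW:-ufw} "$@"; }

# SSH rule: restrict to ADMIN_NET when it is set; otherwise fall back to
# `ufw limit`, which still allows SSH but blocks a source that opens 6 or
# more connections in 30 seconds (UFW's built-in rate limit).
ssh_rule() {
    if [ -n "${ADMIN_NET:-}" ]; then
        echo "allow from $ADMIN_NET to any port 22 proto tcp comment admin-ssh"
    else
        echo "limit 22/tcp comment ssh-ratelimit"
    fi
}

# The ordered plan. Order matters: the SSH rule must exist before `enable`.
plan_baseline() {
    echo "default deny incoming"
    echo "default allow outgoing"
    ssh_rule
    echo "allow 80/tcp comment http"
    echo "allow 443/tcp comment https"
}

# Apply the plan, then enable non-interactively and show the result.
# --force only skips the "may disrupt existing SSH connections" prompt;
# the SSH allow rule added above is what actually keeps the session alive.
apply_baseline() {
    plan_baseline | while read -r line; do
        # deliberate word splitting: one ufw argument per word
        run $line
    done
    run --force enable
    run status verbose
}

# Usage (hypothetical filename):
#   sh ufw-baseline.sh plan        # print the commands, touch nothing
#   sudo sh ufw-baseline.sh apply  # apply them and enable the firewall
case "${1:-}" in
    plan)  (UFW=echo; apply_baseline) ;;
    apply) apply_baseline ;;
esac
```

The plan is emitted by a function rather than typed inline so it can be reviewed with UFW=echo before anything is applied; on a remote host that dry run is the place to confirm the SSH rule really precedes the enable step.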
Denying Connections
The deny command works like allow but blocks the specified service or port:
- Deny HTTP Traffic
sudo ufw deny http
Result:
Rule added
Rule added (v6)
- Denying a Specific Port
sudo ufw deny 80
This blocks port 80 (HTTP) for both TCP and UDP. UFW evaluates rules in the order listed by ufw status and stops at the first match, so a deny added after an existing allow for the same port has no effect until that allow rule is removed.
Deleting UFW Rules
To remove a rule, use the delete command followed by the rule spelled exactly as it was added. A rule created with allow 22 (TCP and UDP) is not matched by delete allow ssh, which looks for 22/tcp; UFW then reports that the rule does not exist.
- Delete an Allow Rule by Service Name
sudo ufw delete allow ssh
Result:
Rule deleted
Rule deleted (v6)
- Delete a Deny Rule by Port Number
sudo ufw delete deny 80
This will delete the rule blocking HTTP traffic on port 80.
- Delete Rules by Rule Number
You can view the rule numbers with:
sudo ufw status numbered
Result:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
To delete a rule, use its number:
sudo ufw delete 2
This deletes the second rule (SSH over IPv6) after a confirmation prompt. Rule numbers are reassigned after every deletion, so re-run sudo ufw status numbered before deleting another rule, or delete from the highest number downwards.
Advanced UFW Commands
- Allowing a Port Range
A contiguous range is written start:end and must name the protocol; this is the same syntax as the IRC example earlier:
sudo ufw allow 6660:6670/tcp
- Allowing a Subnet
Allow every address in a subnet instead of a single IP:
sudo ufw allow from 192.168.1.0/24
This allows all hosts in 192.168.1.0/24 to reach every port on the server; combine it with to any port ... proto ... as shown earlier to limit it to one service.
Resetting UFW
- Reset UFW
If you want to delete all rules and restore UFW to its installed defaults:
sudo ufw reset
Result:
Resetting all rules to installed defaults. This may disrupt existing SSH connections. Proceed with operation (y|n)? y
Reset also disables the firewall and backs up the current rule files in /etc/ufw with a timestamp suffix, so they can be recovered. Afterwards UFW is inactive: re-add the rules you need (SSH first on a remote host) and run sudo ufw enable again.
Example UFW Status Table
Below is an example of the rules shown by sudo ufw status numbered, with their numbers:

| No | To | Action | From |
|---|---|---|---|
| 1 | 22/tcp | ALLOW IN | Anywhere |
| 2 | 80/tcp | ALLOW IN | Anywhere |
| 3 | 443/tcp | ALLOW IN | Anywhere |
| 4 | 22/tcp (v6) | ALLOW IN | Anywhere (v6) |
| 5 | 80/tcp (v6) | ALLOW IN | Anywhere (v6) |
| 6 | 443/tcp (v6) | ALLOW IN | Anywhere (v6) |
To delete any of these rules, reference its number:
sudo ufw delete 1
This removes the rule allowing SSH over IPv4 (port 22); rule 4, its IPv6 counterpart, stays in place until it is deleted too. After this deletion the remaining rules are renumbered 1-5, so numbers copied from an older listing are stale.
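A common clean-up after following this guide is to replace the "22/tcp ALLOW IN Anywhere" rules (IPv4 and IPv6) with a rule that only admits an admin network, which means deleting by number and getting the order right. The script below is an added example, not code from the original guide or the UFW project: it parses sudo ufw status numbered output, appends the restricted rule first so SSH from the admin network is never blocked, then deletes the broad rules highest-number-first so the numbers captured from the listing stay valid (appending does not renumber existing rules; ufw insert would). It assumes the admin network 203.0.113.0/24 (RFC 5737 documentation range) and embeds a constructed status listing that mirrors the table above; UFW=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the original guide: find the overly broad SSH
# rules in `ufw status numbered` output, add a replacement rule restricted
# to an admin network, then delete the broad rules highest-number-first.
# Assumption (not from the guide): the admin network is 203.0.113.0/24.
# Set UFW=echo to print the ufw commands instead of executing them.
set -eu

run() { ${UFW:-ufw} "$@"; }

# Constructed sample of `ufw status numbered` output, mirroring the table
# in the guide; it was not captured from a real host.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# Turn "[ 4] 22/tcp (v6)   ALLOW IN   Anywhere (v6)" lines on stdin into
# "4 22/tcp (v6)   ALLOW IN   Anywhere (v6)"; header and blank lines drop out.
parse_numbered() {
    sed -n 's/^\[ *\([0-9][0-9]*\)\][[:space:]]*\(.*\)$/\1 \2/p'
}

# Print, in ascending order, the numbers of rules whose text matches the
# extended regular expression in $1.
rule_numbers_matching() {
    parse_numbered | awk -v pat="$1" '$0 ~ pat { print $1 }'
}

# Delete the rules whose numbers arrive on stdin, highest first: UFW
# renumbers after every deletion, so deleting 1 before 4 would remove the
# wrong rule. --force skips the per-rule confirmation prompt.
delete_rules_desc() {
    sort -rn | while read -r n; do
        run --force delete "$n"
    done
}

# Replace "22/tcp ALLOW IN Anywhere" (v4 and v6) with an allow from $1 only.
# The restricted rule is appended before the broad ones are removed, so SSH
# from the admin network is never blocked, and appending leaves the numbers
# of the existing rules unchanged (ufw insert would shift them).
restrict_ssh_to() {
    status=$(cat)                      # `ufw status numbered` output on stdin
    run allow from "$1" to any port 22 proto tcp comment admin-ssh
    printf '%s\n' "$status" \
        | rule_numbers_matching '22/tcp.*ALLOW IN.*Anywhere' \
        | delete_rules_desc
}

# Usage (hypothetical filename restrict-ssh.sh):
#   sudo ufw status numbered | sudo sh restrict-ssh.sh 203.0.113.0/24
#   UFW=echo sh restrict-ssh.sh 203.0.113.0/24 --sample   # dry run on the sample
if [ "${2:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_STATUS" | restrict_ssh_to "$1"
elif [ -n "${1:-}" ]; then
    restrict_ssh_to "$1"
fi
```

Against the sample listing the dry run prints the allow for 203.0.113.0/24, then --force delete 4, then --force delete 1: rule 4 goes first precisely so that rule 1 is still rule 1 when its turn comes.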
Further Notes
- UFW is a great tool for quickly setting up a firewall on Ubuntu or other Debian-based distributions.
- Use sudo ufw status to view the current state and rules of your firewall.
- Always allow SSH access before enabling UFW if you are working on a remote server.
This guide provides a starting point for using UFW on Linux. For more advanced configurations, consult the UFW man page (man ufw) or the Ubuntu Wiki.