UFW, or the Uncomplicated Firewall, is a commonly used firewall in Debian and Ubuntu. UFW is a management layer/frontend for iptables which aims to simplify the management of your firewall. In this tutorial we explain the usage of UFW.
- UFW processes rules in the order they were entered. A later firewall rule may override an earlier firewall rule.
- UFW handles configuration changes in real-time.
- Use sudo or a root user when using the commands in this article.
Starting UFW
By default, an Ubuntu or Debian installation comes with UFW. You only need to enable UFW and its logging.
Step 1
UFW doesn’t have a default configuration. It is recommended to start by blocking all incoming traffic and allowing outgoing traffic before actually enabling UFW. You set these defaults with the following commands:
ufw default deny incoming
ufw default allow outgoing
Step 2
Next, enable UFW and start logging its actions.
ufw enable
ufw logging on
With logging on, UFW writes its actions to a log (/var/log/ufw.log), which is definitely recommended: it gives you more information to troubleshoot with if problems occur.
Optionally, adjust the verbosity level of the UFW logging (low, medium, high, full):
ufw logging medium
The status of UFW can be checked at any time with:
ufw status verbose
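An added example, not part of the original tutorial, of what the log from the previous step is good for: two small functions that summarise [UFW BLOCK] entries by source and destination port and flag sources above a threshold. The log lines are constructed to follow the kernel log format UFW writes; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of /var/log/ufw.log lines (not a real capture).
UFW_SAMPLE_LOG='Mar  3 10:01:02 web1 kernel: [1001.10] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TTL=54 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 SYN URGP=0
Mar  3 10:01:03 web1 kernel: [1002.20] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TTL=54 ID=0 DF PROTO=TCP SPT=51001 DPT=3389 WINDOW=1024 SYN URGP=0
Mar  3 10:01:04 web1 kernel: [1003.30] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.7 LEN=60 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Mar  3 10:01:05 web1 kernel: [1004.40] [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 LEN=40 TTL=60 ID=0 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=1024 SYN URGP=0
Mar  3 10:01:06 web1 kernel: [1005.50] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TTL=54 ID=0 DF PROTO=TCP SPT=51002 DPT=22 WINDOW=1024 SYN URGP=0'

# Count blocked packets per "source dport/proto" from log lines on stdin;
# prints "count src dport/proto", busiest first. ALLOW lines are ignored.
ufw_block_summary() {
  awk '
    /\[UFW BLOCK\]/ {
      src = ""; dpt = "?"; proto = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
      }
      if (src != "") hits[src " " dpt "/" proto]++
    }
    END { for (k in hits) print hits[k], k }
  ' | sort -rn
}

# Print sources with at least $1 blocked packets on any port, sorted; a
# starting point for an alert threshold or for deciding what to deny by IP.
ufw_noisy_sources() {
  awk -v min="$1" '
    /\[UFW BLOCK\]/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
    }
    END { for (s in n) if (n[s] >= min) print s }
  ' | sort
}

# Usage on the sample:   printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_block_summary
# Usage on the real log: ufw_noisy_sources 50 < /var/log/ufw.log
```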
Opening ports
There are three options for opening ports:
- Opening tcp and udp ports:
ufw allow 22
- Replace 22 with the desired port number. For a port range you use the syntax:
ufw allow 1234:2345
- Opening a tcp port:
ufw allow 22/tcp
- Replace 22 with the desired port number. For a port range you use the syntax:
ufw allow 1234:2345/tcp
- Opening a udp port:
ufw allow 22/udp
- Replace 22 with the desired port number. For a port range you use the syntax:
ufw allow 1234:2345/udp
Closing ports
There are also three options for closing ports:
- Closing tcp and udp ports:
ufw deny 22
- Replace 22 with the desired port number. For a port range you use the syntax:
ufw deny 1234:2345
- Closing a tcp port:
ufw deny 22/tcp
- Replace 22 with the desired port number. For a port range you use the syntax:
ufw deny 1234:2345/tcp
- Closing a udp port:
ufw deny 22/udp
- Replace 22 with the desired port number. For a port range you use the syntax:
ufw deny 1234:2345/udp
Allowing or denying IPs
It may be preferable to open or close ports for specific IP addresses. This is for example a useful method for allowing only yourself access to the SSH port.
Access per IP can be regulated based on IP addresses, subnets, a port and IP address, or a combination of IP address, port and protocol.
In the examples below, replace 123.123.123.123 with the actual IP address, 22 with the desired port and tcp with the desired protocol.
- Allowing / denying IP addresses
An IP address is given access with the syntax:
ufw allow from 123.123.123.123
- or denied access with:
ufw deny from 123.123.123.123
- Allowing or denying IP subnets
Subnets are allowed access using:
ufw allow from 123.123.123.0/24
- or denied access with:
ufw deny from 123.123.123.0/24
- Allowing / denying per port and IP
Tip: instead of a specific IP, you can also use an IP subnet.
Access to a specific port is given using:
ufw allow from 123.123.123.123 to any port 22
- An IP address is denied access to a specific port with:
ufw deny from 123.123.123.123 to any port 22
- Allowing / denying per IP, port and protocol
Tip: instead of a specific IP, you can also use an IP subnet.
Access to a specific port and protocol is given using:
ufw allow from 123.123.123.123 to any port 22 proto tcp
- An IP address is denied access to a specific port and protocol with:
ufw deny from 123.123.123.123 to any port 22 proto tcp
- Replace tcp with udp if you'd like to open/close a UDP port instead.
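The "allow only yourself access to SSH" case from this section as a small script (an added example, not from the original tutorial). It validates the address or subnet before touching any rule, removes the unscoped SSH rules so they cannot keep port 22 open for everyone, applies the default policy and scoped rule in the tutorial's order, and ends with status numbered. UFW_CMD is a convention of this script for dry-running with echo, not a ufw option.

```shell
#!/bin/sh
# Set UFW_CMD=echo to print the ufw commands instead of running them.
UFW_CMD="${UFW_CMD:-ufw}"

# True for a dotted-quad IPv4 address with an optional /0-32 prefix length.
is_ipv4_cidr() {
  addr="${1%/*}"; pfx="${1#*/}"
  [ "$pfx" = "$1" ] && pfx=32              # no slash: a single host
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Default policy first (as in Step 1), then swap the broad SSH rules for one
# scoped to $1, enable, and show the numbered rule list for verification.
restrict_ssh_to() {
  net="$1"
  is_ipv4_cidr "$net" || { echo "invalid IPv4 address or CIDR: $net" >&2; return 2; }
  $UFW_CMD default deny incoming || return 1
  $UFW_CMD default allow outgoing || return 1
  # The unscoped rules may not exist; a "non-existent rule" result is fine here.
  $UFW_CMD delete allow 22/tcp >/dev/null 2>&1 || true
  $UFW_CMD delete allow ssh   >/dev/null 2>&1 || true
  $UFW_CMD allow from "$net" to any port 22 proto tcp || return 1
  $UFW_CMD --force enable || return 1     # --force: skip the interactive prompt
  $UFW_CMD status numbered
}

# Example: restrict_ssh_to 203.0.113.0/24   (203.0.113.0/24 is a placeholder)
```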
Allowing services
In addition to opening ports, you can also open specific services with UFW. You allow the service in UFW, and UFW then opens incoming traffic for the one or more ports associated with it.
You allow a service in UFW with the following command, replacing ssh with the relevant service name:
ufw allow ssh
UFW uses configuration files to determine which ports are associated with services, and those ports are opened when the service is allowed. For example, if you change your SSH port and then allow the SSH service in UFW, the new port is not opened automatically: you must open the port manually or adjust the service's configuration in UFW.
Available services
UFW takes all its port information for allowing or denying services from the profile files in /etc/ufw/applications.d/. You can list the available profiles with:
ls /etc/ufw/applications.d/
Then view the contents of the profiles with:
cat /etc/ufw/applications.d/*.profile
Denying services
Ports related to services are just as easy to close in UFW as they are opened:
ufw deny ssh
Because all incoming connections are denied by default (Step 1), explicitly denying a service is usually not necessary.
Deleting specific rules
At the beginning of this article we set the default policy to deny all incoming connections. Any ports or services you manually open or close afterward are UFW rules, and you can delete them as follows:
ufw delete deny servicename
ufw delete allow 1234/tcp
- The first command is an example for deleting a service rule, the second for deleting a port rule.
- Replace servicename with the name of the service.
- Replace the port number and protocol as required.
Since all incoming connections are closed by default, it is sufficient to create allow rules for ports and services and to delete those rules when no longer necessary.
Unblocking IPs
There are multiple options for unblocking IPs, but perhaps the easiest one is deleting a specific firewall rule by number. You can also use this as an alternative to removing specific rules by their specification (see the 'Deleting specific rules' section). First, list all current rules with:
ufw status numbered
You then get an output in which all the rules are numbered. You delete a specific rule with:
ufw delete 1
Replace 1 with the number of the rule you want to delete.
After 'ufw delete 1', the rule that was number 2 becomes number 1. It is therefore best to run ufw status numbered again after each delete, so you do not accidentally delete the wrong rule.
Too much output? Filter the results for a specific IP address as follows (replacing 123.123.123.123 with the actual IP address):
ufw status numbered | grep 123.123.123.123
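An added example, not from the original tutorial, that automates the unblock-by-number procedure above without the renumbering mistake: rule numbers are read from ufw status numbered output for a given address, checked to be numeric, and deleted highest-first so the remaining numbers still point at the rules they were read from. UFW_CMD is this script's dry-run convention, not a ufw option, and the status text is constructed.

```shell
#!/bin/sh
# Set UFW_CMD=echo to print the ufw commands instead of running them.
UFW_CMD="${UFW_CMD:-ufw}"

# Constructed "ufw status numbered" output used for the dry run below.
UFW_SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    203.0.113.0/24
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] Anywhere                   DENY IN     203.0.113.5
[ 4] 443/tcp                    ALLOW IN    Anywhere
[ 5] 22                         DENY IN     203.0.113.5'

# From status output on stdin, print the numbers of the rules whose line
# contains the fixed string $1 (an address, port or service), one per line.
ufw_rule_numbers_for() {
  grep -F -- "$1" | sed -n 's/^\[ *\([0-9][0-9]*\)\].*/\1/p'
}

# Delete the given rule numbers highest-first, after checking each is numeric.
ufw_delete_numbered() {
  [ "$#" -gt 0 ] || { echo "usage: ufw_delete_numbered N [N...]" >&2; return 2; }
  for n in "$@"; do
    case "$n" in ''|*[!0-9]*) echo "not a rule number: $n" >&2; return 2 ;; esac
  done
  for n in $(printf '%s\n' "$@" | sort -run); do   # descending, duplicates removed
    $UFW_CMD --force delete "$n" || return 1       # --force skips the y/n prompt
  done
}

# Example: remove every rule that names 203.0.113.5 (placeholder address).
# ufw_delete_numbered $(printf '%s\n' "$UFW_SAMPLE_STATUS" | ufw_rule_numbers_for 203.0.113.5)
```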
This concludes our tutorial on UFW in Ubuntu. Do you want to know more about UFW? Take a look at UFW's documentation.