UFW (Uncomplicated Firewall)
UFW provides a user-friendly interface to iptables for common firewall tasks.
Installation and Status
# Install (usually pre-installed on Ubuntu)
sudo apt install ufw
# Check status
sudo ufw status verbose
# Enable firewall
sudo ufw enable
# Disable firewall
sudo ufw disable
Default Policies
# Set default deny incoming
sudo ufw default deny incoming
# Set default allow outgoing
sudo ufw default allow outgoing
# Default deny routed (forwarded) traffic; ufw's directions are incoming, outgoing and routed ("forward" is not accepted)
sudo ufw default deny routed
Allow Rules
By Port
# Allow SSH
sudo ufw allow 22
# Allow with protocol
sudo ufw allow 22/tcp
# Allow port range (a range must name its protocol)
sudo ufw allow 6000:6100/tcp
By Service Name
# Allow SSH by name
sudo ufw allow ssh
# Allow HTTP/HTTPS
sudo ufw allow http
sudo ufw allow https
# Service names such as ssh/http resolve through /etc/services; application profiles (e.g. 'Nginx Full') are a separate list
sudo ufw app list
From Specific IP
# Allow from IP
sudo ufw allow from 192.168.1.100
# Allow from subnet
sudo ufw allow from 192.168.1.0/24
# Allow from IP to specific port
sudo ufw allow from 192.168.1.100 to any port 22
# Allow from IP to specific interface
sudo ufw allow in on eth0 from 192.168.1.0/24
Deny Rules
# Deny specific port
sudo ufw deny 23
# Deny from IP (rules match first-hit in order, so a deny must sit ahead of any broader allow; use `sudo ufw insert 1 deny from 10.0.0.50` to put it first)
sudo ufw deny from 10.0.0.50
# Deny to specific port from IP
sudo ufw deny from 10.0.0.50 to any port 22
Delete Rules
# Delete by rule
sudo ufw delete allow 22
# Delete by number (list first)
sudo ufw status numbered
sudo ufw delete 3
# Reset all rules (this also disables ufw and backs up the current rule files under /etc/ufw)
sudo ufw reset
Application Profiles
List Profiles
sudo ufw app list
View Profile Details
sudo ufw app info 'Nginx Full'
Create Custom Profile
# /etc/ufw/applications.d/myapp
[MyApp]
title=My Application
description=Custom application firewall rules
ports=8080/tcp|8443/tcp
# Update profiles
sudo ufw app update MyApp
# Allow profile
sudo ufw allow 'MyApp'
Rate Limiting
# Rate limit SSH: a source that opens 6 or more new connections within 30 seconds is denied
sudo ufw limit ssh
# Rate limit specific port
sudo ufw limit 22/tcp
Logging
# Enable logging
sudo ufw logging on
# Set log level
sudo ufw logging low # (default) blocked packets not matching the default policy, plus packets hitting rules with "log"; rate limited
sudo ufw logging medium # low, plus allowed packets not matching the default policy, INVALID packets and new connections; rate limited
sudo ufw logging high # medium without rate limiting, plus all other packets with rate limiting
sudo ufw logging full # high without rate limiting (very noisy)
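At these levels the useful signal is the [UFW BLOCK] and [UFW LIMIT BLOCK] kernel lines, which rsyslog writes to /var/log/ufw.log. The script below is an added example, not code from the original page: it summarises blocked packets per source, destination port and protocol, and flags sources that probed several ports. The sample log lines are constructed for the demonstration (RFC 5737 documentation addresses); the function names are my own.

```shell
#!/bin/sh
# Added example: summarise UFW block entries from syslog-format lines on stdin.
# [UFW ALLOW] and [UFW AUDIT] lines are ignored; only BLOCK / LIMIT BLOCK count.

# Per (source, destination port, protocol) drop counts, most frequent first.
ufw_block_summary() {
    awk '
        /\[UFW (LIMIT )?BLOCK\]/ {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src != "") count[src " " dpt " " proto]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1rn -k2,2
}

# Sources whose blocked traffic touched at least $1 distinct destination ports:
# a cheap port-scan heuristic over the same log (default threshold 10).
ufw_scan_sources() {
    awk -v t="${1:-10}" '
        /\[UFW (LIMIT )?BLOCK\]/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "" && dpt != "") seen[src, dpt] = 1
        }
        END {
            for (k in seen) { split(k, p, SUBSEP); ports[p[1]]++ }
            for (s in ports) if (ports[s] >= t) print s, ports[s]
        }
    ' | sort
}

# Constructed sample data (not a real capture), in the layout ufw.log uses.
SAMPLE_LOG=$(cat <<'EOF'
Mar 10 12:00:01 web1 kernel: [1001.1] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=1 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:02 web1 kernel: [1002.1] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=2 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:03 web1 kernel: [1003.1] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=3 PROTO=TCP SPT=40003 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:04 web1 kernel: [1004.1] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=4 PROTO=TCP SPT=40004 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:05 web1 kernel: [1005.1] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=5 PROTO=TCP SPT=51001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:06 web1 kernel: [1006.1] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=6 PROTO=TCP SPT=51002 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:07 web1 kernel: [1007.1] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=7 PROTO=TCP SPT=51003 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:08 web1 kernel: [1008.1] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=8 PROTO=UDP SPT=61000 DPT=161 LEN=40
Mar 10 12:00:09 web1 kernel: [1009.1] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.100 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=TCP SPT=55000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
)

# On a live host (as root): ufw_block_summary < /var/log/ufw.log
printf '%s\n' "$SAMPLE_LOG" | ufw_block_summary
printf '%s\n' "$SAMPLE_LOG" | ufw_scan_sources 3
```

The summary output puts the repeated SSH hits from 203.0.113.5 at the top (the LIMIT BLOCK line counts as a block too), and the scan heuristic reports 198.51.100.7, which touched three different ports; the ALLOW line never enters either count.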
# View logs (without rsyslog the same kernel messages are in `journalctl -k`)
sudo tail -f /var/log/ufw.log
Complete Server Example
#!/bin/bash
# Basic web server firewall setup
# Reset to defaults
sudo ufw --force reset
# Set defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (rate limited)
sudo ufw limit ssh
# Allow HTTP/HTTPS
sudo ufw allow http
sudo ufw allow https
# Allow everything from the admin host (every port; add "to any port 22" if only SSH is needed)
sudo ufw allow from 192.168.1.100
# Enable logging
sudo ufw logging on
# Enable firewall
sudo ufw --force enable
# Show status
sudo ufw status verbose
IPv6 Configuration
# Check if IPv6 enabled
grep IPV6 /etc/default/ufw
# Enable in /etc/default/ufw
IPV6=yes
# Reload
sudo ufw reload
Advanced: Direct iptables
# Add custom iptables rule
# Edit /etc/ufw/before.rules or /etc/ufw/after.rules (before6.rules/after6.rules for IPv6), then `sudo ufw reload`
Example before.rules Addition
# /etc/ufw/before.rules: drop ICMP echo requests. The stock file already contains
# "-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT", and iptables stops
# at the first matching rule, so either change that ACCEPT to DROP or place this line
# above it. Appending it just before COMMIT would never be reached.
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Best Practices
- Enable SSH first - add the SSH allow (or limit) rule before running ufw enable
- Use rate limiting - for login services such as SSH
- Be specific - limit source IPs and ports when possible
- Enable logging - for monitoring
- Test remotely - keep console access available and confirm a fresh SSH login works after enabling
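The last two points ("enable SSH first", "test remotely") can be turned into a guard that undoes the change if it locks you out. The script below is an added example, not code from the original page: it arms a background timer that runs `ufw disable` after a delay, enables the firewall, and expects you to cancel the timer from a new SSH session. The UFW_CMD and ROLLBACK_PID_FILE variables are my own assumptions (they let the logic be exercised without root); the ufw commands themselves are the ones shown on this page.

```shell
#!/bin/sh
# Added example: lockout guard for enabling UFW over SSH.
# UFW_CMD (default "sudo ufw") and ROLLBACK_PID_FILE are assumptions of this
# example, not ufw settings.

UFW_CMD="${UFW_CMD:-sudo ufw}"
ROLLBACK_PID_FILE="${ROLLBACK_PID_FILE:-/tmp/ufw-rollback.pid}"

# Arm a timer that disables the firewall after $1 seconds (default 180).
# Prints the timer's PID. Its stdio is detached so it survives the SSH session.
schedule_rollback() {
    secs="${1:-180}"
    ( sleep "$secs" && $UFW_CMD disable ) </dev/null >/dev/null 2>&1 &
    printf '%s\n' "$!" > "$ROLLBACK_PID_FILE"
    cat "$ROLLBACK_PID_FILE"
}

# Exit 0 while a timer is armed and alive, 1 otherwise.
rollback_pending() {
    [ -f "$ROLLBACK_PID_FILE" ] || return 1
    kill -0 "$(cat "$ROLLBACK_PID_FILE")" 2>/dev/null
}

# Disarm the timer. Run this from a NEW SSH session once it has logged in;
# killing the subshell before sleep returns means `ufw disable` never runs.
cancel_rollback() {
    rollback_pending || return 1
    pid=$(cat "$ROLLBACK_PID_FILE")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true   # reap it so the PID cannot be reused
    rm -f "$ROLLBACK_PID_FILE"
}

# Enable the firewall with the guard armed. Usage: safe_enable 180
safe_enable() {
    secs="${1:-180}"
    schedule_rollback "$secs" >/dev/null
    $UFW_CMD --force enable
    $UFW_CMD status verbose
    echo "Rollback timer $(cat "$ROLLBACK_PID_FILE") fires in ${secs}s; open a new SSH session, then run cancel_rollback"
}

# Typical use: source this file in the session you administer from, run
# safe_enable, log in again from a second terminal, and run cancel_rollback there.
```

The cancel step deliberately runs `wait` on the killed subshell so the PID is reaped before the PID file is removed; otherwise a later `rollback_pending` could be fooled by a recycled PID. If the second login never works, the timer fires, the firewall is disabled, and the original session can fix the rules.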