HxHippy

UFW Simplified Firewall

Easy-to-use UFW (Uncomplicated Firewall) for quick Linux firewall configuration.

Last updated: 2025-01-15

UFW (Uncomplicated Firewall)

UFW provides a user-friendly interface to iptables for common firewall tasks.

Installation and Status

# Install (usually pre-installed on Ubuntu)
sudo apt install ufw

# Check status
sudo ufw status verbose

# Enable firewall
sudo ufw enable

# Disable firewall
sudo ufw disable

Default Policies

# Set default deny incoming
sudo ufw default deny incoming

# Set default allow outgoing
sudo ufw default allow outgoing

# Default deny routed (forwarded) traffic; the keyword is "routed", not "forward"
sudo ufw default deny routed

Allow Rules

By Port

# Allow SSH
sudo ufw allow 22

# Allow with protocol
sudo ufw allow 22/tcp

# Allow port range
sudo ufw allow 6000:6100/tcp

By Service Name

# Allow SSH by name
sudo ufw allow ssh

# Allow HTTP/HTTPS
sudo ufw allow http
sudo ufw allow https

# List available applications
sudo ufw app list

From Specific IP

# Allow from IP
sudo ufw allow from 192.168.1.100

# Allow from subnet
sudo ufw allow from 192.168.1.0/24

# Allow from IP to specific port
sudo ufw allow from 192.168.1.100 to any port 22

# Allow from IP to specific interface
sudo ufw allow in on eth0 from 192.168.1.0/24

Deny Rules

# Deny specific port
sudo ufw deny 23

# Deny from IP
sudo ufw deny from 10.0.0.50

# Deny to specific port from IP
sudo ufw deny from 10.0.0.50 to any port 22

Delete Rules

# Delete by rule
sudo ufw delete allow 22

# Delete by number (list first). Numbers shift after every deletion, so when
# removing several rules re-list each time or delete the highest number first
sudo ufw status numbered
sudo ufw delete 3

# Reset all rules
sudo ufw reset
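
Deleting several numbered rules is where the renumbering caveat bites. The bash functions below are an added example, not code from the original page: they parse `ufw status numbered` output, pick the rule numbers matching a pattern, and emit the `ufw delete` commands highest number first so that each deletion leaves the remaining targets' numbers intact. The status text and function names are this example's own; the sample output is constructed so the functions can be exercised without root or a live ufw.

```bash
# Constructed sample of `sudo ufw status numbered` output (not from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] Anywhere                   ALLOW IN    192.168.1.100
[ 5] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# rule_numbers_matching PATTERN [STATUS_TEXT]
# Prints the numbers of the rules whose line matches the extended regex
# PATTERN, highest first. Reads the live `ufw status numbered` when no
# status text is passed in (which needs root).
rule_numbers_matching() {
    pattern=$1
    status=${2:-$(sudo ufw status numbered)}
    printf '%s\n' "$status" \
        | grep -E '^\[ *[0-9]+\]' \
        | grep -E -- "$pattern" \
        | sed -E 's/^\[ *([0-9]+)\].*/\1/' \
        | sort -rn
}

# delete_commands PATTERN [STATUS_TEXT]
# Emits one `ufw --force delete N` per matching rule, in descending order.
# --force skips the per-rule confirmation prompt; review the output before
# piping it into sh.
delete_commands() {
    rule_numbers_matching "$1" "$2" | while read -r n; do
        printf 'sudo ufw --force delete %s\n' "$n"
    done
}

# Demo on the constructed sample: remove every HTTP/HTTPS rule, v4 and v6.
# Emits delete 7, 6, 3, 2 in that order.
delete_commands '(80|443)/tcp' "$SAMPLE_STATUS"
```

On a live host, run `delete_commands '(80|443)/tcp'` with no second argument, check the list it prints, then re-run it piped into `sh`. Deleting in ascending order instead would remove rule 2, renumber 3 to 2, and then delete the wrong rule.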

Application Profiles

List Profiles

sudo ufw app list

View Profile Details

sudo ufw app info 'Nginx Full'

Create Custom Profile

# /etc/ufw/applications.d/myapp
[MyApp]
title=My Application
description=Custom application firewall rules
ports=8080/tcp|8443/tcp
# Update profiles
sudo ufw app update MyApp

# Allow profile
sudo ufw allow 'MyApp'

Rate Limiting

# Rate limit SSH: deny a source that attempts 6 or more new connections within 30 seconds
sudo ufw limit ssh

# Rate limit specific port
sudo ufw limit 22/tcp

Logging

# Enable logging
sudo ufw logging on

# Set log level
sudo ufw logging low    # (default)
sudo ufw logging medium
sudo ufw logging high
sudo ufw logging full

# View logs
sudo tail -f /var/log/ufw.log
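
Tailing the log shows individual drops; what a practitioner usually wants is a summary of who is being blocked and on which ports, and which sources tripped a `ufw limit` rule. The following bash functions are an added example, not part of the original page. They read `/var/log/ufw.log`-style lines from stdin, keep only `[UFW BLOCK]` and `[UFW LIMIT BLOCK]` entries, and count the `SRC=` and `DPT=` fields. The log lines below are constructed for the example and the function names are its own.

```bash
# Constructed sample of /var/log/ufw.log lines (not captured from a real host).
# Field layout follows the kernel's netfilter log format that ufw prefixes.
SAMPLE_LOG='Jan 15 10:23:45 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=44321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 15 10:23:46 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54322 PROTO=TCP SPT=44322 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 15 10:23:47 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54323 PROTO=TCP SPT=44323 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 15 10:24:01 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=51000 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 15 10:24:02 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=UDP SPT=51001 DPT=161 LEN=40
Jan 15 10:25:10 web01 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=777 PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 15 10:25:11 web01 kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.100 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=888 PROTO=TCP SPT=50022 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# count_field NAME
# Reads log lines on stdin and prints "count value" for every NAME=value
# token, most frequent first (ties broken by value).
count_field() {
    awk -v key="$1=" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key) == 1) c[substr($i, length(key) + 1)]++
    } END { for (v in c) print c[v], v }' | sort -k1,1nr -k2,2
}

# Keep only dropped packets: plain BLOCK and the rate-limit LIMIT BLOCK.
# ALLOW and AUDIT lines (logging medium and above) are left out.
blocked_lines() { grep -E '\[UFW (LIMIT )?BLOCK\]'; }

top_blocked_sources() { blocked_lines | count_field SRC; }
top_blocked_ports()   { blocked_lines | count_field DPT; }

# Sources that exceeded a `ufw limit` rule (6+ attempts in 30 seconds).
limit_trips() { grep -F '[UFW LIMIT BLOCK]' | count_field SRC; }

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | top_blocked_sources
printf '%s\n' "$SAMPLE_LOG" | top_blocked_ports
printf '%s\n' "$SAMPLE_LOG" | limit_trips
```

On a real host feed the functions the actual log, for example `top_blocked_sources < /var/log/ufw.log`, or `journalctl -k | top_blocked_ports` where kernel messages only go to the journal. Port 23 and 3389 probes from a single source in seconds, as in the sample, are the scanner pattern worth alerting on; a burst of LIMIT BLOCK lines for port 22 means the rate limit is doing its job.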

Complete Server Example

#!/bin/bash
# Basic web server firewall setup

# Reset to defaults (this also disables ufw until it is re-enabled below)
sudo ufw --force reset

# Set defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (rate limited)
sudo ufw limit ssh

# Allow HTTP/HTTPS
sudo ufw allow http
sudo ufw allow https

# Allow from specific admin IP
sudo ufw allow from 192.168.1.100

# Enable logging
sudo ufw logging on

# Enable firewall
sudo ufw --force enable

# Show status
sudo ufw status verbose

IPv6 Configuration

# Check if IPv6 enabled
grep IPV6 /etc/default/ufw

# Enable in /etc/default/ufw
IPV6=yes

# Reload so rules are generated for v6 as well; if v6 entries still do not
# appear in `ufw status`, disable and re-enable instead
sudo ufw reload

Advanced: Direct iptables

# Add custom iptables rules
# Edit /etc/ufw/before.rules or /etc/ufw/after.rules (and before6.rules /
# after6.rules for IPv6), then run `sudo ufw reload`. These are raw
# iptables-restore lines: they do not appear in `ufw status`

Example before.rules Change

# /etc/ufw/before.rules already has an ACCEPT for echo-request in the
# ufw-before-input chain. To drop pings, change that existing line to DROP
# (appending a DROP after it would never match, since the earlier ACCEPT wins)
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

Best Practices

  1. Allow SSH first - Add the SSH rule before `ufw enable` on a remote host, or the session drops
  2. Use rate limiting - `ufw limit` on login services such as SSH
  3. Be specific - Restrict rules to source IPs or subnets where possible
  4. Enable logging - Drops are only useful if someone reviews them
  5. Test remotely - Keep out-of-band console access (cloud serial console, IPMI) in case a rule locks you out
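
Practices 1, 3 and 5 come down to one thing: the SSH rule for the session you are sitting in must exist before `ufw enable` runs. The bash functions below are an added example, not code from the original page. They derive the listening port from `sshd_config` and the admin's address from the `SSH_CONNECTION` variable that sshd sets in every session, then emit the commands in the order they must run. The `comment` keyword is available in ufw 0.35 and later. The sshd_config excerpt and SSH_CONNECTION value are constructed for the example, and the function names are its own.

```bash
# Constructed sshd_config excerpt (the real file is /etc/ssh/sshd_config).
SAMPLE_SSHD_CONFIG='# Port 22
Port 2222
PermitRootLogin no
PasswordAuthentication no'

# Constructed SSH_CONNECTION value. sshd sets this to
# "client_ip client_port server_ip server_port" in every session.
SAMPLE_SSH_CONNECTION='203.0.113.5 51234 198.51.100.10 2222'

# ssh_port CONFIG_TEXT
# The effective Port directive (first uncommented one; sshd can listen on
# several, in which case add a rule per port). Defaults to 22 when unset.
ssh_port() {
    port=$(printf '%s\n' "$1" | awk 'tolower($1) == "port" { print $2; exit }')
    printf '%s\n' "${port:-22}"
}

# ssh_client_ip SSH_CONNECTION_VALUE
# The address this session came from, or empty when not inside an SSH session.
ssh_client_ip() {
    printf '%s\n' "${1%% *}"
}

# ssh_lockout_guard CONFIG_TEXT SSH_CONNECTION_VALUE
# Emits the ufw commands in a safe order: an explicit allow for the admin's
# current address, the rate-limited rule for everyone else, then the default
# policies and enable. Without a client address the first rule is skipped
# and a warning goes to stderr.
ssh_lockout_guard() {
    port=$(ssh_port "$1")
    client=$(ssh_client_ip "$2")
    if [ -n "$client" ]; then
        printf 'sudo ufw allow from %s to any port %s proto tcp comment %s\n' \
            "$client" "$port" "'admin ssh'"
    else
        echo "warning: SSH_CONNECTION is empty, no admin allow rule emitted" >&2
    fi
    printf 'sudo ufw limit %s/tcp comment %s\n' "$port" "'ssh rate limit'"
    printf 'sudo ufw default deny incoming\n'
    printf 'sudo ufw default allow outgoing\n'
    printf 'sudo ufw --force enable\n'
}

# Demo on the constructed inputs.
ssh_lockout_guard "$SAMPLE_SSHD_CONFIG" "$SAMPLE_SSH_CONNECTION"
```

On a live host run `ssh_lockout_guard "$(cat /etc/ssh/sshd_config)" "$SSH_CONNECTION"`, read the commands it prints, then pipe the same call into `sh`. The admin rule is deliberately narrower than the page's `ufw allow from 192.168.1.100`: it permits only the SSH port, so a compromised admin workstation does not get blanket access to every service on the host.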