Linux UFW Tool


UFW (Uncomplicated Firewall) is a command-line tool in Linux designed to simplify the process of configuring a firewall. It’s an easier front-end for iptables and is particularly popular on Debian-based systems like Ubuntu. Here’s a guide on using ufw with commands and example outputs.


Step 1: Installing UFW (if not already installed)

On most Debian-based systems, ufw is pre-installed. If it’s not, you can install it using:

sudo apt update
sudo apt install ufw

Step 2: Enable UFW

By default, ufw is inactive. To start the firewall and enable it to load on boot, run the command below. If you are administering the machine over SSH, add the SSH rule from Step 4 before enabling the firewall, otherwise the deny-by-default incoming policy can lock you out of your own session.

sudo ufw enable

Example Output:

Firewall is active and enabled on system startup

Step 3: Set Default Policies

To secure your system, it’s a good idea to deny all incoming connections and allow all outgoing connections by default:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Example Output:

Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)

This setup blocks all incoming connections except those you explicitly allow, while allowing all outgoing connections.

Step 4: Allow or Deny Specific Ports and Services

Allowing a Service (e.g., SSH on port 22)

To allow SSH connections (important if you’re managing the server remotely), use:

sudo ufw allow ssh

Alternatively, you can specify the port number directly:

sudo ufw allow 22

Example Output:

Rule added
Rule added (v6)

Allow HTTP and HTTPS Traffic

To allow web traffic, open HTTP (port 80) and HTTPS (port 443):

sudo ufw allow http
sudo ufw allow https

or:

sudo ufw allow 80
sudo ufw allow 443

Example Output:

Rule added
Rule added (v6)
Rule added
Rule added (v6)

Deny a Port

To block a specific port, such as port 8080, use:

sudo ufw deny 8080

Example Output:

Rule added
Rule added (v6)

Step 5: Allow or Deny IP Address Ranges

Allow Specific IP

To allow a specific IP address (e.g., 192.168.1.10) access to your server:

sudo ufw allow from 192.168.1.10

Allow Specific IP on a Port

To allow a specific IP only on a certain port (e.g., 192.168.1.10 on SSH port 22):

sudo ufw allow from 192.168.1.10 to any port 22

Example Output:

Rule added
Rule added (v6)

Step 6: Check UFW Status and Rules

To check if UFW is active and see the list of current rules:

sudo ufw status

Example Output:

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
8080                       DENY        Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
8080 (v6)                  DENY        Anywhere (v6)

Step 7: Delete Rules

To delete a rule, use the delete keyword. You can specify the rule by port or service name.

Delete by Port:

sudo ufw delete allow 22

Delete by Service:

sudo ufw delete allow ssh

Example Output:

Rule deleted
Rule deleted (v6)

Step 8: Disable UFW

If you need to temporarily disable the firewall (e.g., for troubleshooting):

sudo ufw disable

Example Output:

Firewall stopped and disabled on system startup

To re-enable it, use:

sudo ufw enable

Step 9: Advanced UFW Commands

  • Check Detailed Status: For a more detailed list of rules with numbered lines, use:

    sudo ufw status numbered

    Example Output:

    Status: active

         To                         Action      From
         --                         ------      ----
    [ 1] 22                         ALLOW IN    Anywhere
    [ 2] 80                         ALLOW IN    Anywhere
    [ 3] 443                        ALLOW IN    Anywhere
    [ 4] 8080                       DENY IN     Anywhere
    [ 5] 22 (v6)                    ALLOW IN    Anywhere (v6)
  • Delete a Rule by Number: To delete a rule by its number from the numbered status list:

    sudo ufw delete 1
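The numbered status output above is also what you would audit on a host to see which ports are reachable from anywhere. The POSIX shell script below is an added example, not part of the original guide or of ufw itself: it parses a constructed sample of `ufw status numbered` output (the rules from this guide plus the IP-restricted SSH rule from Step 5) and lists every "ALLOW IN" rule whose source is Anywhere, collapsing the IPv4 and IPv6 twins. The sample text and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of `sudo ufw status numbered` output; not captured from a real host.
UFW_STATUS_SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 8080                       DENY IN     Anywhere
[ 5] 22                         ALLOW IN    192.168.1.10
[ 6] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 7] 80 (v6)                    ALLOW IN    Anywhere (v6)'

# Succeeds only if the first line of the status text reports an active firewall.
is_active() {
  printf '%s\n' "$1" | head -n 1 | grep -q '^Status: active$'
}

# Print, one per line and de-duplicated, the "To" column of every numbered rule
# that ALLOWs inbound traffic from Anywhere (IPv4 or IPv6). Columns in ufw's
# output are separated by two or more spaces, so split on that rather than on
# single spaces; this keeps "ALLOW IN", "22 (v6)" and "Anywhere (v6)" intact.
open_to_anywhere() {
  printf '%s\n' "$1" | awk -F '  +' '
    /^\[/ {
      sub(/^\[[ 0-9]+\] */, "")      # drop the "[ n] " rule number; awk re-splits $0
      to = $1; action = $2; from = $3
      sub(/ \(v6\)$/, "", to)        # report the IPv4 and IPv6 twins as one port
      if (action == "ALLOW IN" && from ~ /^Anywhere/) print to
    }' | LC_ALL=C sort -u
}

# Human-readable summary of the exposure found in a status dump.
report() {
  if is_active "$1"; then
    echo "UFW active; inbound allowed from Anywhere on:"
    open_to_anywhere "$1" | sed 's/^/  /'
  else
    echo "UFW inactive: no rules are being enforced"
  fi
}

report "$UFW_STATUS_SAMPLE"
```

On a real host, replace the sample with live output: `report "$(sudo ufw status numbered)"`.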

Summary of UFW Commands

  • Enable UFW: sudo ufw enable
  • Set default policies: sudo ufw default deny incoming / sudo ufw default allow outgoing
  • Allow a service or port: sudo ufw allow ssh or sudo ufw allow 80
  • Deny a service or port: sudo ufw deny 8080
  • Check status: sudo ufw status