ufw

UFW (Uncomplicated Firewall) is a user-friendly front-end for managing iptables or nftables firewall rules. Developed for Ubuntu, it simplifies complex netfilter configurations. It is typically pre-installed on Ubuntu and available on most Debian, Arch, and RHEL-based distributions.

Installation and Basic Management

Installation

On Debian/Ubuntu:

sudo apt install ufw

On Arch Linux:

sudo pacman -S ufw

On RHEL/Fedora/CentOS (on RHEL and CentOS the package comes from the EPEL repository):

sudo dnf install ufw

Basic Management

sudo ufw status                # Show enabled/disabled and list rules
sudo ufw status verbose        # Show details including default policies
sudo ufw enable                # Turn on firewall (Ensure SSH is allowed first!)
sudo ufw disable               # Turn off firewall and unload rules
sudo ufw reload                # Reload firewall without interrupting connections
sudo ufw reset                 # Disable and reset to installation defaults

Setting Default Policies and Common Rules

Set Default Policies

sudo ufw default deny incoming   # Block all incoming connections by default
sudo ufw default allow outgoing  # Allow all outgoing connections by default

Allow and Deny by Port

sudo ufw allow 22                # Allow both TCP and UDP on port 22
sudo ufw allow 80/tcp            # Allow TCP port 80 only
sudo ufw deny 23                 # Deny all traffic on port 23 (TCP+UDP)

Allow and Deny by IP/Subnet

sudo ufw allow from 10.0.0.1               # Allow all traffic from 10.0.0.1
sudo ufw allow from 192.168.1.0/24         # Allow traffic from entire LAN
sudo ufw allow from 10.0.0.1 to any port 22 # Allow SSH only from 10.0.0.1

Advanced Features

Delete Rules

sudo ufw status numbered       # List rules with numbers
sudo ufw delete 3              # Delete rule number 3
sudo ufw delete allow 80/tcp   # Delete rule by specifying the rule itself

Rule Insertion

UFW evaluates rules from top to bottom and the first match wins, so a rule placed after a broader one that already matches the traffic never takes effect. Use insert to place high-priority exceptions at the beginning of the list.

sudo ufw insert 1 allow from 1.2.3.4 # Places rule at position 1

Rate Limiting

Allows the connection normally, but denies a source address that has attempted 6 or more new connections within 30 seconds. This protects services such as SSH against brute-force attacks.

sudo ufw limit ssh             # Recommended for public-facing SSH
sudo ufw limit 8080/tcp        # Rate-limit a custom port

While limit is a great first line of defense because it is built directly into UFW, many administrators prefer a tool called Fail2Ban. Fail2Ban is more aggressive; it reads your log files and can ban an IP for hours or days after a few failed login attempts, whereas UFW’s limit is a shorter, more temporary “cooling off” period.
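The limit rule also leaves a trail in the kernel log, which is worth checking when deciding whether a longer ban (for example via Fail2Ban) is needed. The following is an added example, not part of the original page: a small POSIX shell helper that counts, per source address, how often UFW's rate limiter has fired. It runs on constructed sample lines written in UFW's kernel-log format (the "[UFW LIMIT BLOCK]" prefix and the SRC=/DPT= fields are assumed to look as shown); on a real host you would feed it `journalctl -k` or /var/log/ufw.log instead.

```shell
#!/bin/sh
# Added example (not from the original page): count which source addresses
# UFW's rate limiter has blocked, from constructed sample log lines.

# Constructed sample: three LIMIT blocks from 203.0.113.5, one from
# 198.51.100.7, plus an ordinary [UFW BLOCK] line that must be ignored.
SAMPLE_LOG='Mar  3 10:01:11 web1 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.2 PROTO=TCP SPT=51234 DPT=22
Mar  3 10:01:12 web1 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.2 PROTO=TCP SPT=51235 DPT=22
Mar  3 10:01:13 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.2 PROTO=TCP SPT=40000 DPT=23
Mar  3 10:01:14 web1 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.2 PROTO=TCP SPT=60001 DPT=22
Mar  3 10:01:15 web1 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.2 PROTO=TCP SPT=51236 DPT=22'

# limit_block_counts: read log lines on stdin and print "count src dport"
# for every source hit by the LIMIT rule, most-blocked first.
limit_block_counts() {
    grep -F '[UFW LIMIT BLOCK]' |
    sed -n 's/.*SRC=\([^ ]*\).*DPT=\([0-9]*\).*/\1 \2/p' |
    sort | uniq -c | sort -rn |
    awk '{print $1, $2, $3}'
}

# top_limited_source: the single address with the most LIMIT blocks,
# i.e. the first candidate to review for a longer ban.
top_limited_source() {
    limit_block_counts | head -n 1 | awk '{print $2}'
}

# Run the demo only when asked, so the file can also be sourced.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | limit_block_counts
fi
```

Running `sh limit_blocks.sh demo` on the sample prints `3 203.0.113.5 22` first and `1 198.51.100.7 22` second; the plain `[UFW BLOCK]` line is excluded because it was dropped by the default policy, not by the rate limiter.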

Application Profiles

sudo ufw app list              # List all available application profiles
sudo ufw app info 'Nginx Full' # View ports included in a profile
sudo ufw allow 'Nginx Full'    # Allow both HTTP (80) and HTTPS (443)

Example Session: Setting Up a Basic Firewall

Goal: Block all incoming traffic except SSH (rate-limited) and HTTPS, while allowing all outgoing traffic.

  1. Set default policies

sudo ufw default deny incoming
sudo ufw default allow outgoing

  2. Add rules (do this before enabling to avoid lockout)

sudo ufw limit ssh
sudo ufw allow 443/tcp

  3. Enable the firewall

sudo ufw enable

  4. Verify the configuration

sudo ufw status numbered

Reference