Introduction
UFW, or Uncomplicated Firewall, is a front-end for iptables designed to simplify the process of configuring a firewall. Although iptables is a powerful and flexible tool, learning how to use it to properly configure a firewall can be difficult for beginners. If you are looking to start securing your network and are not sure which tool to use, UFW may be a good choice for you.
Prerequisites
You will need a server running Ubuntu with a non-root user that has sudo privileges. UFW is installed by default on Ubuntu; if it has been removed, you can reinstall it with sudo apt install ufw. If you are using Ubuntu 16.04 or lower, we recommend that you upgrade to a newer version, as Ubuntu no longer supports these releases.
Step 1 — Ensure IPv6 is enabled
In recent versions of Ubuntu, IPv6 is enabled by default. In practice, this means that most firewall rules added to the server will be written for both IPv4 and IPv6, with the IPv6 copy identified as (v6) in the output of the ufw status command. To make sure IPv6 is enabled for UFW, check the configuration file at /etc/default/ufw. Open this file using nano or your favorite command line editor:
sudo nano /etc/default/ufw
Then make sure the IPV6 value is set to yes. It should look something like this:
IPV6=yes
Save and close the file. If you are using nano, you can do this by typing CTRL+X, then Y and ENTER to confirm. If the firewall is already running when you change this value, disable and re-enable it (sudo ufw disable, then sudo ufw enable) so that the IPv6 rules are written.
When UFW is enabled in the next step of this guide, it will be configured to write both IPv4 and IPv6 firewall rules.
Step 2 — Set Default Policies
If you're just getting started with UFW, a good first step is to review your firewall's default policies. These rules control how traffic that doesn't explicitly match any other rules is handled.
By default, UFW is configured to deny all incoming connections and allow all outgoing connections. This means that anyone trying to access your server will not be able to connect, while any application inside the server will be able to reach the outside world. Additional rules are included to allow specific services and ports as exceptions to this general policy.
To ensure you can follow the rest of this tutorial, you will now set up your default UFW policies for inbound and outbound traffic.
To set the default UFW ingress policy to deny, run the following command:
sudo ufw default deny incoming
Output
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
To set the default UFW outbound policy to allow, run the following command:
sudo ufw default allow outgoing
Output
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)
These commands set the defaults to deny incoming connections and allow outgoing connections. These firewall defaults alone may be sufficient for a personal computer, but servers often need to respond to incoming requests from external users. We'll cover this later.
Step 3 – Allow SSH Connections
If you enable your UFW firewall now, it will deny all incoming connections. This means that if you want your server to respond to these types of requests, you will need to create rules that explicitly allow legitimate incoming connections – for example, SSH or HTTP connections. If you are using a cloud server, you will probably want to allow incoming SSH connections so that you can connect to and manage your server.
Allow OpenSSH UFW application profile
Once installed, many applications that rely on network connections register an application profile with UFW (a small file under /etc/ufw/applications.d that maps a name to the ports the service uses), which lets you allow or deny external access to a service by name rather than by port. You can check which profiles are currently registered with UFW using the following command:
sudo ufw app list
Output
Available applications:
OpenSSH
To see exactly which ports a profile opens before you trust it, run sudo ufw app info OpenSSH; the OpenSSH profile is defined as 22/tcp. To enable the OpenSSH application profile, run the following command:
sudo ufw allow OpenSSH
Output
Rule added
Rule added (v6)
Allow SSH based on service name
Another way to configure UFW to allow incoming SSH connections is to reference the service name from /etc/services, which UFW resolves to port 22:
sudo ufw allow ssh
Output
Rule added
Rule added (v6)
Enabling SSH based on port number
As an alternative, you can write the equivalent rule by specifying the port instead of the application or service profile name. For example, this command works like the previous examples:
sudo ufw allow 22
Output
Rule added
Rule added (v6)
Note that a bare port number opens it for both TCP and UDP. SSH only uses TCP, so the tighter form is sudo ufw allow 22/tcp, which is also what the OpenSSH profile expands to. If you have configured your SSH service to use a different port, you will need to specify that port instead; the OpenSSH profile and the ssh service name will no longer cover it. For example, if your SSH server is listening on port 2222, you can use this command to allow connections on that port:
sudo ufw allow 2222
Output
Rule added
Rule added (v6)
Now that your firewall is configured to allow incoming SSH connections, you can enable it.
Step 4 — Enable UFW
Your firewall should now be configured to allow SSH connections. To verify which rules have been added so far, even when the firewall is still disabled, you can use the following command:
sudo ufw show added
Output
Added user rules (see 'ufw status' for running firewall):
ufw allow OpenSSH
After verifying that you have a rule to allow incoming SSH connections, you can enable the firewall with the following command:
sudo ufw enable
Output
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
You will receive a warning that this command may disrupt existing SSH connections. You have already set up a firewall rule that allows SSH connections, so it will be fine to continue. Respond to the prompt with y and press ENTER.
The firewall is now enabled. Run the command sudo ufw status verbose to see the rules that have been set up. The rest of this tutorial covers how to use UFW in more detail, such as allowing or denying different types of connections.
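The procedure in Steps 2 through 4 is exactly the kind of thing that locks people out of a server when a step is skipped, so here it is as a guarded script. This is an added example, not code from the original tutorial or from the UFW project: it reads the port(s) sshd listens on, writes the default policies and an SSH allow rule, then checks sudo ufw show added and refuses to enable the firewall unless a rule covering every SSH port is present. The variable names SSHD_CONFIG, UFW_CMD and ADMIN_CIDR are this example's own assumptions: sshd is assumed to read /etc/ssh/sshd_config, ufw is invoked through UFW_CMD (set UFW_CMD=echo to print the commands instead of running them), and ADMIN_CIDR, if set, restricts SSH to that source network.

```shell
#!/bin/sh
# Guarded UFW bootstrap (added example, not part of the original tutorial).
# Assumptions: sshd config at /etc/ssh/sshd_config (override with SSHD_CONFIG);
# ufw invoked via UFW_CMD (UFW_CMD=echo dry-runs); ADMIN_CIDR optional.
set -u

UFW_CMD="${UFW_CMD:-sudo ufw}"   # expanded unquoted on purpose so "sudo ufw" word-splits
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
ADMIN_CIDR="${ADMIN_CIDR:-}"     # e.g. 203.0.113.0/24; empty means SSH from anywhere

# Print the TCP ports sshd listens on, space separated. Every uncommented
# "Port N" line counts (sshd listens on all of them); with none set, it is 22.
# Ports given as ListenAddress host:port are not parsed here.
ssh_ports_from_config() {
  local cfg="$1" ports=""
  if [ -r "$cfg" ]; then
    ports=$(awk 'tolower($1)=="port" && $2 ~ /^[0-9]+$/ {printf "%s%s", sep, $2; sep=" "}' "$cfg")
  fi
  echo "${ports:-22}"
}

# Return 0 if the `ufw show added` text in $2 contains an inbound allow (or
# limit) rule covering TCP port $1. "OpenSSH" and "ssh" only count for port 22,
# because that is the port they resolve to; "out" rules never count.
has_ssh_rule() {
  local port="$1" added="$2" rules
  rules=$(printf '%s\n' "$added" | grep -E '^ufw (allow|limit) ' | grep -Ev '^ufw (allow|limit) out ' || true)
  if [ "$port" = "22" ] && printf '%s\n' "$rules" | grep -Eq '^ufw (allow|limit) (in )?(OpenSSH|ssh)(/tcp)?$'; then
    return 0
  fi
  # Matches "allow 22", "allow 22/tcp", "allow in on eth0 to any port 22",
  # "allow from X to any port 22 proto tcp"; does not match "allow 2222".
  printf '%s\n' "$rules" | grep -Eq '^ufw (allow|limit) (in )?(.* )?(port )?'"$port"'(/tcp)?( .*)?$'
}

# Steps 2 to 4: defaults, SSH rule, verify, then enable without the prompt.
bootstrap_firewall() {
  local ports port added
  ports=$(ssh_ports_from_config "$SSHD_CONFIG")
  $UFW_CMD default deny incoming
  $UFW_CMD default allow outgoing
  for port in $ports; do
    if [ -n "$ADMIN_CIDR" ]; then
      $UFW_CMD allow from "$ADMIN_CIDR" to any port "$port" proto tcp
    else
      $UFW_CMD allow "${port}/tcp"
    fi
  done
  added=$($UFW_CMD show added)
  for port in $ports; do
    if ! has_ssh_rule "$port" "$added"; then
      echo "refusing to enable UFW: no inbound allow rule for SSH port $port" >&2
      return 1
    fi
  done
  $UFW_CMD --force enable
}

# Only apply when asked explicitly, so the file can be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
  bootstrap_firewall
fi
```

Run it as sh bootstrap.sh --apply on the server, or with UFW_CMD=echo first to review the commands. The --force flag on ufw enable skips the interactive prompt shown in Step 4, which is what you want once the guard has confirmed the SSH rule exists; without the guard, --force is exactly how unattended provisioning scripts lock their owners out.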
Step 5 — Allow other connections
At this point, you should allow all other connections that your server needs to handle. The connections you should allow depend on your specific needs. You already know how to write rules that allow connections based on application profile, service name, or port. You already did this for SSH on port 22. You can also do this for:
- HTTP on port 80, which is the port used by unencrypted web servers, using sudo ufw allow http or sudo ufw allow 80
- HTTPS on port 443, which is the port used by encrypted web servers, using sudo ufw allow https or sudo ufw allow 443
- Apache with HTTP and HTTPS, using sudo ufw allow 'Apache Full'
- Nginx with HTTP and HTTPS, using sudo ufw allow 'Nginx Full'
Don't forget to check which application profiles are available for your server using the sudo ufw app list command.
Apart from specifying a port or a well-known service name, there are several other ways to allow connections. We will discuss some of these methods below.
Specific port ranges
You can specify a range of ports with UFW. Some applications use multiple ports instead of just one.
For example, to allow X11 connections using ports 6000-6007, use these commands:
sudo ufw allow 6000:6007/tcp
sudo ufw allow 6000:6007/udp
When specifying port ranges with UFW, you must specify the protocol (tcp or udp) that the rule applies to. We haven't mentioned this before because leaving out the protocol opens the port for both TCP and UDP, which is fine in most cases but wider than most services need; when you know the protocol, state it.
Specific IP addresses
When working with UFW, you can also specify IP addresses in your rules. For example, if you want to allow connections from a specific IP address, such as your work or home IP address 203.0.113.4, use the from parameter followed by the address:
sudo ufw allow from 203.0.113.4
Output
Rule added
A rule with an IPv4 source only produces an IPv4 rule, so there is no (v6) line here. You can also restrict the port that an IP address is allowed to connect to by appending to any port followed by the port number. For example, if you want to allow 203.0.113.4 to connect to port 22 (SSH), use this command:
sudo ufw allow from 203.0.113.4 to any port 22
Output
Rule added
Subnets
If you want to allow access from a subnet of IP addresses, you can do so by using CIDR notation to specify a network mask. For example, to allow access from every address in the 203.0.113.0/24 block (203.0.113.0 through 203.0.113.255), use this command:
sudo ufw allow from 203.0.113.0/24
Output
Rule added
Similarly, you can specify the destination port that the 203.0.113.0/24 subnet is allowed to connect to. Again, we'll use port 22 (SSH) as an example:
sudo ufw allow from 203.0.113.0/24 to any port 22
Output
Rule added
Rules for a specific network interface
If you want to create a firewall rule that only applies to a specific network interface, you can do so by specifying in on followed by the name of the network interface.
Before continuing, look up your network interface names with this command:
ip addr
Output Excerpt
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
. . .
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
. . .
The names after the index numbers (eth0 and eth1 here) are your network interfaces. On modern systems they are often named something like enp3s2 or ens3 instead.
So, if your server has a public network interface called eth0, you can allow HTTP traffic (port 80) to it with this command:
sudo ufw allow in on eth0 to any port 80
Output
Rule added
Rule added (v6)
Doing this will allow your server to receive HTTP requests that arrive on eth0 from the public internet, while port 80 stays closed on every other interface.
Or if you want your MySQL database server (port 3306) to accept connections only on the private network interface eth1, for example, you can use this command:
sudo ufw allow in on eth1 to any port 3306
Output
Rule added
Rule added (v6)
This allows other servers on your private network to connect to your MySQL database, while the default deny policy still blocks port 3306 on the public interface. An interface rule is only as strong as your confidence that eth1 is really private: if the private network is shared with other tenants, add a from restriction for your own subnet to the same rule.
Step 6 – Deny connections
If you haven't changed the default policy for inbound connections, UFW is configured to deny all inbound connections. Overall, this simplifies the process of creating a secure firewall policy by requiring you to create rules that explicitly allow specific ports and IP addresses to pass through.
However, sometimes you want to deny specific connections based on the source IP address or subnet, perhaps because you know your server is being attacked from there. Also, if you change your default inbound policy to allow (which is not recommended), you will need to create deny rules for every service or IP address that you do not want to accept connections from.
To write deny rules, you can use the commands described earlier, replacing allow with deny. A deny rule drops the packets silently; UFW also offers reject, which answers with an ICMP unreachable or TCP reset so that the client fails immediately instead of waiting for a timeout.
For example, to deny HTTP connections, you can use this command:
sudo ufw deny http
Output
Rule added
Rule added (v6)
Or if you want to deny all connections from 203.0.113.4, you can use this command:
sudo ufw deny from 203.0.113.4
Output
Rule added
Keep in mind that UFW evaluates rules in the order they appear in ufw status, and the first match wins. A deny rule appended after an allow rule that already matches the same traffic (for example an allow for port 22 from anywhere) is never reached by that traffic. To put a block in front of the existing rules, insert it at position 1 instead of appending it: sudo ufw insert 1 deny from 203.0.113.4.
In some cases, you may also want to block outbound connections from the server. To block every process on the server from connecting out to a port, such as port 25 for SMTP traffic, use deny out followed by the port number:
sudo ufw deny out 25
Output
Rule added
Rule added (v6)
This will block all outgoing SMTP traffic from the server.
Step 7 – Delete rules
Knowing how to delete firewall rules is just as important as knowing how to create them. There are two different ways to specify which rules to delete: by rule number or by the human-readable rule specification (the same text you used when creating the rule).
Delete a UFW rule by number
To delete a UFW rule based on its number, you first need to get a numbered list of all your firewall rules. The UFW status command has an option to display the numbers next to each rule, as shown here:
sudo ufw status numbered
Numbered Output:
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    15.15.15.0/24
[ 2] 80                         ALLOW IN    Anywhere
If you decide to remove rule #2, the rule that allows port 80 (HTTP) connections, you can specify it in the UFW delete command like this:
sudo ufw delete 2
Output
Deleting:
 allow 80
Proceed with operation (y|n)? y
Rule deleted
This will ask you for confirmation and then delete rule 2, which allows HTTP connectivity. Note that if you have IPv6 enabled, the IPv4 and IPv6 copies of a rule have separate numbers, so you will need to delete the corresponding IPv6 rule as well. Also note that the remaining rules are renumbered after every deletion, so either re-run sudo ufw status numbered before each delete or delete the highest-numbered rule first.
Delete a UFW rule by name
Instead of using rule numbers, you can also refer to a rule by the human-readable specification used to create it, which consists of the rule type (usually allow or deny) and the service name or port number that the rule targets, or the application profile name if one is used. For example, if you want to remove an allow rule for an application profile named Apache Full that was previously enabled, you can use the following command:
sudo ufw delete allow "Apache Full"
Output
Rule deleted
Rule deleted (v6)
The delete command works the same way for rules that were created by referencing a service by name or port. For example, if you previously created a rule to allow HTTP connections with sudo ufw allow http, you can delete the rule as follows:
sudo ufw delete allow http
Output
Rule deleted
Rule deleted (v6)
Since service names are interchangeable with port numbers when specifying rules, you can also refer to the same rule as allow 80 instead of allow http:
sudo ufw delete allow 80
Output
Rule deleted
Rule deleted (v6)
When deleting UFW rules by name, both the IPv4 and IPv6 rules, if any, are deleted. The specification must otherwise match the rule as it was added: allow 80 and allow 80/tcp are different rules, and if nothing matches, UFW reports that the rule does not exist rather than deleting something similar.
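Two of the caveats above, deny rules that are shadowed by earlier allow rules (Step 6) and rule numbers that shift after each deletion (Step 7), are easy to get wrong by hand. The following helpers are an added example, not code from the original tutorial or from the UFW project: they parse the text of sudo ufw status numbered, find every rule number (the IPv4 rule and its IPv6 twin) that matches a given To/From pair, delete them highest-first so the remaining numbers stay valid, and flag a deny-from-address rule that sits below an allow-from-Anywhere rule and is therefore never reached. UFW_CMD is this example's own variable for invoking ufw (UFW_CMD=echo prints instead of running), and the status text format assumed is the one shown in Step 7.

```shell
#!/bin/sh
# Rule-number and rule-order helpers for `ufw status numbered`
# (added example, not part of the original tutorial).
# Assumption: UFW_CMD is how ufw is invoked; UFW_CMD=echo dry-runs.
set -u
UFW_CMD="${UFW_CMD:-sudo ufw}"

# Turn the numbered status text in $1 into one "num|to|action|from" line per
# rule. " (v6)" markers are stripped so an IPv4 rule and its IPv6 twin compare
# equal; a trailing "# comment" on the From column is dropped.
parse_numbered_status() {
  printf '%s\n' "$1" | awk '
    /^\[ *[0-9]+\]/ {
      match($0, /[0-9]+/); num = substr($0, RSTART, RLENGTH)
      rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
      if (!match(rest, /(ALLOW|DENY|REJECT|LIMIT) (IN|OUT|FWD)/)) next
      to = substr(rest, 1, RSTART - 1); sub(/ +$/, "", to)
      action = substr(rest, RSTART, RLENGTH)
      from = substr(rest, RSTART + RLENGTH); sub(/^ +/, "", from); sub(/ *#.*$/, "", from)
      gsub(/ \(v6\)/, "", to); gsub(/ \(v6\)/, "", from)
      printf "%s|%s|%s|%s\n", num, to, action, from
    }'
}

# Print, highest first, the numbers of every rule whose To column equals $2
# and (when $3 is given) whose From column equals $3, across both IP families.
# Highest-first matters: deleting rule 2 renumbers rule 4 to 3.
rule_numbers_matching() {
  parse_numbered_status "$1" | awk -F'|' -v want_to="$2" -v want_from="${3:-}" '
    $2 == want_to && (want_from == "" || $4 == want_from) { print $1 }' |
    sort -rn | awk '{ printf "%s%s", sep, $0; sep = " " }'
}

# Delete every live rule matching To=$1 [From=$2], highest number first.
# --force skips the per-rule confirmation prompt shown in Step 7.
delete_rules_matching() {
  local status n
  status=$($UFW_CMD status numbered)
  for n in $(rule_numbers_matching "$status" "$1" "${2:-}"); do
    $UFW_CMD --force delete "$n"
  done
}

# Print the number of the "DENY IN ... from $2" rule and return 0 when a
# lower-numbered "ALLOW IN ... from Anywhere" rule shadows it (first match
# wins, so the deny is never reached); return 1 otherwise. Simplification:
# an allow from a subnet that contains $2 would shadow it too and is not checked.
shadowed_deny() {
  parse_numbered_status "$1" | awk -F'|' -v ip="$2" '
    $3 ~ /^ALLOW IN/ && $4 == "Anywhere" && first_allow == "" { first_allow = $1 }
    $3 ~ /^DENY IN/ && $4 == ip && deny == "" { deny = $1 }
    END {
      if (deny != "" && first_allow != "" && first_allow + 0 < deny + 0) { print deny; exit 0 }
      exit 1
    }'
}

# Block a source ahead of every existing rule so it cannot be shadowed.
deny_source_first() {
  $UFW_CMD insert 1 deny from "$1"
}
```

Typical use: if shadowed_deny "$(sudo ufw status numbered)" 203.0.113.4 prints a rule number, delete that rule with delete_rules_matching Anywhere 203.0.113.4 and re-add it with deny_source_first 203.0.113.4. The parser only looks at the columns UFW prints, so it reports what the firewall will do rather than what you remember typing.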
Step 8 — Check UFW status and rules
At any time, you can check the status of UFW with this command:
sudo ufw status verbose
If UFW is disabled, which it is by default, you will see something like this:
Output
Status: inactive
If UFW is enabled, which it should be if you followed Step 4, the output will say it is active and list any rules that have been set. For example, if the firewall is configured to allow SSH connections (port 22) from anywhere, the output might look something like this:
Output
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
Use the status command whenever you want to check how UFW has configured the firewall. Two related commands are worth knowing: sudo ufw show listening lists the ports that services on the server are actually listening on alongside the rules that apply to them, which is a quick way to spot a service you forgot to allow or one that is exposed more widely than intended, and sudo ufw show raw prints the iptables rules UFW has installed.
Step 9 – Disable or reset the firewall
If you decide not to use the UFW firewall, you can disable it with this command:
sudo ufw disable
Output
Firewall stopped and disabled on system startup
Any rules you created with UFW will no longer be active. If you need to enable them later, you can always run sudo ufw enable again.
If you have already configured UFW rules but decide to start over, you can use the reset command:
sudo ufw reset
Output
Resetting all rules to installed defaults. This may disrupt existing ssh
connections. Proceed with operation (y|n)? y
Backing up 'user.rules' to '/etc/ufw/user.rules.20210729_170353'
Backing up 'before.rules' to '/etc/ufw/before.rules.20210729_170353'
Backing up 'after.rules' to '/etc/ufw/after.rules.20210729_170353'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20210729_170353'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20210729_170353'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20210729_170353'
This will disable UFW and remove any rules that were previously defined, after backing up the rule files as shown. This should give you a fresh start with UFW. Keep in mind that if you changed the default policies at any time, they will not revert to their original settings.
Conclusion
Your firewall is now configured to allow (at least) SSH connections. Be sure to allow any other incoming connections that your server needs, while restricting any unnecessary connections, so that your server stays both functional and secure.
For more information on common UFW configurations, see the tutorial UFW Essentials: Common Firewall Rules and Commands for Linux Security.