A firewall monitors and filters incoming and outgoing network traffic. Most firewalls work from a set of rules that decide whether a given packet or connection is allowed or blocked.
UFW, or Uncomplicated Firewall, comes preinstalled with Ubuntu and most other Debian-based distros. It is a front end that makes managing the lower-level packet filter, iptables, much simpler.
This tutorial covers pretty much everything you need to know about configuring and managing UFW on Ubuntu and Debian.
Step 1: Installing UFW on Ubuntu
UFW should already be installed on Ubuntu. If it isn't, install it with:
# Update packages
sudo apt update && sudo apt upgrade
# Install UFW
sudo apt install ufw
Step 2: Checking UFW Status & Rules
# Check UFW status
sudo ufw status verbose
On a fresh install UFW is disabled, shown as Status: inactive.
Step 3: Enable IPv6 with UFW
This guide is written with IPv4 in mind, but everything here works for IPv6 too, provided UFW is told to manage it. Open /etc/default/ufw and make sure it contains IPV6=yes (the Ubuntu default):
# Configure UFW to support IPv6
sudo nano /etc/default/ufw
IPV6=yes
Save and close the file. With this set, every allow and deny rule you add from now on is written for both IPv4 and IPv6 (the IPv6 copy shows up as a separate "(v6)" line in the status output). Leaving it at no means the rules you add are written for IPv4 only. If you change the value on a firewall that is already enabled, run sudo ufw disable followed by sudo ufw enable for it to take effect.
Step 4: Setting Up Default Policies for UFW
Let's start with the default policies. These control how UFW handles traffic that does not match any other rule.
By default, UFW denies all incoming connections and allows all outgoing connections.
This means nobody can reach a service on your server until you explicitly open its port, while applications and services on the server can still reach the outside world.
The default policies are stored in the /etc/default/ufw file and can be changed either by editing that file or with the sudo ufw default <policy> <chain> command.
To follow along with this tutorial, set them back to the defaults:
# Set up default policy for UFW Firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing
This denies all incoming connections and allows all outgoing ones. The defaults alone might suffice for a personal computer, but a server has to answer incoming requests from outside users, so it needs a few allow rules on top.
Step 5: Allowing SSH Connections via UFW
If we enabled UFW now, it would deny every incoming connection, including legitimate SSH and HTTP connections. So first allow incoming SSH, so you can still connect to and manage your server:
# Allow SSH connections
sudo ufw allow ssh
This creates rules allowing connections on port 22/tcp, the port the SSH daemon listens on by default (UFW looks the service name up in /etc/services). You could also give the port number instead:
# Allow SSH connections
sudo ufw allow 22
Note that a bare port number opens both TCP and UDP; sudo ufw allow 22/tcp is the tighter equivalent, since SSH only uses TCP. Replace 22 with a different port number if you've configured the SSH daemon to listen elsewhere.
Alright, with that done, let's enable our UFW firewall.
Step 6: Enabling UFW
Enable UFW with:
# Enabling UFW
sudo ufw enable
You will get a warning that the command may disrupt existing SSH connections. Since we already added a rule allowing SSH, it is safe to continue: respond to the prompt with y and hit ENTER. Enabling also makes the firewall start at boot, so the rules survive a reboot.
The firewall is now up and running. Run sudo ufw status verbose to see the rules that are set.
It should show something like this:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
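The whole baseline from Steps 4 to 6, plus the web ports from Step 7, as one script. This is an added example, not code from the original tutorial or from the UFW project. It assumes a hypothetical admin network of 203.0.113.0/24 and SSH on 22/tcp, and it uses ufw's limit action on SSH instead of a plain allow (limit blocks a source that makes 6 or more connection attempts within 30 seconds). By default the script only prints the ufw commands it would run; set APPLY=1 and run it as root to apply them.

```shell
#!/bin/sh
# Added example: baseline UFW policy for a web server, not part of the
# original page. Assumptions (hypothetical): admin range 203.0.113.0/24,
# SSH on 22/tcp. Prints the commands unless APPLY=1 (then run as root).
set -eu

ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # assumed management source range
SSH_PORT="${SSH_PORT:-22}"
APPLY="${APPLY:-0}"

# run_ufw: execute the ufw command when APPLY=1, otherwise print it.
run_ufw() {
    if [ "$APPLY" = "1" ]; then
        ufw "$@"
    else
        printf 'ufw %s\n' "$*"
    fi
}

# baseline_rules: the rule set in order. The SSH rule must go in before
# 'enable', otherwise a remote session would be cut off.
baseline_rules() {
    run_ufw default deny incoming
    run_ufw default allow outgoing
    # Management port: only from the admin range, and rate limited
    # ('limit' drops a source after 6+ attempts within 30 seconds).
    run_ufw limit from "$ADMIN_NET" to any port "$SSH_PORT" proto tcp
    # Public web ports with an explicit protocol so UDP stays closed.
    run_ufw allow 80/tcp
    run_ufw allow 443/tcp
    # --force skips the "may disrupt existing ssh connections" prompt,
    # which would otherwise hang a non-interactive run.
    run_ufw --force enable
    run_ufw status verbose
}

baseline_rules
```

Run it once without APPLY to read the command list, then sudo env APPLY=1 sh baseline.sh to apply it. For checking a single rule, ufw has its own --dry-run flag (sudo ufw --dry-run allow 80/tcp), which prints the iptables rules a command would add without applying them.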
Step 7: Allowing Other Connections via UFW
Depending on the applications and services running on your server, you'll need to open other ports. The general syntax is:
sudo ufw allow port_number/protocol
You already know how to write rules that allow connections by service name or port number; we did this for SSH on port 22. Here are a few more examples:
# Allow HTTP on port 80
sudo ufw allow 80
# Allow HTTPS on port 443
sudo ufw allow 443
As with SSH above, a bare number opens the port for both TCP and UDP; sudo ufw allow 80/tcp (or the service name, sudo ufw allow http) opens only what a web server actually needs.
Allowing Applications & Services via UFW
You can also allow traffic for specific installed applications and services using profiles. Run the following command to see the profiles UFW knows about:
# View UFW profiles
sudo ufw app list
Seeing an app in that list does not mean UFW has active rules for it; a profile is just a named set of ports, and most of them are installed by the packages themselves. They live in /etc/ufw/applications.d, where you can also add your own, but don't delete the ones that are there. sudo ufw app info 'Nginx Full' shows what a given profile opens.
You enable a profile with the familiar command:
sudo ufw allow application_profile
For example, if you have Nginx installed, you might see these application profiles:
Available applications:
Nginx Full
Nginx HTTP
Nginx HTTPS
OpenSSH
To enable Nginx Full, which opens both port 80 (plain, unencrypted web traffic) and port 443 (TLS-encrypted traffic):
# Enabling Nginx Full
sudo ufw allow 'Nginx Full'
You should get output like this:
# Output
Rules updated
Rules updated (v6)
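The profile format the text refers to, as an added example that is not from the original page or from the UFW project's own files. It writes a profile for a hypothetical service, "myapi" listening on 8443/tcp, checks the ports string before writing, and shows how the profile is then registered and used in a source-restricted rule. PROFILE_DIR defaults to a temporary directory so the file can be inspected first; set it to /etc/ufw/applications.d to install it for real.

```shell
#!/bin/sh
# Added example, not from the original page: write a custom UFW application
# profile for a hypothetical service ("myapi" on 8443/tcp), check its
# ports syntax, and show how to register and use it.
set -eu

# Target directory; defaults to a scratch dir so this is safe to run anywhere.
PROFILE_DIR="${PROFILE_DIR:-$(mktemp -d)}"

# profile_text NAME TITLE DESCRIPTION PORTS
# Returns the profile in ufw's INI-style format. The section name is what
# 'ufw app list' displays and what you pass to 'ufw allow'.
profile_text() {
    printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' "$1" "$2" "$3" "$4"
}

# ports_ok PORTS
# Accepts the port syntax used in shipped profiles: comma-separated ports
# or low:high ranges with a protocol, groups joined by '|'
# (e.g. "80,443/tcp" or "8443/tcp|5353/udp"). Deliberately stricter than
# ufw's own parser: an explicit protocol is required for every group.
ports_ok() {
    printf '%s' "$1" | grep -Eq '^[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*/(tcp|udp)(\|[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*/(tcp|udp))*$'
}

# install_profile NAME TITLE DESCRIPTION PORTS
# Writes one profile per file (ufw reads every file in the directory) and
# prints the path. Fails before writing if the ports string is malformed.
install_profile() {
    ports_ok "$4" || { echo "bad ports spec: $4" >&2; return 1; }
    file="$PROFILE_DIR/$1"
    profile_text "$1" "$2" "$3" "$4" > "$file"
    chmod 0644 "$file"
    printf '%s\n' "$file"
}

install_profile myapi "My API" "Internal HTTPS API (hypothetical)" "8443/tcp"

# On the live system (PROFILE_DIR=/etc/ufw/applications.d), register the
# profile and use it like the shipped ones:
#   sudo ufw app update myapi
#   sudo ufw app info myapi
#   sudo ufw allow from 10.0.0.0/8 to any app myapi
```

ufw app update re-reads the profile directory; ufw app info prints the ports a profile resolves to, which is worth checking before you allow it.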
Allowing Specific IP addresses via UFW
You can also allow traffic from a specific IP address by adding from. For example, to allow connections from 123.45.67.89 to every port on the server, use:
sudo ufw allow from 123.45.67.89
That is usually broader than you want. To restrict a source address to one port, add to any port followed by the port number.
For example, to allow 123.45.67.89 to connect only to port 22 (SSH), use:
sudo ufw allow from 123.45.67.89 to any port 22
Allowing Specific Subnets via UFW
You can also allow a whole subnet, using CIDR notation to give the netmask.
For example, to allow every address in 123.45.67.0/24 (123.45.67.0 through 123.45.67.255), use:
sudo ufw allow from 123.45.67.0/24
Likewise, you can limit a subnet to a destination port, say 22:
sudo ufw allow from 123.45.67.0/24 to any port 22
Source-restricted rules like this are the right way to expose management ports such as SSH: open them to your office or VPN range rather than to the whole internet.
Step 8: Denying Connections via UFW
By default, UFW denies all incoming connections, which keeps the policy simple: you only write rules that explicitly allow specific ports and addresses.
If you changed the default incoming policy to allow (not recommended), you'll want deny rules for any services or addresses you don't want connections from.
To write deny rules, use the same commands as above, replacing allow with deny.
For example, to deny HTTP connections:
sudo ufw deny http
You can also block all connections from a particular IP address, say 123.45.67.89:
sudo ufw deny from 123.45.67.89
Similarly, a whole subnet:
sudo ufw deny from 123.45.67.0/24
Output
Status: active
To Action From
-- ------ ----
Anywhere DENY 123.45.67.89
Anywhere DENY 123.45.67.0/24
This is useful for cutting off a specific source address or subnet when your server is being attacked. One caveat: UFW evaluates rules in order and the first match wins, so a deny appended after an existing allow for the same port never fires. Put blocking rules at the top with sudo ufw insert 1 deny from 123.45.67.89 (sudo ufw status numbered shows the order).
Step 9: Deleting UFW Firewall Rules
There are two ways to specify which rule to delete: by rule number or by the rule itself.
Deleting UFW Rules by Rule Number
To delete a rule by number, first list the rules with their numbers:
sudo ufw status numbered
# Numbered Output of UFW Rules
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 80 ALLOW IN Anywhere
[ 3] 443 ALLOW IN Anywhere
[ 4] 22/tcp (v6) ALLOW IN Anywhere (v6)
[ 5] 80 (v6) ALLOW IN Anywhere (v6)
[ 6] 443 (v6) ALLOW IN Anywhere (v6)
Note the “(v6)” marking an IPv6 rule; the unmarked ones are IPv4 rules.
To delete, say, rule number 3:
sudo ufw delete 3
You'll be asked to confirm; type y and hit enter.
# Output
Deleting:
allow 443
Proceed with operation (y|n)? y
Rule deleted
Keep in mind that the remaining rules are renumbered after every deletion (the IPv6 copy of this rule, previously number 6, is now number 5), so re-run sudo ufw status numbered before deleting the next one, or delete from the highest number down.
Deleting UFW Rules by Actual Rule
The other way is to spell out the rule itself, exactly as it was added.
For example, a rule created with sudo ufw allow https is removed with:
sudo ufw delete allow https
The specification has to match the existing rule: the rule we created above with allow 443 has no protocol, so it is deleted with the port number form instead:
sudo ufw delete allow 443
This form removes the IPv4 and IPv6 copies in one go.
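Deleting by number is awkward for more than one rule, because the numbers shift after each deletion and the IPv4 and IPv6 copies are separate rules. The following script, an added example that is not part of the original tutorial, parses the output of sudo ufw status numbered, finds every rule (v4 and v6) whose To column matches a given port, and emits the delete commands highest number first so earlier deletions don't invalidate later numbers. The status text embedded in it is a constructed sample copied from the layout above so the script runs offline; on a live system pass "$(sudo ufw status numbered)" instead.

```shell
#!/bin/sh
# Added example, not from the original page: delete every rule for a port
# (IPv4 and IPv6 copies) from 'ufw status numbered' output, highest
# number first, because each deletion renumbers the rules below it.
set -eu

# Constructed sample of 'sudo ufw status numbered' output (offline stand-in
# for the live command; the layout matches the tutorial's example).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80 (v6)                    ALLOW IN    Anywhere (v6)
[ 6] 443 (v6)                   ALLOW IN    Anywhere (v6)'

# matching_rule_numbers STATUS_TEXT TO_SPEC
# Prints the numbers of every rule whose "To" column equals TO_SPEC
# (e.g. "443" or "22/tcp"), v4 and "(v6)" alike, in descending order.
matching_rule_numbers() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^\[ *[0-9]+]/ {
            close_br = index($0, "]")
            num = substr($0, 2, close_br - 2)      # text between [ and ]
            gsub(/ /, "", num)
            split(substr($0, close_br + 1), col)   # default split trims spaces
            if (col[1] == want) print num          # col[1] is the To column
        }' | sort -rn
}

# delete_commands STATUS_TEXT TO_SPEC
# Emits 'ufw --force delete N' lines in the safe (descending) order;
# --force skips the per-rule confirmation prompt. Review the list, then
# pipe it to 'sudo sh' on the live system.
delete_commands() {
    for num in $(matching_rule_numbers "$1" "$2"); do
        printf 'ufw --force delete %s\n' "$num"
    done
}

delete_commands "$SAMPLE_STATUS" 443
```

On a live host: delete_commands "$(sudo ufw status numbered)" 443 | sudo sh. Matching on the To column rather than a loose grep avoids picking up a rule whose From column happens to contain the same number.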
Step 10: Disabling & Resetting UFW
You can disable UFW with:
sudo ufw disable
This stops enforcing the rules you created (and stops the firewall starting at boot) but keeps them, so sudo ufw enable brings them back whenever you need them.
If you want to start over, use the reset command:
sudo ufw reset
This disables UFW and deletes every rule you defined, restoring the installation defaults (a backup of the old rule files is left in /etc/ufw). Remember that the SSH allow rule goes with them, so re-add it before enabling the firewall again on a remote server.
That’s all folks!
You now know how to set up a fully configured firewall on your Ubuntu server. Allow only the incoming connections your services need, block the rest, and your server stays secure and running.