UFW, short for "Uncomplicated Firewall", is a front end for the more complex iptables tool. It is designed to make managing a host firewall easy: opening and closing ports and controlling which traffic is allowed through.
UFW is installed by default on Ubuntu, but if it is not, you can install it with:
sudo apt-get install ufw
If you run another distro, use its package manager; UFW is widely packaged. You can check the status of the firewall with:
sudo ufw status
which should print "Status: inactive" if you have not configured it before.
A good place to start with any firewall is to deny all incoming traffic and allow all outgoing traffic. Do not worry: this will not drop your SSH session, because the firewall is not active until you enable it.
sudo ufw default deny incoming
sudo ufw default allow outgoing
This gives you a clean slate to add rules on top of.
Open ports with UFW
Use the ufw allow command to open ports. For example, to open port 22 (SSH), run:
sudo ufw allow 22
Without a protocol, the rule matches both TCP and UDP; append /tcp or /udp when you want to be precise.
You can also leave a note for your future self when adding any rule:
sudo ufw allow 8080/tcp comment 'Open port for Express API'
You can also refer to a service by name instead of number; ufw looks the name up in /etc/services, so this is equivalent to port 22:
sudo ufw allow ssh
Separately, many packages install application profiles for UFW under /etc/ufw/applications.d (openssh-server installs one named OpenSSH, for example), and you can allow the ports an application needs by giving its profile name. List the available profiles with
ufw app list, and view the ports a profile opens with
ufw app info [name].
You can also allow a whole range of ports by using a colon as a separator; for a range you must also specify the protocol. For example, to allow TCP only on ports 3000 to 3100, run:
sudo ufw allow 3000:3100/tcp
Because the default policy denies incoming traffic, you do not need to close unused incoming ports manually. To block an outgoing port, you must give a direction. Note the difference between "reject", which sends an error back to the sender (a TCP reset or ICMP unreachable), and "deny", which silently drops the packet; reject is friendlier for applications on your own host, deny gives away less to outsiders:
sudo ufw reject out 3001
Whitelisting and rate limiting with UFW
You can give specific IP addresses different permissions. For example, to allow all traffic from one address (the private address 192.168.1.1 here), run:
sudo ufw allow 192.168.1.1
To whitelist only a specific port for that address, use the full syntax (here TCP to port 22):
sudo ufw allow proto tcp from 192.168.1.1 to any port 22
You probably do not want to restrict SSH this way unless you have an out-of-band console or some form of port knocking, because the public IP address you connect from may change. If you want SSH reachable only by you, one option is to run an OpenVPN server in the same private network and whitelist only that server's address.
To whitelist an entire block of addresses, as when your servers share a virtual private cloud, use CIDR notation:
sudo ufw allow 192.168.0.0/24
Subnets can be confusing, so read our guide to working with them if you want to learn more.
Rate limiting is another useful firewall feature: it blocks sources that open connections too aggressively, which is how you blunt an attacker brute-forcing an exposed SSH port. Whitelisting the port protects it completely, but rate limiting is still useful when you cannot pin down the source address. UFW's limit rule denies a source address that has attempted 6 or more connections in the last 30 seconds, and it is intended for SSH:
sudo ufw limit ssh
Turn on UFW
When you have finished configuring your rules, you can enable UFW. Make sure your SSH port (22 by default) is allowed, otherwise you will lock yourself out. As a safety net, you can stop UFW from starting at boot so that a reboot from your provider's console would clear a lockout:
sudo systemctl disable ufw
Then activate UFW with:
sudo ufw enable
If all goes well, run
ufw status to display the current rules. If you are not locked out and the firewall is running, set it to start at boot again with:
sudo systemctl enable ufw
Rules added with the ufw command take effect immediately while the firewall is active. If you edit the files under /etc/ufw/ by hand (for example the application profiles), apply them with:
sudo ufw reload
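The steps so far (default policies, an SSH rule first, whitelist or rate limit, then enable) collected into one script. This is an added example, not part of the original article: the variable names SSH_PORT, ADMIN_CIDR and APPLY, and the web ports 80 and 443 it opens, are this example's assumptions. Without APPLY=1 it only prints the ufw commands it would run, and it refuses to enable the firewall unless the plan contains a rule for the SSH port.

```shell
#!/bin/sh
# Added example (not from the original article). Builds a UFW rule set and
# applies it only when APPLY=1; otherwise it prints the planned ufw commands.
# SSH_PORT, ADMIN_CIDR and APPLY are names assumed for this example.

SSH_PORT="${SSH_PORT:-22}"      # port sshd listens on
ADMIN_CIDR="${ADMIN_CIDR:-}"    # e.g. 10.0.0.0/24; empty = SSH from anywhere, rate-limited
APPLY="${APPLY:-0}"             # 1 = run the commands, anything else = dry run

# Print the argument list of each ufw command, one per line. The SSH rule
# comes right after the defaults so the plan never ends with no way back in.
plan_rules() {
    echo "default deny incoming"
    echo "default allow outgoing"
    if [ -n "$ADMIN_CIDR" ]; then
        # whitelist: only the admin subnet may reach the SSH port
        echo "allow proto tcp from $ADMIN_CIDR to any port $SSH_PORT comment admin-ssh"
    else
        # no fixed source address: keep SSH open but rate-limit it
        echo "limit $SSH_PORT/tcp comment ssh-rate-limited"
    fi
    echo "allow 80/tcp comment http"
    echo "allow 443/tcp comment https"
}

# Succeeds only if the plan contains an allow/limit rule for SSH_PORT.
ssh_rule_present() {
    plan_rules | grep -Eq "^(allow|limit) (.* )?($SSH_PORT/tcp|port $SSH_PORT)( |\$)"
}

# Apply the plan and enable the firewall, refusing to proceed without SSH.
apply_rules() {
    if ! ssh_rule_present; then
        echo "refusing to enable: no rule for SSH port $SSH_PORT" >&2
        return 1
    fi
    plan_rules | while read -r args; do
        # shellcheck disable=SC2086  # word splitting of our own plan is intended
        sudo ufw $args
    done
    sudo ufw --force enable        # --force skips the interactive prompt
    sudo ufw status verbose
}

if [ "$APPLY" = "1" ]; then
    apply_rules
else
    printf 'Dry run (set APPLY=1 to apply):\n'
    plan_rules | sed 's/^/  ufw /'
fi
```

Run it once without APPLY to read the plan, then with APPLY=1 from a session you can afford to lose; the comments on each rule are what you will see later in ufw status.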
You can also turn on logging; blocked packets are then written to the kernel log and /var/log/ufw.log with a [UFW BLOCK] prefix:
sudo ufw logging on
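Once logging is on, the useful question is which sources and ports are being blocked. The script below is an added example, not part of the original article: it summarises [UFW BLOCK] and [UFW LIMIT BLOCK] entries, and the lines in SAMPLE_LOG are constructed for the example (real entries come from /var/log/ufw.log or journalctl -k). The function names and the threshold argument are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Summarises blocked packets
# from UFW's kernel log entries. SAMPLE_LOG is constructed data; on a real
# host pipe /var/log/ufw.log or `journalctl -k` into the same functions.

SAMPLE_LOG='Mar  3 10:15:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.2 LEN=40 TTL=244 ID=54321 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.2 LEN=40 TTL=244 ID=54322 PROTO=TCP SPT=4445 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:09 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.2 LEN=60 TTL=51 ID=1 PROTO=UDP SPT=53 DPT=1900 LEN=40
Mar  3 10:15:10 web1 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.2 LEN=40 TTL=244 ID=54323 PROTO=TCP SPT=4446 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:11 web1 kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.1.1 DST=10.0.0.2 LEN=40 TTL=64 ID=7 PROTO=TCP SPT=50000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# Reduce each blocked entry (plain or rate-limit block) to "SRC PROTO DPT".
# Allowed packets ([UFW ALLOW]) are ignored.
blocked_tuples() {   # log text on stdin
    grep -E '\[UFW (LIMIT )?BLOCK\]' |
    sed -E 's/.* SRC=([0-9a-fA-F.:]+) .* PROTO=([A-Z0-9]+) .* DPT=([0-9]+).*/\1 \2 \3/'
}

# "count SRC PROTO DPT", most frequent first.
blocked_summary() {   # log text on stdin
    blocked_tuples | sort | uniq -c | sort -rn
}

# Source addresses with at least N blocked packets (default 2): candidates
# for a deny rule or a closer look.
noisy_sources() {   # $1 = threshold, log text on stdin
    min="${1:-2}"
    blocked_tuples | awk -v min="$min" '{ n[$1]++ } END { for (s in n) if (n[s] >= min) print s }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | blocked_summary
```

On the sample data the top line is the rate-limited source hammering port 22; on a real host the same summary tells you whether a port you thought was whitelisted is still being probed from elsewhere.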
Manage and delete rules
To delete a rule, first list the rules with their numbers:
sudo ufw status numbered
Note that numbering starts at 1, not 0, and that the numbers shift after a deletion, so list again before deleting another. Delete a rule by number (ufw asks for confirmation first):
sudo ufw delete [number]
Again, make sure you do not delete the rule that keeps port 22 open. To preview what a command would change without applying it, pass the --dry-run option to ufw; you can also delete a rule by repeating it with delete in front of allow, which avoids the numbering problem. Changes made with the ufw command apply immediately; confirm the result by listing the rules again.