How to Configure the UFW Firewall

Introduction

The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall. ufw aims to provide an easy-to-use interface for people unfamiliar with firewall concepts, while at the same time simplifying complicated iptables commands to help an administrator who knows what he or she is doing [1].
In this tutorial, you will learn how to set up a firewall with UFW on Ubuntu 14.04.

Requirements

  • Ubuntu-14.04 installed on your system
  • A non-root user account with sudo privilege set up on your system

Installing UFW

UFW is installed by default on Ubuntu 14.04. If it is missing, you can install it yourself by running the following command:

sudo apt-get install ufw

Before starting, you should check whether UFW is running or not. You can do this by running the following command:

sudo ufw status

You should see the following output:

Status: inactive

If you see the output above, the firewall is not active. You can enable it by typing the following command:

sudo ufw enable

You should see the following output:

Firewall is active and enabled on system startup

To disable it, run the following command:

sudo ufw disable

List current ufw rules

You can display the firewall status, logging level and default policies by running the following command:

sudo ufw status verbose

You should see the following output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

Note that by default every incoming connection is denied, while outgoing connections are allowed.

Allow connections

If you want to reach your system from a remote machine, you will need to allow SSH connections. Add this rule as soon as the firewall is enabled: the default policy denies all other incoming traffic, so a new SSH session would otherwise be refused. You can allow SSH by running either of the following commands:

sudo ufw allow ssh

or

sudo ufw allow 22/tcp

Output:

Rule added
Rule added (v6)

Now, check the status of UFW:

sudo ufw status

You should see the output like this:

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
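The SSH rule is the one that decides whether you keep access to a remote host once incoming traffic is denied by default. As an added example (not part of the original tutorial), the following script parses the text that "ufw status verbose" and "ufw status numbered" print and only approves running "ufw enable" when an inbound ALLOW rule for the SSH port exists. The sample outputs are constructed to match the format shown above; the SSH port of 22 is an assumption (override it with the SSH_PORT variable if sshd listens elsewhere).

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a pre-flight check that
# parses the output of "ufw status verbose" and "ufw status numbered" and only
# approves "ufw enable" when an inbound ALLOW rule exists for the SSH port.
# The sample outputs below are constructed to match the tutorial's format; on
# a real host capture them with "sudo ufw status verbose" and
# "sudo ufw status numbered".

SSH_PORT="${SSH_PORT:-22}"   # assumption: sshd listens on 22

# Constructed "ufw status verbose" output: default policy denies incoming.
SAMPLE_VERBOSE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip'

# Constructed rule listing before "ufw allow ssh" was run.
SAMPLE_RULES_NO_SSH='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80/tcp                     DENY IN     Anywhere
[ 2] 80/tcp (v6)                DENY IN     Anywhere (v6)'

# Constructed rule listing after "ufw allow ssh".
SAMPLE_RULES_WITH_SSH='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80/tcp                     DENY IN     Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp (v6)                DENY IN     Anywhere (v6)
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# default_incoming_policy VERBOSE_TEXT -> prints "deny", "allow" or "reject"
default_incoming_policy() {
    printf '%s\n' "$1" | sed -n 's/^Default: \([a-z]*\) (incoming).*/\1/p'
}

# has_inbound_allow LISTING PORT -> exit 0 if some rule allows PORT (or
# PORT/tcp) inbound, from anywhere or from one address; exit 1 otherwise
has_inbound_allow() {
    printf '%s\n' "$1" | awk -v port="$2" '
        # drop the "[ n]" prefix and the " (v6)" tag so "To" is always $1
        { sub(/^\[ *[0-9]+\] */, ""); sub(/ \(v6\)/, "") }
        ($1 == port || $1 == (port "/tcp")) && $2 == "ALLOW" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# safe_to_enable VERBOSE_TEXT LISTING -> exit 0 when "ufw enable" will not
# cut off SSH: incoming is not denied by default, or an SSH allow rule exists
safe_to_enable() {
    policy=$(default_incoming_policy "$1")
    if [ "$policy" != "deny" ] && [ "$policy" != "reject" ]; then
        return 0
    fi
    has_inbound_allow "$2" "$SSH_PORT"
}

# Demo against the constructed samples: the first listing is refused.
for listing in "$SAMPLE_RULES_NO_SSH" "$SAMPLE_RULES_WITH_SSH"; do
    if safe_to_enable "$SAMPLE_VERBOSE" "$listing"; then
        echo "OK: inbound allow rule for port $SSH_PORT exists; safe to run: sudo ufw enable"
    else
        echo "STOP: no inbound allow rule for port $SSH_PORT; run 'sudo ufw allow $SSH_PORT/tcp' first"
    fi
done
```

On a live host, replace the two constructed strings with "$(sudo ufw status verbose)" and "$(sudo ufw status numbered)"; the check deliberately treats a "reject" default the same as "deny", since both refuse new SSH sessions.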

Deny connections

If you want to deny access to a certain port, use the following format:

sudo ufw deny <port>/<protocol>

For example, you can deny access to port 80 by running the following command:

sudo ufw deny 80/tcp

Allow Specific Port Range

You can also specify a port range in a rule. For example, to allow TCP ports 2200 through 2300, run the following command:

sudo ufw allow 2200:2300/tcp

Now, check the status for the UFW:

sudo ufw status

You should see the following output:

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
80/tcp                     DENY        Anywhere
2200:2300/tcp              ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                DENY        Anywhere (v6)
2200:2300/tcp (v6)         ALLOW       Anywhere (v6)

Allow access from Specific IP Address

You can also allow access to a specific port from a specific IP address only. For example, to allow 192.168.0.15 to reach port 22, run the following command:

sudo ufw allow from 192.168.0.15 to any port 22

Deleting Rules

You can also delete specific UFW rules. First list the rules with their numbers, then remove the one you want. Run the following command to list the rules:

sudo ufw status numbered

Output:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp                     DENY IN     Anywhere
[ 4] 2200:2300/tcp              ALLOW IN    Anywhere
[ 5] 22                         ALLOW IN    192.168.0.15
[ 6] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 7] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 80/tcp (v6)                DENY IN     Anywhere (v6)
[ 9] 2200:2300/tcp (v6)         ALLOW IN    Anywhere (v6)

Now, to remove any of these rules, use its number:

sudo ufw delete <number>

For example, to remove the third rule, run the following command:

sudo ufw delete 3

ufw asks you to confirm the deletion. The remaining rules are renumbered afterwards, so list them again before deleting another rule.
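Because the listing is renumbered after each deletion, removing several rules by number in ascending order hits the wrong rules from the second delete onward. As an added example (not the tutorial's own code), the following helper validates the requested numbers against a constructed "ufw status numbered" listing and prints the delete commands highest-number first, so each number still refers to the rule you looked at.

```shell
#!/bin/sh
# Added example, not the tutorial's own code: plan the deletion of several
# numbered rules. After every "ufw delete N" the remaining rules are
# renumbered, so deleting 3 and then 5 from the listing below would remove
# the wrong second rule. This helper validates the requested numbers against
# a (constructed) "ufw status numbered" listing and prints the delete commands
# highest-number first. It only prints; review the plan, then run the lines.

# Constructed listing in the format the tutorial shows.
SAMPLE_NUMBERED='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp                     DENY IN     Anywhere
[ 4] 2200:2300/tcp              ALLOW IN    Anywhere
[ 5] 22                         ALLOW IN    192.168.0.15'

# rule_count LISTING -> number of "[ n]" entries in the listing
rule_count() {
    printf '%s\n' "$1" | grep -c '^\[ *[0-9][0-9]*\]' || true
}

# delete_order N... -> the numbers de-duplicated and sorted highest first,
# space separated on one line
delete_order() {
    printf '%s\n' "$@" | sort -run | tr '\n' ' ' | sed 's/ $//'
}

# plan_deletes LISTING N... -> prints one "sudo ufw delete N" per rule,
# highest first; prints nothing and returns 1 if any N is not in LISTING
plan_deletes() {
    listing=$1; shift
    total=$(rule_count "$listing")
    for n in "$@"; do
        case $n in
            ''|*[!0-9]*) echo "not a rule number: '$n'" >&2; return 1 ;;
        esac
        if [ "$n" -lt 1 ] || [ "$n" -gt "$total" ]; then
            echo "rule $n does not exist (listing has $total rules)" >&2
            return 1
        fi
    done
    for n in $(delete_order "$@"); do
        echo "sudo ufw delete $n"
    done
}

# Demo: remove the port 80 deny (rule 3) and the per-host SSH rule (rule 5).
plan_deletes "$SAMPLE_NUMBERED" 3 5
```

Each printed command still prompts for confirmation when run; ufw also accepts the rule specification instead of the number (for example, "sudo ufw delete deny 80/tcp"), which avoids the renumbering problem entirely.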

If you need to go back to the default settings, type the following command. This removes every rule you added and disables the firewall, so run sudo ufw enable again afterwards:

sudo ufw reset

References

[1] https://wiki.ubuntu.com/UncomplicatedFirewall

Rick Donato
