Mastering Linux Firewall with UFW (Uncomplicated Firewall): The Ultimate Command Reference & Configuration Guide

UFW (Uncomplicated Firewall) is a simplified interface for managing iptables, the standard Linux firewall. It is designed to make firewall configuration easier while maintaining powerful security features. This command reference is a beginner-friendly yet comprehensive guide to Linux firewall management.

Key Notes Before Proceeding

  • Most UFW commands require sudo privileges.
  • UFW modifies iptables rules but abstracts away the complexity; the generated rule files live under /etc/ufw/ (user.rules, before.rules, after.rules and their IPv6 twins).
  • Before enabling the firewall on a remote host, add a rule allowing your SSH port first: with the recommended default deny incoming policy, enabling with no SSH rule locks you out. Check the rule set with sudo ufw status before and after enabling.

Enable/Disable UFW

Command            Description
sudo ufw enable    Activates UFW now and enables it at boot.
sudo ufw disable   Stops UFW and disables it at boot.

Check UFW Status

Command                    Description
sudo ufw status            Shows whether UFW is active and lists the active rules.
sudo ufw status verbose    Detailed status, including the default policies and the logging level.
sudo ufw status numbered   Lists rules with numbers for easy deletion.

Reset UFW to Defaults

Command          Description
sudo ufw reset   Disables UFW and resets the rule set to the installed defaults. The previous rule files are backed up in /etc/ufw as *.rules.<timestamp> before they are replaced, so a mistaken reset can be recovered.

Default Policies

Controls what happens to incoming, outgoing, and routed (forwarded) traffic that no explicit rule matches. Rules are evaluated first; the default policy applies only to the remainder.

Command                           Description                                                                                                   Security Note
sudo ufw default deny incoming    Silently drops all incoming connections unless explicitly allowed.                                            Recommended, especially on internet-facing hosts.
sudo ufw default allow outgoing   Allows all outgoing traffic by default.                                                                       Commonly used for usability; tighten it on servers that should never initiate connections.
sudo ufw default reject incoming  Rejects incoming traffic with an ICMP unreachable or TCP reset instead of dropping it, so the sender fails fast.  Useful for debugging, but it confirms to a scanner that the host is up and filtering; prefer deny on exposed hosts.
sudo ufw default deny routed      Drops traffic forwarded between interfaces unless a route rule allows it.                                    Keep this unless the host is a router or NAT gateway.

Basic Port Rules

Command                        Description                                   Example
sudo ufw allow <port>          Allows traffic on a port (both TCP and UDP).  sudo ufw allow 22
sudo ufw allow <port>/<proto>  Allows only TCP or UDP on the port.           sudo ufw allow 53/udp
sudo ufw deny <port>           Blocks traffic on a port.                     sudo ufw deny 23

Service Names (Resolved via /etc/services)

UFW recognizes common services (e.g., ssh, http).

sudo ufw allow ssh      # Allows port 22 (SSH)
sudo ufw allow http     # Allows port 80 (HTTP)
sudo ufw allow https    # Allows port 443 (HTTPS)

IP-Based Rules

Command                                      Description                                  Example
sudo ufw allow from <IP>                     Allows all traffic from an IP.               sudo ufw allow from 192.168.1.100
sudo ufw allow from <IP> to any port <port>  Allows one IP to reach one specific port.    sudo ufw allow from 192.168.1.100 to any port 3306
sudo ufw deny from <IP>                      Blocks all traffic from an IP.               sudo ufw deny from 10.0.0.5

Port Ranges

sudo ufw allow 5000:6000/tcp   # Allow TCP ports 5000-6000
sudo ufw allow 9000:9100/udp   # Allow UDP ports 9000-9100

The protocol is mandatory for ranges: sudo ufw allow 5000:6000 without /tcp or /udp is rejected with an error.

Rate Limiting (Brute-Force Protection)

  • ufw limit allows the connection but starts denying an IP that has opened 6 or more connections to the port within the last 30 seconds (useful for SSH).
  • Implemented with the iptables recent module; blocked attempts are logged with the prefix [UFW LIMIT BLOCK].
sudo ufw limit ssh   # Allow SSH but block brute-force attempts

Deleting Rules

  1. List rules with numbers:
   sudo ufw status numbered
  2. Delete by rule number (add --force to skip the confirmation prompt):
   sudo ufw delete 2   # Deletes rule #2

Rules are renumbered after every deletion, so when removing several, delete the highest number first or re-run sudo ufw status numbered between deletions.

Or delete by rule syntax, repeating the rule exactly as it was added:

sudo ufw delete allow 22   # Removes the rule allowing port 22
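Because UFW renumbers the remaining rules after each deletion, removing several rules by number is easy to get wrong. The following shell script is an added example, not part of the original article: it parses the output of sudo ufw status numbered, finds every rule whose To column is a given port (bare, /tcp or /udp), and prints the rule numbers highest first so they can be deleted in one pass without the numbers shifting underneath you. The status text embedded in it is constructed sample output, and the function and variable names are this example's own.

```shell
# Added example, not part of the original article. Function and variable
# names are this example's own; the status text is constructed sample
# output in the format of `sudo ufw status numbered`.

# rule_numbers_for_port STATUS_TEXT PORT
# Prints the numbers of all rules whose "To" column is PORT, PORT/tcp or
# PORT/udp, highest number first, so that deleting them in that order
# leaves every remaining number valid.
rule_numbers_for_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^\[ *[0-9]+\]/ {
            sub(/^\[ */, "")          # "[ 4] 23/tcp ..." -> "4] 23/tcp ..."
            sub(/\]/, " ")            # -> "4  23/tcp ...", $0 is re-split
            # $1 is now the rule number, $2 the "To" column
            if ($2 == port || $2 == port "/tcp" || $2 == port "/udp") print $1
        }' | sort -rn
}

# delete_rules_for_port PORT
# Live version: deletes every matching rule; --force skips the prompt.
delete_rules_for_port() {
    for n in $(rule_numbers_for_port "$(sudo ufw status numbered)" "$1"); do
        sudo ufw --force delete "$n"
    done
}

# Constructed sample, standing in for the output of: sudo ufw status numbered
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 23                         DENY IN     Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 23/tcp                     DENY IN     10.0.0.0/8
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Dry run on the sample: prints 4, then 2
rule_numbers_for_port "$SAMPLE_STATUS" 23
```

Run the dry-run first; only delete_rules_for_port touches the live firewall, and it reads the numbers fresh from ufw itself rather than from a stale listing.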

Application Profiles

UFW supports predefined application rules (profiles that packages install into /etc/ufw/applications.d/).

Command                    Description                          Example
sudo ufw app list          Lists available profiles.            sudo ufw app list
sudo ufw app info <name>   Shows the ports a profile opens.     sudo ufw app info 'Nginx Full'
sudo ufw allow <app>       Allows an application's ports.       sudo ufw allow 'Nginx HTTP'

Enable Logging

sudo ufw logging on        # Enable (default level: low)
sudo ufw logging high      # Very verbose, still rate-limited
sudo ufw logging off       # Disable
sudo ufw allow log 22/tcp  # Log matches of one rule only, independent of the global level
  • Entries are kernel log messages: with rsyslog they land in /var/log/ufw.log, otherwise read them with journalctl -k or dmesg.
  • Levels:
    • low (default) – Logs blocked packets that hit the default policy, plus packets matching rules with logging enabled.
    • medium – Adds allowed packets that do not match the default policy, invalid packets, and new connections.
    • high – Adds all packets, with rate limiting applied to the log output (noisy).
    • full – Like high, but without rate limiting (noisiest).
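Logging is only useful if something reads it. The following is an added example, not part of the original article, of detection logic run over UFW log lines: one function counts blocked packets per source address, the other flags sources that were blocked on several distinct destination ports, which is what a port scan looks like as opposed to a single misdirected client. The log lines are constructed in the netfilter format UFW emits, the function names are this example's own, and on a real host you would point the functions at /var/log/ufw.log or a saved journalctl -k dump.

```shell
# Added example, not part of the original article. The log lines below are
# constructed in the netfilter format UFW emits; function names are this
# example's own. Point the functions at /var/log/ufw.log (or a saved
# `journalctl -k` dump) on a real host.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar 10 12:00:01 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=245 PROTO=TCP SPT=44321 DPT=22 SYN
Mar 10 12:00:02 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=245 PROTO=TCP SPT=44322 DPT=22 SYN
Mar 10 12:00:09 gw kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=245 PROTO=TCP SPT=44330 DPT=22 SYN
Mar 10 12:00:11 gw kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=245 PROTO=TCP SPT=44331 DPT=22 SYN
Mar 10 12:01:30 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=51000 DPT=21 SYN
Mar 10 12:01:30 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=51001 DPT=23 SYN
Mar 10 12:01:31 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=51002 DPT=3306 SYN
Mar 10 12:02:00 gw kernel: [UFW AUDIT] IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=443 SYN
Mar 10 12:02:05 gw kernel: eth0: link is up
EOF

# blocked_sources LOGFILE
# Counts [UFW BLOCK] and [UFW LIMIT BLOCK] events per source address,
# busiest first ("count address" per line). AUDIT and non-UFW lines are ignored.
blocked_sources() {
    awk '/\[UFW [A-Z ]*BLOCK\]/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) hits[substr($i, 5)]++
    }
    END { for (s in hits) print hits[s], s }' "$1" | sort -rn
}

# port_scanners LOGFILE THRESHOLD
# Lists sources blocked on at least THRESHOLD distinct destination ports,
# the signature of a port scan rather than one misdirected client.
port_scanners() {
    awk -v limit="$2" '/\[UFW [A-Z ]*BLOCK\]/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] >= limit + 0) print s }' "$1" | sort
}

blocked_sources "$SAMPLE_LOG"        # 4 203.0.113.7 / 3 198.51.100.23
port_scanners "$SAMPLE_LOG" 3        # 198.51.100.23
```

The LIMIT BLOCK lines count toward the per-source total, so a host tripping ufw limit on SSH shows up at the top of blocked_sources even though it never hit more than one port.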

Port Forwarding (NAT)

  1. Allow the kernel to forward packets. UFW applies /etc/ufw/sysctl.conf when it starts; uncomment or add:
   net/ipv4/ip_forward=1
  2. Set the forwarding policy in /etc/default/ufw (or leave it at DROP and allow only specific paths with sudo ufw route allow ...):
   DEFAULT_FORWARD_POLICY="ACCEPT"
  3. Add the nat table to /etc/ufw/before.rules, above the existing *filter line (each table ends with its own COMMIT):
   *nat
   :PREROUTING ACCEPT [0:0]
   -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
   COMMIT
  4. Restart UFW so the new table is loaded:
   sudo ufw disable && sudo ufw enable
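Putting the whole procedure together, as an added example that is not part of the original article: the first function generates the nat table for before.rules (the DNAT rule for the inbound port plus a MASQUERADE rule so replies return through the firewall even when the target does not use it as its default gateway); the second applies every step once, keeping DEFAULT_FORWARD_POLICY at DROP and opening only the forwarded path with sudo ufw route allow instead of accepting all forwarded traffic. The interface names, addresses and function names are assumptions for illustration.

```shell
# Added example, not part of the original article. Interface names,
# addresses and function names below are illustrative assumptions.

# gen_nat_rules WAN_IF LAN_IF PUBLIC_PORT TARGET_IP TARGET_PORT
# Prints the *nat table that belongs at the TOP of /etc/ufw/before.rules,
# above the existing "*filter" line. Each table must end with its own COMMIT.
gen_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Redirect connections arriving on $1 port $3 to $4:$5
-A PREROUTING -i $1 -p tcp --dport $3 -j DNAT --to-destination $4:$5
# Masquerade the forwarded flow so replies come back through this host
# even if $4 does not use it as its default gateway
-A POSTROUTING -o $2 -p tcp -d $4 --dport $5 -j MASQUERADE
COMMIT
EOF
}

# apply_port_forward WAN_IF LAN_IF PUBLIC_PORT TARGET_IP TARGET_PORT
# Runs the full procedure once; refuses to run twice to avoid a duplicate table.
apply_port_forward() {
    if sudo grep -q '^\*nat' /etc/ufw/before.rules; then
        echo "before.rules already contains a *nat table; edit it by hand" >&2
        return 1
    fi
    # 1. Kernel packet forwarding; UFW applies this file when it starts
    sudo sed -i 's|^#*net/ipv4/ip_forward=.*|net/ipv4/ip_forward=1|' /etc/ufw/sysctl.conf
    sudo grep -q '^net/ipv4/ip_forward=1' /etc/ufw/sysctl.conf \
        || echo 'net/ipv4/ip_forward=1' | sudo tee -a /etc/ufw/sysctl.conf >/dev/null
    # 2. Keep DEFAULT_FORWARD_POLICY="DROP" and allow only this forwarded path
    sudo ufw route allow in on "$1" out on "$2" to "$4" port "$5" proto tcp
    # 3. Prepend the nat table, keeping a backup of the original file
    tmp=$(mktemp)
    { gen_nat_rules "$@"; sudo cat /etc/ufw/before.rules; } > "$tmp"
    sudo cp /etc/ufw/before.rules /etc/ufw/before.rules.bak
    sudo cp "$tmp" /etc/ufw/before.rules
    rm -f "$tmp"
    # 4. Restart so the sysctl, the route rule and the nat table all take effect
    sudo ufw disable && sudo ufw enable
}

# Dry run: print the table that would be inserted (no root needed)
gen_nat_rules eth0 eth1 80 192.168.1.10 80
```

Only apply_port_forward changes the system; run the dry run first and inspect the output. The route rule is deliberately narrow (one inbound interface, one target, one port), which is the least-privilege alternative to DEFAULT_FORWARD_POLICY="ACCEPT".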

IPv6 Support

Ensure IPv6 is enabled in /etc/default/ufw (it is the packaged default). When it is, every rule you add is installed for IPv6 as well and appears with a (v6) suffix in ufw status; with it disabled, IPv6 traffic is not filtered by UFW at all:

IPV6=yes

Example 1: Secure Web Server

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable

Example 2: Restrict MySQL to a Subnet

sudo ufw allow from 192.168.1.0/24 to any port 3306

Example 3: Rate-Limited SSH

sudo ufw limit ssh   # Protects against brute-force attacks

Example 4: Complex Rule (IP + Port)

sudo ufw allow from 203.0.113.45 to any port 22 proto tcp

Troubleshooting

Issue                        Solution
UFW not blocking traffic?    Check sudo ufw status; "Status: inactive" means no rules are loaded. Also remember that rules are matched in order, so an earlier allow wins over a later deny; use sudo ufw insert 1 <rule> to place a rule first.
Rule not working?            Verify what was actually added with sudo ufw show added, and the effective order with sudo ufw status numbered.
Too many logs?               Adjust the log level: sudo ufw logging medium (or low).

UFW provides a simple yet powerful way to manage Linux firewalls. By combining default policies, port rules, and application profiles, you can secure your system effectively.
