UFW (Uncomplicated Firewall) is a simplified interface for managing iptables, the standard Linux firewall. It is designed to make firewall configuration easier while maintaining powerful security features. This command reference is a beginner-friendly yet comprehensive guide to Linux firewall management.
## Key Notes Before Proceeding

- Most UFW commands require `sudo` privileges.
- UFW modifies iptables rules but abstracts away the complexity.
- Always check rules with `sudo ufw status` before enabling the firewall; on a remote host, make sure your SSH port is allowed before `ufw enable`, or you risk locking yourself out.
## 1. Basic UFW Commands

### Enable/Disable UFW

| Command | Description |
|---|---|
| `sudo ufw enable` | Activates UFW and enables it at boot. |
| `sudo ufw disable` | Stops UFW and disables it at boot. |

### Check UFW Status

| Command | Description |
|---|---|
| `sudo ufw status` | Shows active rules. |
| `sudo ufw status verbose` | Detailed status (including defaults). |
| `sudo ufw status numbered` | Lists rules with numbers for easy deletion. |

### Reset UFW to Defaults

| Command | Description |
|---|---|
| `sudo ufw reset` | Disables UFW and deletes all rules permanently. |
## 2. Default Policies

Controls default behavior for incoming, outgoing, and routed traffic.

| Command | Description | Security Note |
|---|---|---|
| `sudo ufw default deny incoming` | Blocks all incoming connections unless explicitly allowed. | Recommended for security. |
| `sudo ufw default allow outgoing` | Allows all outgoing traffic by default. | Commonly used for usability. |
| `sudo ufw default reject incoming` | Rejects (instead of drops) incoming traffic, notifying the sender. | Useful for debugging. |
## 3. Allowing/Denying Connections

### Basic Port Rules

| Command | Description | Example |
|---|---|---|
| `sudo ufw allow <port>` | Allows traffic on a port (TCP & UDP). | `sudo ufw allow 22` |
| `sudo ufw allow <port>/<proto>` | Allows only TCP or UDP. | `sudo ufw allow 53/udp` |
| `sudo ufw deny <port>` | Blocks traffic on a port. | `sudo ufw deny 23` |

### Service Names (Resolved via `/etc/services`)

UFW recognizes common service names (e.g., `ssh`, `http`).

```bash
sudo ufw allow ssh     # Allows port 22 (SSH)
sudo ufw allow http    # Allows port 80 (HTTP)
sudo ufw allow https   # Allows port 443 (HTTPS)
```

### IP-Based Rules

| Command | Description | Example |
|---|---|---|
| `sudo ufw allow from <IP>` | Allows all traffic from an IP. | `sudo ufw allow from 192.168.1.100` |
| `sudo ufw allow from <IP> to any port <port>` | Allows only a specific port. | `sudo ufw allow from 192.168.1.100 to any port 3306` |
| `sudo ufw deny from <IP>` | Blocks all traffic from an IP. | `sudo ufw deny from 10.0.0.5` |
## 4. Advanced Rule Management

### Port Ranges

```bash
sudo ufw allow 5000:6000/tcp   # Allow TCP ports 5000-6000
sudo ufw allow 9000:9100/udp   # Allow UDP ports 9000-9100
```

### Rate Limiting (Brute-Force Protection)

- `ufw limit` restricts repeated connections (useful for SSH).
- Uses the iptables `recent` module to block excessive requests.

```bash
sudo ufw limit ssh   # Allow SSH, but deny a source that opens 6 or more connections within 30 seconds
```

### Deleting Rules

- List rules with numbers:

```bash
sudo ufw status numbered
```

- Delete by rule number (numbers shift after each deletion, so re-list before deleting another):

```bash
sudo ufw delete 2   # Deletes rule #2
```

- Or delete by rule syntax:

```bash
sudo ufw delete allow 22   # Removes the rule allowing port 22
```
## 5. Application Profiles

UFW supports predefined application rules (stored in `/etc/ufw/applications.d/`).

| Command | Description | Example |
|---|---|---|
| `sudo ufw app list` | Lists available profiles. | `sudo ufw app list` |
| `sudo ufw app info <name>` | Shows details of a profile. | `sudo ufw app info 'Nginx Full'` |
| `sudo ufw allow <app>` | Allows an application's ports. | `sudo ufw allow 'Nginx HTTP'` |
## 6. Logging

### Enable Logging

```bash
sudo ufw logging on     # Enable (default: low)
sudo ufw logging high   # Most verbose logging
```

- Logs are stored in `/var/log/ufw.log`.
- Levels:
  - `low` (default): logs blocked packets.
  - `medium`: logs allowed and blocked packets.
  - `high`: logs all traffic (can be noisy).
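As an added example (not part of the original guide), a small POSIX shell helper that summarizes `[UFW BLOCK]` entries from `/var/log/ufw.log` by source and destination port, which is the quickest way to see which host a deny rule or `ufw limit` should be aimed at. The log lines are constructed for the demo, and the function names `ufw_block_summary` and `ufw_blocked_sources_over` are chosen here.

```bash
#!/bin/sh
# Constructed /var/log/ufw.log lines in the netfilter log format UFW emits (not from a real
# host): three blocked SYNs to port 22 from one source, one to port 23 from another, and one
# [UFW ALLOW] entry of the kind that appears only at logging level medium or higher.
SAMPLE_LOG='Mar  3 10:02:31 web1 kernel: [ 812.101] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:02:32 web1 kernel: [ 813.205] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1002 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:02:33 web1 kernel: [ 814.310] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1003 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:05:10 web1 kernel: [ 971.002] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=2001 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:06:00 web1 kernel: [ 1021.440] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3001 DF PROTO=TCP SPT=45000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0'

# ufw_block_summary
# Reads log lines on stdin and prints "count source dport" for each [UFW BLOCK]
# source/port pair, most frequent first. Non-block entries are ignored.
ufw_block_summary() {
    grep '\[UFW BLOCK\]' \
      | awk '{
            src = ""; dpt = "-"                      # DPT is absent for ICMP, hence "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }' \
      | sort -rn
}

# ufw_blocked_sources_over MIN
# Prints each source whose blocked count on a single port reaches MIN: candidates for
# a deny rule, or a sign that `ufw limit` on that port is doing its job.
ufw_blocked_sources_over() {
    ufw_block_summary | awk -v min="$1" '$1 >= min { print $2 }' | sort -u
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | ufw_block_summary
```

On a live host, run `sudo sh -c '. ./ufw-summary.sh; ufw_blocked_sources_over 20 < /var/log/ufw.log'` (or whatever you named the file) to get the same report over real data.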
## 7. Advanced Configurations

### Port Forwarding (NAT)

- Enable forwarding in `/etc/default/ufw`:

```bash
DEFAULT_FORWARD_POLICY="ACCEPT"
```

- Add the rules in `/etc/ufw/before.rules`, above the `*filter` line:

```
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
COMMIT
```

- Restart UFW:

```bash
sudo ufw disable && sudo ufw enable
```
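Added example (not from the original guide): two shell checks that verify the forwarding setup above before you restart UFW, namely that `DEFAULT_FORWARD_POLICY` is `ACCEPT` and that the `*nat` table in `before.rules` is terminated by `COMMIT` and placed above `*filter`. The demo runs against constructed copies in a temp dir; the function names are chosen here.

```bash
#!/bin/sh
# Pre-flight checks for the port-forwarding steps above (added example, not from the guide).
# Each function takes a file path, so it can be pointed at the live file or at a copy.

# ufw_forward_policy_ok FILE   (normally /etc/default/ufw)
# Returns 0 when DEFAULT_FORWARD_POLICY is ACCEPT, 1 otherwise.
ufw_forward_policy_ok() {
    grep -Eq '^DEFAULT_FORWARD_POLICY="?ACCEPT"?[[:space:]]*$' "$1"
}

# ufw_nat_block_ok FILE   (normally /etc/ufw/before.rules)
# Returns 0 when the file has a *nat table that is terminated by COMMIT and sits
# above the *filter line, as the guide requires; an unterminated table makes
# iptables-restore reject the whole file when UFW starts.
ufw_nat_block_ok() {
    awk '
        /^\*nat/    { nat = NR }
        /^\*filter/ { filter = NR }
        /^COMMIT/   { if (nat && !natcommit) natcommit = NR }   # first COMMIT after *nat
        END {
            ok = nat && natcommit && filter && nat < natcommit && natcommit < filter
            exit (ok ? 0 : 1)
        }' "$1"
}

# Demo on constructed copies in a temp dir: one correct layout, one with the
# *nat table appended after *filter.
demo=$(mktemp -d)
printf 'DEFAULT_FORWARD_POLICY="ACCEPT"\n' > "$demo/default-ufw"
cat > "$demo/before.rules" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
COMMIT
*filter
:ufw-before-input - [0:0]
COMMIT
EOF
cat > "$demo/before.rules.bad" <<'EOF'
*filter
:ufw-before-input - [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
COMMIT
EOF
ufw_forward_policy_ok "$demo/default-ufw" && echo "default-ufw: forward policy ACCEPT"
ufw_nat_block_ok "$demo/before.rules" && echo "before.rules: nat table placed correctly"
ufw_nat_block_ok "$demo/before.rules.bad" || echo "before.rules.bad: nat table misplaced"
```

Forwarding also needs kernel IP forwarding turned on (`net/ipv4/ip_forward=1` in `/etc/ufw/sysctl.conf`), which these checks do not cover.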
### IPv6 Support

Ensure IPv6 is enabled in `/etc/default/ufw`:

```bash
IPV6=yes
```
## 8. Practical Examples

### Example 1: Secure Web Server

```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
```

### Example 2: Restrict MySQL to a Subnet

```bash
sudo ufw allow from 192.168.1.0/24 to any port 3306
```

### Example 3: Rate-Limited SSH

```bash
sudo ufw limit ssh   # Protects against brute-force attacks
```

### Example 4: Complex Rule (IP + Port)

```bash
sudo ufw allow from 203.0.113.45 to any port 22 proto tcp
```
## 9. Troubleshooting

| Issue | Solution |
|---|---|
| UFW not blocking traffic? | Check `sudo ufw status`. Ensure UFW is enabled. |
| Rule not working? | Verify syntax with `sudo ufw show added`. |
| Too many logs? | Adjust the log level: `sudo ufw logging medium`. |
## 10. Re-Ordering and Inserting UFW Rules

To manage the order of your firewall rules or insert new rules at specific positions, follow these steps:

### Step 1: List Current Firewall Rules

Use the following command to display the current firewall rules along with their positions:

```bash
sudo ufw status numbered
```

This command lists all the active firewall rules in a numbered format, making it easier to identify their positions.

### Step 2: Insert a New Rule at a Specific Position

To insert a new rule at a specific position, use the `ufw insert` command. It places the new rule at the specified position and shifts the existing rules down by one position.

```bash
sudo ufw insert [position] [rule text]
```

- `[position]`: The position number where you want to insert the new rule.
- `[rule text]`: The actual rule you want to add (e.g., `allow from 10.10.10.0/24`).

### Example

- List current rules:

```bash
sudo ufw status numbered
```

This will output something like:

```
[ 1] allow in on eth0 from 192.168.1.0/24 to any port 22
[ 2] deny in on eth0 from 10.0.0.0/8 to any
```

- Insert a new rule at position 2:

```bash
sudo ufw insert 2 allow from 10.10.10.0/24
```

This command inserts the new rule at position 2, and the existing rule at position 2 moves to position 3.

### Final Note

- Inserting Rules: The `ufw insert` command does not replace the existing rule at the specified position; it shifts it down.
- Re-Ordering Rules: By inserting rules at specific positions, you can effectively re-order your firewall rules to ensure they are processed in the desired sequence. UFW evaluates rules in order and the first match wins, so a deny that must override a broader allow has to be inserted above that allow.
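As an added example (not part of the original guide), a POSIX shell helper that parses `sudo ufw status numbered` output to find the position of an existing rule and prints the matching `ufw insert` command, so that a narrower deny lands ahead of a broader allow instead of after it. The status output is constructed for the demo, and `ufw_rule_position` / `ufw_insert_before` are names chosen here.

```bash
#!/bin/sh
# Constructed sample of `sudo ufw status numbered` output (not captured from a real host).
SAMPLE_NUMBERED='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.1.0/24
[ 2] Anywhere                   DENY IN     10.0.0.0/8
[ 3] 80/tcp                     ALLOW IN    Anywhere'

# ufw_rule_position PATTERN
# Reads numbered status text on stdin and prints the position of the first rule
# whose text (after the "[ n]" prefix) matches PATTERN, an awk extended regex.
# Prints nothing and returns 1 when no rule matches.
ufw_rule_position() {
    pos=$(awk -v pat="$1" '
        match($0, /^\[ *[0-9]+\]/) {
            num  = substr($0, 2, RLENGTH - 2) + 0   # digits between the brackets
            rule = substr($0, RLENGTH + 2)          # text after "] "
            if (rule ~ pat) { print num; exit }
        }')
    [ -n "$pos" ] || return 1
    printf '%s\n' "$pos"
}

# ufw_insert_before PATTERN RULE...
# Prints (does not run) the `ufw insert` command that places RULE at the position
# of the first rule matching PATTERN, so the new rule is evaluated before it.
ufw_insert_before() {
    pattern="$1"
    shift
    pos=$(ufw_rule_position "$pattern") || {
        echo "no existing rule matches: $pattern" >&2
        return 1
    }
    printf 'sudo ufw insert %s %s\n' "$pos" "$*"
}

# Demo: deny one host in the subnet from SSH ahead of the subnet-wide allow at position 1.
printf '%s\n' "$SAMPLE_NUMBERED" \
    | ufw_insert_before '^22/tcp' deny from 192.168.1.99 to any port 22 proto tcp
```

Against a live host, pipe the real output in with `sudo ufw status numbered | ufw_insert_before '^22/tcp' deny from 192.168.1.99 to any port 22 proto tcp` and review the printed command before running it.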
UFW provides a simple yet powerful way to manage Linux firewalls. By combining default policies, port rules, and application profiles, you can secure your system effectively.