Uncomplicated Firewall (UFW) is a front end to iptables that is geared towards simplifying the process of configuring a firewall.
UFW is installed by default on Ubuntu. If it has been uninstalled for some reason, you can install it with:
sudo apt install ufw
To set the defaults used by UFW, use these commands:
sudo ufw default deny incoming
sudo ufw default allow outgoing
These commands set the defaults to deny incoming and allow outgoing connections. These firewall defaults alone might suffice for a personal computer, but servers typically need to respond to incoming requests from outside users.
To configure your server to allow incoming SSH connections, you can use this command:
sudo ufw allow ssh
This will create a firewall rule that allows all connections on port 22, the port the SSH daemon listens on by default. UFW knows which port allow ssh means because ssh is listed as a service in the /etc/services file.
You can write an equivalent rule by specifying the port instead of the service name. For example, this command has the same effect as the one above (with one difference worth knowing: a bare port number with no protocol opens the port for both TCP and UDP; append /tcp to the port, as in 22/tcp, if you want TCP only, which is all SSH uses):
sudo ufw allow 22
If you configured your SSH daemon to use a different port, you will have to specify the appropriate port (e.g. 2222):
sudo ufw allow 2222
Before you enable UFW, make sure the rule allowing SSH (or whichever port you administer the server over) is already in place: with a default policy of deny incoming, enabling the firewall without it can cut off your own session, and UFW warns about exactly this when you run the command. Then enable UFW with:
sudo ufw enable
Use the sudo ufw status verbose command to see the rules that are set.
A web server should have ports 80 and 443 allowed on the firewall:
HTTP on port 80, which unencrypted web servers use, with sudo ufw allow http or sudo ufw allow 80
HTTPS on port 443, which encrypted web servers use, with sudo ufw allow https or sudo ufw allow 443
You can specify port ranges with UFW. Some applications use multiple ports, instead of a single port.
For example, to allow X11 connections, which use ports 6000-6007, use these commands:
sudo ufw allow 6000:6007/tcp
sudo ufw allow 6000:6007/udp
When specifying port ranges with UFW, you must specify the protocol (tcp or udp) that the rule applies to; UFW rejects a range with no protocol. For a single port, leaving out the protocol allows both TCP and UDP.
To allow connections from a specific IP address:
sudo ufw allow from 203.0.113.4
You can also specify a specific port that the IP address is allowed to connect to:
sudo ufw allow from 203.0.113.4 to any port 22
Alternatively, to add the whole subnet:
sudo ufw allow from 203.0.113.0/24
sudo ufw allow from 203.0.113.0/24 to any port 22
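The default-deny baseline, the allow rules, the port-range rule with its protocol requirement, and the per-source rules above can be turned into one repeatable script. The following is an example added here, not code from the original page or from the UFW project. It builds the ufw command lines described above, rejects a port range that lacks /tcp or /udp (as ufw itself would), and refuses to emit the enable step unless some rule covers the SSH port, so running it over SSH cannot lock you out. The PORT[:PORT][/PROTO][@SOURCE] spec syntax is this script's own shorthand, not UFW syntax; the 203.0.113.0/24 management subnet is the documentation range used on this page. It prints the plan as a dry run unless UFW_APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Example UFW baseline script (added here; not from the original page or UFW).
# Spec format is this script's own convention: PORT[:PORT][/PROTO][@SOURCE]
#   22/tcp   6000:6007/udp   22/tcp@203.0.113.0/24   443
# Dry run by default; set UFW_APPLY=1 to execute each line with sudo.
set -u

# Turn one spec into a "ufw allow ..." command line, or fail with a message.
ufw_allow_rule() {
    local spec="$1" rest port proto="" src=""
    rest="$spec"
    case "$rest" in
        *@*) src="${rest#*@}"; rest="${rest%%@*}" ;;   # source parsed first: a CIDR contains "/"
    esac
    case "$rest" in
        */*) proto="${rest#*/}"; rest="${rest%%/*}" ;;
    esac
    port="$rest"
    case "$proto" in ''|tcp|udp) ;; *) echo "bad protocol in $spec" >&2; return 1 ;; esac
    case "$port" in
        ''|*[!0-9:]*) echo "bad port in $spec" >&2; return 1 ;;
        *:*) if [ -z "$proto" ]; then                # mirrors ufw: a range needs tcp or udp
                 echo "port range $port needs /tcp or /udp: $spec" >&2; return 1
             fi ;;
    esac
    if [ -n "$src" ]; then
        printf 'ufw allow from %s to any port %s%s\n' "$src" "$port" "${proto:+ proto $proto}"
    else
        printf 'ufw allow %s%s\n' "$port" "${proto:+/$proto}"
    fi
}

# Print the whole plan: defaults, one allow per spec, then enable.
# Returns 1 on a bad spec; returns 2 and emits no "enable" if no spec
# covers $1, the SSH port, so the script cannot lock you out.
ufw_plan() {
    local ssh_port="$1"; shift
    local spec rule ssh_ok=0
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for spec in "$@"; do
        rule=$(ufw_allow_rule "$spec") || return 1
        echo "$rule"
        case "$spec" in
            "$ssh_port"|"$ssh_port"/*|"$ssh_port"@*) ssh_ok=1 ;;
        esac
    done
    if [ "$ssh_ok" -ne 1 ]; then
        echo "refusing to enable: no rule allows SSH port $ssh_port" >&2
        return 2
    fi
    echo "ufw --force enable"   # --force answers the "may disrupt ssh connections" prompt
}

# Print the plan, or run it line by line with sudo when UFW_APPLY=1.
ufw_apply() {
    local plan line
    plan=$(ufw_plan "$@") || return $?
    printf '%s\n' "$plan" | while IFS= read -r line; do
        if [ "${UFW_APPLY:-0}" = "1" ]; then
            sudo $line            # word splitting intended: $line is one ufw command
        else
            echo "$line"
        fi
    done
}

# Example run: SSH only from a management subnet, web open to all, X11 range on tcp.
ufw_apply 22 22/tcp@203.0.113.0/24 80/tcp 443/tcp 6000:6007/tcp
```

Run it once without UFW_APPLY to review the generated commands, then again with UFW_APPLY=1 on the server. Dropping the 22 spec, or giving a range such as 6000:6007 with no protocol, makes the script stop before the enable step instead of producing a firewall that locks you out or a rule UFW would reject.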
To write deny rules, use the commands described above, replacing allow with deny:
sudo ufw deny http
sudo ufw deny from 203.0.113.4
Keep in mind that UFW evaluates rules in order and the first match wins, so a deny rule appended after an allow rule that already matches the same traffic has no effect. In that case place the deny rule earlier in the list with UFW's insert subcommand, or delete the allow rule.
The UFW status command has an option to display numbers next to each rule, as demonstrated here:
sudo ufw status numbered
If we decide that we want to delete rule 2:
sudo ufw delete 2
Note that deleting by number removes only that single rule. If you have IPv6 enabled, the corresponding IPv6 rule (marked (v6) in the listing) has its own number and must be deleted as well. Rules are renumbered after each deletion, so run status numbered again before deleting the next one.
The alternative to rule numbers is to specify the actual rule to delete. For example, if you want to remove the allow http rule, you could write it like this:
sudo ufw delete allow http
You could also specify the rule by allow 80, instead of by service name:
sudo ufw delete allow 80
This method will delete both IPv4 and IPv6 rules, if they exist.
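Deleting by number is error-prone by hand: the IPv4 and IPv6 copies of a rule have different numbers, and every deletion renumbers what is left. The following is an example added here, not code from the original page or from UFW, that works from the output of sudo ufw status numbered. It collects every rule whose To column matches a given value, both the IPv4 and the (v6) entries, and deletes them highest number first, so that no deletion shifts the number of a rule still to be deleted. The status listing in the block is a constructed sample in the format ufw prints; the script prints the delete commands unless UFW_APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Example (added here; not from the original page or UFW): delete all rules,
# IPv4 and IPv6, whose "To" column matches a value, from "ufw status numbered"
# output. Deleting renumbers the remaining rules, so matches are removed
# highest number first. Dry run unless UFW_APPLY=1.
set -u

# Constructed sample of "sudo ufw status numbered" output for a web server.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# Print the numbers of rules whose "To" value equals $2, highest first, one per line.
# $1 is the status text (pass "$(sudo ufw status numbered)" on a live system).
ufw_rule_numbers() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^\[ *[0-9]+]/ {
            line = $0
            sub(/^\[ */, "", line)            # "1] 22/tcp (v6)  ALLOW IN ..."
            num = line; sub(/].*/, "", num)   # "1"
            sub(/^[0-9]+] */, "", line)       # "22/tcp (v6)  ALLOW IN ..."
            to = line; sub(/ .*/, "", to)     # "22/tcp"; the "(v6)" marker is a separate token
            if (to == want) print num
        }' | sort -rn
}

# Emit (or, with UFW_APPLY=1, run) one delete per matching rule, highest first.
ufw_delete_matching() {
    local status="$1" want="$2" n
    for n in $(ufw_rule_numbers "$status" "$want"); do
        if [ "${UFW_APPLY:-0}" = "1" ]; then
            sudo ufw --force delete "$n"      # --force skips the per-rule confirmation prompt
        else
            echo "ufw --force delete $n"
        fi
    done
}

# Example run against the sample: removes the IPv4 rule 2 and its IPv6 twin, rule 5.
ufw_delete_matching "$SAMPLE_STATUS" 80/tcp
```

On a real server, call ufw_delete_matching "$(sudo ufw status numbered)" 80/tcp; because the numbers come from one snapshot and are processed in descending order, the second deletion still points at the rule it was computed for.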
At any time, you can check the status of UFW with this command:
sudo ufw status verbose
If you decide you don’t want to use UFW, you can disable it with this command:
sudo ufw disable
Any rules that you created with UFW will no longer be active. You can always run sudo ufw enable if you need to activate it later.
If you already have UFW rules configured but you decide that you want to start over, you can use the reset command:
sudo ufw reset
This will disable UFW and delete any rules that were previously defined. Keep in mind that the default policies are not restored to their original values if you modified them at any point. This should give you a fresh start with UFW.
If your Ubuntu server has IPv6 enabled, ensure that UFW is configured to support IPv6 so that it will manage firewall rules for IPv6 in addition to IPv4.
Open the configuration file:
sudo vim /etc/default/ufw
and make sure the value of IPV6 is yes:
IPV6=yes
After saving the file, disable and re-enable UFW so that the new setting takes effect and the IPv6 rules are generated.