UFW (Uncomplicated Firewall) is a simple-to-use firewall utility with plenty of options for all kinds of users.
It is actually an interface for iptables, which is the classic low-level tool (and harder to get comfortable with) to set up rules for your network.
A firewall is a way to regulate the incoming and outgoing traffic on your network. This is crucial for servers, but it also makes a regular user’s system much safer, giving you control. If you are one of those people who like to keep things under control on an advanced level even on the desktop, you may consider setting up a firewall.
In short, the firewall is a must for servers. On desktops, it is up to you if you want to set it up.
It is important to set up a firewall properly. An incorrect setup may leave the server inaccessible if you are doing it on a remote Linux system, like a cloud or VPS server. For example, if you block all incoming traffic on a server you are accessing via SSH, you won’t be able to access the server via SSH anymore.
In this tutorial, I’ll go over configuring a firewall that suits your needs, giving you an overview of what can be done using this simple utility. This should be suitable for both Ubuntu server and desktop users.
Please note that I’ll be using the command line method here. There is a GUI frontend called Gufw for desktop users but I won’t be covering it in this tutorial. There is a dedicated guide to Gufw if you want to use that.
If you are using Ubuntu, UFW should already be installed. If not, you can install it using the following command:
For other distributions, please use your package manager for installing UFW.
To check that UFW is properly installed, enter:
If it is installed, you should see the version details:
Great! So you have UFW on your system. Let’s see about using it now.
Note: You need to use sudo or be root to run (almost) all the ufw commands.
UFW works by setting up rules for incoming and outgoing traffic. These rules consist of allowing and denying specific sources and destinations.
You can check the firewall rules by using the following command:
This should give you the following output at this stage:
The above command would have shown you the firewall rules if the firewall was enabled. By default, UFW is not enabled and doesn’t affect your network. We’ll take care of that in the next section.
But here’s the thing: you can see and modify the firewall rules even if ufw is not enabled.
And in my case, it showed this result:
Now, I don’t remember if I added this rule manually or not. It’s not a fresh system.
By default, UFW denies all incoming and allows all outgoing traffic. This behavior makes perfect sense for the average desktop user, since you want to be able to connect to various services (such as http/https to access web pages) and don’t want to have anyone connect to your machine.
However, if you are using a remote server, you must allow traffic on the SSH port so that you can connect to the system remotely.
You can either allow traffic on SSH default port 22:
In case you are using SSH on some other port, allow it at the service level:
Do note that the firewall is not active yet. This is a good thing. You can modify rules before you enable ufw so that essential services are not impacted.
If you are going to use UFW on a production server, please make sure to allow the ports of the running services through UFW.
For example, web servers usually use port 80, so use “sudo ufw allow 80”. You may also do it at service level “sudo ufw allow apache”.
This onus lies on your side and it is your responsibility to ensure your server runs properly.
For desktop users, you can go ahead with the default policies.
For UFW to work, you have to enable it:
Doing so will start the firewall and schedule it to start every time you boot up. You receive the following message:
Again: if you are connected to a machine via ssh, make sure ssh is allowed before enabling ufw by entering sudo ufw allow ssh.
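A pre-flight check for the lock-out risk described above, as an added example that is not part of the original tutorial: it reads the rules UFW has stored (the output of `ufw show added`, which works while the firewall is inactive) and refuses to enable the firewall unless one of them admits the port sshd listens on. The sample rules, the function names and the `--enable` switch are constructed for illustration.

```shell
#!/bin/sh
# Added example: enable UFW only if a stored rule admits the SSH port.

# Constructed sample of `ufw show added` output (not taken from a real host).
SAMPLE_RULES="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw limit 2222/tcp
ufw deny 22"

# sshd_port CONFIG_TEXT -> first uncommented Port directive, or 22 if none.
# Assumption: Include'd drop-in files are not followed.
sshd_port() {
    _p=$(printf '%s\n' "$1" | awk 'tolower($1) == "port" { print $2; exit }')
    echo "${_p:-22}"
}

# ssh_allowed RULES PORT -> exit 0 if a simple allow/limit rule admits PORT.
# Conservative: "from ... to ..." rules and rule ordering are not modelled.
ssh_allowed() {
    _port=$2
    while read -r _cmd _action _target _rest; do
        [ "$_cmd" = "ufw" ] && [ -z "$_rest" ] || continue
        case $_action in allow|limit) ;; *) continue ;; esac
        case $_target in
            "$_port"|"$_port/tcp") return 0 ;;
            # Assumption: the service name and the app profile both mean port 22.
            ssh|OpenSSH) [ "$_port" = "22" ] && return 0 ;;
        esac
    done <<EOF
$1
EOF
    return 1
}

# Real use needs root: sh preflight.sh --enable
if [ "${1:-}" = "--enable" ]; then
    port=$(sshd_port "$(cat /etc/ssh/sshd_config)")
    if ssh_allowed "$(ufw show added)" "$port"; then
        ufw enable
    else
        echo "No stored rule admits SSH on port $port." >&2
        echo "Add one first: ufw allow $port/tcp" >&2
        exit 1
    fi
fi
```

Without `--enable` the file only defines the functions, so it can be sourced and exercised against saved rule listings.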
If you want to turn UFW off, type in:
You’ll get back:
If UFW is already enabled and you modify the firewall rules, you need to reload it before the changes take effect.
You can restart UFW by disabling it and enabling it again:
Or reload the rules:
If at any time you screw up any of your rules and want to return to the default rules (that is, no exceptions for allowing incoming or denying outgoing traffic), you can start it afresh with:
Keep in mind that this will delete all your firewall configs.
Alright! So you have learned most of the basic ufw commands. At this stage, I would prefer to go into a bit more detail on the firewall rule configuration.
This is how you add new exceptions to your firewall; allow enables your machine to receive data from the specified service, while deny does the opposite.
By default, these commands will add rules for both IPv4 and IPv6. If you’d like to modify this behavior, you’ll have to edit /etc/default/ufw. Change
That being said, the basic commands are:
If the rule was successfully added, you’ll get back:
Note: if you don’t include a specific protocol, the rule will be applied for both tcp and udp.
If you enable (or, if already running, reload) UFW and check out its status, you can see that the new rules have been successfully applied.
You can also allow/deny port ranges. For this type of rule, you must specify the protocol. For example:
Will allow all services on ports 90 to 100 using the TCP protocol. You can reload and verify the status:
To make things easier, you can also add rules using the service name:
For example, to allow incoming SSH and block incoming HTTP services:
While doing so, UFW will read the services from /etc/services. You can check out the list yourself:
Some apps provide specific named services for ease of use and might even utilize different ports. One such example is ssh. You can see a list of such apps that are present on your machine with the following:
In my case, the available applications are CUPS (a network printing system) and OpenSSH.
To add a rule for an application, type:
Reloading and checking the status, you should see that the rule has been added:
This was just the tip of the iceberg. There is so much more to firewalls in Linux that a book could be written on it. In fact, there is already an excellent book, Linux Firewalls by Steve Suehring.
If you think setting up a firewall with UFW is complicated, you should try using iptables or nftables. Then you’ll realize how UFW uncomplicates the firewall configuration.
I hope you liked this beginner’s guide to UFW. Let me know if you have questions or suggestions.
Creator of It’s FOSS. An ardent Linux user & open source promoter. Huge fan of classic detective mysteries ranging from Agatha Christie and Sherlock Holmes to Detective Columbo & Ellery Queen. Also a movie buff with a soft corner for film noir.
The first thing I do when starting up a server is install Webmin – it has admin tools for every conceivable feature on the server, including firewall.
Webmin is a lifesaver for people who are not hardcore sysadmins.
For desktop Linux, does Portmaster entirely replace the need for enabling a firewall?
I think it is strange that, A: Ubuntu does not have a firewall enabled by default, and B: uses UFW and not Firewalld by default.
The reason that I find this strange is that manufacturers of Linux laptops ship almost all with Ubuntu or something based on Ubuntu. Laptops are mobile devices. So they can move around to different places with networks that you might not trust. Firewalld is perfect for this since it offers zones. Set it up for own network in the ‘home’ zone and other networks will by default be set to the very restricted ‘public’ zone. Firewalld really should be the default on Ubuntu!
© CC-by-SA | It's FOSS is part of CHMOD777 Media Tech Pvt Ltd