UFW Command Explained: How to Install, Enable, and Manage Firewall Rules
UFW, short for Uncomplicated Firewall, is designed to make configuring a firewall straightforward and user-friendly. While IP tables offer robust and versatile functionality, their complexity can be daunting for beginners. If you’re new to network security and unsure where to begin, UFW is a great option.
In this tutorial, you’ll learn how to set up a firewall using UFW on Ubuntu version 18.04 and later.
Prerequisites
For users on Ubuntu version 16.04 or older, we strongly recommend upgrading to a more recent version as these older versions no longer receive support from Ubuntu. Our comprehensive guides can assist you in smoothly upgrading your Ubuntu version.
To proceed with this tutorial, ensure you have:
– A server running Ubuntu, and a non-root user with sudo privileges. If you need help setting this up, select your distribution from our list and follow the Initial Server Setup Guide.
UFW comes pre-installed on Ubuntu. If it’s missing, you can reinstall it using the command: `sudo apt install ufw`.
Step 1 — Ensuring IPv6 is Enabled
In the latest Ubuntu versions, IPv6 is typically enabled by default. This means that most firewall rules applied to your server will cover both IPv4 and IPv6, with IPv6 entries marked by v6 in UFW’s status output. To verify IPv6 is enabled, inspect your UFW configuration file located at /etc/default/ufw. You can open this file using nano or any preferred command line editor:
“`bash
sudo nano /etc/default/ufw
“`
Ensure the IPV6 setting is set to yes. The file should include the following line:
“`plaintext
IPV6=yes
“`
Save and close the file. If you’re using nano, you can do this by pressing `CTRL+X`, then `Y`, and `ENTER` to confirm.
When UFW is activated later in this guide, it will be set up to handle both IPv4 and IPv6 firewall rules.
Step 2 — Configuring Default Policies
When starting with UFW, it’s important to first review your default firewall policies. These policies determine how traffic that doesn’t match any specific rule is handled.
UFW’s default settings deny all incoming connections and allow all outgoing connections. This means that external attempts to connect to your server will be blocked, while internal applications can freely access the internet. Specific rules can be added to permit necessary services and ports, creating exceptions to this default behaviour.
Let’s set up your UFW default policies for incoming and outgoing traffic to ensure you can follow this tutorial smoothly.
Set the default policy for incoming traffic to deny by running:
“`bash
sudo ufw default deny incoming
“`
You should see the following output:
“`plaintext
Default incoming policy changed to ‘deny’
(be sure to update your rules accordingly)
“`
Next, set the default policy for outgoing traffic to allow by running:
“`bash
sudo ufw default allows outgoing
“`
You should see the following output:
“`plaintext
Default outgoing policy changed to ‘allow’
(be sure to update your rules accordingly)
“`
These commands establish a default policy of denying incoming and allowing outgoing connections. While this setup may be adequate for personal computers, servers typically need to accept incoming requests from external users. We’ll address this requirement in the next steps.
Step 3 — Allowing SSH Connections
If you activate your UFW firewall now, it will block all incoming connections. Therefore, you need to set rules to permit legitimate incoming connections, such as SSH or HTTP, to allow your server to respond to these requests. For cloud server users, enabling SSH connections is crucial for managing the server remotely.
Enabling the OpenSSH UFW Application Profile
Most network-dependent applications automatically register an application profile with UFW during installation. This profile allows users to easily manage external access to the service. To see the list of currently registered profiles, run:
“`bash
sudo ufw app list
“`
You should see something like:
“`plaintext
Available applications:
OpenSSH
“`
To enable the OpenSSH application profile, use the following command:
“`bash
sudo ufw allow OpenSSH
“`
You will receive the following confirmation:
“`plaintext
Rule added
Rule added (v6)
“`
This command sets up firewall rules to allow all connections on port 22, the default port for the SSH daemon.
Allowing SSH by Service Name
Another method to permit SSH connections is by referencing its service name:
“`bash
sudo ufw allow ssh
“`
You will see:
“`plaintext
Rule added
Rule added (v6)
“`
UFW identifies the ports and protocols a service uses by consulting the `/etc/services` file.
Allowing SSH by Port Number
Alternatively, you can specify the port number directly to create the same rule. For example:
“`bash
sudo ufw allow 22
“`
You will get the same output:
“`plaintext
Rule added
Rule added (v6)
“`
If your SSH daemon listens on a different port, specify that port number. For instance, if SSH is configured on port 2222, use:
“`bash
sudo ufw allow 2222
“`
The output will confirm the rule addition:
“`plaintext
Rule added
Rule added (v6)
“`
With your firewall now set to allow incoming SSH connections, you are ready to enable UFW.
Step 4 — Activating UFW
At this point, your firewall should be configured to permit SSH connections. To review the rules that have been added so far, even if the firewall is not yet active, you can run:
“`bash
sudo ufw show added
“`
You should see an output like this:
“`plaintext
Added user rules (see ‘ufw status’ for running firewall):
ufw allow OpenSSH
“`
After confirming the presence of a rule that allows incoming SSH connections, you can enable the firewall with:
“`bash
sudo ufw enable
“`
You will encounter a warning:
“`plaintext
The command may disrupt existing SSH connections. Proceed with the operation (y|n)? y
The firewall is active and enabled on the system startup
“`
Although this warning suggests the command might interrupt existing SSH connections, you have already set up a rule to allow SSH, so it’s safe to proceed. Type `y` and press `ENTER` to continue.
The firewall is now active. To view the current rules, use:
“`bash
sudo ufw status verbose
“`
The rest of this tutorial will guide you through using UFW in greater detail, including how to allow or deny various types of connections.
Step 5 — Allowing Additional Connections
Now that SSH connections are permitted, it’s time to configure your firewall to allow other necessary connections based on your server’s specific requirements. You’ve already learned how to create rules using application profiles, service names, or port numbers, as demonstrated with SSH on port 22. Here’s how you can do the same for other services:
– HTTP (port 80): Used by unencrypted web servers. Allow it with:
“`bash
sudo ufw allow http
“`
or
“`bash
sudo ufw allow 80
“`
– HTTPS (port 443): Used by encrypted web servers. Allow it with:
“`bash
sudo ufw allow https
“`
or
“`bash
sudo ufw allow 443
“`
– Apache (HTTP and HTTPS): Allow both by using:
“`bash
sudo ufw allow ‘Apache Full’
“`
– Nginx (HTTP and HTTPS): Allow both by using:
“`bash
sudo ufw allow ‘Nginx Full’
“`
You can see all available application profiles for your server with:
“`bash
sudo ufw app list
“`
Allowing Connections in Various Ways
Some applications require multiple ports. For instance, to allow X11 connections (ports 6000-6007), use:
“`bash
sudo ufw allow 6000:6007/tcp
sudo ufw allow 6000:6007/udp
“`
When specifying port ranges, you must include the protocol (TCP or UDP). Omitting the protocol will allow both by default, which is generally acceptable.
Specific IP Addresses
To allow connections from a specific IP, such as 203.0.113.4, use:
“`bash
sudo ufw allow from 203.0.113.4
“`
You can also restrict this to a specific port:
“`bash
sudo ufw allow from 203.0.113.4 to any port 22
“`
Subnets
To allow a range of IP addresses, use CIDR notation. For instance, to allow all IPs from 203.0.113.1 to 203.0.113.254, use:
“`bash
sudo ufw allow from 203.0.113.0/24
“`
To restrict this subnet to a specific port:
“`bash
sudo ufw allow from 203.0.113.0/24 to any port 22
“`
Connections to a Specific Network Interface
To apply rules to a specific network interface, identify your network interfaces with:
“`bash
ip addr
“`
You’ll see outputs like `eth0` or `enp3s2`. To allow HTTP traffic on a public interface `eth0`:
“`bash
sudo ufw allow in on eth0 to any port 80
“`
For MySQL on a private interface `eth1`:
“`bash
sudo ufw allow in on eth1 to any port 3306
“`
These configurations will ensure your server can handle necessary incoming connections while maintaining robust security.
Step 6 — Blocking Connections
If you haven’t altered the default policy for incoming connections, UFW is set to block all incoming traffic by default. This approach simplifies creating a secure firewall policy, as you only need to define rules for allowed ports and IP addresses.
Sometimes, however, you might need to block specific connections based on source IP addresses or subnets, such as if your server is under attack. Additionally, if you decide to change your default incoming policy to allow (though this is generally not recommended), you would need to create rules to block unwanted services or IP addresses.
To create block rules, simply replace “allow” with “deny” in the commands we’ve covered.
For instance, to block HTTP connections, use:
“`bash
sudo ufw deny http
“`
You should see:
“`plaintext
Rule added
Rule added (v6)
“`
To block all connections from a specific IP, such as 203.0.113.4, use:
“`bash
sudo ufw deny from 203.0.113.4
“`
You’ll see:
“`plaintext
Rule added
“`
In some situations, you might also want to block outgoing connections. To prevent all users from using a specific port on the server, such as port 25 for SMTP traffic, use:
“`bash
sudo ufw deny out 25
“`
The output will be:
“`plaintext
Rule added
Rule added (v6)
“`
This command will block all outgoing SMTP traffic on the server, enhancing security by preventing unauthorized email sending.
Step 7 — Removing Rules
Understanding how to remove firewall rules is as crucial as creating them. You can delete rules either by their rule number or by their description, similar to how they were defined when created.
Deleting a UFW Rule By Number
To remove a rule by its number, first, you need a numbered list of all your firewall rules. Use the `ufw status` command with the `numbered` option:
“`bash
sudo ufw status numbered
“`
Example output:
“`plaintext
Status: Active
To Action From
— —— —-
[ 1] 22 ALLOW IN 15.15.15.0/24
[ 2] 80 ALLOW IN Anywhere
“`
To delete rule number 2, which allows port 80 (HTTP) connections, run:
“`bash
sudo ufw delete 2
“`
Output:
“`plaintext
Deleting:
allow 80
Proceed with the operation (y|n)? y
Rule deleted
“`
This prompts for confirmation and then removes rule 2, which permits HTTP connections. If IPv6 is enabled, remember to delete the corresponding IPv6 rule as well.
Deleting a UFW Rule By Name
Alternatively, you can refer to a rule by its description. This includes the type of rule (allow or deny) and the service name or port number, or the application profile name if used. For instance, to delete an allow rule for an application profile named “Apache Full,” use:
“`bash
sudo ufw delete allow “Apache Full”
“`
Output:
“`plaintext
Rule deleted
Rule deleted (v6)
“`
This method also applies to rules created with a service name or port number. For example, if you allowed HTTP connections with `sudo ufw allow http`, delete it with:
“`bash
sudo ufw delete allow http
“`
Output:
“`plaintext
Rule deleted
Rule deleted (v6)
“`
Similarly, since service names are interchangeable with port numbers, you can delete the same rule with:
“`bash
sudo ufw delete allow 80
“`
Output:
“`plaintext
Rule deleted
Rule deleted (v6)
“`
Deleting rules by name removes both IPv4 and IPv6 rules if they exist.
Step 8 — Checking UFW Status and Rules
You can check the current status of UFW at any time with the following command:
“`bash
sudo ufw status verbose
“`
If UFW is disabled (its default state), you’ll see:
“`plaintext
Status: Inactive
“`
If UFW is active (as it should be if you followed Step 3), you will see it marked as active along with any set rules. For instance, if SSH (port 22) is allowed from anywhere, the output may look like this:
“`plaintext
Status: Active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
— —— —-
22/tcp ALLOW IN Anywhere
“`
Use this command to review how UFW is configured and which rules are currently in effect.
Step 9 — Disabling or Resetting the Firewall
If you decide to stop using the UFW firewall, you can turn it off with:
“`bash
sudo ufw disable
“`
Output:
“`plaintext
The firewall stopped and disabled on the system startup
“`
This command deactivates UFW, and any rules you have created will no longer be enforced. To re-enable it later, simply run `sudo ufw enable`.
If you want to reset your UFW configuration and start fresh, use the reset command:
“`bash
sudo ufw reset
“`
Output:
“`plaintext
Resetting all rules to installed defaults. This may disrupt existing SSH connections. Proceed with the operation (y|n)? y
Backing up ‘user.rules’ to ‘/etc/ufw/user.rules.20210729_170353’
Backing up ‘before.rules’ to ‘/etc/ufw/before.rules.20210729_170353’
Backing up ‘after.rules’ to ‘/etc/ufw/after.rules.20210729_170353’
Backing up ‘user6.rules’ to ‘/etc/ufw/user6.rules.20210729_170353’
Backing up ‘before6.rules’ to ‘/etc/ufw/before6.rules.20210729_170353’
Backing up ‘after6.rules’ to ‘/etc/ufw/after6.rules.20210729_170353’
“`
This command disables UFW and removes all previously defined rules, giving you a clean slate. Note that it does not revert any changes made to the default policies.
Conclusion
Your firewall is now set up to permit SSH connections. Remember to configure additional rules for any other services your server needs to accept while restricting any superfluous connections. This approach will ensure your server remains both functional and secure.