UFW, or "Uncomplicated Firewall", is a firewall management interface for Linux, designed to be easy to use. It is a layer on top of the more complex but very powerful iptables tool. UFW is the default firewall on Ubuntu and aims to provide a simple interface for the most common firewall configurations without sacrificing security.
Why use UFW?
- Simplicity: Its syntax is much simpler and more intuitive than that of iptables.
- Secure by default: It is designed to be secure from the start, with a default policy that blocks all incoming traffic.
- Integration: Well integrated into distributions like Ubuntu.
- Flexibility: Although simple, it allows more complex rules when needed.
Prerequisites
- A Linux server (this guide focuses on Ubuntu/Debian).
- Root access or sudo privileges.
Basic configuration
On Ubuntu, UFW is generally installed by default. Otherwise, you can install it with sudo apt install ufw.
Step 1: Set the default policies
This is the first thing to do. A safe policy is to deny everything incoming and allow everything outgoing.
sudo ufw default deny incoming
sudo ufw default allow outgoing
This means that no connection will be able to reach your server unless you explicitly allow it.
Step 2: Allow SSH connections
WARNING: This is the most important step. If you enable the firewall without allowing SSH, you will lose access to your server!
# Allow the standard SSH port (22)
sudo ufw allow ssh
# If you have changed your SSH port (e.g. 2222)
# sudo ufw allow 2222/tcp
Step 3: Allow other services
Only open the ports you actually need.
# Allow web HTTP traffic (port 80)
sudo ufw allow http
# Allow web HTTPS traffic (port 443)
sudo ufw allow https
# Allow a specific port (e.g. for a game server on port 25565)
sudo ufw allow 25565/tcp
Step 4: Enable UFW
Once you have allowed at least SSH, you can enable the firewall.
sudo ufw enable
UFW will warn you that the command may disrupt existing SSH connections. Type `y` and confirm.
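Steps 1 to 4 as one script, added here as an example that is not part of the original guide: it reads the SSH port from sshd_config so the firewall is never enabled without an SSH rule, prints the plan, and only runs it when UFW_APPLY=1. It assumes sshd_config is at /etc/ssh/sshd_config (override with SSHD_CONFIG) and that ufw is driven through sudo.

```shell
#!/bin/sh
# Baseline UFW setup: deny in, allow out, allow SSH on the configured port,
# allow extra services, enable. Added example, not the guide's own code.

# Print the SSH port from an sshd_config file (22 when no active "Port" line).
# Only this file is read: Include and sshd_config.d drop-ins are not followed,
# and the last Port line wins.
ssh_port_from_config() {
    awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# Succeed only if the argument is an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ufw commands for the baseline, one per line, without running them.
plan_ufw_baseline() {
    ssh_port=$1; shift
    printf '%s\n' "ufw default deny incoming" "ufw default allow outgoing" \
                  "ufw allow ${ssh_port}/tcp"
    for svc in "$@"; do
        printf '%s\n' "ufw allow ${svc}"
    done
    # --force skips the "may disrupt existing ssh connections" prompt.
    printf '%s\n' "ufw --force enable"
}

# Validate the SSH port, then print the plan or (UFW_APPLY=1) apply it.
ufw_baseline() {
    cfg=${SSHD_CONFIG:-/etc/ssh/sshd_config}
    port=$(ssh_port_from_config "$cfg")
    if ! valid_port "$port"; then
        echo "refusing to continue: bad SSH port '$port' in $cfg" >&2
        return 1
    fi
    plan_ufw_baseline "$port" "$@" | while IFS= read -r cmd; do
        # $cmd is intentionally unquoted so it splits into ufw arguments.
        if [ "${UFW_APPLY:-0}" = 1 ]; then sudo $cmd; else echo "$cmd"; fi
    done
}

# Constructed sample config (hypothetical host with SSH moved to 2222),
# used when the script is run directly without UFW_APPLY=1.
sample_cfg=$(mktemp)
printf '#Port 22\nPort 2222\nPermitRootLogin no\n' > "$sample_cfg"
SSHD_CONFIG=$sample_cfg ufw_baseline http https
rm -f "$sample_cfg"
```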
Managing UFW day to day
Check the status and rules
The `status` command is your best friend.
# See whether the firewall is active and list the rules
sudo ufw status verbose
# List the rules with numbers, handy for deleting them
sudo ufw status numbered
Delete a rule
You can delete a rule by its number (obtained with `status numbered`) or by its definition.
# Delete rule number 3
sudo ufw delete 3
# Or delete by the exact definition
sudo ufw delete allow http
More advanced rules
# Allow a specific IP address to connect on all ports
sudo ufw allow from 1.2.3.4
# Allow a specific IP address on a specific port
sudo ufw allow from 1.2.3.4 to any port 22 proto tcp
Disable or reset UFW
# Temporarily disable the firewall
sudo ufw disable
# Reset all rules to their default state (disabled)
sudo ufw reset
With just a few commands (`ufw default deny`, `ufw allow ssh`, `ufw enable`), you have already considerably increased the security of your server.
Be careful: by default, Docker writes its own `iptables` chains (DOCKER and DOCKER-USER) directly, ahead of the chains UFW manages, so a port published with `-p` on a container can be reachable from outside even when no UFW rule allows it. This is a well-known issue. If you use Docker, additional configuration is required to make sure your UFW rules are respected (Docker documents the DOCKER-USER chain as the place for such rules).
Conclusion
UFW lives up to its name: it makes managing a firewall on Linux simple and straightforward. For the vast majority of web or application servers, UFW offers an excellent balance between ease of use and robust security. It is the ideal tool to quickly set up an essential first line of defense for your server.