The UFW (Uncomplicated Firewall) is a frontend for iptables and is particularly well-suited for host-based firewalls. UFW provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall.
UFW is a great firewall tool that is designed to be run on hosts or servers. It allows or blocks incoming and outgoing connections to and from the server. You can block ports, IPs or even entire subnets using UFW. It is not as flexible as iptables but is vastly easier for basic operations.
When it comes to configuring firewall on Ubuntu server, you have two primary options: ufw and iptables. Both tools provide firewall functionality but differ in terms of ease of use and complexity.
UFW is a front-end for iptables that aims to simplify the process of configuring a firewall. It provides a user-friendly command-line interface and allows you to manage firewall rules using human-readable syntax. UfW provides a set of default rules that are easy to understand and configure.
IPTables provides granular control over network traffic by allowing you to define rules based on various criteria such as IP addresses, ports, protocols, and more. IPTables gives you more flexibility, but it's also slightly more complicated to configure. So use whichever one you're most happy with. If you use iptables, remember that it only affects IPv4 - you need to also use ip6tables if your server has IPv6.
In this article, we will show you how to install and config the UFW firewall on Ubuntu 22.04.
To install UFW, you need to SSH into the system.
$ sudo apt update $ sudo apt upgrade
To check if ufw is installed, you can use the which command:
$ which ufw
And if the result doesn’t show output, it means ufw is not installed and you should install it like below.
$ sudo apt-get install ufw
After your ufw installation is complete, use the command below to check. The initial default after installation, UFW will be disabled because it has not been activated and you have to enable it manually.
$ sudo ufw status verbose ----------------------------- Output Status: inactive
To enable UFW and start enforcing the firewall rules, run:
$ sudo ufw enable
To temporarily disable UFW, run:
$ sudo ufw disable
To check the current status of UFW, run the following command:
$ sudo ufw status
This will show you if UFW is active or inactive, the default input and output policies, and any rules that have been created.
A fresh Ubuntu 22.04 installation will have UFW inactive by default.
To allow incoming connections on a specific port, you need to allow that port using UFW. For example, to allow HTTP traffic on port 80, run:
$ sudo ufw allow 80/tcp
This will allow all incoming TCP connections on port 80. You can also specify the IP address to allow only for a specific host:
$ sudo ufw allow from 192.168.1.100 to any port 80
To allow both TCP and UDP protocols on port 123, run:
$ sudo ufw allow 123/tcp $ sudo ufw allow 123/udp
To allow multiple ports at once, specify the starting and ending ports:
$ sudo ufw allow 2000:2100/tcp
This will allow all ports from 2000 to 2100. You can also specify ports in a comma-separated list:
$ sudo ufw allow 80,443,8080/tcp $ sudo ufw allow 22,25,110/tcp
It is a common requirement to allow incoming HTTP and HTTPS traffic. You can do that with:
$ sudo ufw allow 'Apache Full'
This will allow HTTP traffic on port 80 and HTTPS traffic on port 443.
To allow incoming SSH connections on port 22, run:
$ sudo ufw allow 22/tcp
This is required to manage your Ubuntu server remotely using SSH.
DNS uses UDP protocol on port 53. To allow incoming DNS queries, run:
$ sudo ufw allow 53/udp
To allow incoming VNC connections (usually port 5900 ), run:
$ sudo ufw allow 5900/tcp
To block specific ports or protocols, use deny instead of allow. For example, to block incoming SMTP traffic:
$ sudo ufw deny 25/tcp
Closing tcp and udp ports, replace 80 with the desired port number:
$ sudo ufw deny 80
For a port range you use the syntax:
$ ufw deny 1234:2345 $ ufw deny 1234:2345/tcp $ ufw deny 1234:2345/udp
By default, the UFW incoming policy is set to deny, which means all incoming traffic is blocked. You can change this policy using:
$ sudo ufw default deny incoming # To deny all incoming traffic $ sudo ufw default allow incoming # To allow all incoming traffic
Similarly, you can set the default outgoing policy using:
$ sudo ufw default deny outgoing $ sudo ufw default allow outgoing
It is recommended to keep the default incoming policy as deny for security.
You can enable logging with the command:
$ sudo ufw logging on
Log levels can be set by running sudo ufw logging low|medium|high, selecting either low, medium, or high from the list. The default setting is low.
UFW keeps logs of denied connections in /var/log/ufw.log. You can view the log file using:
$ sudo less /var/log/ufw.log
To enable verbose logging, run:
$ sudo ufw logging verbose
Then UFW will log all allowed and denied connections.
The syntax is as follows to list all of the current rules in a numbered list format:
$ sudo ufw status numbered Status: active To Action From -- ------ ---- [ 1] 22/tcp ALLOW IN Anywhere [ 2] 80/tcp ALLOW IN Anywhere # accept Apache [ 3] 443/tcp ALLOW IN Anywhere # accept HTTPS connections [ 4] 1194/udp ALLOW IN Anywhere # OpenVPN server [ 5] 3000:4000/tcp ALLOW IN Anywhere [ 6] 3000:4000/udp ALLOW IN Anywhere
To delete 6th rule type the command:
$ sudo ufw delete 6
You can also delete rules for a specific port:
$ sudo ufw delete allow 80
To flush all UFW rules and restore the default policy, run:
$ sudo ufw reset
For some reason, you need to restore/delete all existing rules to return to the original defaults, use the reset option to do the following:
$ sudo ufw disable $ sudo ufw reset $ sudo ufw enable
- Disable UFW
- Flush existing rules
- Re-enable UFW with the default configuration
This ensures UFW works with the default settings again.
Make sure the directive IPV6=yes do exists in /etc/default/ufw file. For instance:
$ cat /etc/default/ufw
UFW is a powerful tool that can greatly improve the security of your servers when properly configured. This reference guide covers some common UFW rules that are often used to configure a firewall on Ubuntu. Your firewall is now configured to allow (at least) SSH connections. Be sure to allow any other incoming connections that your server needs, while limiting any unnecessary connections, so your server will be functional and secure.
I hope this helps you configure and manage UFW firewall on Ubuntu 22.04. Let me know if you have any other questions!