A Guide to the Uncomplicated Firewall (UFW) for Linux

Check out my podcast, “Talking Cryptocurrency”, where I interview the people making the cryptocurrency and blockchain revolution happen. Guests have ranged from solo devs to CEOs. These are quick 15–20 minute episodes. Read my Podcast Manifesto or listen to the show now.

Firewalls are too important to be convoluted. UFW allows mere mortals to create firewall rules. In this post, I will walk you through all you need to know about using this awesome Linux security tool.

Warning: If you are using a remote system, be careful. It is very easy to lock yourself out of a remote system. If you are using SSH and the firewall blocks the SSH port, you are gonna have a bad time.

Install

sudo apt-get install ufw

Reset

sudo ufw reset

This command returns UFW to its defaults, removing any mistakes we might have made.

Defaults

Status

sudo ufw status

A brand new install will probably return:

Status: inactive

An enabled system returns something much more interesting: a table of rules.

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    DENY        Anywhere
8080                       ALLOW       Anywhere
2020                       ALLOW       Anywhere
22                         DENY        Anywhere

Verbose

sudo ufw status verbose

This view is a bit more detailed.

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           DENY IN     Anywhere
8080                       ALLOW IN    Anywhere
2020                       ALLOW IN    Anywhere
22                         DENY IN     Anywhere

Numbered

sudo ufw status numbered

This view will be very useful later, when we are deleting rules.

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    DENY IN     Anywhere
[ 2] 8080                       ALLOW IN    Anywhere
[ 3] 2020                       ALLOW IN    Anywhere
[ 4] 22                         DENY IN     Anywhere

Reload

sudo ufw reload

Enable

sudo ufw enable

Disable

sudo ufw disable

Allow/Deny

Ports

sudo ufw allow 2020

This allows TCP and UDP connections to port 2020. If instead we want to block TCP and UDP connections on port 22:

sudo ufw deny 22

Services

sudo ufw app list

On my system at home, I get back:

Available applications:
CUPS
OpenSSH

If we want to allow OpenSSH, I run:

sudo ufw allow OpenSSH

And of course we could also block OpenSSH with:

sudo ufw deny OpenSSH

Although this would be a very bad idea on a remote machine.
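The lock-out the post warns about at the top comes from ordering: enabling a deny-by-default firewall before the SSH rule exists. The script below is an added example, not code from the original post. It composes the post's own commands (reset, limit, enable, status) in a safe order, plus the standard ufw `default` subcommand and `--force` flag, which the post does not cover. The function names, the UFW_APPLY variable and the default-to-dry-run behaviour are this example's own choices; nothing is executed unless UFW_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post): a lock-out-safe UFW setup
# for a remote host. Assumes the standard ufw CLI. Function names and the
# UFW_APPLY switch are this example's own.

# Emit the commands in the order that keeps the current SSH session alive:
# reset, rate-limited SSH allow FIRST, then restrictive defaults, then a
# non-interactive enable, then a status check to confirm the result.
ufw_plan() {
    ssh_port="${1:-22}"
    cat <<EOF
ufw --force reset
ufw limit ${ssh_port}/tcp
ufw default deny incoming
ufw default allow outgoing
ufw --force enable
ufw status verbose
EOF
}

# Run each planned command through sudo only when UFW_APPLY=1; otherwise
# print what would run so it can be reviewed first (the default).
ufw_apply() {
    ufw_plan "$@" | while IFS= read -r cmd; do
        if [ "${UFW_APPLY:-0}" = "1" ]; then
            # shellcheck disable=SC2086
            sudo $cmd
        else
            printf 'DRY-RUN: sudo %s\n' "$cmd"
        fi
    done
}

# Sanity check: the SSH allow line must appear before the enable line.
# Exit status 0 means the plan is safe to apply over SSH.
ufw_plan_is_safe() {
    ufw_plan "$@" | awk '
        /limit [0-9]+/ { ssh = NR }
        /enable/       { en = NR }
        END { exit !(ssh > 0 && en > ssh) }'
}
```

Run `ufw_plan 2222` to see the plan for a non-default SSH port, `ufw_plan_is_safe && ufw_apply` to print it, and `UFW_APPLY=1 ufw_apply` only once the dry run looks right. Keeping the existing SSH session open while a second session confirms login still works is the usual final check.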

Address

sudo ufw allow from 192.168.1.2

Or we can block specific IP addresses.

sudo ufw deny from 192.168.1.2

Protocols

sudo ufw allow 80/tcp

This allows only TCP connections on port 80. If we want, we can also explicitly block UDP connections on that port:

sudo ufw deny 80/udp

Interface

sudo ufw allow in on eth0 to any port 80

In and Out

sudo ufw allow in 80

And we could also block outgoing connections on port 3389.

sudo ufw deny out 3389

Combinations

sudo ufw allow from 192.168.0.1 to any port 22

Limit

sudo ufw limit ssh

Reject

sudo ufw reject 666

Delete Rule

sudo ufw delete allow 80

Or we can delete a rule by number. Remember:

sudo ufw status numbered

That gave us this table with every rule numbered:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    DENY IN     Anywhere
[ 2] 8080                       ALLOW IN    Anywhere
[ 3] 2020                       ALLOW IN    Anywhere
[ 4] 22                         DENY IN     Anywhere

We can delete a rule using its number. For example, to delete rule 4 (22 DENY IN) from the table above:

sudo ufw delete 4
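Deleting by number has a catch: UFW renumbers the table after every deletion, so a number copied from an old listing can hit the wrong rule. As an added example (not from the original post), the functions below parse the "ufw status numbered" output to look up the number of the rule you actually mean, and emit multi-rule deletes highest-number-first so earlier numbers stay valid. The sample table is constructed from the post's own rules; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): find a rule's number in
# "sudo ufw status numbered" output and delete safely by number.

# Constructed sample of "sudo ufw status numbered" output.
UFW_SAMPLE_NUMBERED='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    DENY IN     Anywhere
[ 2] 8080                       ALLOW IN    Anywhere
[ 3] 2020                       ALLOW IN    Anywhere
[ 4] 22                         DENY IN     Anywhere'

# Read status output on stdin; print the number of the first rule whose
# "To" column is exactly $1 and whose Action column contains $2
# (e.g. ufw_rule_number 22 'DENY IN'). Prints nothing if no rule matches.
ufw_rule_number() {
    awk -v to="$1" -v act="$2" '
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            if (index(rest, to " ") == 1 && index(rest, act) > 0) { print num; exit }
        }'
}

# Emit delete commands for several rule numbers, highest first, so that
# the remaining numbers are still correct when their turn comes. Prints
# the commands for review; pipe into "sudo sh" once they look right.
ufw_delete_by_numbers() {
    printf '%s\n' "$@" | sort -rn | while IFS= read -r n; do
        printf 'ufw --force delete %s\n' "$n"
    done
}
```

Typical use: `n=$(sudo ufw status numbered | ufw_rule_number 22 'DENY IN')` and then `sudo ufw delete "$n"`, re-reading the numbered status before each further deletion. When the rule's spec is known, `sudo ufw delete deny 22` avoids the numbering problem altogether.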

Comment

sudo ufw allow 22 comment 'for my SSH'

Now when we run:

sudo ufw status

We see the comment next to the rule.

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    DENY        Anywhere
8080                       ALLOW       Anywhere
2020                       ALLOW       Anywhere
22                         ALLOW       Anywhere                  # for my SSH
80                         REJECT      Anywhere

Logs

sudo ufw logging on
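Once logging is on, blocked packets show up as kernel "[UFW BLOCK]" lines (normally in /var/log/ufw.log or /var/log/syslog) with SRC=, DPT= and PROTO= fields. As an added example, not code from the original post, the script below summarises those lines by source address and flags sources that were blocked on several different destination ports, a cheap first indicator of port probing. The log lines are constructed samples using RFC 5737 documentation addresses; the function names and the threshold are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise [UFW BLOCK] log
# entries. The sample lines below are constructed; read the real file with
# e.g. "ufw_blocked_summary < /var/log/ufw.log".

# Constructed sample log lines (documentation addresses, RFC 5737).
UFW_SAMPLE_LOG='Mar  3 10:15:42 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:43 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:44 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54323 PROTO=TCP SPT=44323 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:16:01 host kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:16:05 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=51001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# Read log lines on stdin; print "hits source distinct_ports" per source,
# most hits first. Only [UFW BLOCK] lines count; ALLOW/AUDIT lines are skipped.
ufw_blocked_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            hits[src]++
            # count each (source, destination port) pair once
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END { for (s in hits) print hits[s], s, ports[s] }' | sort -rn
}

# Print sources blocked on at least N distinct destination ports
# (N defaults to 3): a simple port-probing indicator worth a closer look.
ufw_port_probe_suspects() {
    min="${1:-3}"
    ufw_blocked_summary | awk -v min="$min" '$3 >= min { print $2 }'
}
```

With the sample, `printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_blocked_summary` ranks 203.0.113.7 first (3 hits on 3 ports) and `ufw_port_probe_suspects` lists only that address. Raising UFW's logging level above "low" adds allowed and rate-limited packets to the same log, so keep the "[UFW BLOCK]" filter when counting denials.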

Conclusion

If you liked this post then you might like my YouTube channel, Mr. Rigden’s Channel.

You may remember me from such projects as The Seattle Podcasters Guild, The Talking Cryptocurrency Podcast, or some of my popular Python tutorials.