A Guide to the Uncomplicated Firewall (UFW) for Linux

Jason Rigden
5 min readFeb 26, 2018

Check out my podcast, “Talking Cryptocurrency” where I interview with the people making the cryptocurrency and blockchain revolution happen. Guests have ranged from solo devs to CEOs. These are quick 15–20 minutes episodes. Read my Podcast Manifesto or listen to the show now.

Firewalls are too import to be convoluted. UFW allows mere mortals to create firewall rules. In this post, I will walk you though all you need to know about using this awesome Linux security tool.

Warning: If you are using a remote system be careful. It is very easy to lock yourself out of remote system. If are using SSH and the firewall blocks the SSH port, you are gonna have a bad time.


UFW was made for Ubuntu, but now is available for most distributions. Check your distro’s package management system. For Ubuntu just run:

sudo apt-get install ufw


Before we do anything, we should know how to reset the firewall.

sudo ufw reset

This command will return UFW to its defaults. Removing any mistakes we might make.


The default settings for UFW is to allow all outgoing connections and block all incoming connections. It should also bedisabled by default.


We can check status of our newly installed firewall.

sudo ufw status

A brand new install will probably return:

Status: inactive

An enabled system will return something much more interesting. A nice table of rules.

Status: activeTo                         Action      From
-- ------ ----
OpenSSH DENY Anywhere
8080 ALLOW Anywhere
2020 ALLOW Anywhere
22 DENY Anywhere


We can make the status option show some extra information with:

sudo ufw status verbose

This view is a bit more detailed.

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp (OpenSSH) DENY IN Anywhere
8080 ALLOW IN Anywhere
2020 ALLOW IN Anywhere
22 DENY IN Anywhere


We can also see the rules numbered for convience:

sudo ufw status numbered

This view will be very useful later, when we are deleting rules.

Status: activeTo                         Action      From
-- ------ ----
[ 1] OpenSSH DENY IN Anywhere
[ 2] 8080 ALLOW IN Anywhere
[ 3] 2020 ALLOW IN Anywhere
[ 4] 22 DENY IN Anywhere


As we add and remove rules we will need to reload the firewall.

sudo ufw reload


Enable reloads the firewall and starts it when the machine boots.

sudo ufw enable


Unloads the firewall and it will not start automatically when the machine boots.

sudo ufw disable


A firewall is really just a set of rules for networking. These are rules about who can connect with a machine and who the machine can connect with. Rules about how ports, protocols, and hardware be used. UFW makes it pretty easy to write these rules. The rules we create with UFW are all about what we allow and what we deny.


Let us say we want to allow connection is our SSH server. It is listening on a non-standard port of 2020.

sudo ufw allow 2020

This allows TCP and UDP connections to port 2020. And if we want to block TCP and UDP connections on port 22.

sudo ufw deny 22


You can also create rules by name for some installed services. We can list the available services with:

sudo ufw app list

On my system at home, I get back:

Available applications:

If we want to allow OpenSSH. I run:

sudo ufw allow OpenSSH

And of course we could also block OpenSSH with:

sudo ufw deny OpenSSH

Although this would be a very bad idea on a remote machine.


We can allow connections for specific IP addresses too.

sudo ufw allow from

Or we can block specific IP addresses.

sudo ufw deny from


Earlier I mentioned UDP and TCP. We can create rules for these protocols specifically.

sudo ufw allow 80/tcp

This will only allow TCP connections on port 80. And if we want, we can explicitly block UDP connections also.

sudo ufw deny 80/udp


If you have multiple network interfaces, than you will probably want different rules for them. We want want eth0 to have port 80 open.

sudo ufw allow in on eth0 to any port 80

In and Out

We can allow or deny certain connections based on whether or not they are incoming or outgoing. The following will allow incoming connections on port 80.

sudo ufw allow in 80

And we could also block outgoing connections on port 3389.

sudo ufw deny out 3389


We can compose complex rules by combining some elements here. Let us say that I want to only allow a specific IP to access port 22.

sudo ufw allow from to any port 22


We can rate limit connection. This will limit connection attempts to 6 within 30 seconds for the rule.

sudo ufw limit ssh


Some times we want to explicitly reject a connection. This will let the sender know they are being rejected.

sudo ufw reject 666

Delete Rule

Eventually, we will want delete a rule we created. That can be pretty simple.

sudo ufw delete allow 80

Or we can delete a rule by number. Remember:

sudo ufw status numbered

We got this nice table with all the rules numbered.

Status: activeTo                         Action      From
-- ------ ----
[ 1] OpenSSH DENY IN Anywhere
[ 2] 8080 ALLOW IN Anywhere
[ 3] 2020 ALLOW IN Anywhere
[ 4] 22 DENY IN Anywhere

We can delete a rule using its number.

sudo ufw delete 8


Commenting your code is always a good idea. After the command add comment and then a string in quotes.

sudo ufw allow 22 comment 'for my SSH'

Now when we run:

sudo ufw status

We get our little comment helper.

Status: activeTo                         Action      From
-- ------ ----
OpenSSH DENY Anywhere
8080 ALLOW Anywhere
2020 ALLOW Anywhere
22 ALLOW Anywhere # for my SSH
80 REJECT Anywhere


We can also instruct our firewall to maintain logs.

sudo ufw logging on


Firewall rules can get complex pretty fast. I hope this little tutorial can make it a little easier.

If you liked this post then you might like my YouTube channel, Mr. Rigden’s Channel.



Jason Rigden

You may remember me from such projects as The Seattle Podcasters Guild, The Talking Cryptocurrency Podcast, or some of my popular Python tutorials.