RU
EN
UA
CZ
What is UFW
UFW or Uncomplicated Firewall is an iptables based firewall management application in Ubuntu. UFW is the default firewall configuration tool for Ubuntu Linux and provides a convenient way to configure the firewall. The UFW command is the same as the English one, so the commands are easy to remember. The UFW firewall supports IPv4 and IPv6.
How to install UFW
By default, UFW should already be installed on Ubuntu 20.04. You can check this with the command:
which ufw
As you can see, we already have UFW installed. But if you somehow miss it, you can install it with the command below:
apt install ufw
Then run the following command to enable UFW:
ufw enable
You can see above, it turned on, it will also be available after rebooting the OS.
Основные команды в UFW
The “ufw enable” command will enable UFW with default rules. You can verify that UFW is working by issuing this command:
If you want to disable UFW you can use the command:
ufw disable
We get this answer:
We see that UFW is stopped and turned off.
How to add a UFW rule
UFW will deny all incoming connections after you enable it. So, the first thing you need to do is allow SSH access to the server if you want to manage the system remotely. The “ufw allow sshport” command allows SSH access, replace SSHPORT with the port of the SSH service, the default SSH port is 22.
ufw allow 22
And we get this result:
root@firstbyte:~# ufw allow 22 Rule added Rule added (v6)
If you want to allow incoming connections on port 22 for TCP only, add “/tcp” to the end of the command, as shown in the following example:
ufw allow 22/tcp
When the service you want to allow access to is listening on its default port, you can use the service name instead of the port number. This makes it easier to open the port as you may not know it. UFW will find the correct port number for you in /etc/services.
This command will open the default SSH port:
ufw allow ssh
Now test the rule with:
ufw status
We will get the same result as above.
Forbidden rule in UFW
The “deny” command works similarly to the “allow” command and is used to close a port in the firewall:
You can disable a port like this:
ufw deny 80
We get this result:
Example for “deny” with service name. In this example, we will block http port/80:
ufw deny http
Important:
All ports and their service names are listed in the /etc/services file.
Now we will delve into the syntax of the UFW command, learn how to allow part of the ranges (for example, for passive FTP ports) and access from only one IP address or subnet.
- Allow port range
You can allow a range of ports in UFW. Some services, such as FTP or IRC, use a number of ports to communicate with their clients.
In this example, we will allow the port range from 6660 to 6670:
ufw allow 6660:6670/tcp ufw allow 6660:6670/udp
The command will allow connections to ports 6660-6670 via TCP and UDP protocols.
- Allow a specific IP address
You can add a specific IP address to allow access to all services by adding the “from” option. This is for example useful if you have a static IP address at home or office and want to allow access to all services on your server from there. The command below will allow IP 10.10.10.10 to access all ports on the server:
ufw allow from 10.10.10.10
- Allow subnet
If you want to allow all IP addresses on your subnet, you can add an IP subnet (range of IP addresses) to the UFW command like this:
ufw allow from 10.10.10.0/24
Result:
WARN: Rule changed after normalization
Rule added
- Allow access from a specific IP address to one port
If you want to only allow access to a single port from a specific IP address, you can combine the UFW commands we learned above.
For example, only IP address 10.10.10.10 can access SSH port 22 TCP, and other IP addresses will be rejected from this port, you can use the following command:
ufw allow from 10.10.10.10 proto tcp to any port 22
Result:
Rule added
- Allow all incoming traffic on a specific port
If you want to allow all traffic on port 80 you can use this command:
ufw allow to any port 80
Deleting a UFW Rule
In this section, you will learn how to delete a rule saved in UFW. You can use the “delete” command to remove the ufw rule. Please enter the command “ufw delete” and then select the option you want to delete, allow or deny.
Here are some examples:
Removing an SSH allow rule with a service name:
ufw delete allow ssh
Result:
Rule deleted
Rule deleted (v6)
This command will remove the “allow ssh” rule. Be careful not to block yourself from the server!
Remove the “deny” rule on port 80:
ufw delete deny 80
Result:
Rule deleted Rule deleted (v6)
If you have a complex rule, there is an easy way to identify and delete a rule by its rule ID. Run the following command to get a list of all rules with their IDs:
ufw status numbered
Now remove the SSH rule for IPv6 by rule number only:
ufw delete 9
Result:
Deleting:
allow 22/tcp
Proceed with operation (y|n)? y
Rule deleted (v6)
Disable and reset UFW settings
If you want to disable UFW without removing your rules, you can use the “disable” command:
ufw disable
Result:
Firewall stopped and disabled on system startup
If you want to completely disable UFW and remove all rules, you can use the “reset” command:
ufw reset
Result:
Resetting all rules to installed defaults. This may disrupt existing ssh
connections. Proceed with operation (y|n)? y
Backing up 'user.rules' to '/etc/ufw/user.rules.20230426_231930'
Backing up 'before.rules' to '/etc/ufw/before.rules.20230426_231930'
Backing up 'after.rules' to '/etc/ufw/after.rules.20230426_231930'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20230426_231930'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20230426_231930'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20230426_231930'
Conclusion
UFW is the default firewall configuration tool in Ubuntu. This UFW tutorial is a guide to getting started with this great firewall tool. If you want to learn more about UFW, you can go to the Ubuntu wiki or the ufw-manpage.