Overview
UFW (Uncomplicated Firewall) is a user-friendly interface for managing iptables. It provides a simplified way to configure a Linux firewall while retaining the reliability and security of iptables.
Key Features
Simple command syntax
Application integration
IPv4 and IPv6 support
Logging capabilities
Rate limiting
Port management
Installation
Ubuntu (22.04/24.04)
# Install UFW
sudo apt update
sudo apt install ufw
# Check status
sudo ufw status
Initial Setup
# Reset all rules
sudo ufw reset
# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
Basic Usage
Status Management
# Check firewall status
sudo ufw status
sudo ufw status verbose
sudo ufw status numbered
# Enable/Disable firewall
sudo ufw enable
sudo ufw disable
# Reload firewall
sudo ufw reload
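On a remote host, "ufw enable" combined with the default deny incoming policy cuts your own SSH session if no SSH rule exists yet. The following is an added example (not from the original page or from UFW): a POSIX shell guard that checks the output of "ufw show added", which lists configured rules even while the firewall is inactive, and only then enables; ufw_has_ssh_rule takes that text as an argument so it can be tested against sample output without root.

```shell
#!/bin/sh
# Lockout guard for "ufw enable": refuse unless an inbound ALLOW or LIMIT rule
# for SSH is already configured. Added example for this page, not part of UFW.
# $1 is the output of "ufw show added", which prints rules in command form
# (e.g. "ufw limit 22/tcp", "ufw allow OpenSSH") even when ufw is inactive.
ufw_has_ssh_rule() {
    printf '%s\n' "$1" \
        | grep -Ev '^ufw (allow|limit) out ' \
        | grep -Eq '^ufw (allow|limit) (.* )?(22(/tcp)?|OpenSSH|ssh)( .*)?$'
}

# Enable the firewall only when the guard above passes.
ufw_safe_enable() {
    rules=$(sudo ufw show added) || return 1
    if ufw_has_ssh_rule "$rules"; then
        sudo ufw --force enable   # --force skips the interactive confirmation
    else
        echo "refusing to enable ufw: no inbound SSH allow/limit rule found" >&2
        return 1
    fi
}
```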
Basic Rules
# Allow incoming port
sudo ufw allow 22
# Deny incoming port
sudo ufw deny 80
# Allow specific service
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
Rule Management
Port Rules
# Allow specific port
sudo ufw allow 3306
# Allow port range
sudo ufw allow 6000:6007/tcp
# Allow from specific IP
sudo ufw allow from 192.168.1.100
# Allow to specific port
sudo ufw allow from 192.168.1.100 to any port 22
Protocol Rules
# Allow TCP traffic
sudo ufw allow 80/tcp
# Allow UDP traffic
sudo ufw allow 53/udp
# Allow both TCP and UDP (omit the protocol suffix)
sudo ufw allow 80
Network Rules
# Allow subnet
sudo ufw allow from 192.168.1.0/24
# Allow an address range (UFW accepts CIDR blocks only, not hyphenated ranges; 192.168.1.0/25 covers .0 to .127)
sudo ufw allow from 192.168.1.0/25
# Allow to specific network interface
sudo ufw allow in on eth0 to any port 80
Application Profiles
Managing Profiles
# List available applications
sudo ufw app list
# Show application info
sudo ufw app info PROFILE
# Allow application
sudo ufw allow "Apache Full"
sudo ufw allow "OpenSSH"
Common Profiles
# Web server
sudo ufw allow "Apache"
sudo ufw allow "Nginx Full"
# SSH server
sudo ufw allow "OpenSSH"
# Mail server
sudo ufw allow "Postfix"
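The profiles shown by "ufw app list" come from INI-style files in /etc/ufw/applications.d, and you can add your own so that rules read as service names instead of port numbers. Below is an added example (not part of the original page or of UFW): a POSIX shell function that validates the name and the ports field against UFW's profile syntax before writing the file; "Internal API" and its ports are made-up values.

```shell
#!/bin/sh
# Write a custom UFW application profile. UFW reads INI-style files from
# /etc/ufw/applications.d; the [section] name is the profile name you then use
# in "ufw allow NAME". Added example for this page, not part of UFW itself.
#   usage: ufw_write_app_profile NAME TITLE DESCRIPTION PORTS [DIR]
#   PORTS follows UFW's profile syntax: comma lists, a:b ranges, an optional
#   /tcp or /udp suffix, and "|" between entries, e.g. "8080,8443/tcp|9000:9010/udp".
ufw_write_app_profile() {
    name=$1; title=$2; desc=$3; ports=$4; dir=${5:-/etc/ufw/applications.d}
    entry='[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*(/(tcp|udp))?'
    # Reject names that would break the INI section header or the rule syntax.
    printf '%s' "$name" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9 ._+-]*$' || {
        echo "invalid profile name: $name" >&2; return 1; }
    # ufw skips a profile whose ports field it cannot parse, so catch mistakes here.
    printf '%s' "$ports" | grep -Eq "^${entry}([|]${entry})*\$" || {
        echo "invalid ports specification: $ports" >&2; return 1; }
    file="$dir/$(printf '%s' "$name" | tr ' ' '_' | tr 'A-Z' 'a-z')"
    printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' \
        "$name" "$title" "$desc" "$ports" > "$file" || return 1
    echo "$file"
}

# As root, write the profile, then make ufw load it and scope a rule to it
# ("Internal API" and its ports are made-up values):
#   ufw_write_app_profile "Internal API" "Internal API" "Staff-only HTTP API" "8080,8443/tcp"
#   ufw app update "Internal API"
#   ufw app info "Internal API"
#   ufw allow from 192.168.1.0/24 to any app "Internal API"
```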
Advanced Configuration
Rate Limiting
# Limit SSH connections
sudo ufw limit ssh
# Limit custom port
sudo ufw limit 3306/tcp
# Limit with specific IP
sudo ufw limit from 192.168.1.100
Delete Rules
# Delete by number
sudo ufw status numbered
sudo ufw delete 2
# Delete specific rule
sudo ufw delete allow 80
sudo ufw delete deny 443
# Delete by full rule
sudo ufw delete allow from 192.168.1.100
Custom Rules
# Allow multiple ports
sudo ufw allow 80,443/tcp
# Allow range with specific IP
sudo ufw allow from 192.168.1.100 to any port 60000:61000
# Allow specific in/out
sudo ufw allow in on eth0 from 192.168.1.100
sudo ufw allow out on eth0 to 192.168.1.100
Logging
Enable/Disable Logging
# Enable logging
sudo ufw logging on
# Set logging level
sudo ufw logging low
sudo ufw logging medium
sudo ufw logging high
# Disable logging
sudo ufw logging off
View Logs
# View UFW logs
sudo tail -f /var/log/ufw.log
# Filter logs
sudo grep "UFW BLOCK" /var/log/ufw.log
# Monitor real-time
sudo journalctl -f -n 100 | grep "UFW"
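Reading the raw log with tail and grep is fine for a quick look, but a count by source and destination port is what you need to decide whether a burst of UFW BLOCK lines is a scan or a misconfigured client. The following is an added example (not part of the original page or of UFW): two POSIX shell functions that read UFW log lines on stdin, plus a constructed sample log that uses RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Count blocked packets per "SRC DPT/PROTO" from UFW log lines read on stdin.
# Matches both "[UFW BLOCK]" and the "[UFW LIMIT BLOCK]" lines written by
# rate-limited rules; "[UFW ALLOW]" lines (logging medium/high) are skipped,
# as are ICMP lines, which carry no DPT field.
ufw_block_summary() {
    awk '/\[UFW (LIMIT )?BLOCK\]/ {
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        src   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (src != "" && dpt != "") count[src " " dpt "/" proto]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Number of distinct destination ports each source was blocked on. One source
# touching many ports is the usual signature of a port scan worth a closer look.
ufw_ports_per_source() {
    awk '/\[UFW (LIMIT )?BLOCK\]/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)      src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) print s, ports[s] }' | sort -k2,2nr -k1
}

# Constructed sample of /var/log/ufw.log lines (not captured from a real host).
UFW_SAMPLE_LOG='Mar  3 10:00:01 web1 kernel: [ 101.1] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:02 web1 kernel: [ 102.2] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=2 PROTO=TCP SPT=4445 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:03 web1 kernel: [ 103.3] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:04 web1 kernel: [ 104.4] [UFW ALLOW] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=4 PROTO=TCP SPT=51001 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:05 web1 kernel: [ 105.5] [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=5 PROTO=TCP SPT=4446 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# Against a live host: ufw_block_summary < /var/log/ufw.log
printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_block_summary
printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_ports_per_source
```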
Troubleshooting
Common Issues
Connection Problems
# Check rule status
sudo ufw status verbose
# Test specific rule
sudo ufw status | grep 80
# Check logs
sudo tail -f /var/log/ufw.log
Rule Conflicts
# List all rules
sudo ufw show added
# Check rule order
sudo ufw status numbered
# Reset rules if needed
sudo ufw reset
Service Access
# Verify service rules
sudo ufw app info "Apache Full"
# Test that the service is listening (UFW accepts all loopback traffic, so this does not exercise the firewall rules)
nc -zv localhost 80
# Test through the firewall from another host (SERVER_IP is a placeholder)
nc -zv SERVER_IP 80
Best Practices
Security Configuration
# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Essential services
sudo ufw allow ssh
sudo ufw limit ssh
Maintenance
# Regular status check
sudo ufw status verbose
# Backup rules (user.rules holds the IPv4 rules, user6.rules the IPv6 rules)
sudo cp /etc/ufw/user.rules /etc/ufw/user.rules.backup
sudo cp /etc/ufw/user6.rules /etc/ufw/user6.rules.backup
# Review logs
sudo tail -f /var/log/ufw.log
Quick Reference
Essential Commands
# Status management
sudo ufw status
sudo ufw enable
sudo ufw disable
# Basic rules
sudo ufw allow ssh
sudo ufw deny http
sudo ufw limit https
# Rule management
sudo ufw delete RULE
sudo ufw reset
Common Rules
# Web server
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# SSH server
sudo ufw allow 22/tcp
sudo ufw limit ssh
# Database
sudo ufw allow 3306/tcp
Application Rules
# List applications
sudo ufw app list
# Allow applications
sudo ufw allow "Apache Full"
sudo ufw allow "OpenSSH"
sudo ufw allow "Nginx Full"
Example Configurations
Basic Web Server
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow "Apache Full"
sudo ufw enable
Secure Server
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw limit ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw logging on
Database Server
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow from 192.168.1.0/24 to any port 3306
sudo ufw limit ssh
Remember:
Always backup before making changes
Test rules before implementing
Use limiting for sensitive services
Keep logs for monitoring
Regular review of rules
Document all changes
For detailed information, consult the man pages (man ufw) and official documentation.