Prerequisites:
  • Linux system with sudo/root access
  • Basic command line knowledge
UFW (Uncomplicated Firewall) is a user-friendly interface for managing iptables firewall rules on Linux. This guide will help you install, enable, and configure UFW to secure your system.

Installation

1. Install UFW

UFW is typically pre-installed on Ubuntu and Debian systems. If it's not installed, use your package manager:
Ubuntu/Debian:
sudo apt update
sudo apt install ufw
CentOS/RHEL/Fedora:
# Fedora ships ufw in its own repositories; CentOS/RHEL get it from EPEL, so enable that repository first
sudo yum install ufw
# or for newer versions
sudo dnf install ufw
These distributions ship firewalld as their default firewall. UFW and firewalld both program the same kernel netfilter tables and will fight over them, so stop and disable firewalld (sudo systemctl disable --now firewalld) before enabling UFW, and run only one of the two.
2. Check UFW status

Verify that UFW is installed and check its current status:
sudo ufw status
If UFW is inactive, you’ll see Status: inactive. If it’s active, you’ll see a list of current rules.

Enabling UFW

Before enabling UFW, make sure you have SSH access configured, or you may lock yourself out of your server. UFW's default policy drops all incoming traffic, so enabling it without an SSH rule means your current session survives (established connections are still accepted) but the next login attempt is silently dropped. Always allow SSH first!
1. Allow SSH (Critical!)

Before enabling UFW, allow SSH connections to prevent being locked out:
sudo ufw allow ssh
# equivalent: the name "ssh" resolves to 22/tcp through /etc/services
sudo ufw allow 22/tcp
If sshd listens on a custom port, allow that port number instead of 22. The authoritative value is the effective server configuration: sudo sshd -T | grep '^port '
2. Enable UFW

Once SSH is allowed, enable UFW:
sudo ufw enable
You'll be prompted to confirm. Type y and press Enter. UFW is now active and is started automatically at boot; in scripts, sudo ufw --force enable skips the prompt.
3. Verify UFW is active

Check that UFW is now active:
sudo ufw status verbose
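The three steps above as one script, added here as an example (it is not part of the original page): it reads every Port directive from sshd_config so a custom SSH port is not missed, uses limit rather than allow so brute-force rate limiting comes for free, and only touches the live firewall when run as root. The sample sshd_config is constructed; the parser assumes the standard "Port N" syntax and does not handle ListenAddress host:port forms.

```shell
#!/bin/sh
# Added example (not from the original page): allow every port sshd listens on
# before turning UFW on. Assumes standard sshd_config syntax ("Port N", one or
# more times, comment lines ignored); "ListenAddress host:port" is not parsed.

# Print every active "Port" value in an sshd_config; default to 22 if none.
detect_ssh_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    [ -n "$ports" ] || ports=22
    printf '%s\n' $ports
}

# Print the ufw command for one port. "limit" instead of "allow" also
# rate-limits brute forcing: UFW denies a source that opens 6 or more new
# connections within 30 seconds.
build_ssh_rule() {
    printf 'ufw limit %s/tcp\n' "$1"
}

# Apply the rules and enable UFW. Refuses to run unless root; "--force" skips
# the interactive confirmation so this works non-interactively.
apply_and_enable() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_and_enable: run as root" >&2; return 1; }
    detect_ssh_ports "${1:-/etc/ssh/sshd_config}" | while read -r p; do
        ufw limit "$p/tcp"
    done
    ufw --force enable
    ufw status verbose
}

# Constructed sample sshd_config so the detection logic can be exercised
# without touching the real /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# constructed sample: the commented Port line must be ignored
#Port 22
Port 2222
Port 22
PermitRootLogin no
EOF

# Dry run: show what apply_and_enable would execute for the sample config.
detect_ssh_ports "$SAMPLE_SSHD_CONFIG" | while read -r p; do
    build_ssh_rule "$p"
done
```

On a real host, run apply_and_enable as root with no argument (it then reads /etc/ssh/sshd_config); the dry run at the bottom only prints the commands for the constructed sample.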

Configuring Ports for Services

Configure UFW to allow traffic for your running services.

Common Service Ports

Allow HTTP and HTTPS traffic:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Or allow both at once with an application profile:
sudo ufw allow 'Nginx Full'
# or for Apache
sudo ufw allow 'Apache Full'
Application profiles are shipped by the web server packages, so they only exist once nginx or apache2 is installed. List the profiles available on your host with sudo ufw app list and see which ports one opens with sudo ufw app info 'Nginx Full'.
Allow MySQL connections (default port 3306):
sudo ufw allow 3306/tcp
Allow PostgreSQL connections (default port 5432):
sudo ufw allow 5432/tcp
Do not open a database to every source in production. Only allow database access from trusted IPs: sudo ufw allow from YOUR_IP to any port 3306 proto tcp (likewise for 5432). A database that only serves applications on the same host should bind to 127.0.0.1 and needs no firewall rule at all.
Allow traffic on any custom port:
# Allow TCP on port 3000
sudo ufw allow 3000/tcp

# Allow UDP on port 5000
sudo ufw allow 5000/udp

# Allow both TCP and UDP
sudo ufw allow 8080

Allow from Specific IP Addresses

To restrict access to specific IP addresses or subnets. Rules match in the order they were added, so these only restrict anything if no broader rule for the same port exists: if you already ran sudo ufw allow ssh, delete that rule, or it keeps accepting connections from everywhere.
# Allow SSH only from a specific IP
sudo ufw allow from 192.168.1.100 to any port 22

# Allow database access from a specific subnet
sudo ufw allow from 192.168.1.0/24 to any port 3306

Blocking ICMP Echo Requests (Ping)

To stop the server answering ICMP echo requests (ping):
1. Edit UFW before.rules

Open the UFW before.rules file:
sudo nano /etc/ufw/before.rules
2. Add ICMP blocking rule

Locate the line # ok icmp codes for INPUT and add the following rule right below it. The stock file accepts echo-request a few lines further down; netfilter stops at the first matching rule, so the DROP must come before that ACCEPT (changing that line's ACCEPT to DROP is equivalent):
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Leave the neighbouring accept rules for destination-unreachable, time-exceeded and parameter-problem in place; dropping those breaks path MTU discovery and traceroute. This file covers IPv4 only: for IPv6 make the matching change in /etc/ufw/before6.rules, where the chain is ufw6-before-input and the match is -p icmpv6 --icmpv6-type echo-request.
Save the file (Ctrl+O, Enter, Ctrl+X in nano).
3. Reload UFW

Apply the changes:
sudo ufw reload
After this change, your server will not answer ping. This defeats only ICMP-based host discovery: a scanner that probes TCP ports directly (for example nmap -Pn) still finds every open service, and your own monitoring and reachability checks stop getting replies. Treat it as a small reduction in noise, not as hiding the host.
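The same edit done by script, added as an example that is not part of the original page. Instead of keying on the comment line it inserts the DROP immediately before the existing echo-request ACCEPT, so the same function works on both /etc/ufw/before.rules (icmp) and /etc/ufw/before6.rules (icmpv6), is safe to run twice, and a second function reports which rule netfilter will actually use. The before.rules excerpt it operates on is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): idempotently block ICMP
# echo-request in a UFW before.rules / before6.rules file and verify that the
# DROP precedes the stock ACCEPT (first match wins).

# Insert a DROP for echo-request immediately before the existing ACCEPT.
# Running it twice leaves a single DROP. Returns 1 if no ACCEPT rule exists.
block_echo_request() {
    f=$1
    if grep -Eq -- '--icmp(v6)?-type echo-request -j DROP$' "$f"; then
        return 0                                   # already done
    fi
    if ! grep -Eq -- '--icmp(v6)?-type echo-request -j ACCEPT$' "$f"; then
        echo "block_echo_request: no echo-request ACCEPT rule in $f" >&2
        return 1
    fi
    awk '/--icmp(v6)?-type echo-request -j ACCEPT$/ {
             d = $0; sub(/-j ACCEPT$/, "-j DROP", d); print d
         }
         { print }' "$f" > "$f.tmp" \
        && cat "$f.tmp" > "$f" && rm -f "$f.tmp"   # cat keeps the file's mode/owner
}

# Print the action of the first echo-request rule, i.e. the one that wins.
echo_request_policy() {
    awk '/--icmp(v6)?-type echo-request -j (ACCEPT|DROP)$/ {
             p = ($0 ~ /DROP$/) ? "DROP" : "ACCEPT"; print p; exit
         }' "$1"
}

# Write a constructed excerpt of a stock before.rules to a temp file; print its path.
make_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed excerpt of /etc/ufw/before.rules for this example
*filter
:ufw-before-input - [0:0]
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
    echo "$f"
}

demo=$(make_sample_rules)
echo "before: $(echo_request_policy "$demo")"
block_echo_request "$demo"
block_echo_request "$demo"     # second run is a no-op
echo "after:  $(echo_request_policy "$demo")"
grep -n 'echo-request' "$demo"
```

On a real host, run block_echo_request as root against /etc/ufw/before.rules and /etc/ufw/before6.rules, check echo_request_policy prints DROP for both, then sudo ufw reload.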

Managing Firewall Rules

Viewing Rules

# Show numbered rules
sudo ufw status numbered

# Show verbose output with more details
sudo ufw status verbose

Deleting Rules

First, list rules with numbers:
sudo ufw status numbered
Then delete by number:
sudo ufw delete 3
Replace 3 with the rule number you want to delete.
Delete a rule by specifying it exactly:
sudo ufw delete allow 80/tcp
UFW will prompt you to confirm the deletion.

Resetting UFW

To remove all rules and start fresh:
sudo ufw reset
This disables the firewall and deletes all UFW rules; the previous rule files are kept under /etc/ufw with a timestamp suffix in case you need them. You'll need to reconfigure it afterward, starting again with the SSH rule before enabling.

Disabling UFW

To temporarily disable UFW (rules are preserved, but note that the host accepts all traffic while the firewall is off):
sudo ufw disable
To re-enable:
sudo ufw enable

Best Practices

Default Policies

Set default deny policies:
sudo ufw default deny incoming
sudo ufw default allow outgoing
These are UFW's shipped defaults, so on a fresh install this changes nothing, but setting them explicitly undoes any earlier change and makes the policy visible in sudo ufw status verbose. Defaults apply immediately: anything not matched by an explicit rule is then dropped inbound and permitted outbound. Restricting outgoing traffic as well is possible, but you must then allow DNS, package repositories and everything else the host itself initiates.

Rate Limiting

Enable rate limiting for SSH:
sudo ufw limit ssh/tcp
A limit rule still allows the traffic, but UFW denies a source address that attempts 6 or more new connections within 30 seconds, which blunts password brute forcing. Rules match in the order they were added, so if a plain sudo ufw allow ssh rule already exists, delete it first; otherwise it matches before the limit rule and the limit never triggers.

Logging

Enable logging to monitor firewall activity:
sudo ufw logging on
This selects the low level, which records blocked packets (rate-limited) and packets matching rules created with the log keyword. The levels are off, low, medium, high and full (for example sudo ufw logging medium); the higher levels also log allowed packets and new connections and become noisy fast. Entries are kernel messages tagged [UFW BLOCK], [UFW ALLOW] and, for limit rules, [UFW LIMIT BLOCK]. On Ubuntu, rsyslog writes them to /var/log/ufw.log; they also appear in /var/log/kern.log and in journalctl -k.
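Reading the raw log in tail -f is fine for a quick look; to spot a brute-force source or a scan you want counts. The following is an added example, not part of the original page: it reduces UFW's kernel log lines to "count source port protocol", most frequent first. The field names (SRC=, DPT=, PROTO=) are the netfilter log format UFW uses; the log lines themselves are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): summarise which sources and
# ports UFW is blocking from its kernel log lines ("[UFW BLOCK]" and, for
# limit rules, "[UFW LIMIT BLOCK]"). Allowed and unrelated lines are ignored.

# Print "count SRC DPT PROTO" for every blocked flow, most frequent first.
# Flows without a destination port (ICMP) show "-" in the DPT column.
summarize_ufw_log() {
    awk '
        /\[UFW (LIMIT )?BLOCK\]/ {
            src = ""; dpt = "-"; proto = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src != "") count[src " " dpt " " proto]++
        }
        END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# The single source with the most blocked packets (a quick ban candidate).
top_blocked_source() {
    summarize_ufw_log "$1" | head -n 1 | awk '{ print $2 }'
}

# Constructed sample log in the shape of /var/log/ufw.log.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:00:01 web1 kernel: [ 1234.567] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:02 web1 kernel: [ 1235.001] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:03 web1 kernel: [ 1236.210] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:04 web1 kernel: [ 1237.330] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:05 web1 kernel: [ 1238.440] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51001 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:06 web1 kernel: [ 1239.550] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=12345 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Mar  3 10:00:07 web1 kernel: [ 1240.660] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:08 web1 sshd[1234]: Accepted publickey for admin from 192.168.1.100 port 50000 ssh2
EOF

summarize_ufw_log "$SAMPLE_LOG"
```

Point it at the real file with summarize_ufw_log /var/log/ufw.log (or journalctl -k --no-pager > /tmp/k.log first on hosts without rsyslog). Three SYNs to port 22 from one address in three seconds is what a limit rule is there to stop; a run of distinct ports from one source is a scan.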

Regular Audits

Regularly review your firewall rules:
sudo ufw status verbose
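Reading the rule list by eye misses things once it grows past a screen. The following is an added example, not part of the original page: it parses the output of sudo ufw status numbered and prints every inbound ALLOW or LIMIT rule that exposes a sensitive service port to Anywhere, which is exactly the mistake the database section above warns about. The port list and the sample listing are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): flag "ufw status numbered" rules
# that open a sensitive port to Anywhere. The port list is an assumption for
# this example; extend it to match the services you run.

# Default ports that should never be world-reachable:
# MySQL, PostgreSQL, Redis, MongoDB, Elasticsearch.
SENSITIVE_PORTS="3306 5432 6379 27017 9200"

# Print "<rule number> <to>" for each ALLOW/LIMIT IN rule from Anywhere on a
# sensitive port. Handles "[ 1]"/"[12]" numbering, "(v6)" suffixes, and
# multi-word application profiles such as "Nginx Full".
audit_rules() {
    awk -v sens="$SENSITIVE_PORTS" '
        BEGIN { n = split(sens, a, " "); for (i = 1; i <= n; i++) s[a[i]] = 1 }
        /^\[/ {
            line = $0
            v6 = (line ~ /\(v6\)/) ? " (v6)" : ""
            gsub(/ \(v6\)/, "", line)
            match(line, /^\[ *[0-9]+\]/)
            num = substr(line, 2, RLENGTH - 2); gsub(/ /, "", num)
            line = substr(line, RLENGTH + 1)
            # DENY/REJECT and OUT rules are not exposures, skip them
            if (!match(line, / (ALLOW|LIMIT) IN +/)) next
            to = substr(line, 1, RSTART - 1)
            sub(/^ +/, "", to); sub(/ +$/, "", to)
            from = substr(line, RSTART + RLENGTH)
            sub(/^ +/, "", from); sub(/ +$/, "", from)
            split(to, p, "/"); port = p[1]
            if (from ~ /^Anywhere/ && (port in s)) printf "%s %s%s\n", num, to, v6
        }' "$1"
}

# Exit 0 when nothing is flagged, 1 otherwise (for use in a cron job or CI).
audit_passes() {
    [ -z "$(audit_rules "$1")" ]
}

# Constructed sample in the shape of "sudo ufw status numbered" output.
SAMPLE_STATUS=$(mktemp)
cat > "$SAMPLE_STATUS" <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    Anywhere
[ 4] 5432/tcp                   ALLOW IN    192.168.1.0/24
[ 5] Nginx Full                 ALLOW IN    Anywhere
[ 6] 6379                       DENY IN     Anywhere
[ 7] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 8] 3306/tcp (v6)              ALLOW IN    Anywhere (v6)
EOF

audit_rules "$SAMPLE_STATUS"
audit_passes "$SAMPLE_STATUS" && echo "audit: clean" || echo "audit: exposed rules found"
```

Rules 3 and 8 are flagged (MySQL open to the world over IPv4 and IPv6); rule 4 is not, because its source is a subnet, and rule 6 is not, because it denies. On a live host: sudo ufw status numbered > /tmp/ufw.txt; audit_rules /tmp/ufw.txt, then delete the flagged rule numbers and replace them with from-address rules.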

Troubleshooting

If you’re locked out, you’ll need console access (KVM, VNC, or physical access):
  1. Access the server console
  2. Disable UFW: sudo ufw disable
  3. Reconfigure SSH access: sudo ufw allow ssh
  4. Re-enable UFW: sudo ufw enable
Check if the rule was added correctly:
sudo ufw status | grep PORT_NUMBER
Make sure the service is running and listening on the correct port and address. A service bound to 127.0.0.1 is unreachable from outside no matter what the firewall allows; it must listen on 0.0.0.0, [::] or the host's address:
sudo ss -tulpn | grep PORT_NUMBER
# netstat works too on systems that still ship it
sudo netstat -tulpn | grep PORT_NUMBER
Check UFW status and logs:
sudo ufw status verbose
sudo tail -f /var/log/ufw.log
Ensure UFW service is enabled:
sudo systemctl status ufw
sudo systemctl enable ufw
Need more help? Check the UFW manual: man ufw or visit the UFW documentation.