Serverspace Black Friday
BM
August 13, 2022
Updated December 26, 2023

Basic UFW (Uncomplicated Firewall) commands

Linux Networks

Introduction

The default firewall configuration tool for Ubuntu is ufw. Designed to simplify iptables firewall configuration, ufw provides a convenient way to create an IPv4 or IPv6 host-based firewall. By default, UFW is disabled.

If your version does not have ufw installed, you can install it using the command:

sudo apt update && sudo apt install ufw

UFW status check

Check that the firewall is switched on, use this command:

sudo ufw status

Firewall status
The result will show whether your firewall is active or not.

Switching on UFW

If you get a Status: inactive message when running the ufw status command, it means that the firewall is not yet enabled on the system. You will need to run a command to enable it.

By default, when UFW is enabled, it blocks external access to all ports on the server. In practice, this means that if you connect to a server via SSH and enable ufw before allowing access on the SSH port, you will be disconnected.

To enable UFW on your system, run the command:

sudo ufw enable

You will see a result similar to this.

Enabling firewall autoloading

To see what is currently blocked or allowed, you can use the verbose parameter when running ufw status as shown below:

sudo ufw status verbose

Advanced firewall configuration output

Switching off the UFW

If for some reason you need to disable the firewall, you can do so with the following command:

sudo ufw disable

Be careful, this command will completely disable the firewall service on your system!

Blocking an IP address from being addressed

To block all network connections originating from a specific IP address, run the following command, replacing the allocated IP address with the IP address you wish to block:

sudo ufw deny from 91.198.174.190

Blocking incoming requests from an ip address
In this example, from 91.198.174.190 indicates the source IP address "91.198.174.190".

sudo ufw status

If you run this command, you will see that the specified IP address is on the banned list:

Active filtering rules

All connections, incoming and outgoing, are blocked for the specified IP address.

Block the subnet

If you need to block the entire subnet, you can use the subnet address as the "from" parameter in the ufw deny command. This will block all IP addresses in the example subnet 91.198.174.0/24:

sudo ufw deny from 91.198.174.0/24

Subnet blocking

Blocking incoming connections to the network interface

To block incoming connections from a specific IP address to a specific network interface, run the following command, replacing the IP address with the IP address you want to block:

sudo ufw deny in on eth0 from 91.198.174.192

Blocking an ip address in a subnetwork

The "in" parameter tells the firewall to apply the rule only to incoming connections, and the "on eth0" parameter tells it that the rule applies only to the eth0 interface.

This can be useful if you have a system with multiple network interfaces (including virtual interfaces) and you need to block external access to some of those interfaces, but not all.

Allow IP address conversions

To allow all network connections originating from a specific IP address, run the following command, replacing the allocated IP address with the IP address you wish to allow access to:

sudo ufw allow from 91.198.174.192

Allow incoming requests from an ip address

If you now run "sudo ufw status", you will see output similar to this, with ALLOW next to the IP address you have just added.

sudo ufw status

List of active filtering rules

You can also allow connections from an entire subnet by specifying the appropriate subnet mask for the host, e.g. 91.198.174.0/24.

Allow incoming connections to the network interface

To allow incoming connections from a specific IP address to a specific network interface, run the following command, replacing the IP address with the one you want to allow:

sudo ufw allow in on eth0 from 91.198.174.22

Allow incoming requests on the network interface

The "in" parameter tells the firewall to apply the rule only to incoming connections and the "on eth0" parameter specifies that the rule applies only to the "eth0" interface.

sudo ufw status

If you run the command, you will see a result similar to this:

Active filtering rules

Remove a firewall rule

To delete a rule previously installed in UFW, use "ufw delete", then enter the rule (allow / deny) and the target specification. The following example deletes a rule previously set to allow all connections from IP address 91.198.174.192:

sudo ufw delete allow from 91.198.174.192

Deletion of UFW rule

Another way to specify which rule you want to remove is to specify the rule ID. This information can be obtained by using the following command:

sudo ufw status numbered

Numbered list of active ufw rules

From the output you can see that there are two active rules. The first rule, denies all connections coming from IP address 91.198.174.190. The second rule allows connections on eth0 interface coming from IP address 91.198.174.22.

Since by default the firewall already blocks all external access unless it is explicitly allowed, the first rule is redundant, so it can be removed. To remove a rule according to its ID, run the command:

sudo ufw delete 1

You will be prompted to confirm the operation and make sure that the ID you specify relates to the correct rule you wish to delete.

Deleting a rule using its id

If you list your rules again with the status "sudo ufw", you will see that the rule has been removed.

List of available application profiles

When installing applications that rely on network communications, it is common to set up a firewall profile that can be used to allow connections from external addresses. This is often the same as running "ufw allow from", with the advantage that it is a shortcut that abstracts the specific port numbers used by the service and provides convenient nomenclature for referring services.

sudo ufw app list

If you have installed a service, such as a web server or other network-dependent software, and the profile was not available in the firewall, first make sure that the service is enabled.

For remote servers OpenSSH is usually available:

List of available profiles

Include a profile for a specific application

To enable a firewall application profile, run the command "ufw allow" followed by the name of the application profile you want to enable, which can be obtained with the command:

sudo ufw app list

In the following example, we enable the OpenSSH profile, which will allow all incoming SSH connections on the standard SSH port.

sudo ufw allow OpenSSH

Enabling connection using a profile

Deactivate a profile for a specific application

To disable an application profile that you previously configured in the firewall, you need to remove the corresponding rule. For example, consider the following output from "sudo ufw status"

sudo ufw status

List of active filtering rules

This output indicates that the "Nginx Full" application profile is currently enabled, allowing any connections to the web server via both HTTP and HTTPS.

If you want to allow only HTTPS requests to your web server, you need to first enable the most restrictive rule, which in this case is "Nginx HTTPS", and then disable the active rule "Nginx Full":

sudo ufw allow "Nginx HTTPS"
sudo ufw delete allow "Nginx Full"

Remember that you can list all available app profiles with:

sudo ufw app list

Enable SSH

When working with remote servers you will need to ensure that the SSH port is open for connections so that you can login remotely to your server.

The following command will enable the OpenSSH application profile for the firewall and allow all connections to the default SSH port on the server:

sudo ufw allow OpenSSH

Allow SSH connection

Although less user-friendly, an alternative syntax is to specify the exact port number of the SSH service, which is usually set to 22 by default:

sudo ufw allow 22

Allow connection to a port

Allow incoming SSH from a specific IP address or subnet

To allow incoming connections from a specific IP address or subnet, you will include the "from" directive to define the source of the connection. This requires that you also specify the destination address with the "to" parameter. To block this rule for SSH only, limit "proto" (protocol) to "tcp" and then use the "port" parameter and set it to 22, the default SSH port.

The following command will only allow SSH connections originating from IP address 91.198.174.33:

sudo ufw allow from 91.198.174.33 proto tcp to any port 22

Allow incoming requests only from a specific ip address

You can also use the subnet address as the "from" parameter to allow incoming SSH connections from the entire network:

sudo ufw allow from 91.198.174.0/24 proto tcp to any port 22

Allow incoming requests from a specific subnet only

Allow incoming Rsync from a specific IP address or subnet

Rsync, which runs on port 873, can be used to transfer files from one computer to another.

To allow incoming rsync connections from a particular IP address or subnet, use the from parameter to specify the source IP address and the port parameter to set the destination port to 873. The following command will only allow Rsync connections coming from IP address 91.198.174.33:

sudo ufw allow from 91.198.174.33 to any port 873

Permission for rsycn

To allow the entire 91.198.174.0/24 subnet to "rsync" to your server, run the command:

sudo ufw allow from 91.198.174.0/24 to any port 873

Allowing a subnet to use rsync

Allow Nginx HTTP / HTTPS

When installing the Nginx web server, it installs several different firewall profiles inside the server. After installing and enabling Nginx as a service, run the following command to determine which profiles are available:

sudo ufw app list | grep Nginx

List of available Nginx profiles

To allow HTTP and HTTPS traffic, select Nginx Full. Otherwise, select either Nginx HTTP to allow HTTP only, or Nginx HTTPS to allow HTTPS only.

The following command will allow HTTP and HTTPS traffic on the server (ports 80 and 443):

sudo ufw allow "Nginx Full"

Active Nginx profile

Allow Apache HTTP / HTTPS

During installation the Apache web server installs several different UFW profiles within the server. After installing and enabling Apache as a service, run the following command to determine which profiles are available:

sudo ufw app list | grep Apache

Available Apache profiles

To enable HTTP and HTTPS traffic, select "Apache Full". Otherwise select either "Apache" for HTTP or "Apache Secure" for HTTPS.

The following command will allow HTTP and HTTPS traffic on the server (ports 80 and 443):

sudo ufw allow "Apache Full"

Adding apache full profile to filter rules

Allow all incoming HTTP (port 80)

Web servers such as Apache and Nginx normally listen for HTTP requests on port 80. If your default policy for inbound traffic is set to reject or deny, you need to create a UFW rule to allow external access to port 80. You can use either the port number or the service name (http) as the parameter of this command.

To allow all incoming HTTP connections (port 80), run the command:

sudo ufw allow http

Allow incoming http traffic

An alternative syntax is to specify the port number of the HTTP service:

sudo ufw allow 80

Allow incoming traffic through the service port

Allow all inbound HTTPS (port 443)

HTTPS normally runs on port 443. If your default policy for inbound traffic is set to reject or deny, you need to create a UFW rule to allow external access on port 443. You can use either the port number or the service name (https) as the parameter of this command.

To allow all inbound HTTPS connections (port 443) run this command:

sudo ufw allow https

Allow incoming https traffic

An alternative syntax is to specify the port number of the HTTPS service:

sudo ufw allow 443

Allow incoming traffic by service port number

Allow all incoming HTTP and HTTPS

If you want to allow HTTP and HTTPS traffic, you can create one rule that allows both ports. This use requires that you also define the protocol using the "proto" parameter, which in this case must be set to tcp.

To allow all incoming HTTP and HTTPS connections (ports 80 and 443), run the command:

sudo ufw allow proto tcp from any to any port 80,443

Allow incoming traffic for http and https

Allow connection to MySQL from a specific IP address or subnet

MySQL listens for client connections on port 3306. If your MySQL database server is used by a client on a remote server, you need to create a UFW rule to allow such access.

To allow incoming MySQL connections from a particular IP address or subnet, use the from parameter to specify the source IP address and the "port" parameter to set destination port 3306.

The following command will allow the IP address 91.198.174.33 to connect to the MySQL server port:

sudo ufw allow from 91.198.174.33 to any port 3306

Allow connection to MySQL port

To allow the entire subnet 91.198.174.0/24 to connect to your MySQL server, run the command:

sudo ufw allow from 91.198.174.0/24 to any port 3306

Allow entire subnet to connect to MySQL port

Allow connection to PostgreSQL from a specific IP address or subnet

PostgreSQL listens for client connections on port 5432. If your PostgreSQL database server is used by a client on a remote server, you need to allow this traffic.

To allow incoming PostgreSQL connections from a particular IP address or subnet, specify the source with the from parameter and set the port to 5432:

sudo ufw allow from 91.198.174.33 to any port 5432

Allow connection to PostgreSQL

To allow the entire subnet 91.198.174.0/24 to connect to your PostgreSQL server, run the command:

sudo ufw allow from 91.198.174.0/24 to any port 5432

Allow connection to PostgreSQL from a specific IP address or subnet

Mail servers such as Sendmail and Postfix normally use port 25 for SMTP traffic. If your server is not supposed to send outgoing mail, you can block this type of traffic. To block outgoing SMTP connections, run the command:

sudo ufw deny out 25

Blocking outgoing mail traffic

This will configure your firewall to block all outgoing traffic on port 25. If you need to reject outgoing connections on a different port number, you can repeat this command and replace 25 with the port number you want to block.

Conclusion

UFW is a powerful tool that, when configured correctly, can significantly improve the security of your servers. This guide covers some common UFW rules that are often used to configure the firewall in Ubuntu. Most of the commands in this guide can be adapted for different use cases and scenarios by changing parameters such as source IP address and/or destination port. For more information on each command parameter and the available modifiers you can use the man utility to check the UFW manual:

man ufw
Vote:
3 out of 5
Аverage rating : 3.2
Rated by: 31
1101 CT Amsterdam The Netherlands, Herikerbergweg 292
+31 20 262-58-98
700 300
ITGLOBAL.COM NL
700 300
We use cookies to make your experience on the Serverspace better. By continuing to browse our website, you agree to our
Use of Cookies and Privacy Policy.