15.04.2025

Essential UFW (Uncomplicated Firewall) Commands for Ubuntu

Introduction

Ubuntu uses UFW (Uncomplicated Firewall) as the default tool for configuring the firewall. It simplifies the use of iptables, allowing for quick and easy setup of server protection using both IPv4 and IPv6. By default, UFW is disabled, but you can easily install it:

sudo apt update && sudo apt install ufw

Checking UFW Status

To check whether the firewall is active:

sudo ufw status

If you see Status: inactive, it means the firewall is currently disabled.

Enabling UFW

Warning! If you're connected via SSH, allow SSH access before enabling UFW, or you might get locked out.

To enable UFW:

sudo ufw enable

To see the list of current rules:

sudo ufw status verbose

Disabling UFW

To temporarily disable the firewall:

sudo ufw disable

Note: This completely turns off your firewall—use with caution!

Blocking IP Addresses and Subnets

Block a specific IP:

sudo ufw deny from 91.198.174.190

Block an entire subnet:

sudo ufw deny from 91.198.174.0/24

Block an IP on a specific interface:

sudo ufw deny in on eth0 from 91.198.174.192

Allowing IP Addresses

Allow all traffic from a specific IP:

sudo ufw allow from 91.198.174.192

Allow incoming traffic from an IP on a specific interface:

sudo ufw allow in on eth0 from 91.198.174.22

Deleting Rules

Delete a rule by its parameters:

sudo ufw delete allow from 91.198.174.192

Delete a rule by number:

sudo ufw status numbered sudo ufw delete 1

Application Profiles

UFW can use predefined profiles for common services:

List available profiles:

sudo ufw app list

Enable a profile (e.g. OpenSSH):

sudo ufw allow OpenSSH

Remove a profile:

sudo ufw delete allow "Nginx Full"

Opening Common Ports

SSH (port 22):

sudo ufw allow 22

HTTP (port 80):

sudo ufw allow http

HTTPS (port 443):

sudo ufw allow https

HTTP + HTTPS combined:

sudo ufw allow proto tcp from any to any port 80,443

Allowing Database Connections

MySQL (port 3306):

sudo ufw allow from 91.198.174.33 to any port 3306

PostgreSQL (port 5432):

sudo ufw allow from 91.198.174.33 to any port 5432

Allow for a subnet:

sudo ufw allow from 91.198.174.0/24 to any port 3306

FAQ — Frequently Asked Questions

How do I check which rules are currently applied?
Run:

sudo ufw status verbose

What if I accidentally blocked SSH access?
Use your hosting provider’s console or IPMI/KVM access and run:

sudo ufw allow OpenSSH

Can I allow multiple ports at once?
Yes. For example:

sudo ufw allow proto tcp from any to any port 80,443

How do I undo a rule I added by mistake?
List rules with numbers:

sudo ufw status numbered

Then remove by number:

sudo ufw delete

UFW is conflicting with another firewall. What should I do?
Disable the other firewall (e.g., firewalld) or make sure it’s not managing the same rules.

Conclusion

Configuring UFW on Ubuntu provides a straightforward and effective way to secure your server by controlling network traffic. It simplifies the complex iptables rules, making it easier for users to implement firewall policies without needing deep knowledge of networking. UFW is especially useful for small to medium-sized environments where ease of use and flexibility are essential. When setting up UFW, it's crucial to focus on securing critical services like SSH, HTTP, and database connections, while ensuring you don't inadvertently block important traffic. Regularly reviewing and updating firewall rules is vital to maintaining security, and leveraging application profiles for common services can help streamline configuration. Ultimately, using UFW effectively can greatly enhance the security of your Ubuntu server while keeping the setup process manageable and efficient