11.12.2024

Basic UFW (Uncomplicated Firewall) commands

Introduction

The default firewall configuration tool for Ubuntu is ufw. Designed to simplify iptables firewall configuration, ufw provides a convenient way to create an IPv4 or IPv6 host-based firewall. By default, UFW is disabled.

If your version does not have ufw installed, you can install it using the command:

sudo apt update && sudo apt install ufw

UFW status check

Check that the firewall is switched on, use this command:

sudo ufw status


The result will show whether your firewall is active or not.

Switching on UFW

If you get a Status: inactive message when running the ufw status command, it means that the firewall is not yet enabled on the system. You will need to run a command to enable it.

By default, when UFW is enabled, it blocks external access to all ports on the server. In practice, this means that if you connect to a server via SSH and enable ufw before allowing access on the SSH port, you will be disconnected.

To enable UFW on your system, run the command:

sudo ufw enable

You will see a result similar to this.

To see what is currently blocked or allowed, you can use the verbose parameter when running ufw status as shown below:

sudo ufw status verbose

Switching off the UFW

If for some reason you need to disable the firewall, you can do so with the following command:

sudo ufw disable

Be careful, this command will completely disable the firewall service on your system!

Blocking an IP address from being addressed

To block all network connections originating from a specific IP address, run the following command, replacing the allocated IP address with the IP address you wish to block:

sudo ufw deny from 91.198.174.190


In this example, from 91.198.174.190 indicates the source IP address "91.198.174.190".

sudo ufw status

If you run this command, you will see that the specified IP address is on the banned list:

All connections, incoming and outgoing, are blocked for the specified IP address.

Block the subnet

If you need to block the entire subnet, you can use the subnet address as the "from" parameter in the ufw deny command. This will block all IP addresses in the example subnet 91.198.174.0/24:

sudo ufw deny from 91.198.174.0/24

Blocking incoming connections to the network interface

To block incoming connections from a specific IP address to a specific network interface, run the following command, replacing the IP address with the IP address you want to block:

sudo ufw deny in on eth0 from 91.198.174.192

The "in" parameter tells the firewall to apply the rule only to incoming connections, and the "on eth0" parameter tells it that the rule applies only to the eth0 interface.

This can be useful if you have a system with multiple network interfaces (including virtual interfaces) and you need to block external access to some of those interfaces, but not all.

Allow IP address conversions

To allow all network connections originating from a specific IP address, run the following command, replacing the allocated IP address with the IP address you wish to allow access to:

sudo ufw allow from 91.198.174.192

If you now run "sudo ufw status", you will see output similar to this, with ALLOW next to the IP address you have just added.

sudo ufw status

You can also allow connections from an entire subnet by specifying the appropriate subnet mask for the host, e.g. 91.198.174.0/24.

Allow incoming connections to the network interface

To allow incoming connections from a specific IP address to a specific network interface, run the following command, replacing the IP address with the one you want to allow:

sudo ufw allow in on eth0 from 91.198.174.22

The "in" parameter tells the firewall to apply the rule only to incoming connections and the "on eth0" parameter specifies that the rule applies only to the "eth0" interface.

sudo ufw status

If you run the command, you will see a result similar to this:

Remove a firewall rule

To delete a rule previously installed in UFW, use "ufw delete", then enter the rule (allow / deny) and the target specification. The following example deletes a rule previously set to allow all connections from IP address 91.198.174.192:

sudo ufw delete allow from 91.198.174.192

Another way to specify which rule you want to remove is to specify the rule ID. This information can be obtained by using the following command:

sudo ufw status numbered

From the output you can see that there are two active rules. The first rule, denies all connections coming from IP address 91.198.174.190. The second rule allows connections on eth0 interface coming from IP address 91.198.174.22.

Since by default the firewall already blocks all external access unless it is explicitly allowed, the first rule is redundant, so it can be removed. To remove a rule according to its ID, run the command:

sudo ufw delete 1

You will be prompted to confirm the operation and make sure that the ID you specify relates to the correct rule you wish to delete.

If you list your rules again with the status "sudo ufw", you will see that the rule has been removed.

List of available application profiles

When installing applications that rely on network communications, it is common to set up a firewall profile that can be used to allow connections from external addresses. This is often the same as running "ufw allow from", with the advantage that it is a shortcut that abstracts the specific port numbers used by the service and provides convenient nomenclature for referring services.

sudo ufw app list

If you have installed a service, such as a web server or other network-dependent software, and the profile was not available in the firewall, first make sure that the service is enabled.

For remote servers OpenSSH is usually available:

Include a profile for a specific application

To enable a firewall application profile, run the command "ufw allow" followed by the name of the application profile you want to enable, which can be obtained with the command:

sudo ufw app list

In the following example, we enable the OpenSSH profile, which will allow all incoming SSH connections on the standard SSH port.

sudo ufw allow OpenSSH

Deactivate a profile for a specific application

To disable an application profile that you previously configured in the firewall, you need to remove the corresponding rule. For example, consider the following output from "sudo ufw status"

sudo ufw status

This output indicates that the "Nginx Full" application profile is currently enabled, allowing any connections to the web server via both HTTP and HTTPS.

If you want to allow only HTTPS requests to your web server, you need to first enable the most restrictive rule, which in this case is "Nginx HTTPS", and then disable the active rule "Nginx Full":

sudo ufw allow "Nginx HTTPS"
sudo ufw delete allow "Nginx Full"

Remember that you can list all available app profiles with:

sudo ufw app list

Enable SSH

When working with remote servers you will need to ensure that the SSH port is open for connections so that you can login remotely to your server.

The following command will enable the OpenSSH application profile for the firewall and allow all connections to the default SSH port on the server:

sudo ufw allow OpenSSH

Although less user-friendly, an alternative syntax is to specify the exact port number of the SSH service, which is usually set to 22 by default:

sudo ufw allow 22

Allow incoming SSH from a specific IP address or subnet

To allow incoming connections from a specific IP address or subnet, you will include the "from" directive to define the source of the connection. This requires that you also specify the destination address with the "to" parameter. To block this rule for SSH only, limit "proto" (protocol) to "tcp" and then use the "port" parameter and set it to 22, the default SSH port.

The following command will only allow SSH connections originating from IP address 91.198.174.33:

sudo ufw allow from 91.198.174.33 proto tcp to any port 22

You can also use the subnet address as the "from" parameter to allow incoming SSH connections from the entire network:

sudo ufw allow from 91.198.174.0/24 proto tcp to any port 22

Allow incoming Rsync from a specific IP address or subnet

Rsync, which runs on port 873, can be used to transfer files from one computer to another.

To allow incoming rsync connections from a particular IP address or subnet, use the from parameter to specify the source IP address and the port parameter to set the destination port to 873. The following command will only allow Rsync connections coming from IP address 91.198.174.33:

sudo ufw allow from 91.198.174.33 to any port 873

To allow the entire 91.198.174.0/24 subnet to "rsync" to your server, run the command:

sudo ufw allow from 91.198.174.0/24 to any port 873

Allow Nginx HTTP / HTTPS

When installing the Nginx web server, it installs several different firewall profiles inside the server. After installing and enabling Nginx as a service, run the following command to determine which profiles are available:

sudo ufw app list | grep Nginx

To allow HTTP and HTTPS traffic, select Nginx Full. Otherwise, select either Nginx HTTP to allow HTTP only, or Nginx HTTPS to allow HTTPS only.

The following command will allow HTTP and HTTPS traffic on the server (ports 80 and 443):

sudo ufw allow "Nginx Full"

Allow Apache HTTP / HTTPS

During installation the Apache web server installs several different UFW profiles within the server. After installing and enabling Apache as a service, run the following command to determine which profiles are available:

sudo ufw app list | grep Apache

To enable HTTP and HTTPS traffic, select "Apache Full". Otherwise select either "Apache" for HTTP or "Apache Secure" for HTTPS.

The following command will allow HTTP and HTTPS traffic on the server (ports 80 and 443):

sudo ufw allow "Apache Full"

Allow all incoming HTTP (port 80)

Web servers such as Apache and Nginx normally listen for HTTP requests on port 80. If your default policy for inbound traffic is set to reject or deny, you need to create a UFW rule to allow external access to port 80. You can use either the port number or the service name (http) as the parameter of this command.

To allow all incoming HTTP connections (port 80), run the command:

sudo ufw allow http

An alternative syntax is to specify the port number of the HTTP service:

sudo ufw allow 80

Allow all inbound HTTPS (port 443)

HTTPS normally runs on port 443. If your default policy for inbound traffic is set to reject or deny, you need to create a UFW rule to allow external access on port 443. You can use either the port number or the service name (https) as the parameter of this command.

To allow all inbound HTTPS connections (port 443) run this command:

sudo ufw allow https

An alternative syntax is to specify the port number of the HTTPS service:

sudo ufw allow 443

Allow all incoming HTTP and HTTPS

If you want to allow HTTP and HTTPS traffic, you can create one rule that allows both ports. This use requires that you also define the protocol using the "proto" parameter, which in this case must be set to tcp.

To allow all incoming HTTP and HTTPS connections (ports 80 and 443), run the command:

sudo ufw allow proto tcp from any to any port 80,443

Allow connection to MySQL from a specific IP address or subnet

MySQL listens for client connections on port 3306. If your MySQL database server is used by a client on a remote server, you need to create a UFW rule to allow such access.

To allow incoming MySQL connections from a particular IP address or subnet, use the from parameter to specify the source IP address and the "port" parameter to set destination port 3306.

The following command will allow the IP address 91.198.174.33 to connect to the MySQL server port:

sudo ufw allow from 91.198.174.33 to any port 3306

To allow the entire subnet 91.198.174.0/24 to connect to your MySQL server, run the command:

sudo ufw allow from 91.198.174.0/24 to any port 3306

Allow connection to PostgreSQL from a specific IP address or subnet

PostgreSQL listens for client connections on port 5432. If your PostgreSQL database server is used by a client on a remote server, you need to allow this traffic.

To allow incoming PostgreSQL connections from a particular IP address or subnet, specify the source with the from parameter and set the port to 5432:

sudo ufw allow from 91.198.174.33 to any port 5432

To allow the entire subnet 91.198.174.0/24 to connect to your PostgreSQL server, run the command:

sudo ufw allow from 91.198.174.0/24 to any port 5432

Allow connection to PostgreSQL from a specific IP address or subnet

Mail servers such as Sendmail and Postfix normally use port 25 for SMTP traffic. If your server is not supposed to send outgoing mail, you can block this type of traffic. To block outgoing SMTP connections, run the command:

sudo ufw deny out 25

This will configure your firewall to block all outgoing traffic on port 25. If you need to reject outgoing connections on a different port number, you can repeat this command and replace 25 with the port number you want to block.

Conclusion

UFW is a powerful tool that, when configured correctly, can significantly improve the security of your servers. This guide covers some common UFW rules that are often used to configure the firewall in Ubuntu. Most of the commands in this guide can be adapted for different use cases and scenarios by changing parameters such as source IP address and/or destination port. For more information on each command parameter and the available modifiers you can use the man utility to check the UFW manual:

man ufw