Introduction
The default firewall configuration tool for Ubuntu is ufw. Designed to simplify iptables firewall configuration, ufw provides a convenient way to create an IPv4 or IPv6 host-based firewall. By default, UFW is disabled.
If ufw is not installed on your system, you can install it with the following command:
UFW status check
To check whether the firewall is switched on, use this command:
The result will show whether your firewall is active or not.
Switching on UFW
If you get a Status: inactive message when running the ufw status command, it means that the firewall is not yet enabled on the system. You will need to run a command to enable it.
By default, when UFW is enabled, it blocks external access to all ports on the server. In practice, this means that if you connect to a server via SSH and enable ufw before allowing access on the SSH port, you will be disconnected.
To enable UFW on your system, run the command:
You will see a result similar to this.
To see what is currently blocked or allowed, you can use the verbose parameter when running ufw status as shown below:
Switching off UFW
If for some reason you need to disable the firewall, you can do so with the following command:
Be careful, this command will completely disable the firewall service on your system!
Blocking an IP address
To block all network connections originating from a specific IP address, run the following command, replacing the example IP address with the address you wish to block:
In this example, from 91.198.174.190 indicates the source IP address "91.198.174.190".
If you now run "sudo ufw status", you will see that the specified IP address is listed with a DENY rule:
All connections, incoming and outgoing, are blocked for the specified IP address.
Blocking a subnet
If you need to block an entire subnet, use the subnet address as the "from" parameter of the ufw deny command. The following example blocks every address in the 91.198.174.0/24 subnet:
Blocking incoming connections to the network interface
To block incoming connections from a specific IP address to a specific network interface, run the following command, replacing the IP address with the IP address you want to block:
The "in" parameter tells the firewall to apply the rule only to incoming connections, and the "on eth0" parameter tells it that the rule applies only to the eth0 interface.
This can be useful if you have a system with multiple network interfaces (including virtual interfaces) and you need to block external access to some of those interfaces, but not all.
Allowing connections from an IP address
To allow all network connections originating from a specific IP address, run the following command, replacing the example IP address with the address you wish to allow:
If you now run "sudo ufw status", you will see output similar to this, with ALLOW next to the IP address you have just added.
You can also allow connections from an entire subnet by specifying the subnet together with its mask (CIDR notation), e.g. 91.198.174.0/24.
Allow incoming connections to the network interface
To allow incoming connections from a specific IP address to a specific network interface, run the following command, replacing the IP address with the one you want to allow:
The "in" parameter tells the firewall to apply the rule only to incoming connections and the "on eth0" parameter specifies that the rule applies only to the "eth0" interface.
If you run the command, you will see a result similar to this:
Remove a firewall rule
To delete a rule previously added to UFW, use "ufw delete" followed by the rule action (allow or deny) and the original rule specification. The following example deletes a rule previously set to allow all connections from IP address 91.198.174.192:
Another way to specify which rule you want to remove is to specify the rule ID. This information can be obtained by using the following command:
From the output you can see that there are two active rules. The first rule denies all connections coming from IP address 91.198.174.190. The second rule allows connections on the eth0 interface coming from IP address 91.198.174.22.
Since by default the firewall already blocks all external access unless it is explicitly allowed, the first rule is redundant, so it can be removed. To remove a rule according to its ID, run the command:
You will be prompted to confirm the operation; make sure that the ID you specify belongs to the rule you actually wish to delete.
If you list your rules again with "sudo ufw status", you will see that the rule has been removed.
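Two checks that go with the procedures above, written for this guide as an added example (not part of the original text): rule_id_for parses "sudo ufw status numbered" so a rule is deleted by the ID that really belongs to it, and ssh_allowed parses "sudo ufw show added" so that "ufw enable" is only run on a remote host once an SSH allow rule exists, avoiding the lock-out described earlier. The sample outputs are constructed to match the rules the guide describes; safe_enable needs root and a real ufw installation.

```shell
# Added example, not part of the original guide: rule_id_for parses "sudo ufw
# status numbered" so a rule is deleted by the right ID, and ssh_allowed parses
# "sudo ufw show added" so "ufw enable" runs only once SSH is already allowed.

# Constructed sample of "sudo ufw status numbered" for the rules the guide describes.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     91.198.174.190
[ 2] Anywhere on eth0           ALLOW IN    91.198.174.22'
# Constructed "sudo ufw show added" output; it lists rules even while ufw is inactive.
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw deny from 91.198.174.190
ufw allow in on eth0 from 91.198.174.22
ufw allow OpenSSH"

# parse_rules STATUS_TEXT: one line per rule as "id<TAB>to<TAB>action<TAB>from".
# The To column can hold spaces ("Anywhere on eth0"), so split around the action.
parse_rules() {
    printf '%s\n' "$1" | awk '
        /^\[ *[0-9]+\]/ {
            id = $0; sub(/^\[ */, "", id); sub(/\].*$/, "", id)
            line = $0; sub(/^\[ *[0-9]+\] */, "", line)
            if (match(line, /(ALLOW|DENY|REJECT|LIMIT) (IN|OUT|FWD)/)) {
                to = substr(line, 1, RSTART - 1); sub(/ +$/, "", to)
                action = substr(line, RSTART, RLENGTH)
                from = substr(line, RSTART + RLENGTH); sub(/^ +/, "", from); sub(/ +$/, "", from)
                printf "%s\t%s\t%s\t%s\n", id, to, action, from
            }
        }'
}

# rule_id_for STATUS_TEXT FROM [TO]: ID of the first rule whose From equals FROM and
# whose To starts with TO (if given); prints nothing when no rule matches.
rule_id_for() {
    parse_rules "$1" | awk -F '\t' -v from="$2" -v to="${3:-}" \
        '$4 == from && (to == "" || index($2, to) == 1) { print $1; exit }'
}

# ssh_allowed ADDED_TEXT: succeed if an allow rule covers OpenSSH, port 22(/tcp) or
# "... to any port 22" from a source address.
ssh_allowed() {
    printf '%s\n' "$1" | grep -Eq \
        '^ufw allow (in )?(on [^ ]+ )?(OpenSSH|22(/tcp)?|from [^ ]+ to any port 22( proto tcp)?)( |$)'
}

# Guarded "sudo ufw enable" for remote hosts (needs root and a real ufw install).
safe_enable() {
    ssh_allowed "$(ufw show added)" || { echo "no SSH allow rule yet, not enabling" >&2; return 1; }
    ufw --force enable   # --force skips the interactive confirmation prompt
}
```

Delete by a looked-up ID with, for example, `id=$(rule_id_for "$(sudo ufw status numbered)" 91.198.174.190)` and then `sudo ufw delete "$id"` only when the variable is non-empty.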
Listing available application profiles
When you install applications that rely on network communication, they commonly ship a firewall application profile that can be used to allow connections from external addresses. This is often equivalent to running "ufw allow from", with the advantage that the profile is a shortcut that abstracts away the specific port numbers used by the service and gives you a convenient name for referring to it.
If you have installed a service, such as a web server or other network-dependent software, and the profile was not available in the firewall, first make sure that the service is enabled.
On remote servers the OpenSSH profile is usually available:
Enabling a profile for a specific application
To enable a firewall application profile, run "ufw allow" followed by the name of the application profile you want to enable. The available profile names can be listed with the command:
In the following example, we enable the OpenSSH profile, which will allow all incoming SSH connections on the standard SSH port.
Disabling a profile for a specific application
To disable an application profile that you previously configured in the firewall, you need to remove the corresponding rule. For example, consider the following output from "sudo ufw status":
This output indicates that the "Nginx Full" application profile is currently enabled, allowing any connections to the web server via both HTTP and HTTPS.
If you want to allow only HTTPS requests to your web server, you need to first enable the most restrictive rule, which in this case is "Nginx HTTPS", and then disable the active rule "Nginx Full":
sudo ufw delete allow "Nginx Full"
Remember that you can list all available app profiles with:
Allowing SSH
When working with remote servers you will need to ensure that the SSH port is open for connections so that you can log in to your server remotely.
The following command will enable the OpenSSH application profile for the firewall and allow all connections to the default SSH port on the server:
Although less user-friendly, an alternative syntax is to specify the exact port number of the SSH service, which is usually set to 22 by default:
Allow incoming SSH from a specific IP address or subnet
To allow incoming connections from a specific IP address or subnet, include the "from" directive to define the source of the connection. This requires that you also specify the destination address with the "to" parameter. To restrict the rule to SSH only, limit "proto" (protocol) to "tcp" and set the "port" parameter to 22, the default SSH port.
The following command will only allow SSH connections originating from IP address 91.198.174.33:
You can also use the subnet address as the "from" parameter to allow incoming SSH connections from the entire network:
Allow incoming Rsync from a specific IP address or subnet
Rsync, which runs on port 873, can be used to transfer files from one computer to another.
To allow incoming rsync connections from a particular IP address or subnet, use the from parameter to specify the source IP address and the port parameter to set the destination port to 873. The following command will only allow Rsync connections coming from IP address 91.198.174.33:
To allow the entire 91.198.174.0/24 subnet to "rsync" to your server, run the command:
Allow Nginx HTTP / HTTPS
When you install the Nginx web server, it registers several firewall application profiles on the server. After installing and enabling Nginx as a service, run the following command to determine which profiles are available:
To allow HTTP and HTTPS traffic, select Nginx Full. Otherwise, select either Nginx HTTP to allow HTTP only, or Nginx HTTPS to allow HTTPS only.
The following command will allow HTTP and HTTPS traffic on the server (ports 80 and 443):
Allow Apache HTTP / HTTPS
When you install the Apache web server, it registers several UFW application profiles on the server. After installing and enabling Apache as a service, run the following command to determine which profiles are available:
To enable HTTP and HTTPS traffic, select "Apache Full". Otherwise select either "Apache" for HTTP or "Apache Secure" for HTTPS.
The following command will allow HTTP and HTTPS traffic on the server (ports 80 and 443):
Allow all incoming HTTP (port 80)
Web servers such as Apache and Nginx normally listen for HTTP requests on port 80. If your default policy for inbound traffic is set to reject or deny, you need to create a UFW rule to allow external access to port 80. You can use either the port number or the service name (http) as the parameter of this command.
To allow all incoming HTTP connections (port 80), run the command:
An alternative syntax is to specify the port number of the HTTP service:
Allow all inbound HTTPS (port 443)
HTTPS normally runs on port 443. If your default policy for inbound traffic is set to reject or deny, you need to create a UFW rule to allow external access on port 443. You can use either the port number or the service name (https) as the parameter of this command.
To allow all inbound HTTPS connections (port 443) run this command:
An alternative syntax is to specify the port number of the HTTPS service:
Allow all incoming HTTP and HTTPS
If you want to allow both HTTP and HTTPS traffic, you can create a single rule that allows both ports. This form requires that you also define the protocol with the "proto" parameter, which in this case must be set to tcp.
To allow all incoming HTTP and HTTPS connections (ports 80 and 443), run the command:
Allow connection to MySQL from a specific IP address or subnet
MySQL listens for client connections on port 3306. If your MySQL database server is used by a client on a remote server, you need to create a UFW rule to allow such access.
To allow incoming MySQL connections from a particular IP address or subnet, use the from parameter to specify the source IP address and the "port" parameter to set destination port 3306.
The following command will allow the IP address 91.198.174.33 to connect to the MySQL server port:
To allow the entire subnet 91.198.174.0/24 to connect to your MySQL server, run the command:
Allow connection to PostgreSQL from a specific IP address or subnet
PostgreSQL listens for client connections on port 5432. If your PostgreSQL database server is used by a client on a remote server, you need to allow this traffic.
To allow incoming PostgreSQL connections from a particular IP address or subnet, specify the source with the from parameter and set the port to 5432:
To allow the entire subnet 91.198.174.0/24 to connect to your PostgreSQL server, run the command:
Block outgoing SMTP
Mail servers such as Sendmail and Postfix normally use port 25 for SMTP traffic. If your server is not supposed to send outgoing mail, you can block this type of traffic. To block outgoing SMTP connections, run the command:
This will configure your firewall to block all outgoing traffic on port 25. If you need to reject outgoing connections on a different port number, you can repeat this command and replace 25 with the port number you want to block.
Conclusion
UFW is a powerful tool that, when configured correctly, can significantly improve the security of your servers. This guide covers some common UFW rules that are often used to configure the firewall in Ubuntu. Most of the commands in this guide can be adapted for different use cases and scenarios by changing parameters such as source IP address and/or destination port. For more information on each command parameter and the available modifiers you can use the man utility to check the UFW manual: