25.01.2026

UFW Commands for Ubuntu: Firewall Setup, Rules, and Security Best Practices

Introduction

This guide explains how to configure and manage UFW (Uncomplicated Firewall) on Ubuntu servers. You will learn how to enable the firewall, create and delete rules, manage service profiles, and secure both IPv4 and IPv6 network traffic.

sudo apt update && sudo apt install ufw

Checking UFW Firewall Status on Ubuntu

To check whether the firewall is active:

sudo ufw status

If you see Status: inactive, it means the firewall is currently disabled.

Enabling UFW

Important: If you are connected via SSH, allow SSH access before enabling UFW to avoid being locked out.

To enable UFW:

sudo ufw allow OpenSSH

sudo ufw enable

To see the list of current rules:

sudo ufw status verbose

Disabling UFW

To temporarily disable the firewall:

sudo ufw disable

Note: This completely turns off your firewall—use with caution!

Blocking IP Addresses and Subnets

Block a specific IP:

sudo ufw deny from 91.198.174.190

Block an entire subnet:

sudo ufw deny from 91.198.174.0/24

Block an IP on a specific interface:

sudo ufw deny in on eth0 from 91.198.174.192

Allowing IP Addresses

Allow all traffic from a specific IP:

sudo ufw allow from 91.198.174.192

Allow incoming traffic from an IP on a specific interface:

sudo ufw allow in on eth0 from 91.198.174.22

Deleting Rules

Delete a rule by its parameters:

sudo ufw delete allow from 91.198.174.192

Delete a rule by number:

sudo ufw status numbered sudo ufw delete 1

Application Profiles

UFW can use predefined profiles for common services:

List available profiles:

sudo ufw app list

Enable a profile (e.g. OpenSSH):

sudo ufw allow OpenSSH

Remove a profile:

sudo ufw delete allow "Nginx Full"

Opening Common Ports

SSH (port 22):

sudo ufw allow 22

HTTP (port 80):

sudo ufw allow http

HTTPS (port 443):

sudo ufw allow https

HTTP + HTTPS combined:

sudo ufw allow proto tcp from any to any port 80,443

Allowing Database Connections

MySQL (port 3306):

sudo ufw allow from 91.198.174.33 to any port 3306

PostgreSQL (port 5432):

sudo ufw allow from 91.198.174.33 to any port 5432

Allow for a subnet:

sudo ufw allow from 91.198.174.0/24 to any port 3306

FAQ: UFW (Uncomplicated Firewall) on Ubuntu

Q1: How can I check which UFW rules are currently applied?
A1: Run the command:

sudo ufw status verbose

This shows all active rules, including allowed ports and IP addresses.
Q2: What if I accidentally block SSH access?
A2: Use your hosting provider’s console or IPMI/KVM access, then run:

sudo ufw allow OpenSSH

This restores SSH connectivity safely.
Q3: Can I allow multiple ports at once?
A3: Yes. For example, to allow HTTP and HTTPS together:

sudo ufw allow proto tcp from any to any port 80,443

You can adjust the ports as needed for your services.
Q4: How do I remove a UFW rule I added by mistake?
A4: First, list rules with numbers:

sudo ufw status numbered

Then delete the unwanted rule by its number:

sudo ufw delete <rule_number>
Q5: What should I do if UFW conflicts with another firewall?
A5: Disable the other firewall (e.g., firewalld) or ensure it’s not managing the same ports and rules to avoid conflicts.
Q6: Can UFW manage both IPv4 and IPv6 traffic?
A6: Yes. UFW handles IPv4 and IPv6 simultaneously if configured in /etc/default/ufw by setting IPV6=yes.

UFW Best Practices for Ubuntu Servers

Best practices include allowing SSH before enabling UFW, restricting database access to trusted IPs, enabling IPv6 support, and periodically auditing firewall rules.

Conclusion

Configuring UFW on Ubuntu provides a simple and effective way to secure servers by controlling incoming and outgoing network traffic. UFW abstracts complex iptables rules, making firewall management accessible without sacrificing flexibility.

By carefully allowing essential services such as SSH, HTTP, HTTPS, and databases, and regularly reviewing firewall rules, administrators can significantly reduce attack surfaces and maintain a secure Ubuntu environment.