Introduction
This guide explains how to configure and manage UFW (Uncomplicated Firewall) on Ubuntu servers. You will learn how to enable the firewall, create and delete rules, manage service profiles, and secure both IPv4 and IPv6 network traffic.
Checking UFW Firewall Status on Ubuntu
To check whether the firewall is active:
If you see Status: inactive, it means the firewall is currently disabled.
Enabling UFW
To enable UFW:
To see the list of current rules:
Disabling UFW
To temporarily disable the firewall:
Note: This completely turns off your firewall—use with caution!
Blocking IP Addresses and Subnets
- Block a specific IP:
- Block an entire subnet:
- Block an IP on a specific interface:
Allowing IP Addresses
- Allow all traffic from a specific IP:
- Allow incoming traffic from an IP on a specific interface:
Deleting Rules
- Delete a rule by its parameters:
- Delete a rule by number:
Application Profiles
UFW can use predefined profiles for common services:
- List available profiles:
- Enable a profile (e.g. OpenSSH):
- Remove a profile:
Opening Common Ports
- SSH (port 22):
- HTTP (port 80):
- HTTPS (port 443):
- HTTP + HTTPS combined:
Allowing Database Connections
- MySQL (port 3306):
- PostgreSQL (port 5432):
- Allow for a subnet:
FAQ: UFW (Uncomplicated Firewall) on Ubuntu
- Q1: How can I check which UFW rules are currently applied?
A1: Run the command:sudo ufw status verboseThis shows all active rules, including allowed ports and IP addresses.
- Q2: What if I accidentally block SSH access?
A2: Use your hosting provider’s console or IPMI/KVM access, then run:sudo ufw allow OpenSSHThis restores SSH connectivity safely.
- Q3: Can I allow multiple ports at once?
A3: Yes. For example, to allow HTTP and HTTPS together:sudo ufw allow proto tcp from any to any port 80,443You can adjust the ports as needed for your services.
- Q4: How do I remove a UFW rule I added by mistake?
A4: First, list rules with numbers:sudo ufw status numberedThen delete the unwanted rule by its number:
sudo ufw delete <rule_number> - Q5: What should I do if UFW conflicts with another firewall?
A5: Disable the other firewall (e.g., firewalld) or ensure it’s not managing the same ports and rules to avoid conflicts. - Q6: Can UFW manage both IPv4 and IPv6 traffic?
A6: Yes. UFW handles IPv4 and IPv6 simultaneously if configured in /etc/default/ufw by setting IPV6=yes.
UFW Best Practices for Ubuntu Servers
Best practices include allowing SSH before enabling UFW, restricting database access to trusted IPs, enabling IPv6 support, and periodically auditing firewall rules.
Conclusion
Configuring UFW on Ubuntu provides a simple and effective way to secure servers by controlling incoming and outgoing network traffic. UFW abstracts complex iptables rules, making firewall management accessible without sacrificing flexibility.
By carefully allowing essential services such as SSH, HTTP, HTTPS, and databases, and regularly reviewing firewall rules, administrators can significantly reduce attack surfaces and maintain a secure Ubuntu environment.