Uncomplicated Firewall (UFW) Essentials

The Uncomplicated Firewall (UFW) is a key part of a server admin’s toolbox. This guide covers everything you need to know to get started with UFW, including what it is, how to enable it, and the most common commands.

What is UFW?

As its full name suggests, UFW is a firewall tool. But what exactly does that mean? A firewall is used to monitor incoming and outgoing traffic on your network, allowing or blocking traffic based on a set of rules you define. You can think of it as a security filter between your device and the internet.

UFW vs IPtables

There is some confusion surrounding the difference between UFW and IPtables and which you should be using. The main thing to understand is that UFW is built on IPtables – it’s essentially a simpler IPtables interface. The answer to which you should use is, therefore, easy: IPtables if you’re an advanced user, and UFW for everything else.

Getting Started with UFW

Let’s start with the basic management of UFW: enabling it, disabling it, restarting it, and checking its status.

Checking UFW Status

You can check the status of UFW to see if it is enabled using:

sudo ufw status

The command will print either Status: inactive or Status: active.

How to Enable UFW

If your firewall is inactive, you can enable it with a single command. Bear in mind, though, that enabling it on a remote server without first allowing traffic on port 22 (or whichever port SSH listens on) will drop your SSH connection and leave you unable to easily get back in.

sudo ufw enable

Disabling and Restarting UFW

If you run into issues with your firewall, you may need to temporarily disable ufw:

sudo ufw disable

There is no dedicated restart command, so to restart UFW run the disable command above followed by sudo ufw enable. If you only need to reload the firewall rules, you can use:

sudo ufw reload

Configuring UFW Rules

There are three main ways to configure a firewall rule: based on IP address, a port, or an application.

Managing Ports

The most common reason to use UFW is for opening and closing ports. Opening a port allows traffic to flow through it to and from your server. Different applications and services use different ports. For example:

  • SSH uses port 22 by default (though we recommend changing this for security)
  • Port 443 is used for HTTPS traffic
  • Port 80 is used for HTTP traffic
  • FTP uses ports 20 and 21

Ideally, you should only open ports that you have a good reason to open. Every open port represents a potential avenue of attack. That said, you can use UFW to open a port with this command:

sudo ufw allow port/protocol

So, for example, to open the SSH port we would use:

sudo ufw allow 22/tcp

Allowing and Blocking IP Addresses

If you need to be more specific, UFW lets you allow or block traffic from a particular IP address.

UFW block IP command

The command to block an IP address with UFW is:

sudo ufw deny from your.ip.address

You can expand this by blocking an entire subnet if necessary:

sudo ufw deny from ip.address/subnet

For example:

sudo ufw deny from 123.3.234.0/24

Bear in mind that an IP address is easy to change: VPNs are readily available, and even home users usually have their IP rotated by their ISP. Blocking by address is more useful for limiting traffic from a specific website or service that has a static IP address.

Allowing an IP address with UFW

Allowing traffic from an IP address works in much the same way:

sudo ufw allow from ip.address

You can also allow an entire subnet with:

sudo ufw allow from 129.0.0.0/24

Applications

Most applications that need network access install a UFW application profile alongside them. The profile lets you apply all of the rules the application needs without having to research the ports yourself.

Working with UFW application profiles

A good place to start is by seeing which application profiles are available to you. You can use this command to list UFW app profiles:

sudo ufw app list

It should return an output that looks something like this:

Available applications:
  Apache
  Apache Full
  Apache Secure
  CUPS
  OpenSSH

Enabling an application profile is then as simple as running:

sudo ufw allow "ApplicationName"

The command to remove an application profile is:

sudo ufw delete allow "ApplicationName"

Managing rules

It’s important to regularly review and manage your firewall rules to ensure there are no ports open that do not need to be. The first step in that process is using UFW to list rules that are currently active:

sudo ufw status

This will give an output such as:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
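The status table above is also what a pre-flight check can parse. The warning earlier about enabling UFW before SSH is allowed is easy to automate away: refuse to run ufw enable unless the rule set already contains an ALLOW rule for the SSH port. The script below is an added example, not part of the original article or of UFW itself. It assumes the SSH port is 22 unless SSH_PORT is set, that the SSH profile is named "OpenSSH" as in the output shown above, and it reads an overridable UFW_BIN so the wrapper can be pointed at a test double; the two status samples in it are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-flight check that
# refuses to run "ufw enable" unless the current rule set already allows
# SSH, so you do not lock yourself out of a remote server.
# Assumptions: the SSH port is 22 unless SSH_PORT is set, and the SSH
# application profile is named "OpenSSH".

SSH_PORT="${SSH_PORT:-22}"

# ssh_rule_present: reads "ufw status" output on stdin and returns 0 when
# some ALLOW rule's "To" column is the SSH port ("22", "22/tcp") or the
# OpenSSH profile, 1 otherwise.
ssh_rule_present() {
    awk -v port="$SSH_PORT" '
        BEGIN { ptcp = port "/tcp"; found = 0 }
        # Rule lines look like "<To>   ALLOW   <From>", optionally with
        # "(v6)" after To and "IN"/"OUT" after ALLOW in verbose output.
        /ALLOW/ {
            if ($1 == "OpenSSH" || $1 == port || $1 == ptcp) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# safe_enable: run "ufw enable" only after the pre-flight check passes.
# UFW_BIN defaults to "sudo ufw"; override it to point at a test double.
safe_enable() {
    ufw_bin="${UFW_BIN:-sudo ufw}"
    if $ufw_bin status | ssh_rule_present; then
        $ufw_bin enable
    else
        echo "refusing to enable ufw: no ALLOW rule for SSH port $SSH_PORT" >&2
        echo "add one first, e.g.: sudo ufw allow $SSH_PORT/tcp" >&2
        return 1
    fi
}

# Constructed samples of "ufw status" output used for the demonstration;
# they are not captured from a real server.
SAMPLE_WITH_SSH='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)'

SAMPLE_WITHOUT_SSH='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
22/tcp                     DENY        Anywhere'

# check_sample NAME TEXT: report what safe_enable would decide for TEXT.
check_sample() {
    if printf '%s\n' "$2" | ssh_rule_present; then
        echo "$1: SSH rule present, enable would proceed"
    else
        echo "$1: no SSH ALLOW rule, enable would be refused"
    fi
}

check_sample "sample with OpenSSH" "$SAMPLE_WITH_SSH"
check_sample "sample without SSH" "$SAMPLE_WITHOUT_SSH"
```

On a real server you would call safe_enable instead of typing sudo ufw enable directly; a DENY rule for the SSH port does not count, only an ALLOW rule does, which is the distinction the second sample exercises.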

Delete UFW Rules

Removing rules that you previously enabled is quite intuitive: just type ufw delete, followed by whatever command you used to add the rule.

For example, sudo ufw delete allow "OpenSSH" would remove the OpenSSH application rule. If you wanted to delete a UFW rule that allows connections to a specific port, you would run:

sudo ufw delete allow 80/tcp

And for traffic from a specific IP address:

sudo ufw delete allow from 127.1.1.0

UFW Logs and Monitoring

Knowing which packets are blocked and which are allowed tells you whether your firewall rules are doing what you intended, and gives you evidence to work from when investigating an attack.

Enabling and configuring UFW logs

UFW logging is usually enabled by default, but you can check this with:

sudo ufw status verbose

Your output should look like this:

Status: active
Logging: on
...

There are four logging levels:

  • Low: logs packets blocked or allowed by your rules
  • Medium: everything logged at Low, plus packets that don’t match any rule
  • High: logs packets both with and without rate limiting
  • Full: logs all packets, without rate limiting

If your logging is set to off, you can turn it on with:

sudo ufw logging on

You can change your logging level using:

sudo ufw logging low/medium/high/full

If you’d like to monitor a specific service, you can add a logging rule. For example, we could monitor the SSH port with:

sudo ufw allow log 22/tcp

Viewing and interpreting UFW logs

UFW logs are written primarily to /var/log/ufw.log, and the same entries also appear in /var/log/syslog. You can either follow them live with tail or search the history with grep. The command to view UFW logs live is:

tail -f /var/log/ufw.log

Or you can view your UFW history like so:

grep -i ufw /var/log/syslog
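Raw log lines are hard to read in volume, so it helps to have a small summariser that turns [UFW BLOCK] entries into counts per source address and per destination port, and lists which sources were blocked on a given port. The script below is an added example, not from the original article or from UFW; it reads the line format ufw writes to /var/log/ufw.log (the same lines the grep above returns from syslog), and the sample log it builds is constructed from documentation IP ranges rather than captured traffic, so it runs without ufw installed.

```shell
#!/bin/sh
# Added example, not from the original article: summarise "[UFW BLOCK]"
# log entries so the noisiest sources and most-probed ports stand out.
# It parses the line format ufw writes to /var/log/ufw.log; the sample
# log below is constructed (documentation IP ranges), not real traffic.

# blocked_by_source LOGFILE: blocked packets per source address,
# most frequent first, printed as "<count> <ip>".
blocked_by_source() {
    grep '\[UFW BLOCK\]' "$1" \
        | sed -n 's/.* SRC=\([^ ]*\) .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# blocked_by_port LOGFILE: blocked packets per destination port,
# most frequent first, printed as "<count> <port>".
# ICMP entries carry no DPT field and are skipped by the sed filter.
blocked_by_port() {
    grep '\[UFW BLOCK\]' "$1" \
        | sed -n 's/.* DPT=\([0-9]*\) .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# blocked_on_port LOGFILE PORT: distinct sources whose packets to PORT
# were blocked, one per line, sorted. Empty output means nothing was blocked.
blocked_on_port() {
    grep '\[UFW BLOCK\]' "$1" \
        | grep " DPT=$2 " \
        | sed -n 's/.* SRC=\([^ ]*\) .*/\1/p' \
        | sort -u
}

# Constructed sample log written to a temporary file so the functions can
# be exercised offline. Only the [UFW BLOCK] lines should be counted; the
# [UFW ALLOW] line is what a logged allow rule (ufw allow log 22/tcp)
# produces and must be ignored, and the ICMP block has no DPT field.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:15:02 web1 kernel: [  512.331401] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:00:5e:00:01:01:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web1 kernel: [  513.002113] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:00:5e:00:01:01:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:04 web1 kernel: [  514.118240] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:00:5e:00:01:01:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44323 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:16:30 web1 kernel: [  600.450917] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:00:5e:00:01:01:08:00 SRC=203.0.113.77 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=55000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:16:31 web1 kernel: [  601.211006] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:00:5e:00:01:01:08:00 SRC=203.0.113.77 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=54321 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Mar  3 10:20:12 web1 kernel: [  822.770311] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:00:5e:00:01:01:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=TCP SPT=40101 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:21:05 web1 kernel: [  875.093422] [UFW ALLOW] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:00:5e:00:01:01:08:00 SRC=192.0.2.44 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=1180 DF PROTO=TCP SPT=50120 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
EOF

echo "Blocked packets by source:"
blocked_by_source "$SAMPLE_LOG"
echo "Blocked packets by destination port:"
blocked_by_port "$SAMPLE_LOG"
echo "Sources blocked on port 22:"
blocked_on_port "$SAMPLE_LOG" 22
```

To run the same summaries against a live server, pass /var/log/ufw.log instead of the sample file, or save the output of the grep above to a file and pass that. A single source appearing many times against port 22 in the blocked-by-source list is the typical signature of password guessing against SSH, and is a good prompt to consider a deny rule for that address or subnet using the commands from earlier in this guide.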

Closing words

The Uncomplicated Firewall (UFW) can still be an intimidating tool for beginners. This guide should be enough to get you started on securing your server. For more information, read the UFW manual page for your distribution.


By Russell John

Founder of Trance Host. Over 20 years of experience in the web hosting industry.
