17 Beginner’s Guides to UFW (Uncomplicated Firewall) on Ubuntu
UFW or Uncomplicated Firewall is a Python-based firewall software that available by default on Ubuntu Server. It is an alternative to IPTables, which provides a user-friendly command line, and is easier to implement. Compared to IPTables, UFW provides readable command lines that are easy to understand. UFW makes users easier to set up their firewall, even without an in-depth understanding of networking and TCP/IP background.
In this article, you will learn how to use UFW practically. You will learn most UFW commands that you can implement in real-world scenarios.
Prerequisites
Before you start, ensure that you have the Ubuntu server up and running with UFW installed.
Now let’s get started and deep-dive into UFW.
1. Start and Enable UFW on Ubuntu Server
UFW comes pre-installed on the Ubuntu server, but not running. It’s also available for multiple Linux distributions and can be installed via APT for Debian-based distributions and DNF for RedHat-based distributions.
Before you start and enable UFW, you must add the OpenSSH
application profile to the using the following command.
sudo ufw allow OpenSSH
An output Rules updated
confirms that the new UFW rule has been added.
After the OpenSSH
is added, type the following command to start and enable UFW.
sudo ufw enable
When prompted, input y
to confirm, then press ENTER to proceed. With that, you should get an output such as Firewall is active and enabled on system startup
.
2. Checking UFW Status on Ubuntu Server
With the UFW running and enabled, you can now verify the UFW status by typing the following command.
sudo ufw status
You should see the output like this:
An output Status: active
confirms that the UFW is running, enabled, and will start automatically upon the system startup. Furthermore, You also see the list of available rules on UFW. In this case, the OpenSSH
application profile is enabled.
3. Opening Port on Ubuntu via UFW
In this section, you will learn how to add a specific port to UFW via the ufw allow
command.
Type the following command to allow connections to port 5353
on protocol UDP
. When added, you should receive an output such as Rules added
.
sudo ufw allow 5353/udp
Now if you verify the status of UFW, you should get the port 5353/udp
available on the list rules.
sudo ufw status
4. Opening Multiple Ports via UFW
To add multiple ports in UFW, you can separate each port like this 443,80,8080,8000/tcp
. This will add a single rule with multiple ports.
sudo ufw allow 443,80,8080,8000/tcp
Type the following command to list detailed rules on UFW.
sudo ufw status
You should see the new rule with multiple ports 443,80,8080,8000/tcp
.
5. Opening Port Range in UFW
This is used when you have services that use random ports in between of N-N
number. To add a range of ports in UFW, you can use :
in between the ports such as 30000:32767
, then add the following protocol for the port (TCP or UDP).
Enter the following command to allow connections to ports between 30000-32767
with the protocol TCP
.
sudo ufw allow 30000:32767/tcp
Once added, you should see the output Rules added
.
6. Allow Incoming Traffic from a Specific IP Address
Implement this when you need to secure your services or server from outsiders by limiting remote access via UFW. This way, only IP addresses that listen in the UFW rule will be allowed to access the server/services.
Enter the following command to allow incoming traffic from the IP address 192.168.5.100
to your server.
sudo ufw allow from 192.168.5.100 to any
For specific ports, add the parameter to any port 8080
to the command.
sudo ufw allow from 192.168.5.1 to any port 8080
Now verify the list of UFW rules using the following command.
sudo ufw status
In the From
section, you should see the allowed IP address 192.168.5.1
to port 8080
.
7. Allow Incoming Traffic from Subnet
To allow a port from a specific network, you must include the subnet netmask of the target network such as IP/24
.
Enter the following command to allow incoming traffic from the network 192.168.5.0/24
to the server.
sudo ufw allow from 192.168.5.0/24
Now if you want to specify the target port, you can use the following command. This will allow incoming traffic from 192.168.1.0/24
to only port 8080
.
sudo ufw allow from 192.168.1.0/24 to any port 8080
Verify the details of the UFW rule using the following command.
sudo ufw status
On the output, you should see port 8080
is allowed from the specific network 192.168.1.0/24
.
8. Block Incoming Traffic from a Specific IP Address
To block incoming connections from the IP address, you can run the ufw deny
command below. This will deny the IP address 192.168.5.15
to access the server.
sudo ufw deny from 192.168.1.15 to any
To block access to a specific port, you can add a parameter such as to any port 80
. In this case, you will block the IP address 192.168.1.25
to access the port 80
on the server.
sudo ufw deny from 192.168.1.25 to any port 80
Now check the list of UFW rules using the below command. You should see in the new rule Action
section with DENY
.
sudo ufw status
9. Block Incoming Traffic from Subnet
To block incoming connections from the network with UFW, you can add the subnet mask of your network like the following command.
sudo ufw deny from 192.168.1.0/24 to any
Now if you want to block network connection to a specific port, use the following command.
sudo ufw deny from 192.168.5.0/24 to any port 80
10. Listing UFW Rules in Numbered Format
UFW provides a command line that allows you to show the list of rules in the numbered format. Each of the available rules will be assigned a number. This way, you can easily delete or modify available rules without a headache.
Type the following command to get the list of rules in numbered format.
sudo ufw status numbered
You should see the list of UFW rules with the number at the beginning.
11. Deleting Enabled Rule in UFW
To delete a rule in UFW is by using the rule_number
. Before you delete the rule, verify the list of rules in the numbered format.
sudo ufw status numbered
Check which rule number that you want to delete and run the command ufw delete rule-number
below. This example will delete the rule number 3
on UFW.
sudo ufw delete 3
Input y
to confirm, then press ENTER to proceed. Once downloaded, you should get an output such as Rule deleted
.
12. Disable ICMP/Ping on Ubuntu via UFW
In some cases, you may want to disable ping or ICMP echo requests via UFW on your server. This can mitigate stealth scans from applications such as Nmap.
By default, the ICMP requests are allowed in UFW. To disable it, you must modify the UFW configuration.
First, enter the following command to backup the default UFW config file /etc/ufw/before.rules
.
sudo cp /etc/ufw/before.rules /etc/ufw/before.rules_orig
Open the file /etc/ufw/before.rules
using your preferred text editor, this demo uses nano
.
sudo nano /etc/ufw/before.rules
Delete the following lines:
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
And replace with this:
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Save and exit the file.
There are multiple ICMP requests in computer networking, such as destination-unreachable
, source-quench
, time-exceeded
, parameter-problem
, and echo-request
. Implementing this configuration will completely disable ICMP requests to the server. If you want to allow specific ICMP requests, you can replace the parameter DROP
to ACCEPT
in the target ICMP request.
Now run the following command to reload UFW and apply the changes. You should get an output such as Firewall reloaded
.
sudo ufw reload
13. Enable UFW Application Profiles
In UFW, there is a feature called application profiles that contains predefined rules for specific applications or services. For example, the OpenSSH server comes with an application profile called OpenSSH
, the Apache2 web server comes with Apache Full
, and the Nginx web server comes with Nginx Full
.
The default UFW application profiles are stored in the /etc/ufw/applications.d/
directory. Each profile can contain multiple ports, also you can set up custom application profiles by creating a new config file in the /etc/ufw/applications.d/
directory.
Verify the list of available application profiles using the following command.
sudo ufw app list
You can now allow incoming traffic to the application profile using the ufw
command below. In this case, the Nginx web server is installed, and you will add the application profile Nginx Full
to your Ubuntu Server.
sudo ufw allow 'Nginx Full'
Additionally, you can also show the details of the UFW application profile by running the ufw app
command below.
sudo ufw app info 'Nginx Full'
14. Creating Custom Application Profile in UFW
To create a custom application profile in UFW, you need to create a new config file in the directory /etc/ufw/applications.d/
. Below is a template of the UFW application profile that you can use to create your custom profile.
[Name]
title=Title of profile
description=Description of profile
ports=port1,port2/tcp
Create a new file /etc/ufw/applications.d/tomcat
using your preferred editor.
sudo nano /etc/ufw/applications.d/tomcat
Add the following configurations to the file.
[Tomcat]
title=Apache Tomcat Default
description=Apache Tomcat default port 8080
ports=8080/tcp
Save the file and exit the editor.
Now reload the UFW and verify the list of available application profiles in UFW.
sudo ufw reload
sudo ufw app list
You should see the new profile called Tomcat
is available, which means that you’ve successfully added the custom application profile to UFW.
Run the following command to get details of the Tomcat
application profile, then enable it.
sudo ufw app info Tomcat
sudo ufw allow Tomcat
The Tomcat
application profile will open the TCP port 8080
on the server.
15. Setting up Forwarding in UFW
There are two port forwarding that you can achieve with UFW, below is an example:
- Port Forwarding port via REDIRECT: When you need to redirect an external port to an internal port in the same server.
- Port Forwarding port via DNAT: When you need to redirect a port to another port on a different server.
To set up port forwarding, you must enable the kernel parameter net/ipv4/ip_forward=1
on your system.
Run the following command to add the kernel parameter net/ipv4/ip_forward=1
to the /etc/sysctl.conf
file. Then, apply the changes on the current session via the sysctl
command.
sudo echo 'net/ipv4/ip_forward=1' >> /etc/sysctl.conf
sudo sysctl -p
Then, open the file /etc/default/ufw
using vim
.
sudo vim /etc/default/vim
Change the default DEFAULT_FORWARD_POLICY
to ACCEPT
.
DEFAULT_FORWARD_POLICY="ACCEPT"
Save and close the file when you’re done.
Now, open the UFW configuration file /etc/ufw/before.rules
using the nano editor.
sudo nano /etc/ufw/before.rules
15.1 – Setting up Port Forwarding via REDIRECT
Add the following lines to the file before the *filter
parameter. In this case, you will redirect incoming traffic from port 80
to port 8080
.
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
COMMIT
Save the file, then exit the editor.
Next, run the following command to open both ports 80
and 8080
on your server, then reload the UFW.
sudo ufw allow 80,8080/tcp
sudo ufw reload
15.2 – Setting up Port Forwarding via DNAT
if you want to redirect port to port on a different server, you can use DNAT via UFW. Mostly, this helps you when you have an internal application z
Add the following configuration to the file /etc/ufw/before.rules
before the *filter
parameter. In this example, all incoming traffic to the interface eth0
within port 80
will be forwarded to the server 192.168.5.10
with port 80
.
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.5.22
COMMIT
Save the file and exit the editor.
Now, run the following command to reload open port 80
on the current machine, then reload the UFW to apply the changes.
sudo ufw allow 80/tcp
sudo ufw reload
16. Enable Logging in UFW
UFW comes with a logging feature that allows you to get detailed information on your firewall, which includes events like IN and OUT connections, blocked connections,
To enable logging in UFW, execute the following command. This will show you an output Logging enabled
.
sudo ufw logging on
Now, input the following command to check the detailed UFW status, including the log level and default policy.
sudo ufw status verbose
As seen in the following, logging on UFW is enabled at a level low.
Below are five logging levels available in UFW:
- off: This means logging is disabled completely on UFW.
- low: This will log all blocked packets that do not match with the current policy/rule and also log packets with a matching policy.
- medium: In addition to level Low, this also logs all packets that match with the current policy, all INVALID packets, and new connections. And all is done with rate limiting.
- high: This includes the level Medium but without rate limiting and also logs all packets with rate limiting.
- full: This is log level High but without rate limiting.
Next, you can change the logging level in UFW by executing the following command. In this case, you will change the logging level to medium
.
sudo ufw logging medium
Lastly, you can check the UFW log file /var/log/ufw.log
by using the tail
or grep
commands.
sudo tail -f /var/log/ufw.log
sudo grep "UFW BLOCK" /var/log/ufw.log
17. Setting up Connection Rate Limits
In addition to allow
, block
, and reject
rules, UFW offers a limit
rule, which enforces connection rate limits and provides additional protection against brute-force and DoS attacks. By default, the limit
rule allows only 6 connection attempts every 30 seconds. And when the attmpt exceeds, the new connection will be blocked.
Execute the ufw limit
command below to enable connection rate limits for the OpenSSH
application profile.
sudo ufw limit OpenSSH
Now, run the command below to check the UFW status and list enabled rules. You should see the OpenSSH rule action is changed to LIMIT
.
sudo ufw status
Lastly, you can check blocked connections on /var/log/ufw.log
using the log event UFW LIMIT BLOCK
via the grep
command below.
grep "UFW LIMIT BLOCK" /var/log/ufw.log
Conclusion
To sum up, you’ve now mastered 17 practical examples of UFW (Uncomplicated Firewall) on the Ubuntu server. With this knowledge, you can implement each example to your server to enhance your server security. Or, you can also integrate UFW with fail2ban to block brute-force attacks.