UFW (uncomplicated firewall) is a firewall configuration tool that runs on top of iptables, included by default within Ubuntu distributions. It provides a streamlined interface for configuring common firewall use cases via the command line.
This cheat sheet-style guide provides a quick reference to common UFW use cases and commands, including examples of how to allow and block services by port, network interface, and source IP address.
Verify UFW Status #
To check if ufw is enabled, run:
sudo ufw status Status: inactive
Enable UFW #
If you got a Status: inactive message when running ufw status, it means the firewall is not yet enabled on the system. You’ll need to run a command to enable it.
To enable UFW on your system, run:
sudo ufw enable Output Firewall is active and enabled on system startup
See current status and firewall rules #
To see what is currently blocked or allowed, you may use the verbose parameter when running ufw status, as follows:
sudo ufw status verbose Output Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), deny (routed) New profiles: skip
Disable UFW #
sudo ufw disable
Block an IP Address #
sudo ufw deny from 192.168.1.1 Output Rule added
In this example, from 192.168.1.1 specifies a source IP address of “192.168.1.1”.
If you run sudo ufw status now, you’ll see the specified IP address listed as denied:
OutputStatus: active To Action From -- ------ ---- Anywhere DENY 192.168.1.1
Block a Subnet #
sudo ufw deny from 192.168.1.0/24
Allow an IP Address #
sudo ufw allow from 192.168.1.1
Allow Incoming Connections to a Network Interface
sudo ufw allow in on eth0 from 192.168.1.1
Delete UFW Rule #
To delete a rule that you previously set up within UFW, use ufw delete followed by the rule (allow or deny) and the target specification. The following example would delete a rule previously set to allow all connections from an IP address of 192.168.1.1:
sudo ufw delete allow from 192.168.1.1
Another way to specify which rule you want to delete is by providing the rule ID. This information can be obtained with the following command:
sudo ufw status numbered Output Status: active To Action From -- ------ ---- [ 1] Anywhere DENY IN 192.168.1.1 [ 2] Anywhere on eth0 ALLOW IN 192.168.1.1
All rules are numbered starting with the number or ID of 1 and increasing by 1. If we want to remove rule number 1 we would run:
sudo ufw delete 1
List Available Application Profiles #
Upon installation, applications that rely on network communications will typically set up a UFW profile that you can use to allow connection from external addresses. This is often the same as running ufw allow from, with the advantage of providing a shortcut that abstracts the specific port numbers a service uses and provides a user-friendly nomenclature to referenced services.
To list which profiles are currently available, run the following:
sudo ufw app list Output Available applications: OpenSSH
Enable Application Profile #
sudo ufw allow “OpenSSH” Output Rule added Rule added (v6)
Disable Application Profile #
sudo ufw delete allow "OpenSSH"
Allow Incoming PORT from Specific IP Address or Subnet #
sudo ufw allow from 192.168.1.1 proto tcp to any port 7788 sudo ufw allow from 192.168.1.0/24 proto tcp to any port 1584
Allow All Incoming Connections to Port #
sudo ufw allow proto tcp from any to any port 80,443
UFW is a powerful tool that can greatly improve the security of your servers when properly configured. This reference guide covers some common UFW rules that are often used to configure a firewall on Ubuntu. The official UFW page on Ubuntu’s documentation is another resource you can use as reference for more advanced use cases and examples.