How to work with your firewall (UFW - Uncomplicated Firewall)
Last updated: November 10th 2022
UFW or Uncomplicated Firewall is a command-line interface to iptables and is specially designed to simplify the process of configuring a firewall.
Iptables is an extremely flexible firewall utility that was built for Linux operating systems. Iptables is a great tool with many functionalities that can be used to secure your Linux system from unwanted traffic. However, it can be difficult for beginners to learn how to use it properly when configuring the firewall. As a result, the UFW is well-suited for beginners, and you can learn, configure and use it easily.
UFW is a great firewall tool that is designed to be run on hosts or servers. It allows or blocks incoming and outgoing connections to and from the server. You can block ports, IPs or even entire subnets using UFW. It is not as flexible as iptables but is vastly easier for basic operations. It aims to provide an easy to use interface for people unfamiliar with firewall concepts, while at the same time simplifies complicated iptables commands to help an administrator who knows what he or she is doing.
In this tutorial, we will show you how to use the UFW firewall with hands-on examples.
Please note: Doing these actions bring the risk of downtime for your server if you are not careful. Do not do this on a live site if you do not know exactly what you are doing. It is recommended to create a new server from a snapshot and test this out - then migrate your changes back to your live server once you've verified everything is working.
- A Webdock cloud Ubuntu instance
- You have shell (SSH) access to your VPS.
Verify UFW is installed
The UFW firewall is pre-installed on Webdock servers. By default, it is configured to allow incoming connections to the ports 21, 22, 80, 443 and 50000-50099.
You can check all the rules added by the UFW firewall using the following command:
ufw status verbose
You should get the following output:
Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- 21 ALLOW IN Anywhere 50000:50099/tcp ALLOW IN Anywhere 22 ALLOW IN Anywhere 80 ALLOW IN Anywhere 443 ALLOW IN Anywhere 21 (v6) ALLOW IN Anywhere (v6) 50000:50099/tcp (v6) ALLOW IN Anywhere (v6) 22 (v6) ALLOW IN Anywhere (v6) 80 (v6) ALLOW IN Anywhere (v6) 443 (v6) ALLOW IN Anywhere (v6) 20/tcp ALLOW OUT Anywhere 20/tcp (v6) ALLOW OUT Anywhere (v6)
As you can see, UFW firewall is configured to allow HTTP, HTTPS, SSH and FTP services from the outside network.
Note : Don't delete any of the above rules unless you know what you are doing as they are necessary for our LAMP/LEMP stack to function.
Allowing Incoming Connections with UFW
You can add UFW rules by specifying a service or port number.
For example, to add the UFW rule to allow the TCP port 80 and 443, run the following command:
ufw allow 80/tcp ufw allow 443/tcp
You can also allow the MySQL and HTTPS service by referencing them by name. The following command is equivalent to the above:
ufw allow mysql ufw allow https
Add the UFW rule to allow the UDP port 21 using the following command:
ufw allow 21/udp
You can also allow specific port range through the UFW firewall. For example, add the UFW rule to allow TCP port 6000 to 6500, run the following command:
ufw allow 6000:6500/tcp
You can also allow a specific IP (192.168.0.100) to access all port with the UFW firewall as shown below:
ufw allow from 192.168.0.100
To allow a specific IP (192.168.0.200) to access a specific port 8088, run the following command:
ufw allow from 192.168.0.200 to any port 8088
To allow a specific network subnet (192.168.2.0/24) to access all port, run the following command:
ufw allow from 192.168.2.0/24
Denying Incoming Connections with UFW
Per default UFW blocks all incoming connections so usually it is not required to add specific deny rules. However, if you have allowed a range of ports for example, adding specific deny rules might be appropriate, or if you want to deny traffic from specific IP addresses for example.
As an example, the UFW rule to deny the service SMTP, run the following command:
ufw deny smtp
To deny the TCP port 389, run the following command:
ufw deny 389/tcp
To deny the UDP port 137, run the following command:
ufw deny 137/udp
To deny all connections from a specific IP (192.168.0.150), run the following command:
ufw deny from 192.168.0.150
To deny a specific port range (8000:8200), run the following command:
ufw deny 8000:8200/tcp
To combine the two commands in order to deny traffic from a specific ip to a specific port range you would simply do
ufw deny from 192.168.0.150 to any port 8000:8200/tcp
Listing UFW Rules
If you want to list all UFW rules which are added, run the following command:
ufw show added
You should see all UFW rules in the following output:
Added user rules (see 'ufw status' for running firewall): ufw allow 21 ufw allow 50000:50099/tcp ufw allow out 20/tcp ufw allow 22 ufw allow 80 ufw allow 443 ufw allow 6000:6500/tcp ufw allow from 192.168.0.200 to any port 8088 ufw allow from 192.168.0.100 ufw allow from 192.168.2.0/24 ufw deny 25/tcp ufw deny 8000:8200/tcp ufw allow 3306
Deleting UFW Rules
There are two ways to delete the UFW rules.
Deleting Rules By Specification
The simple and easiest way to delete the UFW rule is by specifying the actual rule.
To delete the "allow mysql" UFW rule, run the following command:
ufw delete allow mysql
To delete the "allow 443/tcp" UFW rule, run the following command:
ufw delete allow 443/tcp
To delete the "allow 21/udp" UFW rule, run the following command:
ufw delete allow 21/udp
Deleting Rules By Rule Number
If you want to delete the UFW rules using rule number, you will first need to list all your UFW rules by rule number.
You can run the following command to list all firewall rules by numbers.
ufw status numbered
You should get the following output:
Status: active To Action From -- ------ ---- [ 1] 21 ALLOW IN Anywhere [ 2] 50000:50099/tcp ALLOW IN Anywhere [ 3] 20/tcp ALLOW OUT Anywhere (out) [ 4] 22 ALLOW IN Anywhere [ 5] 80 ALLOW IN Anywhere [ 6] 443 ALLOW IN Anywhere [ 7] 6000:6500/tcp ALLOW IN Anywhere [ 8] 8088 ALLOW IN 192.168.0.200 [ 9] Anywhere ALLOW IN 192.168.0.100  Anywhere ALLOW IN 192.168.2.0/24  25/tcp DENY IN Anywhere  8000:8200/tcp DENY IN Anywhere  3306 ALLOW IN Anywhere  21 (v6) ALLOW IN Anywhere (v6)  50000:50099/tcp (v6) ALLOW IN Anywhere (v6)  20/tcp (v6) ALLOW OUT Anywhere (v6) (out)  22 (v6) ALLOW IN Anywhere (v6)  80 (v6) ALLOW IN Anywhere (v6)  443 (v6) ALLOW IN Anywhere (v6)  6000:6500/tcp (v6) ALLOW IN Anywhere (v6)  25/tcp (v6) DENY IN Anywhere (v6)  8000:8200/tcp (v6) DENY IN Anywhere (v6)  3306 (v6) ALLOW IN Anywhere (v6)
Once you have all UFW rules with the number, you can use the "ufw delete" command followed by the rule number that you want to remove.
For example, to delete the UFW rule with number 20, run the following command:
ufw delete 20
You will be asked to confirm that you want to delete the rule:
Deleting: allow 6000:6500/tcp Proceed with operation (y|n)? y Rule deleted (v6)
Type y and hit Enter to delete the rule.
Important: The rule number will change automatically after deleting a rule. So it is recommended to list the rules before deleting another rule.
Disabling UFW Firewall
If you want to disable the UFW firewall, run the following command:
You can re-enable the UFW firewall any time by just running the following command:
If you want to reset UFW firewall completely and remove all existing rules, you can use the following command:
You will be asked to reset all rules to the default one as shown below:
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Type y and press Enter to remove all rules:
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20200408_160447' Backing up 'user.rules' to '/lib/ufw/user.rules.20200408_160447' Backing up 'before.rules' to '/etc/ufw/before.rules.20200408_160447' Backing up 'after6.rules' to '/etc/ufw/after6.rules.20200408_160447' Backing up 'after.rules' to '/etc/ufw/after.rules.20200408_160447' Backing up 'user6.rules' to '/lib/ufw/user6.rules.20200408_160447'
Please Note: If you are managing your server over SSH, don't delete the UFW rule that allows SSH traffic (typically port 22) as that will make you loose shell access. You will be locked out of your server and unable to connect to your Webdock server without contacting support so we can enable access once again.
Checking if your rules have worked
Please Note: Some applications, such as Docker, may modify IPTables directly where UFW will not list these exceptions when running ufw status. This may lead to ports being open to the internet. The solution is to manually insert deny rules to after.rules and after6.rules.As the warning above states, you may still have open ports despite UFW claiming otherwise, especially if you are running Docker applications. To see how to check if there are any open ports, please see our guide on the topic.
As you can see, the UFW is a simple and easy to use tool to configure and manage your iptables firewall. All commands which you have seen in the above guide are important for understanding how the UFW firewall works and how you can use it in a production environment. Hopefully you now know how you can now limit any unwanted connections using UFW firewall.