How to work with your firewall (UFW - Uncomplicated Firewall)

Last updated: January 10th 2024

Introduction

UFW, or Uncomplicated Firewall, is a command-line front end to iptables that is designed to make configuring a host firewall simple.

Iptables is an extremely flexible firewall utility built for Linux. It has many features that can be used to protect a Linux system from unwanted traffic, but beginners often find it difficult to configure correctly. UFW is well suited to beginners: it is easy to learn, configure and use.

UFW is designed to run on individual hosts or servers. It allows or blocks incoming and outgoing connections to and from the server, and you can block ports, IPs or entire subnets with it. It is not as flexible as iptables but is vastly easier for basic operations. It aims to provide an easy-to-use interface for people unfamiliar with firewall concepts, while at the same time simplifying complicated iptables commands for administrators who know what they are doing.

In this tutorial, we will show you how to use the UFW firewall with hands-on examples.

Please note: These actions bring a risk of downtime for your server if you are not careful. Do not do this on a live site unless you know exactly what you are doing. We recommend creating a new server from a snapshot and testing there, then migrating your changes back to your live server once you have verified everything works. If you must work on a live server over SSH, keep a second SSH session open while you change rules so that a mistake can be reverted without being locked out.

Prerequisites

Verify UFW is installed

The UFW firewall is pre-installed on Webdock stacks. By default, it is configured to allow incoming connections on ports 21, 22, 80, 443 and 50000-50099 (the rules for 21, 22, 80 and 443 carry no protocol, so they cover both TCP and UDP).

All ufw commands in this guide must be run as root (or with sudo). You can check the rules currently loaded by UFW with the following command:

ufw status verbose

You should get the following output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
21                         ALLOW IN    Anywhere                  
50000:50099/tcp            ALLOW IN    Anywhere                  
22                         ALLOW IN    Anywhere                  
80                         ALLOW IN    Anywhere                  
443                        ALLOW IN    Anywhere                  
21 (v6)                    ALLOW IN    Anywhere (v6)             
50000:50099/tcp (v6)       ALLOW IN    Anywhere (v6)             
22 (v6)                    ALLOW IN    Anywhere (v6)             
80 (v6)                    ALLOW IN    Anywhere (v6)             
443 (v6)                   ALLOW IN    Anywhere (v6)             

20/tcp                     ALLOW OUT   Anywhere                  
20/tcp (v6)                ALLOW OUT   Anywhere (v6)  

As you can see, UFW is configured to allow HTTP, HTTPS, SSH and FTP (the control port 21 plus the passive data range 50000-50099) in from the outside, and active-mode FTP data connections out on port 20.

Note: Don't delete any of the above rules unless you know what you are doing, as they are necessary for our LAMP/LEMP stack to function.

Allowing Incoming Connections with UFW

You can add UFW rules by specifying a port number (optionally with a protocol) or a service name.

For example, to allow TCP ports 80 and 443, run the following commands:

ufw allow 80/tcp
ufw allow 443/tcp

You can also reference services by the names listed in /etc/services. The second command below is equivalent to "ufw allow 443/tcp"; the first opens MySQL's port 3306/tcp, which you should only do if the database really has to be reachable from other hosts:

ufw allow mysql
ufw allow https

Append /udp to allow a UDP port instead. The following command allows UDP port 21 (this only illustrates the syntax; FTP itself uses TCP, which the stack already allows):

ufw allow 21/udp

You can also allow a port range. A range must state its protocol, so to allow TCP ports 6000 to 6500, run the following command:

ufw allow 6000:6500/tcp

You can also allow a specific IP (192.168.0.100) to access all ports, as shown below:

ufw allow from 192.168.0.100

To allow a specific IP (192.168.0.200) to access a specific port (8088), run the following command (append "proto tcp" to restrict the rule to TCP):

ufw allow from 192.168.0.200 to any port 8088

To allow a specific network subnet (192.168.2.0/24) to access all ports, run the following command:

ufw allow from 192.168.2.0/24

Denying Incoming Connections with UFW

By default UFW blocks all incoming connections, so specific deny rules are usually not required. They are useful when you have allowed a range of ports and want to carve out exceptions, or when you want to block particular IP addresses. Keep in mind that UFW evaluates rules in the order they were added and stops at the first match: a deny rule appended after an allow rule that already matches the same traffic has no effect. To block an address that one of your allow rules would otherwise admit, insert the deny rule at the top with "ufw insert 1 deny from <address>".

For example, to deny the SMTP service (port 25/tcp), run the following command:

ufw deny smtp

To deny the TCP port 389, run the following command:

ufw deny 389/tcp

To deny the UDP port 137, run the following command:

ufw deny 137/udp

To deny all connections from a specific IP (192.168.0.150), run the following command:

ufw deny from 192.168.0.150

To deny a specific port range (8000:8200), run the following command:

ufw deny 8000:8200/tcp

To combine the two and deny traffic from a specific IP to a specific port range, give the protocol with the proto keyword (a range in this form needs it):

ufw deny from 192.168.0.150 to any port 8000:8200 proto tcp
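The allow and deny commands above are usually typed one at a time. The script below, an added example for this guide and not part of the Webdock stack or the ufw project, turns them into a repeatable baseline and shows the one thing the individual commands hide: rule order. It keeps HTTP/HTTPS open, replaces the stack's plain "allow 22" with a rate-limited rule, restricts an admin port to one management subnet, and blocks one abusive address by inserting the deny rule at position 1 so it is matched before the broad allow rules. The addresses are RFC 5737 documentation ranges and the admin port 8088 is an assumption; substitute your own. Commands are only printed unless APPLY=1 is set.

```sh
#!/bin/sh
# Added example for this guide (not Webdock's or ufw's own code). Applies a repeatable
# baseline on top of the stack's existing rules. Commands are echoed unless APPLY=1.
# Addresses are RFC 5737 documentation ranges; the admin port is an assumption.

ufw_cmd() {
    if [ "${APPLY:-0}" = 1 ]; then
        ufw "$@"
    else
        echo "ufw $*"
    fi
}

apply_baseline() {
    blocked_ip=$1      # e.g. 203.0.113.7
    admin_net=$2       # e.g. 192.0.2.0/24
    admin_port=$3      # e.g. 8088

    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing

    # Rate-limit SSH: an address that opens 6 or more connections within 30 seconds is
    # dropped. Added before the stack's own "allow 22" is removed so SSH is never
    # unlisted; the current session survives anyway because ufw's before.rules accept
    # ESTABLISHED traffic.
    ufw_cmd limit 22/tcp
    ufw_cmd delete allow 22 || true    # absent on a non-Webdock host: ignore the error

    ufw_cmd allow 80/tcp
    ufw_cmd allow 443/tcp

    # Admin port reachable only from the management subnet; "proto tcp" keeps UDP closed.
    ufw_cmd allow from "$admin_net" to any port "$admin_port" proto tcp

    # Deny first: appended at the end it would sit behind "allow 80" and never match.
    ufw_cmd insert 1 deny from "$blocked_ip"

    # --force skips the "may disrupt existing ssh connections" prompt; acceptable only
    # because an SSH rule was added above.
    ufw_cmd --force enable
}

# Usage: sh baseline.sh <blocked-ip> <admin-subnet> <admin-port>   (APPLY=1 to run for real)
if [ $# -eq 3 ]; then
    apply_baseline "$@"
fi
```

Run it once without APPLY to read the plan, then with APPLY=1 from a session you can afford to lose; check "ufw status numbered" afterwards and confirm the deny rule is listed first.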

Listing UFW Rules

If you want to list all the rules you have added, in the form you typed them, run the following command:

ufw show added

You should see output like the following (this listing is from the author's test server; yours will show the rules you have added):

Added user rules (see 'ufw status' for running firewall):
ufw allow 21
ufw allow 50000:50099/tcp
ufw allow out 20/tcp
ufw allow 22
ufw allow 80
ufw allow 443
ufw allow 6000:6500/tcp
ufw allow from 192.168.0.200 to any port 8088
ufw allow from 192.168.0.100
ufw allow from 192.168.2.0/24
ufw deny 25/tcp
ufw deny 8000:8200/tcp
ufw allow 3306

Deleting UFW Rules

There are two ways to delete UFW rules.

Deleting Rules By Specification

The simplest way to delete a UFW rule is to repeat the rule with "delete" in front of it.

To delete the "allow mysql" UFW rule, run the following command:

ufw delete allow mysql

To delete the "allow 443/tcp" UFW rule, run the following command:

ufw delete allow 443/tcp

To delete the "allow 21/udp" UFW rule, run the following command:

ufw delete allow 21/udp

Deleting Rules By Rule Number

If you want to delete UFW rules by rule number, you first need to list them with their numbers. Run the following command:

ufw status numbered

You should get the following output:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 21                         ALLOW IN    Anywhere                  
[ 2] 50000:50099/tcp            ALLOW IN    Anywhere                  
[ 3] 20/tcp                     ALLOW OUT   Anywhere                   (out)
[ 4] 22                         ALLOW IN    Anywhere                  
[ 5] 80                         ALLOW IN    Anywhere                  
[ 6] 443                        ALLOW IN    Anywhere                  
[ 7] 6000:6500/tcp              ALLOW IN    Anywhere                  
[ 8] 8088                       ALLOW IN    192.168.0.200             
[ 9] Anywhere                   ALLOW IN    192.168.0.100             
[10] Anywhere                   ALLOW IN    192.168.2.0/24            
[11] 25/tcp                     DENY IN     Anywhere                  
[12] 8000:8200/tcp              DENY IN     Anywhere                  
[13] 3306                       ALLOW IN    Anywhere                  
[14] 21 (v6)                    ALLOW IN    Anywhere (v6)             
[15] 50000:50099/tcp (v6)       ALLOW IN    Anywhere (v6)             
[16] 20/tcp (v6)                ALLOW OUT   Anywhere (v6)              (out)
[17] 22 (v6)                    ALLOW IN    Anywhere (v6)             
[18] 80 (v6)                    ALLOW IN    Anywhere (v6)             
[19] 443 (v6)                   ALLOW IN    Anywhere (v6)             
[20] 6000:6500/tcp (v6)         ALLOW IN    Anywhere (v6)             
[21] 25/tcp (v6)                DENY IN     Anywhere (v6)             
[22] 8000:8200/tcp (v6)         DENY IN     Anywhere (v6)             
[23] 3306 (v6)                  ALLOW IN    Anywhere (v6)             

Once you have the numbered list, use "ufw delete" followed by the number of the rule you want to remove.

For example, to delete rule number 20 (the IPv6 half of the 6000:6500/tcp rule), run the following command:

ufw delete 20

You will be asked to confirm that you want to delete the rule:

Deleting:
 allow 6000:6500/tcp
Proceed with operation (y|n)? y
Rule deleted (v6)

Type y and hit Enter to delete the rule.

Important: The rule numbers shift after a rule is deleted. List the rules again before deleting another one by number, or, when removing several, delete the highest numbers first so the remaining numbers stay valid.
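The following helper, added for this guide and not part of the page's original commands, automates deletion by number while respecting the renumbering caveat: it reads the output of "ufw status numbered", finds every rule whose "To" column matches a given port specification (the IPv4 rule and its "(v6)" twin), and emits delete commands highest number first. The sample listing at the bottom is constructed for the demonstration, shortened from the listing above.

```sh
#!/bin/sh
# Added example for this guide (not ufw's own tooling). Reads 'ufw status numbered'
# on stdin and prints the numbers of the rules whose "To" column matches $1 exactly,
# highest first, so that deleting them in that order never invalidates a number.
rule_numbers_matching() {
    awk -v want="$1" '
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            split(rest, col, /  +/)          # columns are separated by two or more spaces
            if (col[1] == want || col[1] == (want " (v6)")) print num
        }' | sort -rn
}

# Print the delete commands as a plan; pipe the result into sh to execute it.
delete_plan() {
    rule_numbers_matching "$1" | while read -r n; do
        echo "ufw --force delete $n"
    done
}

# Constructed sample. A real run would be:  ufw status numbered | delete_plan 6000:6500/tcp
SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 21                         ALLOW IN    Anywhere
[ 2] 50000:50099/tcp            ALLOW IN    Anywhere
[ 3] 20/tcp                     ALLOW OUT   Anywhere                   (out)
[ 4] 6000:6500/tcp              ALLOW IN    Anywhere
[ 5] 3306                       ALLOW IN    Anywhere
[ 6] 6000:6500/tcp (v6)         ALLOW IN    Anywhere (v6)
[ 7] 3306 (v6)                  ALLOW IN    Anywhere (v6)'

printf '%s\n' "$SAMPLE" | delete_plan 6000:6500/tcp    # rule 6, then rule 4
```

Review the printed plan before piping it into sh; "--force" suppresses the confirmation prompt, so there is no second chance once the commands run.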

Disabling UFW Firewall

If you want to disable the UFW firewall (this removes all of its rules from iptables, so every listening port becomes reachable), run the following command:

ufw disable

You can re-enable the UFW firewall any time by just running the following command:

ufw enable

If you want to reset UFW completely and remove all existing rules, use the following command. A reset also disables the firewall, so afterwards you must add your rules again (the SSH rule first) and run "ufw enable":

ufw reset

You will be asked to confirm that all rules should be reset to the installed defaults:

Resetting all rules to installed defaults. Proceed with operation (y|n)? y

Type y and press Enter. UFW backs up the current rule files before removing them:

Backing up 'before6.rules' to '/etc/ufw/before6.rules.20200408_160447'
Backing up 'user.rules' to '/lib/ufw/user.rules.20200408_160447'
Backing up 'before.rules' to '/etc/ufw/before.rules.20200408_160447'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20200408_160447'
Backing up 'after.rules' to '/etc/ufw/after.rules.20200408_160447'
Backing up 'user6.rules' to '/lib/ufw/user6.rules.20200408_160447'

Please note: If you are managing your server over SSH, don't delete the UFW rule that allows SSH traffic (typically port 22), as that will make you lose shell access. Before running "ufw enable", check with "ufw status" that an SSH allow rule is present; ufw itself warns that enabling may disrupt existing SSH connections. If you do lock yourself out of your Webdock server, you will have to contact support so we can enable access once again.

Checking if your rules have worked

Please note: Some applications, such as Docker, modify iptables directly. UFW does not list those rules in "ufw status", so a port published by a container can be open to the internet even though UFW claims otherwise. The fix is to add deny rules manually to /etc/ufw/after.rules and /etc/ufw/after6.rules (Docker's own documentation designates the DOCKER-USER chain for rules that should apply to container traffic). Because of this, do not rely on "ufw status" alone, especially if you run Docker applications: verify which ports actually answer. To see how to check for open ports, please see our guide on the topic.
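One host-side check that goes beyond "ufw status", added here as an example for this guide rather than Webdock's or ufw's own code: compare what is actually listening with what UFW says it allows. Every TCP listener bound to a wildcard address (0.0.0.0, [::] or *) that no "ALLOW IN ... Anywhere" rule covers is reported. Rules that allow only from a specific address are deliberately not counted as coverage. The two samples at the bottom are constructed for the demonstration; on a real host you would call the last function with the live output of "ss -tlnH" and "ufw status".

```sh
#!/bin/sh
# Added example for this guide (not Webdock's or ufw's own code). Cross-checks listening
# TCP sockets against the ufw rule list. Real use:
#   uncovered_listeners "$(ss -tlnH)" "$(ufw status)"

# Ports of listeners bound to a wildcard address, from 'ss -tlnH' output on stdin.
exposed_listeners() {
    awk '{
        n = split($4, a, ":"); port = a[n]                 # $4 is Local Address:Port
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host == "0.0.0.0" || host == "[::]" || host == "*") print port
    }' | sort -un
}

# Ports or ranges allowed in from Anywhere, from 'ufw status' output on stdin
# (protocol suffix dropped; IPv4 rules and their "(v6)" twins collapse to one entry).
allowed_in_ports() {
    awk '/ALLOW IN/ && /Anywhere/ {
        p = $1; sub(/\/(tcp|udp)$/, "", p)
        if (p ~ /^[0-9]+(:[0-9]+)?$/) print p
    }' | sort -u
}

# Listeners exposed to the world that no allow rule explains. $1: ss output, $2: ufw status.
uncovered_listeners() {
    allowed=$(printf '%s\n' "$2" | allowed_in_ports)
    printf '%s\n' "$1" | exposed_listeners | while read -r port; do
        covered=0
        for rule in $allowed; do
            lo=${rule%%:*}; hi=${rule##*:}                  # single port: lo equals hi
            if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then covered=1; break; fi
        done
        [ "$covered" -eq 1 ] || echo "$port"
    done
}

# Constructed 'ss -tlnH' sample: 3306 is loopback-only, 9000 and 8080 are wildcard listeners
# (a Docker-published port typically appears like 8080 here, as a docker-proxy listener).
SAMPLE_SS='LISTEN 0 128   0.0.0.0:22      0.0.0.0:*
LISTEN 0 511   0.0.0.0:80      0.0.0.0:*
LISTEN 0 511   0.0.0.0:443     0.0.0.0:*
LISTEN 0 80    127.0.0.1:3306  0.0.0.0:*
LISTEN 0 4096  0.0.0.0:9000    0.0.0.0:*
LISTEN 0 128   [::]:22         [::]:*
LISTEN 0 4096  *:8080          *:*'

# Constructed 'ufw status' sample: the stack defaults plus one host-specific rule.
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
21                         ALLOW IN    Anywhere
50000:50099/tcp            ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
8088                       ALLOW IN    192.168.0.200
22 (v6)                    ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)'

uncovered_listeners "$SAMPLE_SS" "$SAMPLE_UFW"    # prints 8080 and 9000
```

A port reported here is either something that should not be listening on a public address at all (bind it to 127.0.0.1 instead), or something Docker or another tool exposed behind UFW's back. The check covers TCP only; repeat it with "ss -ulnH" for UDP, and remember that only a scan from outside proves that a port is truly closed.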

Conclusion

As you can see, UFW is a simple and easy-to-use tool for configuring and managing your iptables firewall. The commands in this guide are all you need to understand how UFW works and how to use it in a production environment. Hopefully you now know how to limit unwanted connections with UFW.
