# ufw — Manage Firewall Rules the Easy Way

> Practical guide to ufw — the simple firewall frontend for iptables/nftables: rules, profiles, rate limiting and logging on Ubuntu and Debian.

Source: https://www.jpkc.com/db/en/cheatsheets/security/ufw/

<!-- PROSE:intro -->
ufw (Uncomplicated Firewall) is the user-friendly firewall frontend on Ubuntu and Debian. Instead of unwieldy iptables or nftables rules, you type commands like `ufw allow 22` or `ufw enable` – ufw translates them into the actual kernel rules behind the scenes. It is not a firewall of its own but a thin management layer over the Netfilter functions that are already there. This guide walks you through the commands you reach for daily – from first enabling the firewall to application profiles, rate limiting and logging.
<!-- PROSE:intro:end -->

## Enable & Status

`ufw enable` — Enable the firewall (start on boot).

```bash
sudo ufw enable
```

> **Warning – risk of lockout:** If the default policy is set to `deny incoming` and no SSH rule exists yet, enabling the firewall will lock you out of a remote server. Run `sudo ufw allow OpenSSH` (or `sudo ufw allow 22`) first, then `sudo ufw enable`.
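A pre-flight check for the lockout warning above, added here as an example (not part of the original page): it reads `ufw status` output and succeeds only when a rule already admits SSH, so `ufw enable` can be gated on it. The function names and the sample status text are constructed for this example.

```bash
#!/bin/sh
# has_ssh_rule: succeed only if a rule already admits SSH.
# Handles the plain and verbose layouts ("ALLOW" vs "ALLOW IN"), the
# OpenSSH app profile, a bare port 22, 22/tcp and a LIMIT rule, for
# both v4 and v6 rows. Caveat: an ALLOW restricted to one source
# network only helps if your own address is inside it; not checked here.
has_ssh_rule() {
    # $1: text of `ufw status` or `ufw status verbose`
    printf '%s\n' "$1" | awk '
        $1 ~ "^(22|22/tcp|OpenSSH)$" && ($2 == "ALLOW" || $2 == "LIMIT") { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# safe_enable: refuse to turn the firewall on unless the check passes.
# Only this wrapper touches the real ufw; call it on the host itself.
safe_enable() {
    status="$(sudo ufw status verbose)" || return 1
    if has_ssh_rule "$status"; then
        sudo ufw enable
    else
        echo "refusing to enable ufw: no ALLOW/LIMIT rule for SSH found" >&2
        return 1
    fi
}

# Constructed sample output (not captured from a real host).
STATUS_SAFE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere
80                         ALLOW IN    Anywhere
22/tcp (v6)                LIMIT IN    Anywhere (v6)'

STATUS_UNSAFE='Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW IN    Anywhere'
```

On a live host, `safe_enable` replaces a bare `sudo ufw enable`; the two sample strings only exercise the check offline.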

`ufw disable` — Disable the firewall.

```bash
sudo ufw disable
```

`ufw status` — Show firewall status and rules.

```bash
sudo ufw status
```

`ufw status verbose` — Show status with default policies and logging.

```bash
sudo ufw status verbose
```

`ufw status numbered` — Show rules with numbers (for deletion).

```bash
sudo ufw status numbered
```

## Allow & Deny

`ufw allow <port>` — Allow incoming traffic on a port (TCP and UDP).

```bash
sudo ufw allow 80
```

`ufw allow <port>/tcp` — Allow only TCP traffic on a port.

```bash
sudo ufw allow 443/tcp
```

`ufw allow <start>:<end>/tcp` — Allow a range of TCP ports.

```bash
sudo ufw allow 3000:3100/tcp
```

`ufw deny <port>` — Deny incoming traffic on a port.

```bash
sudo ufw deny 23
```

`ufw allow from <ip>` — Allow all traffic from a specific IP.

```bash
sudo ufw allow from 10.0.0.5
```

`ufw allow from <ip> to any port <port>` — Allow a specific IP to access a port.

```bash
sudo ufw allow from 10.0.0.0/24 to any port 22
```

`ufw deny from <ip>` — Block all traffic from a specific IP.

```bash
sudo ufw deny from 192.168.1.100
```

## Application Profiles

`ufw app list` — List available application profiles.

```bash
sudo ufw app list
```

`ufw allow '<app>'` — Allow traffic for an application profile.

```bash
sudo ufw allow 'Nginx Full'
```

`ufw app info '<app>'` — Show details of an application profile.

```bash
sudo ufw app info 'OpenSSH'
```

`ufw delete allow '<app>'` — Remove an application rule.

```bash
sudo ufw delete allow 'Nginx HTTP'
```

## Delete & Modify Rules

`ufw delete allow <port>` — Delete a rule by specification.

```bash
sudo ufw delete allow 8080
```

`ufw delete <number>` — Delete a rule by its number (from `ufw status numbered`).

```bash
sudo ufw delete 3
```

`ufw insert <number> allow from <ip>` — Insert a rule at a specific position.

```bash
sudo ufw insert 1 allow from 10.0.0.1
```

`ufw reset` — Reset all rules to defaults (disables firewall).

```bash
sudo ufw reset
```

> **Warning:** `ufw reset` deletes every rule and turns the firewall off. On a remote server, make sure your SSH access does not depend on a rule that is about to be removed.

## Rate Limiting & Defaults

`ufw limit <port>/tcp` — Rate limit new connections: an address that has attempted 6 or more connections in the last 30 seconds is denied.

```bash
sudo ufw limit 22/tcp
```

`ufw default deny incoming` — Set default policy to deny incoming traffic.

```bash
sudo ufw default deny incoming
```

`ufw default allow outgoing` — Set default policy to allow outgoing traffic.

```bash
sudo ufw default allow outgoing
```

`ufw default deny routed` — Set default policy for routed/forwarded traffic.

```bash
sudo ufw default deny routed
```

## Logging & Common Patterns

`ufw logging on` — Enable firewall logging.

```bash
sudo ufw logging on
```

`ufw logging <level>` — Set log level (off, low, medium, high, full).

```bash
sudo ufw logging medium
```
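Once logging is on, the kernel writes one line per logged packet, tagged `[UFW BLOCK]`, `[UFW LIMIT BLOCK]`, `[UFW ALLOW]` or `[UFW AUDIT]`. The following example (added here, not from the original page) summarises blocked traffic per source and destination port from such lines; the function names and the sample log lines are constructed, using documentation address ranges.

```bash
#!/bin/sh
# summarize_blocks: count [UFW BLOCK] and [UFW LIMIT BLOCK] entries per
# source address and destination port. ALLOW/AUDIT lines are ignored.
# Output lines: "<count> <SRC> <PROTO>/<DPT>", busiest first.
summarize_blocks() {
    # $1: log text, e.g. "$(journalctl -k | grep UFW)" or /var/log/ufw.log contents
    printf '%s\n' "$1" | awk '
        /\[UFW (LIMIT )?BLOCK\]/ {
            src = dpt = proto = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")       # fields look like KEY=VALUE
                if (n < 2) continue          # skip flags such as DF or SYN
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src != "") count[src " " proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# top_blocked: just the single busiest "<count> <SRC> <PROTO>/<DPT>" line.
top_blocked() {
    summarize_blocks "$1" | head -n 1
}

# Constructed sample lines modelled on the syslog/kernel format ufw emits
# (not real traffic). The ALLOW line only appears at log level medium or above.
SAMPLE_LOG='Mar  3 10:15:42 web kernel: [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:43 web kernel: [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:44 web kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:16:01 web kernel: [UFW ALLOW] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.0.2.44 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=4 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:16:09 web kernel: [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=198.51.100.23 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=UDP SPT=5353 DPT=53 LEN=28'
```

A source that tops this list on port 22 is the case `ufw limit 22/tcp` is meant for; a persistent offender is a candidate for `ufw deny from <ip>` or a fail2ban jail.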

`ufw allow out <port>/tcp` — Allow outgoing traffic on a port.

```bash
sudo ufw allow out 587/tcp
```

`ufw reject <port>` — Reject (send ICMP unreachable) instead of silently dropping.

```bash
sudo ufw reject 23
```

`ufw allow proto tcp from <ip> to any port 22,80,443` — Allow multiple ports from a specific IP.

```bash
sudo ufw allow proto tcp from 10.0.0.5 to any port 22,80,443
```

<!-- PROSE:outro -->
## Conclusion

ufw takes the complexity out of iptables and nftables without taking away control: for most servers a restrictive default policy, a handful of `allow` rules and a `limit` on the SSH port are all you need. Always think of the SSH rule first before you enable or reset the firewall – otherwise you will lock yourself out. If you need finer-grained rules, pair ufw with tools like fail2ban or drop down to the underlying Netfilter rules directly.

## Further Reading

- [UFW – Ubuntu community documentation](https://help.ubuntu.com/community/UFW) – detailed guide
- [ufw(8) – manual page](https://manpages.ubuntu.com/manpages/noble/en/man8/ufw.8.html) – every option at a glance
- [Uncomplicated Firewall – Wikipedia](https://en.wikipedia.org/wiki/Uncomplicated_Firewall) – background and context
<!-- PROSE:outro:end -->