ufw — Manage Firewall Rules the Easy Way
Practical guide to ufw — the simple firewall frontend for iptables/nftables: rules, profiles, rate limiting and logging on Ubuntu and Debian.
ufw (Uncomplicated Firewall) is the user-friendly firewall frontend on Ubuntu and Debian. Instead of writing iptables or nftables rules by hand, you type commands like ufw allow 22 or ufw enable and ufw translates them into the actual kernel rules behind the scenes. It is not a firewall of its own but a thin management layer over the Netfilter framework the kernel already provides. This guide walks you through the commands you reach for daily – from first enabling the firewall to application profiles, rate limiting and logging.
Enable & Status
ufw enable — Enable the firewall (start on boot).
sudo ufw enable
Warning – risk of lockout: ufw's default incoming policy is deny, so if no SSH rule exists yet, enabling the firewall on a remote server cuts off new SSH connections. Run sudo ufw allow OpenSSH (or sudo ufw allow 22) first, then sudo ufw enable, and confirm the rule with sudo ufw status before you close your current session.
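The "allow SSH first, then enable" step above is easy to forget in a provisioning script. The following added example (not part of the page or of ufw itself) puts a guard in front of ufw enable: it reads the rules queued for activation and refuses to enable unless one of them admits inbound SSH. It reads ufw show added rather than ufw status because ufw status prints no rules while the firewall is inactive. The three ADDED_* strings are constructed sample outputs in the format ufw show added prints; no host was queried for them.

```shell
#!/usr/bin/env bash
# Pre-flight guard for `ufw enable`: refuse to enable unless a rule that admits
# SSH has already been added. Added example, not part of ufw itself.
#
# `ufw status` prints no rules while the firewall is inactive, so the guard
# reads `ufw show added`, which lists the rules queued for activation.

# Constructed `ufw show added` output (no host was queried for these).
ADDED_OK="Added user rules (see 'ufw status' for running firewall):
ufw allow OpenSSH
ufw allow 80/tcp"

# Only an egress rule and a deny for SSH: enabling here would lock you out.
ADDED_MISSING="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow out 22/tcp
ufw deny 22"

# sshd moved to port 2222, admitted by a limit rule and a subnet rule.
ADDED_CUSTOM="Added user rules (see 'ufw status' for running firewall):
ufw limit 2222/tcp
ufw allow from 10.0.0.0/24 to any port 2222"

# has_ssh_rule ADDED_OUTPUT [PORT]
# Succeeds when ADDED_OUTPUT contains an allow or limit rule that admits
# inbound TCP on PORT (default 22), in either the short form
# ("ufw allow 22", "ufw allow 22/tcp", "ufw limit 22/tcp", "ufw allow OpenSSH")
# or the long form ("... to any port 22", "... port 22,80,443 proto tcp").
has_ssh_rule() {
    printf '%s\n' "$1" | awk -v port="${2:-22}" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") {
            if ($3 == "out") next            # egress rule, does not admit SSH
            t = $3; sub(/\/tcp$/, "", t)     # short form: "22" or "22/tcp"
            if (t == port || (port == "22" && t == "OpenSSH")) { found = 1; exit }
            for (i = 3; i < NF; i++)         # long form: "... port 22[,80,...]"
                if ($i == "port") {
                    n = split($(i + 1), plist, ",")
                    for (j = 1; j <= n; j++)
                        if (plist[j] == port) { found = 1; exit }
                }
        }
        END { exit found ? 0 : 1 }'
}

# safe_ufw_enable [PORT]: the check wired in front of the real command.
# Run this on the host instead of a bare `sudo ufw enable`.
safe_ufw_enable() {
    local port="${1:-22}"
    if has_ssh_rule "$(sudo ufw show added)" "$port"; then
        sudo ufw enable
    else
        echo "refusing to enable ufw: no allow/limit rule for SSH port $port" >&2
        return 1
    fi
}
```

On a host you would call safe_ufw_enable (or safe_ufw_enable 2222 for a non-standard sshd port) from your provisioning script. The guard deliberately ignores deny, reject and out rules, and only trusts the OpenSSH profile name for port 22, since that profile maps to 22/tcp.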
ufw disable — Disable the firewall.
sudo ufw disable
ufw status — Show firewall status and rules.
sudo ufw status
ufw status verbose — Show status with default policies and logging.
sudo ufw status verbose
ufw status numbered — Show rules with numbers (for deletion).
sudo ufw status numbered
Allow & Deny
ufw allow <port> — Allow incoming traffic on a port (TCP and UDP).
sudo ufw allow 80
ufw allow <port>/tcp — Allow only TCP traffic on a port.
sudo ufw allow 443/tcp
ufw allow <start>:<end>/tcp — Allow a range of TCP ports (ufw requires the protocol for a range).
sudo ufw allow 3000:3100/tcp
ufw deny <port> — Deny incoming traffic on a port.
sudo ufw deny 23
ufw allow from <ip> — Allow all traffic from a specific IP.
sudo ufw allow from 10.0.0.5
ufw allow from <ip> to any port <port> — Allow a specific IP or subnet (CIDR notation) to access a port.
sudo ufw allow from 10.0.0.0/24 to any port 22
ufw deny from <ip> — Block all traffic from a specific IP.
sudo ufw deny from 192.168.1.100
Application Profiles
ufw app list — List available application profiles (packages install them under /etc/ufw/applications.d).
sudo ufw app list
ufw allow '<app>' — Allow traffic for an application profile.
sudo ufw allow 'Nginx Full'
ufw app info '<app>' — Show details of an application profile.
sudo ufw app info 'OpenSSH'
ufw delete allow '<app>' — Remove an application rule.
sudo ufw delete allow 'Nginx HTTP'
Delete & Modify Rules
ufw delete allow <port> — Delete a rule by specification.
sudo ufw delete allow 8080
ufw delete <number> — Delete a rule by its number (from status numbered). Numbers shift after every deletion, so re-run status numbered before deleting the next one.
sudo ufw delete 3
ufw insert <number> allow from <ip> — Insert a rule at a specific position. Rules are evaluated in order and the first match wins, so a deny for a single host must sit above a broader allow that would otherwise match it.
sudo ufw insert 1 allow from 10.0.0.1
ufw reset — Reset all rules to defaults (disables firewall).
sudo ufw reset
Warning: ufw reset deletes every rule and turns the firewall off. On a remote server, make sure your SSH access does not depend on a rule that is about to be removed.
Rate Limiting & Defaults
ufw limit <port>/tcp — Rate limit connections: a source that opens more than 6 new connections within 30 seconds is denied, which blunts SSH brute-force attempts without locking out normal users.
sudo ufw limit 22/tcp
ufw default deny incoming — Set default policy to deny incoming traffic (ufw's stock default; restating it keeps a setup script self-describing).
sudo ufw default deny incoming
ufw default allow outgoing — Set default policy to allow outgoing traffic.
sudo ufw default allow outgoing
ufw default deny routed — Set default policy for routed/forwarded traffic (only relevant when the host forwards packets between interfaces).
sudo ufw default deny routed
Logging & Common Patterns
ufw logging on — Enable firewall logging.
sudo ufw logging on
ufw logging <level> — Set log level (off, low, medium, high, full). low logs blocked packets with rate limiting; the higher levels add allowed packets and new connections and grow the log quickly, so use them for debugging only.
sudo ufw logging medium
ufw allow out <port>/tcp — Allow outgoing traffic on a port (only needed once the default outgoing policy is deny).
sudo ufw allow out 587/tcp
ufw reject <port> — Reject instead of silently dropping: the client gets an explicit refusal (ICMP unreachable, or a TCP reset for TCP rules) and fails immediately instead of waiting for a timeout. Prefer deny on internet-facing ports, since a reject confirms that the host is up.
sudo ufw reject 23
ufw allow proto tcp from <ip> to any port 22,80,443 — Allow multiple ports from a specific IP; a comma-separated port list requires proto tcp or proto udp.
sudo ufw allow proto tcp from 10.0.0.5 to any port 22,80,443
Conclusion
ufw takes the complexity out of iptables and nftables without taking away control: for most servers a restrictive default policy, a handful of allow rules and a limit rule on the SSH port are all you need. Always add the SSH rule before you enable or reset the firewall, otherwise you lock yourself out. If you need finer-grained or reactive rules, pair ufw with tools like fail2ban or drop down to the underlying Netfilter rules directly.
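Before reaching for fail2ban, the firewall's own log (/var/log/ufw.log on Ubuntu with rsyslog, or journalctl -k) already tells you who is being blocked and on which ports. The following added example, not part of the page or of ufw, reduces the [UFW BLOCK] lines written at logging level low or higher, and the [UFW LIMIT BLOCK] lines produced by ufw limit, to a per-source, per-port count, and lists the sources that have crossed a threshold, which are the candidates for a ufw deny from <ip> rule. The log lines in SAMPLE_LOG are constructed to match the kernel's log format; they were not captured from a real host.

```shell
#!/usr/bin/env bash
# Summarise ufw log lines: which sources were blocked on which ports.
# Added example, not part of ufw. The log lines are constructed to look like
# the [UFW ...] lines rsyslog writes to /var/log/ufw.log; none were captured
# from a real host.

SAMPLE_LOG='Mar  3 10:15:22 web1 kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:23 web1 kernel: [ 1235.100000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:24 web1 kernel: [ 1236.200000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:30 web1 kernel: [ 1242.000000] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=4 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:31 web1 kernel: [ 1243.000000] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=5 DF PROTO=TCP SPT=33000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:32 web1 kernel: [ 1244.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=6 PROTO=UDP SPT=5353 DPT=5353 LEN=20'

# ufw_block_summary < logfile
# Prints "count src dport proto" for every drop the firewall logged, busiest
# first. Counts [UFW BLOCK] (deny rules and the default policy) and
# [UFW LIMIT BLOCK] (drops by `ufw limit`); [UFW ALLOW] lines are ignored.
ufw_block_summary() {
    awk '
        /\[UFW (LIMIT )?BLOCK\]/ {
            src = dpt = proto = ""
            for (i = 1; i <= NF; i++) {          # fields are KEY=VALUE tokens
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src != "" && dpt != "") count[src " " dpt " " proto]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2 -k3,3n
}

# ufw_noisy_sources THRESHOLD < logfile
# Lists source addresses with at least THRESHOLD blocked packets in total:
# the candidates for `ufw deny from <ip>` or a fail2ban jail.
ufw_noisy_sources() {
    ufw_block_summary | awk -v min="$1" '
        { total[$2] += $1 }
        END { for (s in total) if (total[s] >= min) print s }' | sort
}

# Wrapper that runs the summary over the constructed sample.
sample_summary() { printf '%s\n' "$SAMPLE_LOG" | ufw_block_summary; }
```

On a real host, feed the log instead of the sample: sudo ufw_block_summary < /var/log/ufw.log, or journalctl -k --no-pager | ufw_noisy_sources 50. The summary keys on destination port and protocol as well as source, so a scanner walking many ports shows up as many single-count lines for one address, which is exactly what the threshold check in ufw_noisy_sources is meant to catch.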
Further Reading
- UFW – Ubuntu community documentation – detailed guide
- ufw(8) – manual page – every option at a glance
- Uncomplicated Firewall – Wikipedia – background and context