Introduction

This guide explains the basics of the ufw firewall tool. ufw, which stands for Uncomplicated Firewall, is used by default on Ubuntu 18.x, but it can also be installed on other Linux distributions. It is a very straightforward command. By default ufw is disabled. Below we highlight a few of its basic commands.

Basic commands

In order to check the status of ufw the following command can be used:

[root@worldstream ~]# ufw status

The output of this command will most likely be:

Status: inactive

The ufw firewall can be enabled with the following command:

[root@worldstream ~]# ufw enable

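After running the above command, ufw will be active and will also be activated on startup. If you are connected over SSH, make sure a rule allowing SSH is in place before enabling the firewall, otherwise you can cut off your own session (see "How to secure your own connection to the server" below). ufw can be disabled with the disable option.

With the following command, you are able to change the default policy of ufw. The command below sets the default policy for incoming traffic to deny: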

[root@worldstream ~]# ufw default deny incoming

In the above command, you can swap deny and incoming for other options. Deny can be replaced with allow, and incoming can be changed to one of the other two policies. The other two policies are outgoing and routed.

Allowing services

With the following command, you are able to check the app list provided by ufw. The list of apps shown will depend on what packages you have installed on your system:

[root@worldstream ~]# ufw app list

An example of the output can be found below:

[root@worldstream ~]# ufw app list
Available applications:
Apache
Apache Full
Apache Secure
Lighttpd Full
Lighttpd HTTP
Lighttpd HTTPS
OpenSSH
Postfix
Postfix SMTPS
Postfix Submission

With the following command, you are able to find more information about an app profile:

[root@worldstream ~]# ufw app info 'Lighttpd HTTP'

The output will be as follows:

[root@worldstream ~]# ufw app info 'Lighttpd HTTP'
Profile: Lighttpd HTTP
Title: Web Server (lighttpd, HTTP)
Description: A fast webserver with minimal memory footprint

Port:
80/tcp

As you can see in the output above, the Lighttpd HTTP profile opens port 80/tcp.

There are a few ways to allow connections through the firewall: by service name, by port and protocol, or by application profile. Below you will find a few examples:

[root@worldstream ~]# ufw allow ssh
[root@worldstream ~]# ufw allow https
[root@worldstream ~]# ufw allow 443/tcp
[root@worldstream ~]# ufw allow 'Lighttpd HTTPS'

How to secure your own connection to the server

If you wish to make sure that you are always able to connect to your server, you will have to allow your connection in ufw. The one thing you need for this is your own public IP address. The IP address you use at home or at work will be used to create a rule that allows the connection. The command below can be used to make sure your IP is allowed in ufw:

[root@worldstream ~]# ufw allow from [Your public IP address]

The above command will allow your IP on all ports of the server. You can also restrict the rule to a single service, for example allowing your IP only for SSH (port 22):

[root@worldstream ~]# ufw allow from [Your public IP address] to any port 22

With ufw you are also able to allow a certain subnet. The below command will allow all connections from the private subnet 192.168.1.0/24:

[root@worldstream ~]# ufw allow from 192.168.1.0/24

In case you wish to block certain IPs or whole subnets, this can be done with the deny option. Just replace allow with deny in the commands above and you are then able to block IPs.

How to delete rules from ufw

In order to delete rules from ufw you can display the current rules in a numbered list:

[root@worldstream ~]# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80/tcp                     ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 5201                       ALLOW IN    Anywhere
[ 4] 443/tcp                    ALLOW IN    Anywhere
[ 5] Lighttpd HTTPS             ALLOW IN    Anywhere
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 5201 (v6)                  ALLOW IN    Anywhere (v6)
[ 9] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
[10] Lighttpd HTTPS (v6)        ALLOW IN    Anywhere (v6)

With the numbered output, you are able to remove any rule by passing its number to the following command:

[root@worldstream ~]# ufw delete 1

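With the above command, the first rule, which is port 80/tcp, will be removed from ufw. Only that one entry is removed: the matching (v6) rule is a separate entry and stays in place until it is deleted as well. The remaining rules are renumbered after each deletion, so check the numbered list again before deleting another rule. In case you wish to reset ufw, the following command can be used. With this command, all rules will be deleted and ufw will be disabled: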

[root@worldstream ~]# ufw reset
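Deleting by number, as described above, is easy to get wrong because the IPv4 and (v6) entries are listed separately and the numbers shift after every deletion. The script below is an added example, not part of the original guide: it reads `ufw status numbered` output and prints the delete commands for one target, highest number first, so earlier deletions do not renumber later ones. The function names are hypothetical, and the sample input is the output shown in this guide.

```shell
#!/bin/sh
# Added example, not from the original guide.
# It only prints a deletion plan for review; it never runs ufw itself.

# Sample input: the `ufw status numbered` output shown in this guide.
sample_status() {
cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80/tcp                     ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 5201                       ALLOW IN    Anywhere
[ 4] 443/tcp                    ALLOW IN    Anywhere
[ 5] Lighttpd HTTPS             ALLOW IN    Anywhere
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 5201 (v6)                  ALLOW IN    Anywhere (v6)
[ 9] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
[10] Lighttpd HTTPS (v6)        ALLOW IN    Anywhere (v6)
EOF
}

# Read numbered status output on stdin and print, highest first, the numbers
# of all rules whose "To" column equals $1 (IPv4 and "(v6)" entries alike).
rule_numbers_for() {
    awk -v target="$1" '
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            line = $0; sub(/^\[ *[0-9]+\] */, "", line)
            # The "To" column is everything before the action keyword.
            if (!match(line, / +(ALLOW|DENY|REJECT|LIMIT) /)) next
            to = substr(line, 1, RSTART - 1)
            sub(/ \(v6\)$/, "", to)
            if (to == target) print num
        }' | sort -rn | tr '\n' ' ' | sed 's/ $//'
}

# Print one "ufw delete N" line per matching rule, in an order that stays
# valid while the remaining rules are renumbered.
plan_delete() {
    for n in $(rule_numbers_for "$1"); do
        echo "ufw delete $n"
    done
}

sample_status | plan_delete '80/tcp'
```

On a live system, pipe the real output in instead of the sample, for example `ufw status numbered | plan_delete '80/tcp'`, and review the printed commands before running them.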

In case ufw is not the firewall tool you wish to use, make sure to check out our articles on iptables and firewalld.

If you are facing any difficulties with the configuration of ufw, feel free to contact us at my.ws.