Configure Uncomplicated Firewall (UFW) in Ubuntu

The Uncomplicated Firewall (UFW) is a tool available in Ubuntu distribution to configure iptables. In other words, it is a front-end for iptables. The tool enables us to set up a host-based firewall. A host-based firewall is best suited for individual devices which are connected to internet. With host-based firewalls we could protect our devices from potential threats like viruses, malware, hackers etc. Although, the package for UFW is available in Ubuntu distributions but it is not enabled by default. And, in some cases we need to install the package also. Therefore, first we will discuss how to install the relevant package. Thereafter, we would discuss how to configure Uncomplicated Firewall (UFW) in Ubuntu distributions.

Following operations would require you to have superuser privileges. In case you don’t have one, then contact your System Administrator for assistance.

Install UFW in Ubuntu

Installing Uncomplicated Firewall (UFW) is pretty straight-forward. All we need to do is issue the following in terminal –

sudo apt update
sudo apt install ufw

Once the installation gets completed, check the status of ufw. By default, ufw is in inactive state.

sudo ufw status
Configure Uncomplicated Firewall (UFW) in Ubuntu

First, we need to enable the firewall. Therefore, issue the following in terminal –

sudo ufw enable

Next, we need to check the status of ufw managed rules.

sudo ufw status verbose

It would return with the message –

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

Observe, by default all incoming connections have been denied while all outgoing connections have been allowed.

Though already set, we could issue following command to set the default configuration –

sudo ufw default deny incoming
sudo ufw default allow outgoing

For most users, the default configuration is more than enough. But for advanced users, default configuration will not suffice. For instance, if we want to allow SSH connections then we need to create a rule which allows SSH service. This could be done by –

sudo ufw allow ssh

To confirm whether ssh connections have been allowed or not –

sudo ufw status verbose

and, the output should resemble –

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                 Action         From
--                 ------         ----
22/tcp             ALLOW IN       Anywhere 
22/tcp (v6)        ALLOW IN       Anywhere (v6)

To delete a rule, add delete prefix to the existing rule –

sudo ufw delete allow ssh

Similarly, we could create or delete rules for other protocols too. The syntax comes out to be –

To allow a specific rule-

sudo ufw allow <port>/<optional-protocol>

To deny a specific rule-

sudo ufw deny <port>/<optional-protocol>

For instance,

sudo ufw allow 53/tcp
sudo ufw deny 53/udp

For port ranges –

sudo ufw allow 99:999/tcp

We can also allow/deny connection from a specific ip

sudo ufw allow from <ip-address>
sudo ufw deny from <ip-address>

For instance,

sudo ufw allow from 192.168.100.1
sudo ufw deny from 192.168.100.1

Allow/Deny connection by specific port and ip address

sudo ufw allow from <target> to <destination> port <port-number>
sudo ufw deny from <ip-address> to <protocol> port <port-number>

For instance,

sudo ufw allow from 192.168.100.1 to any port 22
sudo ufw deny from 192.168.100.1 to any port 22

Sometimes, it necessary to let the sender know that its traffic is being denied. In such cases, use reject instead of deny.

In conclusion, we discussed a bit about Uncomplicated Firewall (UFW) in Ubuntu. Through the command-line tool we can manage Linux firewall with ease.