Introduction
UFW (Uncomplicated Firewall) is a user-friendly firewall configuration tool built on top of iptables, found by default in Ubuntu distributions. It simplifies the task of managing common firewall scenarios through a command-line interface.
This cheat sheet guide serves as a quick reference for essential UFW commands and use cases, including examples of how to allow or block services based on port, network interface, and source IP address.
How To Use This Guide
- This guide is structured like a cheat sheet with concise command-line snippets.
- You can navigate directly to the section relevant to your current task.
- The IP addresses shown in the commands (highlighted in the original) are placeholders; substitute addresses from your own network.
You can check your current UFW rules with sudo ufw status or sudo ufw status verbose.
Verify UFW Status
To determine whether ufw is active, execute:
$ sudo ufw status
Status: inactive
The output will reflect whether your firewall is on or off.
Enable UFW
If you receive a Status: inactive message when executing ufw status, it means the firewall isn't enabled yet. You'll need to run a command to activate it.
By default, once UFW is enabled, it will block external access to all ports on your server. Thus, if you are logged into a server via SSH and you enable ufw without permitting access through the SSH port beforehand, you will be disconnected. Ensure that you follow the section on enabling SSH access before enabling the firewall if that situation applies to you.
To enable UFW on your system, execute:
$ sudo ufw enable
You should see output similar to this:
Firewall is active and enabled on system startup
To see what is currently blocked or allowed, including the default policies, use the verbose parameter with ufw status:
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
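A pre-enable check, added here as an example that is not part of the original guide: it reads the output of sudo ufw show added (which lists rules you have added even while the firewall is still inactive, unlike ufw status) and only prints the enable command once a rule admitting SSH is present. The commands are printed rather than executed, and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): refuse to enable UFW until a
# rule that admits SSH is present. Input is the text of `sudo ufw show added`,
# which lists added rules even while the firewall is still inactive.

# Return 0 if an allow/limit rule for SSH (the OpenSSH profile, port 22 or
# 22/tcp, including "to any port 22") appears in the `ufw show added` text.
ssh_rule_present() {
    printf '%s\n' "$1" \
      | grep -E '^ufw (allow|limit)( in)? ' \
      | grep -Eq '( OpenSSH| 22(/tcp)?)$'
}

# Print the commands needed to reach an enabled firewall with SSH admitted.
# Nothing is executed here, so the plan can be reviewed before it is run.
safe_enable_plan() {
    if ! ssh_rule_present "$1"; then
        echo "sudo ufw allow OpenSSH"
    fi
    echo "sudo ufw enable"
}

# Constructed sample: only a deny rule has been added so far.
SAMPLE_NO_SSH="Added user rules (see 'ufw status' for running firewall):
ufw deny from 203.0.113.100"

# Constructed sample: SSH is already admitted from one subnet.
SAMPLE_WITH_SSH="Added user rules (see 'ufw status' for running firewall):
ufw deny from 203.0.113.100
ufw allow from 203.0.113.0/24 proto tcp to any port 22"

safe_enable_plan "$SAMPLE_NO_SSH"
```

On a live host you would feed the real output in with `safe_enable_plan "$(sudo ufw show added)"` and review the printed lines before running them; the check deliberately matches only the rule forms this guide uses (a profile name, a bare port, or a to any port 22 rule), so a rule written another way would still trigger the extra allow.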
Disable UFW
If you find it necessary to disable UFW, you can execute the following command:
$ sudo ufw disable
Be cautious, as this command will entirely turn off the firewall service on your system.
Block an IP Address
To prevent all network connections from a specific IP address, use the following command, substituting the IP address with the one you wish to block:
$ sudo ufw deny from 203.0.113.100
Rule added
In this case, from 203.0.113.100 identifies the source IP address "203.0.113.100".
If you run sudo ufw status now, the specified IP address will appear as denied:
Status: active
To Action From
-- ------ ----
Anywhere DENY 203.0.113.100
This blocks all incoming or outgoing connections for the specified IP address.
Block a Subnet
If you want to block an entire subnet, simply use the subnet address as the from parameter in the ufw deny command. For instance, to block all IP addresses in the subnet 203.0.113.0/24:
$ sudo ufw deny from 203.0.113.0/24
Rule added
Block Incoming Connections to a Network Interface
To block incoming connections from a specific IP address to a designated network interface, execute the following command, substituting the IP address with the one you wish to block:
$ sudo ufw deny in on eth0 from 203.0.113.100
Rule added
The in specification directs ufw to apply the rule solely to incoming connections, while the on eth0 part indicates that the rule applies only to the eth0 interface. This is particularly helpful on systems with multiple network interfaces, including virtual ones, where you may want to selectively block access on certain interfaces but not all.
Allow an IP Address
To permit all network connections from a particular IP address, run the command below, replacing the IP address with the desired one:
$ sudo ufw allow from 203.0.113.101
Rule added
After executing sudo ufw status, you should see output indicating ALLOW next to the IP address just added:
Status: active
To Action From
-- ------ ----
...
Anywhere ALLOW 203.0.113.101
You can also permit connections from an entire subnet by specifying the subnet mask associated with a host, such as 203.0.113.0/24.
Allow Incoming Connections to a Network Interface
To allow incoming connections from a specific IP address to a designated network interface, execute the following command, substituting the IP address with the one you want to permit:
$ sudo ufw allow in on eth0 from 203.0.113.102
Rule added
The in directive instructs ufw to apply the rule only to incoming connections, and the on eth0 directive specifies that the rule applies only to the eth0 interface.
If you run sudo ufw status now, you will see output similar to this:
Status: active
To Action From
-- ------ ----
...
Anywhere on eth0 ALLOW 203.0.113.102
Delete UFW Rule
To remove a previously established rule in UFW, use ufw delete followed by the rule type (allow or deny) and the target specification. In the following instance, we delete a rule that previously allowed all connections from the IP address 203.0.113.101:
$ sudo ufw delete allow from 203.0.113.101
Rule deleted
Alternatively, you can specify which rule to remove by providing the rule ID, which can be obtained using the following command:
$ sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] Anywhere DENY IN 203.0.113.100
[ 2] Anywhere on eth0 ALLOW IN 203.0.113.102
This output reveals that two active rules exist: the first denies all connections from the IP address 203.0.113.100, while the second allows connections on the eth0 interface from 203.0.113.102.
Since UFW already prevents all external access unless specified otherwise, the first rule is redundant. To delete a rule by its ID, execute:
$ sudo ufw delete 1
You will be asked to confirm the action; make sure that the provided ID corresponds to the rule you intend to delete.
Deleting: deny from 203.0.113.100
Proceed with operation (y|n)? y
Rule deleted
By listing your rules again with sudo ufw status, you will see that the rule was successfully removed.
List Available Application Profiles
When installed, applications that depend on network connections will generally create a UFW profile you can use to permit external connections. This serves as a shortcut that abstracts the specific port numbers a service uses and provides a user-friendly identifier for the service.
To list currently available profiles, run:
$ sudo ufw app list
If you do not see a profile for a service such as a web server or another network-dependent application, first ensure that the service is running. On remote servers, you will typically find OpenSSH already available:
Available applications:
OpenSSH
Enable Application Profile
To enable a UFW application profile, execute ufw allow followed by the name of the application profile obtained from sudo ufw app list. For instance, enabling the OpenSSH profile will allow all incoming SSH connections on the default port.
$ sudo ufw allow "OpenSSH"
Rule added
Rule added (v6)
Be sure to enclose profile names with multiple words in quotes, such as "Nginx HTTPS".
Disable Application Profile
To disable an application profile previously established within UFW, remove its corresponding rule. For example, consider the output from sudo ufw status:
$ sudo ufw status
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx Full ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
The output indicates that the Nginx Full profile is enabled, allowing all connections to the web server over both HTTP and HTTPS. If you wish to permit only HTTPS requests, enable the more restrictive rule, Nginx HTTPS, then disable the currently active Nginx Full rule:
$ sudo ufw allow "Nginx HTTPS"
$ sudo ufw delete allow "Nginx Full"
Remember, you can list all available application profiles using sudo ufw app list.
Allow SSH
When working with remote servers, keeping the SSH port accessible is vital for logging into your server remotely.
The command below will enable the OpenSSH UFW profile, permitting all connections to the default SSH port:
$ sudo ufw allow OpenSSH
Rule added
Rule added (v6)
A less user-friendly alternative is to specify the explicit port number for the SSH service, typically 22:
$ sudo ufw allow 22
Rule added
Rule added (v6)
Allow Incoming SSH from Specific IP Address or Subnet
To permit incoming connections from a specific IP address or subnet, include a from statement to specify the connection's origin. Additionally, designate the destination address using a to parameter. To confine this rule to SSH, limit the proto (protocol) to tcp and set the port parameter to 22, the default SSH port.
The command below will allow only SSH connections from the IP address 203.0.113.103:
$ sudo ufw allow from 203.0.113.103 proto tcp to any port 22
Rule added
You can also use a subnet address as the from parameter to enable incoming SSH connections from an entire network:
$ sudo ufw allow from 203.0.113.0/24 proto tcp to any port 22
Rule added
Allow Incoming Rsync from Specific IP Address or Subnet
The Rsync program, which operates on port 873, is used for transferring files between two computers.
To allow incoming rsync connections from a specific IP address or subnet, use the from parameter to define the source IP address and the port parameter to designate the destination port 873.
The command below will allow only Rsync connections from the IP address 203.0.113.103:
$ sudo ufw allow from 203.0.113.103 to any port 873
Rule added
To allow the entire 203.0.113.0/24 subnet access to rsync on your server, execute:
$ sudo ufw allow from 203.0.113.0/24 to any port 873
Rule added
Allow Nginx HTTP / HTTPS
After installation, the Nginx web server registers several UFW profiles on the server. Once Nginx is installed and enabled as a service, you can run the command below to find the available profiles:
$ sudo ufw app list | grep Nginx
Nginx Full
Nginx HTTP
Nginx HTTPS
To allow both HTTP and HTTPS traffic, choose Nginx Full. Otherwise, select either Nginx HTTP for HTTP alone or Nginx HTTPS for HTTPS only.
The following command will enable both HTTP and HTTPS traffic on the server (ports 80 and 443):
$ sudo ufw allow "Nginx Full"
Rule added
Rule added (v6)
Allow Apache HTTP / HTTPS
When installed, the Apache web server likewise registers several UFW profiles on the server. Once Apache is installed and enabled as a service, run the command below to check for the available profiles:
$ sudo ufw app list | grep Apache
Apache
Apache Full
Apache Secure
To allow both HTTP and HTTPS traffic, select Apache Full. For HTTP only, opt for Apache, and for HTTPS only, select Apache Secure.
The following command will permit both HTTP and HTTPS traffic on the server (ports 80 and 443):
$ sudo ufw allow "Apache Full"
Rule added
Rule added (v6)
Allow All Incoming HTTP (port 80)
Web servers such as Apache and Nginx typically listen for HTTP requests on port 80. If your default policy for incoming connections is to drop or deny, you must create a UFW rule allowing external access on port 80. You can specify either the port number or the service name (http) as the parameter for this command.
To permit all incoming HTTP (port 80) connections, execute:
$ sudo ufw allow http
Rule added
Rule added (v6)
An alternative syntax is to specify the port number for the HTTP service:
$ sudo ufw allow 80
Rule added
Rule added (v6)
Allow All Incoming HTTPS (port 443)
HTTPS generally operates over port 443. If your default policy for incoming traffic is to drop or deny, you'll need to create a UFW rule permitting external access on port 443. You can use either the port number or the service name (https) for this command.
To allow all incoming HTTPS (port 443) connections, run:
$ sudo ufw allow https
Rule added
Rule added (v6)
An alternative syntax is to specify the port number for the HTTPS service:
$ sudo ufw allow 443
Rule added
Rule added (v6)
Allow All Incoming HTTP and HTTPS
To permit both HTTP and HTTPS traffic, create a single rule that allows both ports. This requires defining the protocol using the proto parameter, which should be set to tcp.
To allow all incoming HTTP and HTTPS (ports 80 and 443) connections, run:
$ sudo ufw allow proto tcp from any to any port 80,443
Rule added
Rule added (v6)
Allow MySQL Connection from Specific IP Address or Subnet
MySQL listens on port 3306 for client connections. If your MySQL database server serves a client on a remote server, you need to establish a UFW access rule.
To permit incoming MySQL connections from a specific IP or subnet, use the from parameter to specify the source IP and the port parameter to set the destination port 3306.
The following command will allow the IP address 203.0.113.103 to connect to your MySQL server:
$ sudo ufw allow from 203.0.113.103 to any port 3306
Rule added
To allow the entire 203.0.113.0/24 subnet access to your MySQL server, execute:
$ sudo ufw allow from 203.0.113.0/24 to any port 3306
Rule added
Allow PostgreSQL Connection from Specific IP Address or Subnet
PostgreSQL listens on port 5432 for client connections. If a client on a remote server uses your PostgreSQL database server, you must allow this traffic.
To permit incoming PostgreSQL connections from a specific IP address or subnet, indicate the source with from and set the port to 5432:
$ sudo ufw allow from 203.0.113.103 to any port 5432
Rule added
To grant the whole 203.0.113.0/24 subnet access to your PostgreSQL server, run:
$ sudo ufw allow from 203.0.113.0/24 to any port 5432
Rule added
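The SSH, rsync, MySQL and PostgreSQL rules above all follow one pattern: allow a TCP port only from a specific address or subnet. The script below, added here as an example and not from the original guide, generates such rules for a list of sources and first validates each source as an IPv4 address or CIDR prefix, so that a mistyped address is reported and skipped rather than turned into a rule. It adds proto tcp to every rule it emits (a choice of this example, not something the guide's rsync and database commands do); the addresses are constructed samples and the commands are printed, not executed.

```shell
#!/bin/sh
# Added example (not from the original guide): generate source-restricted
# `ufw allow` rules for a TCP port, validating each source first.

# Return 0 if the argument is a dotted-quad IPv4 address, optionally with a
# /0-32 prefix length (e.g. 203.0.113.103 or 203.0.113.0/24).
is_ipv4_or_cidr() {
    case "$1" in
        */*) addr=${1%/*}; plen=${1#*/} ;;
        *)   addr=$1;      plen=32 ;;
    esac
    printf '%s' "$plen" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$plen" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -f                # no pathname expansion while splitting
    set -- $addr
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        printf '%s' "$octet" | grep -Eq '^[0-9]{1,3}$' || return 1
        [ "$octet" -le 255 ] || return 1
    done
}

# Print one `ufw allow` command per source for the given TCP port.
# Invalid sources go to stderr and are skipped, so a typo never becomes a
# rule that is broader (or narrower) than intended.
allow_port_from_sources() {
    port=$1
    shift
    for src in "$@"; do
        if is_ipv4_or_cidr "$src"; then
            echo "sudo ufw allow from $src proto tcp to any port $port"
        else
            echo "skipping invalid source: $src" >&2
        fi
    done
}

# Constructed allowlist: an admin host, an office subnet, and one typo.
allow_port_from_sources 22 203.0.113.103 203.0.113.0/24 203.0.113.300
allow_port_from_sources 5432 203.0.113.0/24
```

Review the printed lines before running them; the point of generating rather than executing is that the whole rule set can be read as one unit, and the validation step catches the common mistakes (an out-of-range octet, a missing octet, a prefix length over 32) before they reach the firewall.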
Block Outgoing SMTP Mail
Mail servers such as Sendmail and Postfix typically use port 25 for SMTP. If your server shouldn't be sending outgoing mail, it may be beneficial to block such traffic. To halt outgoing SMTP connections, execute:
$ sudo ufw deny out 25
Rule added
Rule added (v6)
This configures your firewall to drop all outgoing traffic on port 25. If you need to deny outgoing connections on a different port, you can repeat this command, substituting 25 with the desired port number.
Conclusion
UFW is an effective tool that significantly enhances your servers’ security when properly configured. This reference guide outlines some common UFW rules typically utilized to set up a firewall on Ubuntu.
The majority of commands in this guide can be tailored to suit various scenarios and use cases by modifying parameters such as the source IP address and/or destination port. For more comprehensive information regarding each command's parameters and available modifiers, consult the man utility to access UFW's manual:
$ man ufw
The official UFW page on Ubuntu’s documentation offers another resource for more advanced use cases and examples.
Updated on November 11, 2024
Was this tutorial updated sooner than before?
For Apache code check this resource.
I believe there is an error in the code:
sudo ufw allow "Nginx Full"
This should be amended to:
sudo ufw allow "Apache Full"
Very informative. Many thanks.
This article is great, but I have a few suggestions to enhance its security. I recommend using app definitions instead of port numbers whenever possible. While most services correspond to single ports, there are exceptions (like mosh and FTP), and referring to app names makes the rules much clearer.
I would suggest using ufw limit "OpenSSH" to manage SSH access. This approach implements automatic rate limiting for new connections to your SSH port, which serves as a valuable defense against brute-force attacks.
If you wish to completely block an inbound IP address, ufw insert 1 deny from <ip> is an effective command. Placing it at the top of your rules ensures that it won't be overlooked due to other rules permitting access to ports such as 22 or 80 that might be targeted.
Concerning the initial ufw enable command, despite the existing warning, it requires significantly more emphasis. This step is the most critical and potentially dangerous, as it can easily lock you out. Therefore, be sure to establish rules that allow SSH beforehand and verify that alternative access routes are functional (for example, hypervisor console access and ensuring you know your password) before proceeding.
A handy tip:
Often, a UFW profile, such as OpenSSH, is established when you install the openssh-server package. By leveraging the pre-existing profile, you can limit access to a specific subnet, such as the one used by your home network. The command for that would be: sudo ufw allow from 192.168.0.0/24 to any app OpenSSH. Make sure to adjust the subnet as needed.
This is how it appears in practice when using only profiles:
To Action From
-- ------ ----
137,138/udp (Samba) ALLOW IN Anywhere
139,445/tcp (Samba) ALLOW IN Anywhere
80,443/tcp (Nginx Full) ALLOW IN Anywhere
3389/tcp (MySQL) ALLOW IN Anywhere
3389/udp (MySQL) ALLOW IN Anywhere
22/tcp (OpenSSH) ALLOW IN 192.168.0.0/24
137,138/udp (Samba (v6)) ALLOW IN Anywhere (v6)
139,445/tcp (Samba (v6)) ALLOW IN Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN Anywhere (v6)
3389/tcp (MySQL (v6)) ALLOW IN Anywhere (v6)
3389/udp (MySQL (v6)) ALLOW IN Anywhere (v6)
Could you also explain how to save the rules so they remain persistent? I seem to be unable to find this information anywhere.
What configurations are necessary for a WordPress installation?
I have completed the initial server setup on Ubuntu 16.04, installed LEMP, configured virtual hosts, and set up WordPress following the tutorials on Digital Ocean.
I have installed Wowza on my server, and during the process, I was required to open port 1935. After I executed the command “sudo ufw enable”, I lost access to my SSH! How can I regain access to my SSH? I really need your assistance.
After enabling UFW, I am unable to execute sudo apt-get update; it consistently states that it could not resolve the DigitalOcean mirror.
Here is my UFW status:
Incoming: Deny all
Outgoing: Allow all
Port Action From
3690 ALLOW Anywhere
9418/tcp ALLOW Anywhere
80 ALLOW Anywhere
443 ALLOW Anywhere
80 ALLOW OUT Anywhere
443 ALLOW OUT Anywhere
53 ALLOW OUT Anywhere
Thank you, Mitchell Anicas, for the informative article. It has been extremely useful. I have a question: Is it possible for me to create rules that either deny or permit specific MAC addresses?