Introduction

UFW (Uncomplicated Firewall) is a front end for configuring the iptables/netfilter packet filter and is installed by default on Ubuntu. It reduces the common host-firewall tasks (open a port, block a host, restrict a service to a subnet) to short command-line rules.

This cheat sheet is a quick reference for the essential UFW commands and use cases, with examples of allowing or blocking services by port, network interface, and source IP address.

How To Use This Guide

  • This guide is structured like a cheat sheet with concise command-line snippets.
  • You can jump directly to the section relevant to your current task.
  • The IP addresses in the examples (203.0.113.100, 203.0.113.0/24 and so on) come from the 203.0.113.0/24 documentation range and are placeholders; substitute addresses from your own network.
  • UFW evaluates rules top to bottom and stops at the first match, so the order in which you add rules matters.

You can check your current UFW rules with sudo ufw status, sudo ufw status verbose (which also shows the default policies) or sudo ufw status numbered (which shows each rule's position).


Verify UFW Status

To determine if ufw is activated, execute:

$ sudo ufw status

Status: inactive

The output will reflect whether your firewall is on or off.

Enable UFW

If ufw status reports Status: inactive, the firewall is not yet enabled and nothing is being filtered. You need to run a command to activate it.

Once enabled, UFW applies its default policy: deny all incoming connections, allow all outgoing ones. If you are logged in over SSH and enable ufw without first adding a rule that permits the SSH port, your session will be dropped and you will not be able to reconnect. Follow the section on allowing SSH before enabling the firewall, and make sure you have an out-of-band route (for example your provider's console) before you run the command. Rules you add are stored in /etc/ufw/user.rules and /etc/ufw/user6.rules and are reapplied at boot, so no separate step is needed to persist them.

To enable UFW on your system, execute:

$ sudo ufw enable

You should see output similar to this:

Firewall is active and enabled on system startup

To see the default policies together with your rules, add the verbose parameter to ufw status:

$ sudo ufw status verbose

Status: active

Logging: on (low)

Default: deny (incoming), allow (outgoing), deny (routed)

New profiles: skip

Disable UFW

If you find it necessary to disable UFW, you can execute the following command:

$ sudo ufw disable

Be cautious: this turns the firewall off entirely and stops every rule from being enforced. The rules themselves are kept and come back into force when you run sudo ufw enable again.

Block an IP Address

To prevent all incoming network connections from a specific IP address, use the following command, substituting the example address with the one you wish to block:

$ sudo ufw deny from 203.0.113.100

Rule added

Here from 203.0.113.100 identifies the source IP address; because no port is given, the rule applies to every port.

If you run sudo ufw status now, the specified IP address will appear as denied:

Status: active

To Action From

-- ------ ----

Anywhere DENY 203.0.113.100

A ufw rule is an incoming rule unless you say otherwise, so this blocks every incoming connection from that address; connections your server opens to the address are not affected. Note also that UFW evaluates rules in order and stops at the first match: if an allow rule for a port (for example 22/tcp from Anywhere) already exists above this one, traffic from 203.0.113.100 to that port still matches the allow rule first. To make a block take precedence over everything, put it at the top with sudo ufw insert 1 deny from 203.0.113.100.

Block a Subnet

If you want to block an entire subnet, simply use the subnet address as the from parameter in the ufw deny command. For instance, to block all IP addresses in the subnet 203.0.113.0/24:

$ sudo ufw deny from 203.0.113.0/24

Rule added

Block Incoming Connections to a Network Interface

To block incoming connections from a specific IP address on a designated network interface, execute the following command, substituting the example IP address with the one you wish to block:

$ sudo ufw deny in on eth0 from 203.0.113.100

Rule added

The in keyword directs ufw to apply the rule only to incoming connections, and on eth0 restricts it to the eth0 interface. This is useful on systems with multiple network interfaces, including virtual ones, where you want to block access on a public interface but not on a private or management one. Check the interface names with ip link before using them; modern Ubuntu releases usually use names such as ens3 or enp0s3 rather than eth0.

Allow an IP Address

To permit all incoming network connections from a particular IP address, run the command below, replacing the example IP address with the desired one:

$ sudo ufw allow from 203.0.113.101

Rule added

After executing sudo ufw status, you should see ALLOW next to the IP address you just added:

Status: active

To Action From

-- ------ ----

...

Anywhere ALLOW 203.0.113.101

Note that this opens every port to that host. Where possible, combine from with to any port and proto (as in the SSH, MySQL and PostgreSQL sections below) so the host can only reach the service it needs. You can also permit an entire subnet by giving it in CIDR notation, such as 203.0.113.0/24.

Allow Incoming Connections to a Network Interface

To allow incoming connections from a specific IP address on a designated network interface, execute the following command, substituting the example IP address with the one you want to permit:

$ sudo ufw allow in on eth0 from 203.0.113.102

Rule added

The in directive instructs ufw to apply the rule only for incoming connections, and the on eth0 directive specifies that the rule applies only to the eth0 interface.

If you run sudo ufw status now, you will witness output similar to this:

Status: active

To Action From

-- ------ ----

...

Anywhere on eth0 ALLOW 203.0.113.102

Delete UFW Rule

To remove a previously established rule in UFW, utilize ufw delete followed by the rule type (allow or deny) and the target specification. In the following instance, we would delete a rule that previously allowed all connections from the IP address 203.0.113.101:

$ sudo ufw delete allow from 203.0.113.101

Rule deleted

Alternatively, you can specify which rule to remove by providing the rule ID, which can be obtained using the following command:

$ sudo ufw status numbered

Status: active

To Action From

-- ------ ----

[ 1] Anywhere DENY IN 203.0.113.100

[ 2] Anywhere on eth0 ALLOW IN 203.0.113.102

This output shows two active rules: the first denies all connections from the IP address 203.0.113.100, while the second allows connections on the eth0 interface from 203.0.113.102.

With the default incoming policy of deny, the first rule is redundant (nothing from that host would be accepted anyway). To delete a rule by its number, execute:

$ sudo ufw delete 1

You will be asked to confirm the action and ensure that the provided ID corresponds to the intended rule to be deleted.

Deleting:

deny from 203.0.113.100

Proceed with operation (y|n)? y

Rule deleted

List your rules again with sudo ufw status numbered to confirm the rule is gone. Deleting a rule renumbers the ones after it, so when removing several rules by number, re-run ufw status numbered before each deletion or delete from the highest number down.
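The numbered listing above is exactly what an ordering audit needs. Because UFW stops at the first matching rule, two mistakes are easy to make and hard to spot by eye: enabling the firewall without an inbound allow for the SSH port (the lockout warned about under Enable UFW), and adding a host-wide deny below an allow that already matches that host (see Block an IP Address). The following Python script is an example added to this cheat sheet; it is not part of the original tutorial or of ufw. It parses the output of sudo ufw status numbered and reports both conditions. It assumes the column layout shown above and that sshd listens on the port you pass in (22 by default); the Rule class, the audit function and the sample listing are this example's own, and the listing is constructed so the script runs without ufw installed.

```python
"""Audit `sudo ufw status numbered` output for lockout and rule-ordering mistakes.

Example code added to this cheat sheet, not part of ufw. It assumes the column
layout that `ufw status numbered` prints and that sshd listens on the port
passed to audit() (22 by default).
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass


@dataclass
class Rule:
    num: int        # position in the list; UFW stops at the first match
    to: str         # e.g. "22/tcp", "Anywhere on eth0", "80,443/tcp (v6)"
    action: str     # ALLOW, DENY, REJECT or LIMIT
    direction: str  # IN, OUT or FWD
    src: str        # e.g. "Anywhere", "203.0.113.100", "203.0.113.0/24"

    @property
    def ipv6(self) -> bool:
        return "(v6)" in self.to or "(v6)" in self.src


LINE_RE = re.compile(r"^\[\s*(\d+)\]\s+(.*)$")


def parse_status(text: str) -> list[Rule]:
    """Parse the "[ n] To  Action  From" lines; status and header lines are skipped."""
    rules: list[Rule] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Columns are separated by two or more spaces; "ALLOW IN" is one column.
        cols = re.split(r"\s{2,}", m.group(2).strip())
        if len(cols) != 3:
            raise ValueError(f"unexpected rule line: {line!r}")
        to, action_dir, src = cols
        action, _, direction = action_dir.partition(" ")
        rules.append(Rule(int(m.group(1)), to, action, direction or "IN", src))
    return rules


def _target(rule: Rule) -> str:
    """Port/app part of the To column, without interface or (v6) suffix."""
    return rule.to.replace(" (v6)", "").split(" on ")[0]


def _is_allow(rule: Rule) -> bool:
    return rule.direction == "IN" and rule.action in ("ALLOW", "LIMIT")


def has_ssh_allow(rules: list[Rule], ssh_port: int = 22) -> bool:
    """True if some inbound rule admits SSH. Check this before `ufw enable`.
    The OpenSSH profile only covers 22/tcp, so a non-default port needs its own rule."""
    accepted = {"OpenSSH", str(ssh_port), f"{ssh_port}/tcp"}
    return any(_is_allow(r) and _target(r) in accepted for r in rules)


def shadowed_denies(rules: list[Rule]) -> dict[int, list[int]]:
    """Map each DENY/REJECT for a specific source to the earlier allow rules that
    match that source first, which makes the deny ineffective on those ports."""
    result: dict[int, list[int]] = {}
    for i, deny in enumerate(rules):
        if deny.direction != "IN" or deny.action not in ("DENY", "REJECT"):
            continue
        if deny.src.startswith("Anywhere"):
            continue  # a blanket deny is a policy choice, not an ordering bug
        earlier = [
            r.num for r in rules[:i]
            if _is_allow(r) and r.ipv6 == deny.ipv6
            and (r.src.startswith("Anywhere") or r.src == deny.src)
            and (_target(deny) == "Anywhere" or _target(r) == _target(deny))
        ]
        if earlier:
            result[deny.num] = earlier
    return result


def audit(status_text: str, ssh_port: int = 22) -> list[str]:
    """Return human-readable findings; an empty list means nothing was found."""
    rules = parse_status(status_text)
    by_num = {r.num: r for r in rules}
    findings: list[str] = []
    if not has_ssh_allow(rules, ssh_port):
        findings.append(f"no inbound allow for SSH port {ssh_port}: enabling ufw now "
                        f"would drop your SSH session (run: sudo ufw allow {ssh_port}/tcp)")
    for num, allows in shadowed_denies(rules).items():
        d = by_num[num]
        findings.append(f"rule {num} ({d.action} from {d.src}) is shadowed by earlier "
                        f"rule(s) {allows}; move it to the top with: "
                        f"sudo ufw insert 1 {d.action.lower()} from {d.src}")
    return findings


# Constructed sample listing: the admin allowed SSH and the web ports first,
# then tried to block a scanner with `ufw deny from 203.0.113.100`.
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80,443/tcp                 ALLOW IN    Anywhere
[ 3] Anywhere                   DENY IN     203.0.113.100
[ 4] 3306/tcp                   ALLOW IN    203.0.113.0/24
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 80,443/tcp (v6)            ALLOW IN    Anywhere (v6)
"""

if __name__ == "__main__":
    # Use a live listing when one is piped in, otherwise the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

On a live host run it as sudo ufw status numbered | python3 ufw_audit.py (the file name is this example's own). For the sample listing it reports that rule 3 is shadowed by rules 1 and 2, which is why the scanner can still reach SSH and the web ports, and it suggests the insert 1 form. The shadow check deliberately ignores interface qualifiers: an allow with no interface matches on every interface, so it shadows an interface-specific deny too.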

List Available Application Profiles

Packages for network services usually ship a UFW application profile (a small file under /etc/ufw/applications.d) that you can use to permit their traffic. A profile is a shortcut that maps a friendly name to the ports and protocols the service uses, so you do not have to remember the port numbers.

To list the profiles currently available, run:

$ sudo ufw app list

Available applications:

OpenSSH

If you do not see a profile for a service such as a web server, make sure the package is installed: the profile arrives with the package, whether or not the service is running. On remote servers you will typically find OpenSSH already present. To see exactly which ports a profile opens, run sudo ufw app info OpenSSH.

Enable Application Profile

To enable a UFW application profile, execute ufw allow followed by the name of the profile obtained from sudo ufw app list. For instance, enabling the OpenSSH profile allows all incoming SSH connections on the default port:

$ sudo ufw allow "OpenSSH"

Rule added

Rule added (v6)

Be sure to quote profile names that contain spaces, such as "Nginx HTTPS". A profile only opens the ports listed in its definition (22/tcp for OpenSSH), so if you run a service on a non-default port you must allow that port explicitly.

Disable Application Profile

To disable an application profile previously established within UFW, remove its corresponding rule. For example, consider the output from sudo ufw status:

$ sudo ufw status

Status: active

To Action From

-- ------ ----

OpenSSH ALLOW Anywhere

Nginx Full ALLOW Anywhere

OpenSSH (v6) ALLOW Anywhere (v6)

Nginx Full (v6) ALLOW Anywhere (v6)

The output indicates that the Nginx Full profile is enabled, allowing all connections to the web server over both HTTP and HTTPS. If you wish to permit only HTTPS requests, enable the more restrictive rule, Nginx HTTPS, then disable the currently active Nginx Full rule:

$ sudo ufw allow "Nginx HTTPS"

$ sudo ufw delete allow "Nginx Full"

Remember, you can list all available application profiles using sudo ufw app list.

Allow SSH

On remote servers the SSH port must stay reachable, or you will lose the ability to log in.

The command below enables the OpenSSH UFW profile, permitting all connections to the default SSH port:

$ sudo ufw allow OpenSSH

Rule added

Rule added (v6)

Alternatively, specify the port number explicitly. SSH runs over TCP, so name the protocol too; a bare sudo ufw allow 22 would open the port for UDP as well:

$ sudo ufw allow 22/tcp

Rule added

Rule added (v6)

If the SSH port must be reachable from the whole internet, consider sudo ufw limit OpenSSH (or limit 22/tcp) instead of allow: the rule still permits connections but rate-limits new connections from a single source, which blunts password brute-force attempts. Better still, restrict the source as shown in the next section.

Allow Incoming SSH from Specific IP Address or Subnet

To permit incoming connections from a specific IP address or subnet, include a from statement to specify the connection’s origin. Additionally, designate the destination address using a to parameter. To confine this rule to SSH, limit the proto (protocol) to tcp and indicate the port parameter to 22, which is the default SSH port.

The command below will allow only SSH connections from the IP address 203.0.113.103:

$ sudo ufw allow from 203.0.113.103 proto tcp to any port 22

Rule added

You can also utilize a subnet address as the from parameter to enable incoming SSH connections from an entire network:

$ sudo ufw allow from 203.0.113.0/24 proto tcp to any port 22

Rule added

Allow Incoming Rsync from Specific IP Address or Subnet

The rsync daemon (rsync --daemon) listens on TCP port 873. Note that rsync run over SSH uses the SSH port instead and needs no extra rule.

To allow incoming rsync daemon connections from a specific IP address or subnet, use from to define the source, to any port 873 for the destination port, and proto tcp so the rule does not also open UDP 873.

The command below allows rsync connections only from the IP address 203.0.113.103:

$ sudo ufw allow from 203.0.113.103 to any port 873 proto tcp

Rule added

To allow the entire 203.0.113.0/24 subnet access to rsync on your server, execute:

$ sudo ufw allow from 203.0.113.0/24 to any port 873 proto tcp

Rule added

Allow Nginx HTTP / HTTPS

After installation, the Nginx web server establishes various UFW profiles on the server. Once Nginx is installed and enabled as a service, you can run the command below to find available profiles:

$ sudo ufw app list | grep Nginx

Nginx Full

Nginx HTTP

Nginx HTTPS

To allow both HTTP and HTTPS traffic, choose Nginx Full. Otherwise, select either Nginx HTTP for HTTP alone or Nginx HTTPS for HTTPS only.

The following command will enable both HTTP and HTTPS traffic on the server (ports 80 and 443):

$ sudo ufw allow "Nginx Full"

Rule added

Rule added (v6)

Allow Apache HTTP / HTTPS

When installed, the Apache web server likewise sets up various UFW profiles on the server. Once Apache is installed and enabled as a service, run the command below to check for available profiles:

$ sudo ufw app list | grep Apache

Apache

Apache Full

Apache Secure

To allow both HTTP and HTTPS traffic, select Apache Full. For HTTP, opt for Apache, and for HTTPS, select Apache Secure.

The following command will permit both HTTP and HTTPS traffic on the server (ports 80 and 443):

$ sudo ufw allow "Apache Full"

Rule added

Rule added (v6)

Allow All Incoming HTTP (port 80)

Web servers such as Apache and Nginx typically listen for HTTP requests on port 80. Because the default policy for incoming connections is deny, you must add a rule allowing external access on port 80. You can give either the service name (http, which ufw resolves through /etc/services to 80/tcp) or the port number.

To permit all incoming HTTP (port 80) connections, execute:

$ sudo ufw allow http

Rule added

Rule added (v6)

The equivalent rule by port number is shown below. A bare port number opens it for both TCP and UDP, so name the protocol when you want HTTP only:

$ sudo ufw allow 80/tcp

Rule added

Rule added (v6)

Allow All Incoming HTTPS (port 443)

HTTPS generally operates over port 443. Because the default policy for incoming traffic is deny, you need a UFW rule permitting external access on port 443. You can use either the service name (https, resolved to 443/tcp) or the port number.

To allow all incoming HTTPS (port 443) connections, run:

$ sudo ufw allow https

Rule added

Rule added (v6)

The equivalent rule by port number, again with the protocol named so that UDP 443 is not opened as a side effect:

$ sudo ufw allow 443/tcp

Rule added

Rule added (v6)

Allow All Incoming HTTP and HTTPS

To permit both HTTP and HTTPS traffic, create a singular rule that allows both ports. This requires defining the protocol using the proto parameter, which should be set to tcp.

To allow all incoming HTTP and HTTPS (ports 80 and 443) connections, run:

$ sudo ufw allow proto tcp from any to any port 80,443

Rule added

Rule added (v6)

Allow MySQL Connection from Specific IP Address or Subnet

MySQL listens on TCP port 3306 for client connections. If a client on a remote server needs to reach your MySQL server, you must add a UFW rule for it. Do not open 3306 to Anywhere; restrict it to the clients that need it so the database is not relying on its password checks alone.

To permit incoming MySQL connections from a specific IP address or subnet, use from to specify the source, to any port 3306 for the destination port, and proto tcp.

The following command allows the IP address 203.0.113.103 to connect to your MySQL server:

$ sudo ufw allow from 203.0.113.103 to any port 3306 proto tcp

Rule added

To allow the entire 203.0.113.0/24 subnet access to your MySQL server, execute:

$ sudo ufw allow from 203.0.113.0/24 to any port 3306 proto tcp

Rule added

Allow PostgreSQL Connection from Specific IP Address or Subnet

PostgreSQL listens on TCP port 5432 for client connections. If a client on a remote server uses your PostgreSQL database server, you must allow this traffic, and as with MySQL you should allow it only from the clients that need it.

To permit incoming PostgreSQL connections from a specific IP address or subnet, indicate the source with from, set the destination port to 5432 and name the protocol:

$ sudo ufw allow from 203.0.113.103 to any port 5432 proto tcp

Rule added

To grant the whole 203.0.113.0/24 subnet access to your PostgreSQL server, run:

$ sudo ufw allow from 203.0.113.0/24 to any port 5432 proto tcp

Rule added

Block Outgoing SMTP Mail

Mail servers such as Sendmail and Postfix use port 25 for SMTP. If your server is not supposed to send mail directly, or you want to stop a compromised process from doing so, block that traffic. Because the default outgoing policy is allow, this needs an explicit rule:

$ sudo ufw deny out 25

Rule added

Rule added (v6)

This configures your firewall to silently drop all outgoing traffic to port 25 (use reject instead of deny to send an error back so local programs fail fast rather than time out). If you need to deny outgoing connections on a different port, repeat the command with that port number. Mail submission to a relay uses port 587 or 465 and is not affected by this rule.

Conclusion

UFW is an effective tool that significantly enhances your servers’ security when properly configured. This reference guide outlines some common UFW rules typically utilized to set up a firewall on Ubuntu.

The majority of commands in this guide can be tailored to suit various scenarios and use cases by modifying parameters such as source IP address and/or destination port. For more comprehensive information regarding each command’s parameters and available modifiers, consult the man utility to access UFW’s manual:

$ man ufw

The official UFW page on Ubuntu’s documentation offers another resource for more advanced use cases and examples.


Dev/Ops passionate about open source, PHP, and Linux.

Updated on November 11, 2024

Was this tutorial updated sooner than before?

For Apache code check this resource.

I believe there is an error in the code:

sudo ufw allow "Nginx Full"

This should be amended to:

sudo ufw allow "Apache Full"

Very informative. Many thanks.

This article is great, but I have a few suggestions to enhance its security. I recommend using app definitions instead of port numbers whenever possible. While most services correspond to single ports, there are exceptions (like mosh and FTP), and referring to app names makes the rules much clearer.

I would suggest using ufw limit "OpenSSH" to manage SSH access. This approach implements automatic rate limiting for new connections to your SSH port, which serves as a valuable defense against brute-force attacks.

If you wish to completely block an inbound IP address, ufw insert 1 deny from <ip> is an effective command. Placing it at the top of your rules ensures that it won’t be overlooked due to other rules permitting access to ports such as 22 or 80 that might be targeted.

Concerning the initial ufw enable command, despite the existing warning, it requires significantly more emphasis. This step is the most critical and potentially dangerous, as it can easily lock you out. Therefore, be sure to establish rules that allow SSH beforehand and verify that alternative access routes are functional (for example, hypervisor console access and ensuring you know your password) before proceeding.

A handy tip:

Often, a UFW profile, such as OpenSSH, is established when you install the openssh-server package. By leveraging the pre-existing profile, you can limit access to a specific subnet, such as the one used by your home network. The command for that would be: sudo ufw allow from 192.168.0.0/24 to any app OpenSSH. Make sure to adjust the subnet as needed.

This is how it appears in practice when using only profiles:

To                            Action      From
--                            ------      ----
137,138/udp (Samba)           ALLOW IN    Anywhere
139,445/tcp (Samba)           ALLOW IN    Anywhere
80,443/tcp (Nginx Full)       ALLOW IN    Anywhere
3389/tcp (MySQL)              ALLOW IN    Anywhere
3389/udp (MySQL)              ALLOW IN    Anywhere
22/tcp (OpenSSH)              ALLOW IN    192.168.0.0/24
137,138/udp (Samba (v6))      ALLOW IN    Anywhere (v6)
139,445/tcp (Samba (v6))      ALLOW IN    Anywhere (v6)
80,443/tcp (Nginx Full (v6))  ALLOW IN    Anywhere (v6)
3389/tcp (MySQL (v6))         ALLOW IN    Anywhere (v6)
3389/udp (MySQL (v6))         ALLOW IN    Anywhere (v6)

Could you also explain how to save the rules so they remain persistent? I seem to be unable to find this information anywhere.

What configurations are necessary for a WordPress installation?

I have completed the initial server setup on Ubuntu 16.04, installed LEMP, configured virtual hosts, and set up WordPress following the tutorials on Digital Ocean.

I have installed Wowza on my server, and during the process, I was required to open port 1935. After I executed the command “sudo ufw enable”, I lost access to my SSH! How can I regain access to my SSH? I really need your assistance.

After enabling UFW, I am unable to execute sudo apt-get update; it consistently states that it could not resolve the DigitalOcean mirror.

Here is my UFW status:

Incoming: Deny all
Outgoing: Allow all

Port        Action      From
3690        ALLOW       Anywhere
9418/tcp    ALLOW       Anywhere
80          ALLOW       Anywhere
443         ALLOW       Anywhere
80          ALLOW OUT   Anywhere
443         ALLOW OUT   Anywhere
53          ALLOW OUT   Anywhere

Thank you, Mitchell Anicas, for the informative article. It has been extremely useful. I have a question: Is it possible for me to create rules that either deny or permit specific MAC addresses?


