Configure UFW firewall on Ubuntu

UFW (Uncomplicated Firewall) is the default firewall that comes pre-installed on Ubuntu servers. It is simple to use and easy to manage. This guide covers how to configure UFW on Ubuntu for a web server.

With UFW you can block ports and services, and allow access only to the specific services you want reachable from the outside.

It comes pre-installed, but if it is missing you can install it with apt install ufw.

Note: do not enable it until you have made sure that at least the port(s) you use to reach the server are allowed, e.g. SSH.

Check its status through systemctl.

systemctl status ufw

You will see it is running but not enabled yet.

Running its status command (ufw status) will give you:

Status: inactive

Basic configuration

ufw default allow outgoing

This allows the server to reach the Internet for anything you want to download or update.

ufw default deny incoming

This blocks all incoming traffic to the server, since we only want to selectively allow a handful of services.

Allow the SSH port so we can still access the server; change the port number if yours is different.

Bonus: you can add a comment to a rule to record an explanation for future reference.

ufw allow 22 comment 'Allow ssh port 22'
Rule updated
Rule updated (v6)

You can also allow/deny services by name, e.g. ufw allow ssh.

Allow access to web server ports.

ufw allow 80
ufw allow 443

You can allow another port if you have any other application listening on it.

At this point, if you only want to allow SSH from a specific IP, you can do that with:

ufw allow from 192.168.0.1 to any port 22

Note: be very careful with allowing SSH from a single IP only if your IP is dynamic: when the IP changes, it will lock you out.

You can now enable the firewall.

ufw enable

You will be prompted to type y or n to proceed.

Command may disrupt existing ssh connections. Proceed with operation (y|n)?

Run ufw status to see the firewall status and the allowed/denied ports and services.
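The steps above as one script, added here as an example and not part of the original post: it applies the same defaults and rules, then checks the output of ufw status numbered for an ALLOW IN rule on the SSH port before enabling, so the lock-out the note warns about cannot happen. The port and the ufw command are assumptions you can override via SSH_PORT and UFW_CMD (set UFW_CMD="echo ufw" for a dry run); the --force flag skips the y/n prompt.

```shell
#!/bin/sh
# Added example (not from the original post): apply the tutorial's policy and
# refuse to enable the firewall unless an ALLOW IN rule for the SSH port exists.
set -eu

SSH_PORT="${SSH_PORT:-22}"      # assumption: sshd listens on 22
UFW_CMD="${UFW_CMD:-ufw}"       # set to "echo ufw" for a dry run

# Constructed sample, copied from the `ufw status numbered` output shown in this post.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22                         ALLOW IN    192.168.0.1'

# allow_in_rule_present STATUS PORT
# Returns 0 when STATUS (ufw status numbered output) contains an ALLOW IN rule
# for PORT, with or without a /tcp, /udp or (v6) suffix.
allow_in_rule_present() {
    printf '%s\n' "$1" | grep -Eq "^\[ *[0-9]+\] +$2(/tcp|/udp)?( \(v6\))? +ALLOW IN "
}

# The post's policy: outbound open, inbound closed except SSH and the web ports.
apply_policy() {
    $UFW_CMD default allow outgoing
    $UFW_CMD default deny incoming
    $UFW_CMD allow "$SSH_PORT" comment "Allow ssh port $SSH_PORT"
    $UFW_CMD allow 80
    $UFW_CMD allow 443
}

# Only enable once the SSH rule is really in the rule list.
enable_if_safe() {
    status=$($UFW_CMD status numbered)
    if allow_in_rule_present "$status" "$SSH_PORT"; then
        $UFW_CMD --force enable      # --force answers the y/n prompt
    else
        echo "refusing to enable ufw: no ALLOW IN rule for port $SSH_PORT" >&2
        return 1
    fi
}

# Nothing runs unless invoked as: sh setup-ufw.sh apply   (as root)
if [ "${1:-}" = "apply" ]; then
    apply_policy
    enable_if_safe
fi
```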

Filtering

Allowing only one IP to access a specific service can be useful. For example, you may want to allow port 21 (FTP) only for a specific user/client that uploads and downloads files.

ufw allow from 192.168.0.1 to any port 21

This will only allow access to port 21 from 192.168.0.1.

While at it, you can also restrict a rule to incoming or outgoing traffic with the in and out keywords.

ufw allow in 21

This allows incoming traffic on port 21 to the server.

Service specific access

As mentioned above, you can also allow services by name if you do not know the port number, for example smtp, imap, mysql, ftp, http, https etc. The point is to allow access only where it is needed and block everything else.

ufw allow mysql

Delete rules

You can delete a port or service rule from the ufw list. To do that, run ufw status numbered to list the entries with their numbers.

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22                         ALLOW IN    192.168.0.1

We have two entries for port 22 here, one allowing access from anywhere. That one can be removed if the IP-restricted rule is what we want.

ufw delete 1

You can also delete rules by specifying the port. This removes both the IPv4 and IPv6 entries. Be careful with this approach: it deletes all entries for that port.

ufw delete allow 22/tcp

Disable/reload/reset UFW

Here are the common commands for everyday tasks.

Reload ufw rules:

ufw reload

Disable ufw:

ufw disable

Enable:

ufw enable

Reset discards all changes made to the rules and reapplies the default settings.

ufw reset

You will be prompted with:

Resetting all rules to installed defaults. This may disrupt existing ssh connections. Proceed with operation (y|n)?