Uncomplicated Firewall (UFW) delivers straightforward network traffic control for Ubuntu servers and desktops. Built as a user-friendly frontend to iptables, UFW strips away configuration complexity while preserving robust firewall capabilities. The tool manages basic port rules, application-specific profiles, detailed security logging, and both IPv4 and IPv6 traffic through a consistent command-line interface.
This guide covers installing UFW on Ubuntu, configuring default security policies, managing firewall rules for SSH and common services, monitoring traffic with logs, and optionally using the GUFW graphical interface. You’ll establish secure policies, control service access, and maintain visibility into network activity.
Prerequisites
Before configuring UFW, ensure you have the following:
- A system running Ubuntu with sudo privileges.
- Access to a terminal window.
- UFW is pre-installed on Ubuntu. If it has been uninstalled, you can reinstall it with
sudo apt install ufw.
Verify UFW Installation
Before starting the installation and configuration process, checking if UFW has already been installed on your system is essential. You can do this by executing the following command:
ufw versionIf you see version information, UFW has already been installed. If not, you’ll see an error message. In that case, follow the steps below to install UFW:
sudo apt update
sudo apt install ufwAfter installation, you can verify that UFW is installed by running ufw version again.
Configure IPv6 with UFW (Optional)
UFW supports IPv6 by default on modern Ubuntu installations, so most systems already apply firewall rules to both protocols. If you’re working with legacy hosts or minimal server images, verify IPv6 support by opening the UFW configuration file:
sudo nano /etc/default/ufwFind the line that reads IPV6=no and change it to IPV6=yes. On most current Ubuntu installations, this will already be set to yes, but it’s worth verifying if you’re working with legacy systems or custom configurations.
Save the changes and exit the editor.
Set UFW Default Policies
Setting up default policies is essential to control incoming and outgoing traffic. Additionally, the standard security posture denies all incoming connections (preventing unauthorized access) while allowing all outgoing connections (permitting your applications to reach external services). The default policies apply to any traffic that doesn’t match specific rules you create later. To set up default policies, use the following commands:
sudo ufw default deny incoming
sudo ufw default allow outgoingThese commands deny all incoming connections and allow all outgoing connections by default. Furthermore, this approach ensures that only explicitly permitted services can accept incoming traffic.
Allow SSH Remote Connections (Situational)
To allow SSH connections, execute the following command:
sudo ufw allow sshThis command will allow incoming SSH connections on the default port (22). Alternatively, if you’re using a custom port for SSH, you can specify it like this:
sudo ufw allow 2222/tcpThis will allow incoming connections on port 2222, assuming you have configured your SSH server to listen on this port.
Protect SSH with Rate Limiting
To protect SSH from automated brute-force attacks, UFW provides a rate-limiting feature that tracks connection attempts from each source IP address. When an IP address attempts to initiate more than six connections within 30 seconds, UFW temporarily blocks further connections from that address. This approach distinguishes between normal use and likely malicious behavior without completely blocking legitimate users.
To enable rate limiting for SSH, use the limit command instead of allow:
sudo ufw limit sshFor custom SSH ports, specify the port number with the protocol:
sudo ufw limit 2222/tcpRate limiting adds an extra security layer to services exposed to the internet. Consider using this feature for any service that accepts authentication attempts, as it significantly reduces the effectiveness of automated credential-stuffing attacks.
Enable UFW on Ubuntu
If you are using SSH to connect to a remote Ubuntu server, ensure you have completed the previous step to allow UFW before proceeding with this section.
After setting up the default policies and allowing SSH connections, you can enable the UFW firewall with the following command:
sudo ufw enableYou will be prompted to confirm your action, as enabling UFW may disrupt existing connections. Enter y to proceed with the operation.
Verify Rules Before Enabling
Before activating the firewall, you can preview which rules will be applied without actually enabling UFW:
sudo ufw show addedThis displays all rules you’ve configured, allowing you to catch any mistakes before the firewall becomes active. This verification step is particularly important when managing remote servers, as it confirms you have the necessary SSH access rules in place before potentially locking yourself out.
Configure Common Service Rules
After enabling UFW and securing SSH access, you can allow other connections, such as HTTP, HTTPS, or FTP, using the ufw allow command followed by the service name or port number.
For example:
sudo ufw allow http
sudo ufw allow https
sudo ufw allow 21/tcpThese commands allow incoming connections for HTTP (port 80), HTTPS (port 443), and FTP (port 21). Moreover, if you need to allow connections for a range of ports, you can specify the range like this:
sudo ufw allow 8000:9000/tcpThis command allows incoming connections on TCP ports 8000 through 9000. Port ranges are particularly useful when hosting multiple development servers or microservices that need consecutive port assignments.
Allow Access from Specific IP Addresses
To restrict access to a specific IP address, use the from parameter:
sudo ufw allow from 203.0.113.4This grants full access to the specified IP address. Consequently, to allow access to a specific port from a particular IP address:
sudo ufw allow from 203.0.113.4 to any port 22Allow Access from Subnets
To allow an entire subnet of IP addresses, use CIDR notation to specify a netmask. For instance, to allow all IP addresses ranging from 192.168.1.1 to 192.168.1.254:
sudo ufw allow from 192.168.1.0/24You can combine subnet filtering with specific ports:
sudo ufw allow from 192.168.1.0/24 to any port 22This limits SSH access to the specified subnet only, which is particularly useful for restricting administrative access to your local network.
Allow Connections to Specific Network Interfaces
For servers with multiple network interfaces, you can create rules that apply only to a specific interface. First, identify your network interfaces:
ip addrNetwork interfaces are typically named eth0, eth1, enp3s2, or similar. To allow HTTP traffic only on the public-facing interface eth0:
sudo ufw allow in on eth0 to any port 80Similarly, for database servers that should only accept connections on a private network interface eth1:
sudo ufw allow in on eth1 to any port 3306Interface-specific rules provide fine-grained control over which networks can reach particular services, preventing accidental exposure of internal services to public networks.
Deny Specific Connections
Conversely, to deny specific connections, use the ufw deny command followed by the service name or port number. For example:
sudo ufw deny 25/tcpThis command will deny incoming connections on port 25 (SMTP).
Delete Firewall Rules
When rules become outdated or unnecessary, you can delete them using the ufw delete command followed by the rule’s parameters. For example:
sudo ufw delete allow 21/tcpThis command deletes the rule that allows incoming connections on port 21 (FTP).
Delete Rules by Number
For complex firewall configurations with many rules, deleting by number is more efficient than retyping the entire rule. Initially, display the numbered list of rules:
sudo ufw status numberedThis displays each rule with its assigned number. To delete a rule by number:
sudo ufw delete 3This removes the third rule from the list. Note that when deleting IPv6 rules by number, you must delete the IPv4 and IPv6 versions separately since they appear as distinct numbered entries. Deleting by name (e.g., sudo ufw delete allow http) removes both IPv4 and IPv6 rules automatically.
View Active UFW Rules and Status
Once you’ve configured rules, you can check the status of the UFW firewall and view the current rules using the following command:
sudo ufw status verboseThis command will display the UFW status, default policies, and specific rules you’ve created. The verbose flag provides additional details beyond the standard output, including default policy information and numbered rule lists.
Enable and Monitor UFW Logs
UFW provides logging functionality to track its actions and monitor potential issues. In this section, we’ll discuss how to configure and view logs to maintain visibility into firewall activity.
Configure UFW Log Settings
To enable logging for UFW, use the ufw logging command followed by the desired log level. UFW supports four log levels that determine the amount of detail captured:
| Level | What It Logs |
|---|---|
| low | Blocked packets only |
| medium | Blocked packets + new connections |
| high | Packets with rate limiting |
| full | Everything without rate limiting |
For most users, medium provides a good balance between detail and log file size:
sudo ufw logging medium
The medium level logs blocked packets and new connections, providing visibility into denied traffic and established connections without overwhelming your disk with every packet detail.
View UFW Logs
UFW logs are stored in the /var/log/ufw.log file by default. To view the log file, you can use a command like less, tail, or cat. For example:
sudo less /var/log/ufw.logThis command displays the log file using the less command, which allows you to scroll through the contents.
Manage Application Profiles
UFW supports application profiles, which are predefined rules for popular applications. These profiles simplify the process of allowing or denying connections for specific applications by bundling the correct ports and protocols into a single named rule. Application profiles are particularly useful when software packages include multiple ports or both TCP and UDP requirements, reducing the chance of misconfiguration compared to manual port rules. You can view available application profiles with the following command:
sudo ufw app listTo view the details of a specific profile, use the ufw app info command followed by the profile name:
sudo ufw app info 'Apache Full'To allow or deny connections for an application profile, use the ufw allow or ufw deny command followed by the profile name:
sudo ufw allow 'Apache Full'Test UFW Rules
Before applying new rules to production systems, you may want to test them to ensure they work as expected. To simulate a connection and test UFW rules, you can use the nc (netcat) tool.
First, install netcat if it’s not already installed:
sudo apt install netcat-openbsdNext, on the server-side, run the following command, replacing <port> with the port number you want to test:
nc -l -p <port>For example, to test port 8080:
nc -l -p 8080On the client-side, connect to the server using the following command, replacing <server_ip> with the server’s IP address and <port> with the port number:
nc <server_ip> <port>If the connection is successful, you can send messages between the server and the client by typing in the terminal. Conversely, if the connection fails, the respective UFW rule might be blocking the traffic. Make sure to adjust your UFW rules accordingly and test again.
Disable or Reset UFW
For comprehensive firewall management on Ubuntu, you may need to temporarily disable UFW for troubleshooting network issues or testing application connectivity. Use the following command:
sudo ufw disableTo reset UFW to its default settings and remove all rules, use the ufw reset command. This is useful when you want to start fresh after experimenting with complex rule sets or when transitioning to a new security configuration:
sudo ufw resetPlease note that this action will erase all your custom rules, and you must reconfigure UFW from scratch.
Install GUFW
As an alternative to command-line management, GUFW is a graphical front-end for managing UFW rules. To install GUFW on Ubuntu, use the following commands:
sudo apt update
sudo apt install gufwAfter installation, you can launch GUFW from your application menu. The graphical interface makes it easy to manage your firewall rules without using the command line, particularly useful for users who prefer visual tools over terminal commands.
UFW Security Best Practices
Maintaining effective firewall protection requires ongoing attention and adherence to security principles. Following these practices ensures your UFW configuration remains secure and aligned with your system’s evolving needs.
Apply the Principle of Least Privilege
The principle of least privilege dictates that you should only grant the minimum level of access necessary for a service to function. UFW’s default deny-incoming policy aligns with this principle, requiring you to explicitly allow each connection type.
Be specific when creating rules. Instead of allowing broad port ranges, open only the exact ports your applications require. When a service only needs access from specific locations, restrict the rule to that source IP address or subnet. For example, to allow MySQL access only from an application server at 203.0.113.100:
sudo ufw allow from 203.0.113.100 to any port 3306Audit Firewall Rules Regularly
Server requirements change over time as services are added, removed, or reconfigured. Therefore, set a recurring reminder to review your firewall rules quarterly. List your rules with sudo ufw status numbered and evaluate each one:
- Is the service associated with this port still running and in use?
- Is the level of access (from anywhere vs. specific IP) still appropriate?
- Could this rule be made more restrictive without breaking functionality?
To view your numbered rules, run:
sudo ufw status numberedThis displays output similar to:
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 80/tcp ALLOW IN Anywhere
[ 3] 443/tcp ALLOW IN Anywhere
[ 4] 3306/tcp ALLOW IN 192.168.1.100
[ 5] 8080/tcp ALLOW IN Anywhere
[ 6] 22/tcp (v6) ALLOW IN Anywhere (v6)
[ 7] 80/tcp (v6) ALLOW IN Anywhere (v6)
[ 8] 443/tcp (v6) ALLOW IN Anywhere (v6)
[ 9] 8080/tcp (v6) ALLOW IN Anywhere (v6)
If you identify an outdated rule, such as port 8080 for a development server that no longer runs, remove it by number:
sudo ufw delete 5Remember to delete both IPv4 and IPv6 versions when removing rules by number. After deleting rule 5 (8080/tcp), you would need to run sudo ufw status numbered again and delete the corresponding IPv6 rule. Alternatively, delete by service name to remove both versions simultaneously:
sudo ufw delete allow 8080/tcpRemove unnecessary rules immediately. Furthermore, a rule that was essential six months ago might now represent an unnecessary security risk.
Monitor UFW Logs for Suspicious Activity
Firewall logs provide valuable intelligence about traffic reaching your server, including blocked malicious attempts. Keep logging at the medium level with sudo ufw logging medium (or adjust to the level you selected earlier) and regularly review /var/log/ufw.log for patterns.
To monitor logs in real-time, use:
sudo tail -f /var/log/ufw.logA typical blocked connection appears in the log as:
Nov 8 14:23:45 server kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.42 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54321 PROTO=TCP SPT=54892 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Key log fields to monitor:
- SRC: Source IP address (who sent the packet) –
198.51.100.42in this example - DPT: Destination port (which service they tried to reach) – port
23(Telnet) in this case - PROTO: Protocol (TCP or UDP) –
TCPhere - SPT: Source port (originating port from the sender) –
54892
To check for repeated connection attempts from a specific IP address across multiple ports (indicating port scanning), run:
sudo grep "SRC=198.51.100.42" /var/log/ufw.log | grep "BLOCK" | wc -lA high count (50+ attempts within a short timeframe) indicates automated scanning activity. Specifically, watch for single IP addresses repeatedly attempting to connect to multiple blocked ports, which indicates port scanning activity and potential attack reconnaissance.
Verify IPv4 and IPv6 Coverage
Modern Ubuntu distributions enable IPv6 by default, and UFW applies rules to both protocols automatically when IPV6=yes in /etc/default/ufw. Therefore, verify this setting to ensure you’re not accidentally leaving IPv6 traffic unprotected.
Check your UFW IPv6 configuration:
grep IPV6 /etc/default/ufwThis should return IPV6=yes. When checking sudo ufw status verbose, look for (v6) entries corresponding to each IPv4 rule:
sudo ufw status verboseExample output showing dual-protocol coverage:
Status: active Logging: on (medium) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- 22/tcp ALLOW IN Anywhere 80/tcp ALLOW IN Anywhere 443/tcp ALLOW IN Anywhere 22/tcp (v6) ALLOW IN Anywhere (v6) 80/tcp (v6) ALLOW IN Anywhere (v6) 443/tcp (v6) ALLOW IN Anywhere (v6)
Notice how each service rule appears twice: once for IPv4 and once with (v6) for IPv6, confirming dual-protocol coverage. To verify if your system actually has IPv6 connectivity, check your network interfaces:
ip -6 addr show scope globalIf this command returns IPv6 addresses (starting with 2000::/3 for global unicast), your system uses IPv6 and requires firewall protection on both protocols. Additionally, if your network doesn’t use IPv6, consider disabling it entirely at the kernel level to eliminate it as a potential attack vector.
Integrate with Intrusion Prevention Systems
While UFW enforces a static ruleset, it doesn’t dynamically react to active threats. Integrate UFW with Fail2ban to automatically block repeated attack attempts. Fail2ban monitors log files for patterns like failed login attempts and creates temporary UFW deny rules to block offending IP addresses, providing automated, responsive protection against brute-force attacks and other malicious behavior.
Conclusion
UFW provides robust network security for Ubuntu through straightforward command-line controls and optional graphical management. The firewall handles default deny policies that block unwanted traffic, application profiles that simplify service configuration, and detailed logging that tracks connection attempts. Your Ubuntu system now maintains controlled network access with visible traffic monitoring, balancing security requirements against legitimate service availability. For additional intrusion prevention, consider pairing UFW with Fail2ban to automatically block repeated attack attempts.