UFW (Uncomplicated Firewall) provides a streamlined interface for managing Linux firewall rules, translating simple commands into complex iptables or nftables configurations. Originally developed by Canonical for Ubuntu, UFW is now available on Arch Linux for users who prefer straightforward firewall management over direct iptables manipulation. You need UFW for securing SSH access on remote servers, controlling network traffic to web services, and implementing IP-based access restrictions without learning low-level firewall syntax.
This guide covers installing UFW on Arch Linux using pacman, configuring default security policies, creating rules for common services like SSH and HTTP, managing application profiles, monitoring firewall activity through logs, and optionally installing the GUFW graphical interface. By the end, you will have a fully configured firewall protecting your Arch Linux system from unauthorized network access.
UFW works with both iptables and nftables backends, automatically detecting which framework your system uses. The commands in this guide apply universally regardless of which backend is active. For additional configuration options and troubleshooting, see the Arch Wiki UFW page.
Install UFW via Pacman
UFW is available in the official Arch Linux extra repository. Before installation, update your system to ensure package compatibility:
sudo pacman -Syu
Install UFW:
sudo pacman -S ufw
Verify the installation by checking the UFW version:
ufw version
Expected output confirming UFW is installed:
ufw 0.36.2 Copyright 2008-2023 Canonical Ltd.
UFW is now installed but not yet active. Before enabling the firewall, configure essential rules to avoid losing access to your system.
Set UFW Default Policies
Default policies define how UFW handles traffic that doesn’t match any specific rule. The recommended security posture denies all incoming connections (preventing unauthorized access) while allowing all outgoing connections (permitting your applications to reach external services):
sudo ufw default deny incoming
sudo ufw default allow outgoing
Expected output confirming the policy changes:
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)
With these defaults in place, your system rejects all unsolicited incoming connections while allowing internal applications to communicate outward freely. You must now explicitly allow each service that needs to accept incoming traffic.
Allow SSH Connections
If you manage your server remotely via SSH, allow SSH connections before enabling UFW. Enabling the firewall without an SSH rule will immediately disconnect your session and lock you out.
If you have not yet configured SSH on Arch Linux, do so before proceeding. Allow SSH connections through the firewall:
sudo ufw allow ssh
UFW confirms the rule was added:
Rules updated
Rules updated (v6)
If your SSH server uses a custom port instead of the default port 22, allow that port instead:
sudo ufw allow 2222/tcp
Replace 2222 with your actual SSH port number.
Protect SSH with Rate Limiting
To protect SSH from automated brute-force attacks, UFW provides rate limiting that tracks connection attempts from each source IP address. When an IP attempts to initiate more than six connections within 30 seconds, UFW temporarily blocks further connections from that address:
sudo ufw limit ssh
Expected output:
Rules updated
Skipping unsupported IPv6 'limit' rule
The IPv6 skip message is normal because UFW’s rate limiting only supports IPv4. IPv6 connections still pass through the standard allow rule created earlier.
For custom SSH ports, specify the port number with the protocol:
sudo ufw limit 2222/tcp
Rate limiting adds an extra security layer to services exposed to the internet without completely blocking legitimate users who may need multiple connections.
Enable UFW and the Service
On Arch Linux, you must both enable UFW through its command interface and enable the systemd service to ensure the firewall starts automatically at boot.
Preview Rules Before Activation
Before activating the firewall, preview which rules UFW will apply:
sudo ufw show added
Expected output showing your configured rules:
Added user rules (see 'ufw status' for running firewall):
ufw limit 22
ufw allow 22
This verification step confirms that SSH access rules exist before you potentially lock yourself out. If the output is empty or missing your SSH rule, add it now before proceeding.
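The lock-out check above can be scripted so it compares the pending rule set against the port sshd actually listens on. The following is an added example, not part of the original guide: it parses the text of /etc/ssh/sshd_config and of sudo ufw show added, both passed in as strings, and is exercised here on constructed samples (no root needed).

```shell
#!/bin/sh
# Added example, not from the original guide: a pre-flight check that the pending
# UFW rule set already admits SSH on the port sshd actually listens on, so that
# 'ufw enable' cannot lock you out. Both inputs are plain text, so the logic can
# be exercised on constructed samples without root.

# sshd_port CONFIG_TEXT: print the first 'Port' directive, or 22 if none is set.
sshd_port() {
    port=$(printf '%s\n' "$1" |
        sed -nE 's/^[[:space:]]*Port[[:space:]]+([0-9]+).*/\1/p' | head -n 1)
    printf '%s\n' "${port:-22}"
}

# ssh_rule_present RULES_TEXT PORT: succeed if the output of 'ufw show added'
# contains an allow or limit rule covering PORT, either as a bare port/service
# ("ufw limit 22", "ufw allow ssh", "ufw allow 2222/tcp") or as a
# "... to any port PORT" clause. The 'ssh' service name only means port 22.
ssh_rule_present() {
    rules="$1"; port="$2"; names="$port"
    if [ "$port" = "22" ]; then names="22|ssh"; fi
    printf '%s\n' "$rules" | grep -Eq \
        "^ufw (allow|limit) (${names})(/tcp)?( |$)|^ufw (allow|limit) .* port ${port}( |$)"
}

# preflight CONFIG_TEXT RULES_TEXT: print a verdict and return 0 only when safe.
preflight() {
    port=$(sshd_port "$1")
    if ssh_rule_present "$2" "$port"; then
        echo "OK: SSH rule for port $port present, safe to run 'sudo ufw enable'"
        return 0
    fi
    echo "STOP: no allow/limit rule for SSH port $port; run 'sudo ufw allow $port/tcp' first"
    return 1
}

# Constructed sample inputs (the real ones are /etc/ssh/sshd_config and the
# output of 'sudo ufw show added').
SAMPLE_SSHD_CONFIG="# constructed sshd_config fragment
Port 2222
PermitRootLogin no"
SAMPLE_RULES="Added user rules (see 'ufw status' for running firewall):
ufw limit 22
ufw allow 22
ufw allow 80/tcp"

# sshd listens on 2222 but only port 22 is admitted: the check must refuse.
preflight "$SAMPLE_SSHD_CONFIG" "$SAMPLE_RULES" || true
# Live use (needs root): preflight "$(cat /etc/ssh/sshd_config)" "$(sudo ufw show added)"
```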
Activate the Firewall
Enable UFW:
sudo ufw enable
UFW prompts you to confirm because enabling the firewall may disrupt existing connections:
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Enter y to confirm. UFW now enforces your rules.
Enable the systemd Service
Enable the UFW service so the firewall starts automatically at boot:
sudo systemctl enable --now ufw.service
Verify the service is running:
systemctl status ufw.service
Expected output showing UFW is active:
● ufw.service - Uncomplicated firewall
Loaded: loaded (/usr/lib/systemd/system/ufw.service; enabled; preset: disabled)
Active: active (exited) since Sun 2026-01-26 12:00:00 UTC; 5s ago
Docs: man:ufw(8)
Process: 1234 ExecStart=/usr/lib/ufw/ufw-init start quiet (code=exited, status=0/SUCCESS)
Main PID: 1234 (code=exited, status=0/SUCCESS)
CPU: 150ms
The active (exited) status is normal for UFW since it configures firewall rules and exits rather than running as a persistent daemon.
Do not enable iptables.service or ip6tables.service simultaneously with ufw.service. UFW manages iptables rules directly, and running both services creates conflicts.
View Active UFW Rules and Status
After enabling UFW, verify that the rules are active and correctly configured:
sudo ufw status verbose
This displays the UFW status, default policies, and all configured rules:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         LIMIT IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
For a numbered list of rules that makes management easier, use:
sudo ufw status numbered
Expected output:
Status: active
To Action From
-- ------ ----
[ 1] 22 LIMIT IN Anywhere
[ 2] 22 (v6) ALLOW IN Anywhere (v6)
The numbered output makes it easy to identify and manage specific rules using delete commands.
Configure Common Service Rules
After securing SSH access, you can allow other connections using the ufw allow command followed by the service name or port number.
Allow HTTP and HTTPS
For web servers, allow HTTP (port 80) and HTTPS (port 443):
sudo ufw allow http
sudo ufw allow https
Or using port numbers directly:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Allow Port Ranges
To allow a range of ports, specify the protocol:
sudo ufw allow 8000:8005/tcp
This allows TCP connections on ports 8000 through 8005. Port ranges are useful for applications that require multiple consecutive ports.
Allow Access from Specific IP Addresses
To restrict access to a specific IP address, use the from parameter:
sudo ufw allow from 192.168.1.0/24
This allows all IP addresses from 192.168.1.1 to 192.168.1.254. To allow a specific IP to access a particular port:
sudo ufw allow from 203.0.113.4 to any port 22
This restricts SSH access to connections only from the specified IP address.
Allow Connections to Specific Network Interfaces
For servers with multiple network interfaces, create rules that apply only to a specific interface:
sudo ufw allow in on eth0 to any port 80
This allows HTTP traffic only on the eth0 interface, preventing accidental exposure on other networks.
Deny Specific Connections
UFW denies all incoming connections by default, but you can create explicit deny rules for logging purposes or to block specific addresses. To deny incoming connections on a port:
sudo ufw deny 23/tcp
This explicitly denies Telnet connections. To block a specific IP address:
sudo ufw deny from 203.13.56.121
To block an entire subnet:
sudo ufw deny from 203.13.56.0/24
Delete Firewall Rules
When rules become outdated, delete them using the ufw delete command. First, view your numbered rules:
sudo ufw status numbered
Example output:
Status: active
To Action From
-- ------ ----
[ 1] 22 ALLOW IN Anywhere
[ 2] 80 ALLOW IN Anywhere
[ 3] 443 ALLOW IN Anywhere
Delete a rule by number:
sudo ufw delete 3
UFW asks for confirmation:
Deleting:
 allow 443
Proceed with operation (y|n)? y
Rule deleted
Alternatively, delete by specifying the original rule:
sudo ufw delete allow 443/tcp
When you delete a rule by number, the remaining rules are renumbered. Always run sudo ufw status numbered again before deleting additional rules to ensure you target the correct rule.
Manage UFW Application Profiles
UFW includes predefined application profiles that bundle the correct ports and protocols for common services. View available profiles:
sudo ufw app list
Example output showing available applications:
Available applications:
  AIM
  Bonjour
  CIFS
  DNS
  Deluge
  IMAP
  IMAPS
  IPP
  KTorrent
  Kerberos Admin
  Kerberos Full
  Kerberos KDC
  Kerberos Password
  LDAP
  LDAPS
  LPD
  MSN
  MSN SSL
  Mail submission
  NFS
  POP3
  POP3S
  PeopleNearby
  SMTP
  SSH
  Socks
  Telnet
  Transmission
  Transparent Proxy
  VNC
  WWW
  WWW Cache
  WWW Full
  WWW Secure
  XMPP
  Yahoo
  qBittorrent
  svnserve
To view details about a specific profile:
sudo ufw app info SSH
Expected output:
Profile: SSH
Title: SSH server
Description: SSH server

Port:
  22/tcp
To allow traffic using an application profile:
sudo ufw allow Deluge
Create Custom Application Profiles
Application profiles are stored in /etc/ufw/applications.d/. Create custom profiles for applications running on non-standard ports by adding a file in this directory:
sudo nano /etc/ufw/applications.d/custom
Add your custom profile:
[MyApp]
title=My Application
description=Custom application on ports 9000-9005
ports=9000:9005/tcp
Save the file and verify the profile appears in the list:
sudo ufw app list | grep MyApp
Do not modify the default profile files in /etc/ufw/applications.d/, as they may be overwritten during package updates. Always create custom profiles in a separate file.
Enable IPv6 Support
UFW supports IPv6 by default, applying firewall rules to both IPv4 and IPv6 traffic. Verify IPv6 is enabled:
grep IPV6 /etc/default/ufw
Expected output:
IPV6=yes
If you need to modify this setting, edit the configuration file:
sudo nano /etc/default/ufw
After making changes, reload UFW:
sudo ufw disable && sudo ufw enable
Enable and Monitor UFW Logs
UFW logging tracks firewall activity and helps identify potential security issues. Configure the logging level:
sudo ufw logging medium
Expected output:
Logging enabled
UFW supports four log levels:
| Level | What It Logs |
|---|---|
| low | Blocked packets only |
| medium | Blocked packets + new connections |
| high | Packets with rate limiting |
| full | Everything without rate limiting |
The medium level provides a good balance between detail and log file size for most servers.
View UFW Logs
On Arch Linux with systemd, UFW logs are written to the journal. View recent UFW entries:
journalctl -k | grep UFW
Monitor logs in real-time:
journalctl -kf | grep UFW
A typical blocked connection appears as:
[UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.42 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54321 PROTO=TCP SPT=54892 DPT=23
Key log fields to monitor: SRC (source IP), DPT (destination port), PROTO (protocol). Use grep to filter specific events, or see our guide on the tail command for real-time log monitoring techniques.
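The grep-based filtering suggested above can be taken one step further by aggregating the SRC, PROTO and DPT fields over a stretch of journal output. The following is an added example, not part of the original guide: it takes the text of journalctl -k | grep UFW as a string, counts blocked sources, lists the ports each source was refused on, and flags hosts refused on many distinct ports; the journal excerpt embedded below is constructed in the log format shown above.

```shell
#!/bin/sh
# Added example, not from the original guide: summarise [UFW BLOCK] lines from the
# kernel journal by source address and destination port, the fields the guide says
# to watch. Pass it the text of 'journalctl -k | grep UFW'; constructed sample
# lines are embedded below so it runs offline.

# blocked_sources LOG: SRC of every [UFW BLOCK] line (one per line, unsorted).
blocked_sources() {
    printf '%s\n' "$1" | grep '\[UFW BLOCK\]' |
        sed -nE 's/.* SRC=([0-9a-fA-F.:]+) .*/\1/p'
}

# top_blocked_sources LOG [N]: "<count> <src>" lines, most blocked first (default 5).
top_blocked_sources() {
    blocked_sources "$1" | sort | uniq -c | sort -rn | head -n "${2:-5}" |
        awk '{print $1, $2}'
}

# blocked_ports_for LOG SRC: distinct "PROTO/DPT" pairs one source was blocked on,
# space separated and sorted by port number.
blocked_ports_for() {
    printf '%s\n' "$1" | grep '\[UFW BLOCK\]' | grep " SRC=$2 " |
        sed -nE 's/.* PROTO=([A-Z0-9]+) .* DPT=([0-9]+).*/\1\/\2/p' |
        sort -u | sort -t/ -k2,2n | tr '\n' ' ' | sed 's/ $//'
}

# scan_suspects LOG MIN_PORTS: sources blocked on at least MIN_PORTS distinct
# ports; one host probing many ports in a short window is the shape of a port scan.
scan_suspects() {
    for src in $(blocked_sources "$1" | sort -u); do
        n=$(blocked_ports_for "$1" "$src" | wc -w | tr -d ' ')
        if [ "$n" -ge "$2" ]; then echo "$src"; fi
    done
}

# Constructed journal excerpt in the format shown above; the [UFW AUDIT] line
# must be ignored because only BLOCK lines are counted.
SAMPLE_LOG="Jan 26 12:00:01 arch kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.42 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54321 PROTO=TCP SPT=54892 DPT=23
Jan 26 12:00:02 arch kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.42 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54322 PROTO=TCP SPT=54893 DPT=3389
Jan 26 12:00:03 arch kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.42 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54323 PROTO=TCP SPT=54894 DPT=445
Jan 26 12:00:09 arch kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.77 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=111 PROTO=UDP SPT=5353 DPT=5353
Jan 26 12:00:10 arch kernel: [UFW AUDIT] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.77 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=112 PROTO=TCP SPT=40000 DPT=80"

echo "Most blocked sources:"; top_blocked_sources "$SAMPLE_LOG"
echo "Ports probed by 198.51.100.42: $(blocked_ports_for "$SAMPLE_LOG" 198.51.100.42)"
echo "Hosts blocked on 3+ ports: $(scan_suspects "$SAMPLE_LOG" 3)"
# Live use (journal access may need root): top_blocked_sources "$(journalctl -k | grep UFW)"
```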
To disable logging entirely:
sudo ufw logging off
Disable or Reset UFW
To temporarily disable the firewall for troubleshooting:
sudo ufw disable
Expected output:
Firewall stopped and disabled on system startup
Your rules are preserved. Re-enable with sudo ufw enable.
To reset UFW to default settings and remove all rules:
sudo ufw reset
UFW backs up existing rules before resetting:
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Backing up 'user.rules' to '/etc/ufw/user.rules.20260126_120000'
Backing up 'before.rules' to '/etc/ufw/before.rules.20260126_120000'
Backing up 'after.rules' to '/etc/ufw/after.rules.20260126_120000'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20260126_120000'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20260126_120000'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20260126_120000'
Resetting UFW deletes all firewall rules including SSH access. If connected remotely, you will be locked out immediately. Only reset when you have local console access.
Install GUFW
GUFW provides a graphical interface for managing UFW rules, useful for desktop users who prefer visual tools over terminal commands. Install GUFW from the official Arch Linux extra repository:
sudo pacman -S gufw
After installation, launch GUFW from your application menu or run gufw from the terminal. The graphical interface allows you to enable and disable the firewall, create and delete rules, manage application profiles, and view logs without typing commands. GUFW requires root privileges and will prompt for your password when launched.
UFW Security Best Practices
Following these practices ensures your UFW configuration remains secure.
Apply the Principle of Least Privilege
Only grant the minimum access necessary for services to function. Instead of broad port ranges, open only exact ports your applications require. Restrict rules to specific source IPs when possible:
sudo ufw allow from 203.0.113.100 to any port 3306
This allows MySQL access only from a specific application server rather than from anywhere.
Audit Firewall Rules Regularly
Set a recurring reminder to review your firewall rules. List your rules with sudo ufw status numbered and evaluate each one:
- Is the service associated with this port still running?
- Is the level of access still appropriate?
- Could this rule be made more restrictive?
Remove unnecessary rules immediately. A rule that was essential months ago might now represent an unnecessary security risk.
Troubleshoot Common UFW Issues
Locked Out After Enabling UFW
If you enabled UFW without allowing SSH and lost remote access, you need local console access. Once at the console, disable the firewall and add the SSH rule:
sudo ufw disable
sudo ufw allow ssh
sudo ufw enable
UFW Not Starting at Boot
If UFW does not start automatically after rebooting, ensure the systemd service is enabled:
sudo systemctl enable ufw.service
sudo systemctl start ufw.service
Verify both the service and UFW status:
systemctl status ufw.service
sudo ufw status
Rules Not Taking Effect
If newly added rules do not work, first confirm UFW is active:
sudo ufw status
Check rule ordering with sudo ufw status numbered. UFW processes rules from top to bottom and stops at the first match. If a broad deny rule appears before a specific allow rule, traffic gets blocked. Delete the problematic rule and re-add it in the correct order.
UFW and Docker
Docker modifies iptables directly, bypassing UFW rules. Container ports remain accessible from external networks even when UFW appears to block them. For Docker installations, see the ufw-docker project which provides scripts to manage the interaction between UFW and Docker’s iptables rules.
Remove UFW from Arch Linux
In most cases, simply disabling UFW with sudo ufw disable is sufficient. Complete removal is only necessary when switching to a different firewall solution.
First, disable and stop the service:
sudo ufw disable
sudo systemctl disable --now ufw.service
Remove the UFW package:
sudo pacman -Rns ufw
If you installed GUFW, remove it as well:
sudo pacman -Rns gufw
Verify UFW is no longer installed:
ufw version
Expected output confirming removal:
-bash: ufw: command not found
If you modified any UFW configuration files before removal, pacman saves them with a .pacsave extension in /etc/ufw/. You can safely remove these backup files if you no longer need them.
The following command permanently deletes all UFW configuration files and backups. Only run this if you are certain you no longer need any custom firewall rules or application profiles.
sudo rm -rf /etc/ufw/
Removing UFW leaves your system without a firewall. Ensure you have an alternative solution like iptables, nftables, or firewalld configured before removing UFW.
Frequently Asked Questions
The systemd service manages the UFW backend, but the firewall rules themselves must be explicitly enabled. If systemctl status ufw shows “active (exited)” but sudo ufw status says “inactive,” run sudo ufw enable to activate the firewall rules.
No. Running multiple firewall managers simultaneously leads to conflicting rules and connection issues. Disable other firewall services (like Firewalld) before enabling UFW to ensure consistent security.
Unlike Debian or Ubuntu, many Arch Linux packages do not include pre-configured UFW profiles. You often need to manually verify required ports and add them using sudo ufw allow or create a custom profile in /etc/ufw/applications.d/.
Always run sudo ufw allow ssh (or your custom SSH port) before running sudo ufw enable. If you enable the firewall without an allow rule for your current connection, your session will drop immediately.
Conclusion
UFW now protects your Arch Linux system with configured default policies, service-specific port rules, and logging for security monitoring. The firewall blocks unauthorized incoming connections while allowing legitimate services to function. For additional protection, pair UFW with fail2ban to automatically block IP addresses after repeated failed login attempts, or configure SSH key authentication to eliminate password-based attacks entirely.