UFW (Uncomplicated Firewall) provides a streamlined front end to the Linux netfilter firewall, translating short commands into the iptables rules that implement them. Originally developed by Canonical for Ubuntu 8.04, UFW is the default firewall front end on Ubuntu and is widely used on Debian, where it is a single apt install away. You need UFW when securing web servers running Apache or Nginx, hardening SSH access on remote systems, or implementing IP-based access control without learning low-level firewall syntax. This guide installs UFW on Debian, configures default policies, creates application-specific rules for common services, and sets up logging to monitor suspicious traffic attempts.
UFW simplifies common firewall tasks through an intuitive command structure that replaces long iptables rule sets with single commands. It understands application profiles for services such as Apache, Nginx, and OpenSSH (each profile is shipped by the package that provides the service), letting you enable access with commands as straightforward as ufw allow OpenSSH. Built-in logging records blocked connection attempts without external tools, while native IPv6 support protects both address families simultaneously.
UFW drives the iptables command-line tools. On Debian 10 and later those tools default to the nftables-backed iptables-nft variant, so UFW's rules end up in the kernel's nftables subsystem without any change on your part. UFW does not read or manage rulesets written directly with the nft command, so keep firewall management in one tool. The commands in this guide apply to all supported Debian releases.
This guide covers installing and configuring UFW on Debian, with practical examples for managing firewall rules effectively.
Install UFW via APT Command
UFW installs directly from Debian’s default repositories. Before installation, update your system to avoid package conflicts:
sudo apt update && sudo apt upgrade
Note that if the Linux kernel was updated, you may need to reboot your system before continuing.
Once your system is updated, you can install UFW by running the following command:
sudo apt install ufw
The installation completes in seconds and you should see output confirming package configuration:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  ufw
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Setting up ufw (0.36.x) ...
Unlike Ubuntu, Debian does not install UFW by default, which is why the package has to be added explicitly.
UFW is now installed but the firewall is not yet active. Before enabling it, configure essential rules to avoid losing access to your system.
Allow SSH Before Enabling UFW
Critical: If you are connected via SSH, allow SSH access before enabling UFW. Enabling UFW without an SSH rule terminates your remote session as soon as the default deny policy takes effect, and you will need console or out-of-band access to recover.
Allow SSH connections through the firewall:
sudo ufw allow ssh
UFW confirms the rule was added for both IPv4 and IPv6:
Rules updated
Rules updated (v6)
If you use a custom SSH port instead of the default port 22, allow that port instead:
sudo ufw allow 2222/tcp
Replace 2222 with your actual SSH port number.
Enable UFW Firewall
With SSH access secured, enable the firewall. UFW blocks all incoming traffic and allows all outbound traffic by default, protecting your system from unauthorized access while permitting normal internet use.
Enable UFW:
sudo ufw enable
When run from an SSH session, UFW first warns that the command may disrupt existing ssh connections and asks you to confirm; answer y. You then receive a confirmation that the firewall is active and will start automatically whenever the system boots:
Firewall is active and enabled on system startup
From this point, every incoming connection that does not match an allow rule is dropped. That includes connections to legitimate services you have not yet allowed, so add rules for them as described in the following sections.
Check UFW Status
After enabling the UFW firewall, verify that the rules are active and correctly configured. Check the status of your firewall using the following command:
sudo ufw status verbose
Running this command will show you the current status of the firewall, including any active rules and the default policies set for incoming and outgoing traffic. Example output:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
This output confirms the firewall is active with secure default policies: incoming connections are blocked while outgoing traffic is permitted.
For a concise, numbered listing of your rules, use the numbered option instead:
sudo ufw status numbered
Each rule is prefixed with a number you can pass to the delete command, which is the easiest way to remove a specific rule. Check the status after every change: a rule that is missing or sits in the wrong position is the usual cause of a service that is unexpectedly unreachable or unexpectedly exposed.
Set UFW Default Policies
UFW's default policy blocks all incoming connections and allows all outgoing connections. Nothing reaches a service until you create a rule for it, while the system itself can still reach package mirrors, DNS and the web. To allow incoming connections, you create rules that permit traffic by port, application profile, source address, or a combination of these.
The defaults can be set explicitly with the following commands, which is useful for restoring them after experimenting with other policies:
Deny all incoming connections:
sudo ufw default deny incoming
Allow all outgoing connections:
sudo ufw default allow outgoing
These are already the defaults after installation. Changing them affects every connection that does not match an explicit rule, so re-check sudo ufw status verbose afterwards.
Block All Outgoing Traffic
Warning: Blocking all outgoing traffic will prevent your system from making any network connections, including DNS lookups, package updates, and web requests. Only use this on systems where you explicitly allow each required outbound service.
To block all outgoing connections:
sudo ufw default deny outgoing
After blocking outgoing traffic, you must explicitly allow each service your system needs. DNS, HTTP and HTTPS are the minimum for apt to keep working; DNS also falls back to TCP for large responses, so allow 53/tcp as well if name resolution becomes unreliable:
sudo ufw allow out 53/udp
sudo ufw allow out 80/tcp
sudo ufw allow out 443/tcp
To restore normal outbound connectivity:
sudo ufw default allow outgoing
The default policies are stored in /etc/default/ufw as DEFAULT_INPUT_POLICY, DEFAULT_OUTPUT_POLICY and DEFAULT_FORWARD_POLICY; the ufw default commands above simply rewrite those lines. You can edit the file directly instead, but such edits take effect only after the firewall is reloaded or disabled and re-enabled.
Configure UFW Application Profiles and Advanced Rules
The following sections cover UFW features beyond the defaults. Most desktop users are well served by blocking incoming and allowing outgoing traffic; servers usually need the application profiles, port rules and address-based rules described next.
View UFW Application Profiles
If you’re interested in learning more about the application profiles available through UFW, you can view them by running the following command:
sudo ufw app list
This will display a list of all the available application profiles. Example output on a fresh Debian install:
Available applications:
  OpenSSH
The list varies with the software installed: the OpenSSH profile comes from the openssh-server package, and web servers like Nginx and Apache add their own profiles when installed.
One helpful feature of UFW application profiles is getting more information about a specific profile. To do this, run the following command:
sudo ufw app info OpenSSH
Expected output showing the application profile details:
Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.

Port:
  22/tcp
Replace OpenSSH with the name of the application you want to learn more about. This command provides a description of the application and the ports it uses, which is helpful when investigating open ports.
Enable IPv6 on UFW
If your Debian system is configured with IPv6, you must ensure that UFW is configured to support IPv6 and IPv4 traffic. By default, UFW should automatically enable support for both versions of IP; however, it’s a good idea to confirm this.
To do so, open the default UFW firewall file using the following command:
sudo nano /etc/default/ufw
Once the file is open, locate the following line:
IPV6=yes
If the value is set to "no", change it to "yes", save the file with CTRL+O and exit with CTRL+X.
After making changes to the file, restart the UFW firewall service:
sudo systemctl restart ufw
UFW now handles both IPv4 and IPv6 traffic and applies new rules to both protocols. For example, sudo ufw allow 80/tcp opens port 80 for IPv4 and IPv6 connections, as the rule confirmation shows:
Rule added
Rule added (v6)
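The default policies and the IPv6 switch discussed above all live in /etc/default/ufw, and a typo there silently weakens the firewall. The following script is an added example for this guide, not part of the original page: it reads the four variables the guide names (DEFAULT_INPUT_POLICY, DEFAULT_OUTPUT_POLICY, DEFAULT_FORWARD_POLICY and IPV6) from the file's text and warns when the posture is weaker than the defaults. The two file contents inside the script are constructed samples; pass a path as the first argument to audit a live system. Edits to the real file only take effect after UFW is reloaded or re-enabled.

```shell
#!/usr/bin/env bash
# Added example for this guide: audit the policy variables in /etc/default/ufw.
# Usage: ./ufw-defaults-audit.sh [/etc/default/ufw]
# Without an argument it audits the constructed samples below.
set -eu

# Print the value of KEY from shell-style KEY=VALUE or KEY="VALUE" text.
# Comment lines are ignored; the last assignment wins, as when the shell
# sources the file. Prints nothing if the key is absent.
ufw_default() {
  local text="$1" key="$2"
  printf '%s\n' "$text" | awk -v k="$key" -F= '
    $0 ~ ("^[ \t]*" k "=") { v = $2; gsub(/^"|"$/, "", v); found = 1 }
    END { if (found) print v }
  '
}

# Print the four policy variables and warn about weak settings.
# Returns the number of warnings, so 0 means the posture matches the guide.
audit_ufw_defaults() {
  local text="$1" key val in_pol fwd_pol v6 problems=0
  for key in DEFAULT_INPUT_POLICY DEFAULT_OUTPUT_POLICY DEFAULT_FORWARD_POLICY IPV6; do
    val=$(ufw_default "$text" "$key")
    printf '%-24s %s\n' "$key" "${val:-<unset>}"
  done
  in_pol=$(ufw_default "$text" DEFAULT_INPUT_POLICY)
  fwd_pol=$(ufw_default "$text" DEFAULT_FORWARD_POLICY)
  v6=$(ufw_default "$text" IPV6)
  case "$in_pol" in
    DROP|REJECT) ;;
    *) echo "WARN: DEFAULT_INPUT_POLICY is '$in_pol'; unsolicited inbound traffic is not blocked"
       problems=$((problems + 1)) ;;
  esac
  case "$fwd_pol" in
    DROP|REJECT) ;;
    *) echo "WARN: DEFAULT_FORWARD_POLICY is '$fwd_pol'; forwarded traffic is not blocked (matters when IP forwarding is on)"
       problems=$((problems + 1)) ;;
  esac
  if [ "$v6" != "yes" ]; then
    echo "WARN: IPV6 is '${v6:-unset}'; the rules you add will not be applied to IPv6 traffic"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Constructed sample mirroring the stock Debian file (comments abbreviated).
SAMPLE_DEFAULT_UFW='# /etc/default/ufw
IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no'

# Constructed sample of a weakened file: inbound accepted, IPv6 unmanaged.
SAMPLE_WEAK_DEFAULT_UFW='IPV6=no
DEFAULT_INPUT_POLICY="ACCEPT"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"'

if [ "$#" -gt 0 ]; then
  audit_ufw_defaults "$(cat "$1")" || echo "$? warning(s) found in $1"
else
  echo "== stock defaults =="
  audit_ufw_defaults "$SAMPLE_DEFAULT_UFW" || echo "$? warning(s)"
  echo "== weakened file =="
  audit_ufw_defaults "$SAMPLE_WEAK_DEFAULT_UFW" || echo "$? warning(s)"
fi
```

The exit status doubles as a count of findings, so the script drops straight into a configuration-management check or a cron job that alerts when it is non-zero.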
Configure SSH Access Rules
SSH (Secure Shell) is crucial for remotely accessing Linux servers. If you have not yet configured SSH on your system, see how to install and enable SSH on Debian. The basic SSH rule was added during initial setup, but this section covers additional SSH configurations.
Change SSH Port
If you change the SSH listening port (configured in /etc/ssh/sshd_config), update UFW rules to match. The correct sequence prevents lockout:
Step 1: Allow the new SSH port before changing the SSH configuration:
sudo ufw allow 3541/tcp
Step 2: Update SSH configuration to use the new port and restart the service.
Step 3: Test the new connection in a separate terminal before closing your current session.
Step 4: Once confirmed working, remove the old port rule:
sudo ufw delete allow 22/tcp
Critical: Never close the old SSH port until you have confirmed the new port works. Keep your current SSH session open while testing the new connection from another terminal.
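The two lockout procedures above (allowing SSH before the first enable, and moving SSH to a new port) come down to one check: every port sshd listens on must have an allow rule before UFW is enabled. The script below is an added example for this guide, not code from the original page. It reads the Port directives from sshd_config text (defaulting to 22, ignoring commented lines and anything under a Match block), looks for a matching ALLOW or LIMIT rule in "ufw status" output, and prints the rules still missing. With --apply it performs the live procedure as root: add the missing rules, arm a five-minute rollback that disables the firewall in case the session is lost, then enable with --force to skip the interactive prompt. The sshd_config and status text embedded in the script are constructed samples; the matching of status lines is a heuristic for the rule spellings this guide produces.

```shell
#!/usr/bin/env bash
# Added example for this guide: enable UFW remotely without locking yourself out.
# Usage: ./ufw-safe-enable.sh              (dry demonstration on constructed samples)
#        sudo ./ufw-safe-enable.sh --apply (live: add missing SSH rules, arm a
#                                          5-minute rollback, then enable)
set -eu

# Print the port(s) sshd listens on, one per line. sshd_config may carry
# several Port lines; with none present the default is 22. Directives after
# a Match block are conditional, so parsing stops at the first one.
sshd_ports() {
  local cfg="$1" ports
  ports=$(printf '%s\n' "$cfg" | awk '
    tolower($1) == "match" { exit }
    tolower($1) == "port"  { print $2 }
  ')
  printf '%s\n' ${ports:-22}
}

# Succeed if "ufw status" text holds an inbound rule admitting the port.
# Heuristic: accepts "22/tcp" (ufw allow ssh or 22/tcp), a bare "22"
# (ufw allow 22) and the OpenSSH profile, which is 22/tcp only; the action
# may be ALLOW or LIMIT (the rate-limited allow created by ufw limit).
status_allows_port() {
  local status="$1" port="$2"
  printf '%s\n' "$status" | awk -v p="$port" '
    ($1 == p || $1 == (p "/tcp") || (p == "22" && $1 == "OpenSSH")) &&
    ($2 == "ALLOW" || $2 == "LIMIT") { found = 1 }
    END { exit !found }
  '
}

# Print the ufw commands still required, one per line, without running them.
missing_ssh_rules() {
  local cfg="$1" status="$2" port
  for port in $(sshd_ports "$cfg"); do
    status_allows_port "$status" "$port" || echo "ufw allow $port/tcp"
  done
}

# Live procedure (root). The rollback disables the firewall after five
# minutes unless you kill it, so confirm a fresh SSH login and then cancel
# it; --force skips UFW's "may disrupt existing ssh connections" prompt.
safe_enable() {
  local cmd
  missing_ssh_rules "$(cat /etc/ssh/sshd_config)" "$(ufw status)" | while read -r cmd; do
    echo "+ $cmd"; $cmd
  done
  nohup sh -c 'sleep 300; ufw disable' >/dev/null 2>&1 &
  echo "Rollback armed (PID $!). After verifying SSH works: kill $!"
  ufw --force enable
}

# Constructed sshd_config: sshd listens on 2222 only (the commented Port 22
# and the Match block must be ignored).
SAMPLE_SSHD_CONFIG='Include /etc/ssh/sshd_config.d/*.conf
#Port 22
Port 2222
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes'

# Constructed "ufw status" output: only 22/tcp and 80/tcp are allowed.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)'

if [ "${1:-}" = "--apply" ]; then
  safe_enable
else
  echo "sshd ports: $(sshd_ports "$SAMPLE_SSHD_CONFIG" | tr '\n' ' ')"
  echo "Rules to add before enabling:"
  missing_ssh_rules "$SAMPLE_SSHD_CONFIG" "$SAMPLE_UFW_STATUS"
fi
```

In the demonstration the sample server listens on 2222 while only 22/tcp is allowed, so the script reports ufw allow 2222/tcp as the rule that must exist before enabling. Do not forget to kill the rollback once you have confirmed access; if it fires, the firewall is switched off.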
Block SSH Access
Warning: Denying SSH blocks remote access until the rule is removed again. Only proceed if you have local console access or another way to reach the server.
To block all SSH connections:
sudo ufw deny ssh
Enable UFW Ports
UFW can allow access to specific ports for applications or services. This section covers how to open HTTP (port 80) and HTTPS (port 443) ports for web servers and how to allow port ranges. If you are setting up a web server, see our guides on installing Nginx on Debian or installing Apache on Debian. For additional web server security, consider pairing UFW with ModSecurity for Apache or Let’s Encrypt SSL certificates for Nginx.
To allow HTTP port 80, you can use any of the following commands. The Nginx profiles exist only once the nginx package is installed; the apache2 package ships equivalent profiles named Apache, Apache Secure and Apache Full.
Allow by application profile:
sudo ufw allow 'Nginx HTTP'
Allow by service name:
sudo ufw allow http
Allow by port number:
sudo ufw allow 80/tcp
Each method produces the same result with confirmation output:
Rule added
Rule added (v6)
To allow HTTPS port 443, you can use any of the following commands:
Allow by application profile:
sudo ufw allow 'Nginx HTTPS'
Allow by service name:
sudo ufw allow https
Allow by port number:
sudo ufw allow 443/tcp
If you want to allow both HTTP and HTTPS ports, you can use the following command:
sudo ufw allow 'Nginx Full'
UFW Allow Port Ranges
You can allow individual ports and port ranges. When opening a port range, specify the protocol. Use TCP for connection-oriented services (web servers, SSH, databases) and UDP for stateless protocols (DNS, VPN, streaming media).
To allow a port range with TCP and UDP protocols, use the following commands:
sudo ufw allow 6500:6800/tcp
sudo ufw allow 6500:6800/udp
Alternatively, you can allow several individual ports in one command by listing them with commas; a protocol is required here too:
sudo ufw allow 6500,6501,6505,6509/tcp
sudo ufw allow 6500,6501,6505,6509/udp
Allow IP-Based Access Control
UFW supports IP-based access control for restricting services to specific networks or hosts. This section covers allowing connections from individual IPs, subnets, and specific network interfaces.
UFW Allow Specific IP Addresses
You can use the following command to allow specific IP addresses to connect to your system. This is useful when you need to allow only specific systems to connect to your server, and you can specify their IP addresses.
sudo ufw allow from 192.168.55.131
UFW confirms the rule:
Rule added
UFW Allow Specific IP Addresses on Specific Port
You can use the following command to allow an IP to connect to a specific port on your system. For instance, if you need to allow an IP to connect to your system’s port 3900, you can use this command:
sudo ufw allow from 192.168.55.131 to any port 3900
Allow Subnet Connections to a Specified Port
You can use the following command to allow connections from a range of IPs in a subnet to a specific port. This is useful when you need to allow connections from a specific range of IPs, and you can specify the subnet to allow connections.
sudo ufw allow from 192.168.1.0/24 to any port 3900
This permits connections from any address in 192.168.1.0/24 (192.168.1.0 through 192.168.1.255) to port 3900.
Allow Specific Network Interface
If you have multiple network interfaces, you can restrict a rule to one of them, for example to expose a service only on an internal interface. Interface names depend on the system (eth2, ens3, enp0s3 and so on); check them with ip link before writing the rule.
sudo ufw allow in on eth2 to any port 3900
The rule then admits connections to port 3900 only when they arrive on that interface; the same port stays closed on every other interface.
Deny Remote Connections on UFW
If you’ve noticed suspicious or unwanted traffic coming from a particular IP address, you can deny connections from that address using UFW. UFW denies all incoming connections by default, but you can create rules to block connections from specific IPs or IP ranges.
For example, to block connections from a single IP address, you can use the following command:
sudo ufw deny from 203.13.56.121
The rule takes effect immediately:
Rule added
If an attacker is using multiple addresses within the same subnet, block the whole subnet by specifying the range in CIDR notation:
sudo ufw deny from 203.13.56.0/24
This command blocks all 256 addresses from 203.13.56.0 to 203.13.56.255.
You can also create rules to deny access to specific ports for the blocked IP or IP range. For example, to block connections from the same subnet to ports 80 and 443, you can use the following commands:
sudo ufw deny from 203.13.56.0/24 to any port 80
sudo ufw deny from 203.13.56.0/24 to any port 443
Two caveats apply. First, UFW appends new rules at the end of the list and evaluates from the top, stopping at the first match, so a deny added after a broader allow for the same port is never reached; check the order with sudo ufw status numbered and use the insert subcommand with position 1 to place the deny ahead of your allow rules. Second, address-based blocking is a stopgap: attackers move to new addresses, and for UDP and ICMP the source address can be forged outright. Treat IP blocking as one layer alongside rate limiting, authentication hardening and patching.
Delete UFW Rules
Deleting rules you no longer need keeps the firewall small and easy to audit. UFW offers two ways to do this. The first is by number: list the rules with their positions by typing:
sudo ufw status numbered
The output displays each rule with a number. Once you have identified the number of the rule you wish to remove, type:
sudo ufw delete [rule number]
For instance, if the rule you want to remove is listed as number 3, run:
sudo ufw delete 3
UFW echoes the rule and asks for confirmation before removing it. Numbers shift after every deletion, so when removing several rules either delete the highest number first or re-run the status command between deletions. The second way is to repeat the rule text after delete, as in the earlier sudo ufw delete allow 22/tcp, which removes the matching rule without needing its number.
Access and View UFW Logs
UFW logs through the kernel's packet logging at the level you select. At the default level, low, it records blocked packets with rate limiting so that a flood cannot fill the disk; this is adequate for most desktop systems, while servers may need a higher level to capture more detail. Review the logs periodically to spot probing or to troubleshoot a service that cannot be reached.
You can set the logging level to low, medium, high or full, or disable it entirely. To set the UFW logging level to low, use the following command:
sudo ufw logging low
Expected output:
Logging enabled
To set UFW logging to medium:
sudo ufw logging medium
To set UFW logging to high:
sudo ufw logging high
To disable logging entirely:
sudo ufw logging off
The logging levels capture different amounts of detail:
- Low: blocked packets that do not match the default policy, plus packets matching rules created with logging enabled; rate limited
- Medium: everything in low, plus allowed packets not matching the default policy, invalid packets, and all new connections; rate limited
- High: everything in medium without rate limiting, plus all other packets with rate limiting
- Full: everything in high with rate limiting removed entirely; use only briefly, as it can fill the log quickly
UFW's log lines are kernel messages tagged [UFW BLOCK], [UFW ALLOW] or [UFW AUDIT]. When rsyslog is installed, UFW's rsyslog configuration files them in /var/log/ufw.log; on a minimal Debian 12 install rsyslog is absent and the entries exist only in the journal, where journalctl -k shows them. With the file present, tail shows recent or live entries; for instance, to view the last 30 lines:
sudo tail -n 30 /var/log/ufw.log
Each entry records the interface (IN=), source and destination addresses (SRC=, DST=), protocol (PROTO=) and ports (SPT=, DPT=), which is enough to see which addresses are probing your system and which ports they are after. Reviewing the logs also helps you understand normal traffic patterns and catch a rule that is blocking something it should not.
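Reading the raw log by eye does not scale once a server is exposed, so the following script is an added example for this guide (not code from the original page) that aggregates [UFW BLOCK] entries: blocked packets per source address, blocked packets per protocol and port, and a list of deny rules for the sources that keep coming back. The rules it emits use insert 1 rather than a plain deny because, as noted in the section on denying remote connections, UFW evaluates rules top to bottom and appends new ones at the end, where an earlier allow would already have matched. The log lines inside the script are constructed samples in the format the kernel emits; the functions take the log text as their first argument, so on a live system call them with "$(sudo cat /var/log/ufw.log)" or, where only the journal exists, "$(sudo journalctl -k --no-pager)".

```shell
#!/usr/bin/env bash
# Added example for this guide: summarise [UFW BLOCK] log entries and turn the
# noisiest sources into deny rules. Functions take the log text as $1, e.g.
#   blocked_sources "$(sudo cat /var/log/ufw.log)" 22
set -eu

# Count blocked packets per source address, optionally for one destination
# port. Output lines are "<count> <src>", busiest first.
blocked_sources() {
  local log="$1" dport="${2:-any}"
  printf '%s\n' "$log" | awk -v want="$dport" '
    /\[UFW BLOCK\]/ {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && (want == "any" || dpt == want)) count[src]++
    }
    END { for (s in count) print count[s], s }
  ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Count blocked packets per protocol/port to see what is being probed.
# ICMP carries no destination port and is reported simply as "ICMP".
probed_ports() {
  local log="$1"
  printf '%s\n' "$log" | awk '
    /\[UFW BLOCK\]/ {
      proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      key = (dpt == "") ? proto : (proto "/" dpt)
      if (proto != "") count[key]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Emit a deny rule for every source at or above the threshold. The rule is
# inserted at position 1 rather than appended: UFW stops at the first match,
# so a deny appended after "allow 80/tcp" would never see that address's
# traffic to port 80.
suggest_denies() {
  local log="$1" threshold="$2"
  blocked_sources "$log" any | awk -v t="$threshold" '$1 >= t { print "ufw insert 1 deny from " $2 }'
}

# Constructed sample in the kernel's netfilter log format (RFC 5737 addresses).
# The last line is an ALLOW entry from logging level medium and must be ignored.
SAMPLE_LOG='Dec  5 12:00:01 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=40001 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Dec  5 12:00:02 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=40002 DF PROTO=TCP SPT=40002 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Dec  5 12:00:03 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=40003 DF PROTO=TCP SPT=40003 DPT=5432 WINDOW=65535 RES=0x00 SYN URGP=0
Dec  5 12:00:04 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=55501 DF PROTO=TCP SPT=55501 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  5 12:00:05 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=129 TOS=0x00 PREC=0x00 TTL=48 ID=55502 DF PROTO=UDP SPT=53301 DPT=1900 LEN=109
Dec  5 12:00:06 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.0.2.99 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=12 DF PROTO=ICMP TYPE=8 CODE=0 ID=9001 SEQ=1
Dec  5 12:00:07 web01 kernel: [UFW ALLOW] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=55503 DF PROTO=TCP SPT=55503 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0'

echo "== blocked packets per source (any port) =="
blocked_sources "$SAMPLE_LOG"
echo "== blocked packets per protocol/port =="
probed_ports "$SAMPLE_LOG"
echo "== suggested rules (2 or more blocked packets) =="
suggest_denies "$SAMPLE_LOG" 2
```

Review the suggestions before pasting them into a root shell: a source that tripped a handful of blocks may be a misconfigured monitoring host rather than an attacker, and a deny placed at position 1 overrides every allow rule for that address.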
Test UFW Rules Before Applying
The --dry-run flag previews changes without applying them, which is useful on critical systems where a mistake could cause a lockout or service disruption.
Test firewall state changes:
sudo ufw --dry-run enable
Test adding a rule:
sudo ufw --dry-run allow 8080/tcp
The output shows the iptables rules that would be written, without modifying your active firewall configuration. Review it, then run the same command without --dry-run to apply the change.
Reset UFW Rules
Warning: Resetting UFW deletes ALL firewall rules, including your SSH rule, and leaves the firewall disabled. Your current SSH session survives, but the system is unprotected until you re-add rules and enable UFW again, and if you enable before re-adding the SSH rule you will lock yourself out. Keep the session open and re-add SSH first.
To reset your firewall back to its original state with all rules removed:
sudo ufw reset
UFW prompts for confirmation and backs up existing rules:
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Backing up 'user.rules' to '/etc/ufw/user.rules.20251205_120000'
Backing up 'before.rules' to '/etc/ufw/before.rules.20251205_120000'
Backing up 'after.rules' to '/etc/ufw/after.rules.20251205_120000'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20251205_120000'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20251205_120000'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20251205_120000'
Verify the reset completed:
sudo ufw status
Status: inactive
After a reset, UFW is inactive and all rules are cleared. If you need to restore your previous configuration, the backup files are stored in /etc/ufw/ with timestamps. To re-enable the firewall, first allow SSH access, then enable UFW:
sudo ufw allow ssh
sudo ufw enable
Scan for Open Ports with Nmap
Your system's security should be a top priority, and one way to ensure it is to check for open ports regularly. UFW blocks all incoming connections by default, but ports may be opened inadvertently or for legitimate reasons, and you should know which ports are reachable and why.
One way to check is Nmap, a well-known and trusted network scanner. Run the scan from a different machine on the network: a scan launched on the server itself travels over the loopback interface, which UFW always accepts, so it shows every listening service as open regardless of your rules. Install Nmap on the scanning machine:
sudo apt install nmap
On the server, find its address:
hostname -I
Example output:
192.168.50.45
From the scanning machine, scan that address:
nmap 192.168.50.45
Nmap lists the ports that are reachable through the firewall. Example output:
Starting Nmap 7.x ( https://nmap.org )
Nmap scan report for 192.168.50.45
Host is up (0.00012s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
The "filtered" ports are those UFW dropped without replying. If a port is open that you do not recognise, identify the process behind it on the server with ss -tulpn before closing or blocking it; doing so blindly may break services or lock you out of your system.
Based on the information in this tutorial, you can then create UFW rules to close or restrict those ports. Make sure you do not block legitimate traffic before implementing changes.
Disable or Remove UFW
Temporarily Disable or Permanently Remove UFW
UFW is a valuable tool for managing firewall rules and securing your Debian system. However, there may be situations where you need to disable or remove it.
Warning: Disabling UFW allows all network traffic through your system. Only disable the firewall temporarily for troubleshooting and re-enable it as soon as possible.
To disable UFW temporarily:
sudo ufw disable
Expected output:
Firewall stopped and disabled on system startup
Your firewall rules are preserved. To re-enable UFW:
sudo ufw enable
Remove UFW
To remove UFW from your system completely, first disable it and flush any remaining iptables rules:
sudo ufw disable
sudo ufw reset
Remove the package (use purge instead of remove if you also want the configuration under /etc/ufw deleted):
sudo apt remove ufw
sudo apt autoremove
Refresh the package cache and verify removal:
sudo apt update
apt-cache policy ufw
Expected output confirming UFW is not installed:
ufw:
Installed: (none)
Candidate: 0.36.2-1
Version table:
0.36.2-1 500
500 http://deb.debian.org/debian bookworm/main amd64 Packages
Removing UFW altogether from your system may leave it vulnerable to external attacks. Unless you have a solid alternative to manage your system’s firewall or understand how to use iptables, do not remove UFW.
Therefore, before removing UFW, ensure you have an alternative solution to maintain your system’s security and prevent unauthorized access. If you prefer a zone-based approach, consider installing firewalld on Debian as an alternative. For mandatory access control beyond network filtering, explore SELinux on Debian to enforce security policies at the kernel level.
Troubleshoot Common UFW Issues
Locked Out After Enabling UFW
If you enabled UFW on a remote server without allowing SSH first, you cannot connect remotely. Access the server through a local console or recovery mode, then allow SSH:
sudo ufw allow ssh
sudo ufw reload
Verify the rule appears in the status output:
sudo ufw status numbered
UFW Conflicts with Docker
Docker programs iptables itself. Published container ports are handled by NAT in the PREROUTING chain and accepted in the FORWARD chain, while UFW's rules for incoming traffic live in the INPUT chain, which forwarded packets never traverse. Container ports therefore stay reachable from external networks even when ufw status suggests they are blocked.
Do not set "iptables": false in Docker's daemon.json. It stops Docker from touching iptables, but it also breaks container networking: Docker no longer creates the NAT and forwarding rules, so published ports and outbound masquerading stop working unless you rebuild every rule by hand.
The recommended approach uses the DOCKER-USER chain, which Docker jumps to from FORWARD before any of its own rules, so whatever you put there is evaluated first. UFW can manage that chain if you append a second *filter section to the end of /etc/ufw/after.rules, after the file's existing COMMIT line:
sudo nano /etc/ufw/after.rules
Append the following block at the end of the file:
*filter
:DOCKER-USER - [0:0]
# Replies to connections the containers opened themselves
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
# Private ranges used by Docker's own networks; adjust if yours differ
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16
# Drop new inbound TCP connections from everywhere else
-A DOCKER-USER -p tcp -m tcp --syn -j DROP
-A DOCKER-USER -j RETURN
COMMIT
This configuration admits Docker's internal networks and reply traffic while dropping new TCP connections to container ports from outside. It covers TCP only; a UDP port published by a container remains reachable until you add a matching rule. Adjust the IP ranges if your Docker networks use different subnets, and reload UFW after changes:
sudo ufw reload
For detailed Docker networking and firewall configuration, see the official Docker iptables documentation.
Rules Not Taking Effect
Rules added with the ufw command take effect immediately while the firewall is active; a reload is only needed after editing files under /etc/ufw, such as after.rules:
sudo ufw reload
If a rule still does not behave as expected, check the order with sudo ufw status numbered. UFW evaluates rules top to bottom and stops at the first match, and new rules are appended at the end, so a deny added after a broader allow is never reached (and the reverse). Delete the conflicting rule and recreate it, or use the insert subcommand to place it at a specific position.
Conclusion
UFW now protects your Debian system with configured default policies, application-specific port rules, IP-based access controls, and logging enabled for security monitoring. The firewall blocks unauthorized incoming connections while allowing legitimate services like SSH, HTTP, and HTTPS to function normally. Strengthen your security posture further by installing Fail2ban to automatically block IP addresses after repeated failed login attempts, or add ModSecurity for web application firewall protection on Apache servers.
Thank you