
Uncomplicated Firewall (UFW) is the default firewall configuration tool on Ubuntu and most Debian-based distributions. It offers a simplified interface for managing complex iptables rules, making it more straightforward to control incoming and outgoing traffic.
This article explains the most commonly used UFW commands to help secure your server.
Prerequisites
Before you begin, you need to:
- Have access to a Linux server with UFW installed as a non-root user with sudo privileges.
Check UFW Status
Check the status of the firewall. By default, UFW is active on Vultr Compute instances.
$ sudo ufw status
If the output displays the status as inactive, run the command below to enable UFW.
$ sudo ufw enable && sudo ufw allow ssh
The command above enables UFW and immediately adds a rule that allows SSH, ensuring your current session stays connected.
Manage the Firewall
Enable UFW
Activate the UFW firewall to start enforcing the configured rules.
$ sudo ufw enable
Disable UFW
Disable the firewall to stop enforcing rules.
$ sudo ufw disable
Reset UFW
Delete all existing rules and restore UFW to its default inactive state.
$ sudo ufw reset
Common UFW Configuration Examples
To guard your servers against unauthorized access and reduce exposure to potential threats, it's important to allow only the traffic necessary for your applications. This section demonstrates practical UFW configurations for common server scenarios, helping you build a secure and controlled network environment by explicitly permitting essential services while blocking all other unsolicited connections.
Allow SSH and Deny All Other Inbound Traffic
In this section, you configure UFW to allow only SSH connections and block all other inbound traffic. This setup provides a secure baseline for newly deployed servers that do not yet run public-facing services.
Set the default policies to deny all incoming traffic and allow all outgoing traffic.
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
Allow SSH connections.
$ sudo ufw allow ssh
View the UFW status.
$ sudo ufw status
Output:
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
Allow Web Server Traffic
To host websites or web applications, your server must be accessible over the standard web ports. This configuration allows traffic for the essential web services, HTTP (port 80) and HTTPS (port 443), while blocking all other unsolicited connections.
Allow HTTP traffic.
$ sudo ufw allow http
Allow HTTPS traffic.
$ sudo ufw allow https
View the UFW status.
$ sudo ufw status
Output:
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443                        ALLOW       Anywhere
...
Allow a Specific Port
To expose a specific service running on your server, you can allow traffic on its associated port. This is useful for enabling access to applications like databases, VPNs, or custom services.
To allow traffic on a specific port using the TCP protocol, such as MySQL (port 3306):
$ sudo ufw allow 3306/tcp
The command above allows TCP traffic on port 3306 from any source; if the service only needs to be reachable from known hosts, prefer the per-address rules described in the next section.
To allow traffic on a specific port using the UDP protocol, such as for an OpenVPN server (port 1194):
$ sudo ufw allow 1194/udp
The command above allows UDP traffic on port 1194.
Allow a Specific IP Address
In cases where you want to limit access to specific, trusted sources, such as office networks, VPN gateways, or monitoring systems, you can allow traffic from a specific IP address.
To allow all traffic from a trusted IP:
$ sudo ufw allow from 192.0.2.4
To allow a trusted IP access to a specific port (e.g., SSH):
$ sudo ufw allow from 203.0.113.100 to any port 22
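After building a rule set like the ones above (the SSH baseline, the web ports, extra service ports and per-address rules), the check a practitioner wants is that nothing beyond the intended services is open to the whole Internet. The script below is an added example, not part of this article: it parses the `sudo ufw status` table layout shown above and reports every ALLOW rule whose source is "Anywhere" (IPv4 or IPv6) on a port that is not in your list of intended public services. The sample listing is constructed for the demonstration and deliberately includes a MySQL port exposed to Anywhere; rules restricted to a single address are not flagged.

```shell
#!/bin/sh
# Added example (not from the Vultr article): audit a `ufw status` listing
# against the ports you intend to expose publicly.
# Assumption: the listing uses the table layout `sudo ufw status` prints
# (To / Action / From columns, "(v6)" suffix on IPv6 rows).

# Constructed sample output, in the layout `sudo ufw status` prints.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
22/tcp                     ALLOW       203.0.113.100
22/tcp (v6)                ALLOW       Anywhere (v6)
3306/tcp (v6)              ALLOW       Anywhere (v6)'

# audit_public_rules STATUS_TEXT EXPECTED_PUBLIC
# EXPECTED_PUBLIC is a space-separated list of "To" entries that may be open
# to Anywhere, e.g. "22/tcp 80/tcp 443/tcp".
# Prints one line per unexpected public rule; returns 0 if none, 1 otherwise.
audit_public_rules() {
    status_text=$1
    expected=" $2 "
    # Drop the "(v6)" suffix so every data row splits into To / Action / From,
    # then keep inbound ALLOW rules whose source is Anywhere.
    open_ports=$(printf '%s\n' "$status_text" | sed 's/ (v6)//g' | awk '
        NR > 1 && $2 == "ALLOW" && $3 != "OUT" && $NF == "Anywhere" { print $1 }' | sort -u)
    unexpected=0
    for port in $open_ports; do
        case "$expected" in
            *" $port "*) ;;   # intended public service
            *) echo "UNEXPECTED: $port is open to Anywhere"; unexpected=1 ;;
        esac
    done
    return $unexpected
}

# audit_live EXPECTED_PUBLIC: run the same check against the real firewall.
audit_live() {
    audit_public_rules "$(sudo ufw status)" "$1"
}

# Demo on the constructed sample: only 3306/tcp should be reported.
audit_public_rules "$SAMPLE_STATUS" "22/tcp 80/tcp 443/tcp" || echo "audit found unexpected exposure"
```

Run `audit_live "22/tcp 80/tcp 443/tcp"` on a host (it needs sudo) to compare the live rule set against your intended list; a non-zero exit makes it usable from a cron job or a configuration-management check.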
Delete a UFW Rule
If you no longer need a rule or have added one incorrectly, you can remove it using its rule number.
Run the command below to list all active rules with their numbers:
$ sudo ufw status numbered
Delete a rule using its number. UFW renumbers the remaining rules after each deletion, so re-run the numbered listing before deleting another rule.
$ sudo ufw delete 2
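Deleting by number is easy to get wrong when a service has both an IPv4 and an IPv6 rule: the two entries carry different numbers, and removing the lower-numbered one shifts the other. The script below is an added example, not part of this article: it parses the `sudo ufw status numbered` table and resolves the numbers of every rule whose "To" column matches a given specification, then emits the delete commands from the highest number down so that earlier deletions do not invalidate later ones. The numbered listing is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Vultr article): resolve UFW rule numbers from a
# rule specification and delete them highest-number-first.
# Assumption: the listing uses the layout `sudo ufw status numbered` prints,
# i.e. rows start with "[ N]" or "[NN]" followed by the To / Action / From columns.

# Constructed sample output, in the layout `sudo ufw status numbered` prints.
SAMPLE_NUMBERED='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 3306/tcp (v6)              ALLOW IN    Anywhere (v6)'

# rule_numbers_for NUMBERED_TEXT TO_SPEC
# Prints the rule numbers (IPv4 and IPv6) whose "To" column equals TO_SPEC,
# highest first, so they can be deleted in a safe order.
rule_numbers_for() {
    printf '%s\n' "$1" | sed 's/ (v6)//g' | awk -v want="$2" '
        /^\[/ {
            # "[ 1]" splits into two fields, "[12]" into one.
            if ($1 == "[") { num = $2; to = $3 } else { num = $1; to = $2 }
            gsub(/[^0-9]/, "", num)
            if (to == want) print num
        }' | sort -rn
}

# delete_commands NUMBERED_TEXT TO_SPEC
# Prints the commands that would remove each matching rule, highest number first.
# --force skips the interactive confirmation that `ufw delete` otherwise asks for.
delete_commands() {
    for n in $(rule_numbers_for "$1" "$2"); do
        printf 'sudo ufw --force delete %s\n' "$n"
    done
}

# delete_rules_live TO_SPEC: run the deletions against the real firewall.
delete_rules_live() {
    delete_commands "$(sudo ufw status numbered)" "$1" | sh
}

# Demo on the constructed sample: prints the delete commands for 3306/tcp.
delete_commands "$SAMPLE_NUMBERED" "3306/tcp"
```

When the rule specification is known exactly, UFW can also delete it directly without numbers, for example `sudo ufw delete allow 3306/tcp`; the number-based approach above is for the case where you want to confirm what a number refers to before removing it.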
Conclusion
In this article, you have explored how to secure your Linux server using UFW. You configured default firewall policies, allowed essential services such as SSH and web traffic, opened specific ports and protocols, allowed access from trusted IP addresses, and deleted unwanted firewall rules.