Set up a firewall in Ubuntu using ufw

There are two types of firewalls available in Linux: packet filtering firewalls and proxy-based firewalls. Most Linux users set up a basic firewall with packet filtering, because the packet filtering framework already ships with Linux by default.

The Linux kernel comes with a framework called netfilter. Netfilter is used to inspect and manipulate incoming and outgoing traffic on a Linux system. You can use the locate command to find the netfilter files on your system, as in the example below:

[email protected]:~$ locate netfilter

However, netfilter by itself does nothing until it is configured. For that, Linux has iptables, a command line interface for creating and managing rules. Netfilter consults those rules to accept or reject incoming and outgoing packets on the system.

Ubuntu ufw configuration

ufw is a user friendly front end for configuring the firewall on an Ubuntu system. It is an alternative for users who find iptables difficult to use. ufw stands for uncomplicated firewall. Here is part of the ufw manual page:

ufw - program for managing a netfilter firewall

This program is for managing a Linux firewall and aims to provide an easy to use interface for the user.

ufw [--dry-run] enable|disable

ufw [--dry-run] default allow|deny

ufw [--dry-run] logging on|off

ufw [--dry-run] status

ufw [--dry-run] [delete] allow|deny PORT[/protocol]

ufw [--dry-run] [delete] allow|deny [proto protocol] [from ADDRESS [port PORT]]
[to ADDRESS [port PORT]]

ufw is not enabled by default. Check the ufw status with this command:

[email protected]:~$ sudo ufw status
Firewall not loaded
[email protected]:~$

To use ufw to configure rules for Ubuntu firewall, we need to enable it. Here's the command to enable ufw:

[email protected]:~$ sudo ufw enable
[sudo] password for luzar:
Firewall started and enabled on system startup
[email protected]:~$

To disable ufw, use this command:

[email protected]:~$ sudo ufw disable
Firewall stopped and disabled on system startup
[email protected]:~$

To add a firewall rule, use the ufw allow command. Make sure ufw is enabled before running it. Here is an example that adds a rule allowing the ssh service:

[email protected]:~$ sudo ufw allow ssh
Rule added
[email protected]:~$ sudo ufw status verbose
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere
22:udp                     ALLOW   Anywhere

[email protected]:~$

We can also use the --dry-run option to preview the rules that would be applied. The --dry-run option does not modify anything; it only shows the changes, printed as the iptables rules that ufw would load. Here is an example:

[email protected]:~$ sudo ufw --dry-run allow http
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
### RULES ###

### tuple ### allow any 22 any
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -j ACCEPT

### tuple ### allow tcp 80 any
-A ufw-user-input -p tcp --dport 80 -j ACCEPT

### END RULES ###
-A ufw-user-input -j RETURN
-A ufw-user-output -j RETURN
-A ufw-user-forward -j RETURN
Rules updated
[email protected]:~$

Here are the other commands that you can use with ufw:

Usage: ufw COMMAND

enable                  Enables the firewall
disable                 Disables the firewall
default ARG             set default policy to ALLOW or DENY
logging ARG             set logging to ON or OFF
allow|deny RULE         allow or deny RULE
delete allow|deny RULE  delete the allow/deny RULE
status                  show firewall status
version                 display version information

You should enable firewall logging so that you can review what the firewall has blocked and allowed on your system. To enable logging with ufw, use this command:

[email protected]:~$ sudo ufw logging on
Logging enabled
[email protected]:~$
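The commands above (default policy, allow ssh, logging, enable) form one procedure that is easy to get wrong on a remote machine, where a default deny policy without an ssh rule locks you out. The script below is an added example, not from the original article: it applies that baseline in one function and refuses to enable the firewall unless an ssh rule was requested. The UFW_CMD variable is an assumption of this script, not a ufw feature; set it to "echo" to preview the commands instead of running them (the default "sudo ufw" needs root). The article enables ufw before adding rules; current ufw also accepts rules while disabled and applies them on enable, which is the order used here.

```shell
#!/bin/sh
# Added example (not the article's own code): a repeatable ufw baseline.
# Policy: deny inbound by default, allow the listed services, turn logging on,
# then enable. UFW_CMD is an assumption of this script: "echo" previews the
# commands, the default "sudo ufw" runs them for real.

ufw_baseline() {
    ufw="${UFW_CMD:-sudo ufw}"

    # Lock-out guard for remote administration: do not turn on a default
    # deny policy unless an ssh rule is among the requested services.
    case " $* " in
        *" ssh "*|*" 22 "*|*" 22/tcp "*) ;;
        *) echo "ufw_baseline: no ssh rule requested, refusing to enable" >&2
           return 1 ;;
    esac

    # "ufw default deny" sets the incoming policy (the form shown in the
    # article's usage text). Stop at the first failing command.
    $ufw default deny || return 1
    for svc in "$@"; do
        $ufw allow "$svc" || return 1
    done
    $ufw logging on || return 1
    $ufw enable
}

# Preview the commands without changing anything:
#   UFW_CMD=echo ufw_baseline ssh http
# Apply for real (needs root):
#   ufw_baseline ssh http
```

Run the preview form first on any host you reach over ssh; the guard only checks that you asked for an ssh rule, it cannot know whether that rule matches the port your sshd actually listens on.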

Firewall logs can be found in /var/log/kern.log, /var/log/syslog and /var/log/messages.
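Reading those logs by hand gets tedious quickly, so as an added example (not from the original article) here is a small shell function that summarises the dropped packets ufw records with its "[UFW BLOCK]" prefix, grouped by protocol, destination port and source address. The log lines embedded in the script are constructed sample data in the netfilter log format; point the function at /var/log/kern.log on a real system.

```shell
#!/bin/sh
# Added example (not the article's own code): summarise "[UFW BLOCK]" entries
# from kern.log so a defender can see which ports and sources are being
# probed. The sample below is constructed data in the netfilter log format.

SAMPLE_KERN_LOG='Mar  1 10:00:01 ubuntu kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 10:00:02 ubuntu kernel: [ 1235.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 10:00:03 ubuntu kernel: [ 1236.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Mar  1 10:00:04 ubuntu kernel: [ 1237.000000] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.20 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  1 10:00:05 ubuntu kernel: [ 1238.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51236 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0'

# Read log text on stdin; print "COUNT PROTO DPT SRC", most frequent first.
# Packets without a destination port (e.g. ICMP) are counted under DPT "-".
summarize_ufw_blocks() {
    grep -F '[UFW BLOCK]' |
    awk '{
        proto = ""; dpt = "-"; src = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^SRC=/) src = substr($i, 5)
        }
        if (proto != "") count[proto " " dpt " " src]++
    }
    END { for (k in count) print count[k], k }' |
    sort -k1,1nr -k2
}

# On a real host (needs root to read the log):
#   sudo cat /var/log/kern.log | summarize_ufw_blocks
# On the constructed sample:
printf '%s\n' "$SAMPLE_KERN_LOG" | summarize_ufw_blocks
```

Only [UFW BLOCK] lines are counted; [UFW ALLOW] and [UFW AUDIT] entries that appear at higher logging levels are skipped, so the output is a view of what the default deny policy actually dropped.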
