Ugacomp

How to install and configure UFW firewall on Ubuntu Linux

UFW stands for Uncomplicated Firewall. It is a front end for managing the host firewall on Linux distributions, and it regulates both incoming and outgoing traffic based on rules such as port numbers, protocols, or IP address ranges. This means you can use UFW to determine which ports, protocols, or IP addresses are allowed to send requests to the server, and which destinations the server itself may reach.

Incoming & Outgoing traffic and the role of UFW Firewall

It’s important to first understand what incoming and outgoing traffic means as you’re likely to use these two terms more often, especially when setting up UFW firewall on your server.

Now in the context of server computing and firewalls, incoming traffic also known as inbound traffic refers to data that is being sent from a source outside of the server or network and is destined for a resource located within the server or network. This can include requests for web pages, incoming emails, or data from other servers.

On the other hand, outgoing traffic also known as outbound traffic refers to data that is being sent from a resource within the server or network and is destined for a destination outside of the server or network. This can include data being sent to a remote server, outgoing email, or data being sent to a user accessing a web page.

As we said at the beginning of this article, firewalls filter incoming and outgoing traffic based on a set of predefined rules. For example, a firewall may be configured to block all incoming traffic except web requests on port 80, or to allow outgoing traffic only to certain IP addresses or ports.

How to install ufw on Ubuntu

In most cases, UFW comes preinstalled on Ubuntu. To check whether it is running on the system, run the following command:

service ufw status

If UFW firewall is running on your server, then you will be able to see something like this on your terminal:

 ufw.service - Uncomplicated firewall
     Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
     Active: active (exited) since Mon 2023-04-03 08:43:06 UTC; 1 weeks 3 days ago
       Docs: man:ufw(8)
    Process: 442 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/SUCCESS)
   Main PID: 442 (code=exited, status=0/SUCCESS)

Now, assuming UFW isn’t installed on your server or your Ubuntu machine, you can run the following commands to install it;

sudo apt update
sudo apt install ufw

Setting up SSH with UFW Firewall

It is generally recommended to first allow SSH traffic through UFW firewall before you do anything. This is to ensure that you’re not locked out of your server should anything go wrong.

There are two ways to allow SSH traffic through UFW:

  • Using the port number: SSH listens on port 22 by default, so the following command allows it through UFW:

sudo ufw allow 22

  • Using the service name: the same rule can be written with the service name that maps to port 22, as in the command below:

sudo ufw allow ssh

Allowing Custom SSH Port

As we know, the default SSH port is 22, but you may have configured SSH to listen on a custom port instead. Let’s say the custom SSH port you’ve set is 2222. You then have to allow that port through UFW just like any other port, using the following command:

sudo ufw allow 2222

Allow only specific IP addresses to connect to SSH

Whitelisting only specific IP addresses to establish an SSH connection to your server could be an extra layer of security. For example, if you wanted to allow SSH traffic from IP addresses like 192.168.1.100 and 192.168.1.101 only, you can run the following commands;

sudo ufw allow from 192.168.1.100 to any port 22 
sudo ufw allow from 192.168.1.101 to any port 22 

It’s important to note that rules which whitelist only specific IP addresses are delicate: once they are the only rules admitting port 22, you will be able to SSH into your server only from the addresses you’ve defined, so make sure the address you are connecting from is on the list. Also note that these rules only restrict access if no broader rule such as allow 22 already admits port 22 from anywhere. You must know what you’re doing if you choose this firewall configuration on your server.

Deny SSH access to the server

On the other hand, if you wanted to totally deny SSH traffic to the server, then we can just run the following command;

sudo ufw deny 22

In the same way, we can also deny SSH access by just defining the SSH service parameter as seen in the following command;

sudo ufw deny ssh

Alternatively, you can also blacklist specific IP addresses from having SSH access to your server using the following command,

sudo ufw deny from 192.168.1.100 to any port 22
sudo ufw deny from 192.168.1.101 to any port 22

Setting UFW for default incoming and Outgoing traffic

Now that we’ve allowed SSH through UFW firewall, we can go ahead and deny any incoming traffic by default unless “specific rules” are added to allow it. On the other hand, outgoing traffic will be allowed by default, which means any application on the system will be able to initiate outbound connections without the need for explicit rules.

For example, if you have a web server running on your machine, it won’t be accessible from outside the network by default as incoming traffic is denied. However, the web server can make outgoing requests to other servers on the internet without any restrictions.

When we deny incoming traffic by default, we block any unsolicited network traffic from reaching our system. This reduces the exposure to port scanning, network reconnaissance, and denial-of-service attempts against services that were never meant to be public, and ensures that the system is reachable only through the services and protocols we have explicitly allowed. It also gives us better control over what traffic may reach the system, minimizing the potential for security vulnerabilities and exploits.

To deny default incoming and allow default outgoing traffic, we can use the following commands;

sudo ufw default deny incoming
sudo ufw default allow outgoing

Enabling UFW

When you enable UFW, it will block all incoming traffic by default, except for the traffic that is explicitly allowed by the rules. This is why it’s important to first allow SSH access through the firewall before attempting other steps. Now, to enable UFW firewall on Ubuntu, you have to run the following command;

sudo ufw enable

After enabling UFW, you can now run the following command to see if it’s active:

sudo ufw status verbose
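The steps above (allow SSH, set the defaults, enable, check status) are easy to get out of order on a remote host. The following script is an added example, not code from the article: it queues the rules in the recommended order and refuses to run ufw enable unless an allow rule for the SSH port is already queued. It assumes that ufw show added prints one queued rule per line in the form ufw allow ..., and it defaults to a dry run that only echoes the commands; set UFW="sudo ufw" on a real host to apply them.

```shell
#!/bin/sh
# Added example (not part of the original article): apply the rules in the
# order the article recommends, and refuse to enable the firewall unless an
# allow rule for the SSH port has been queued. UFW defaults to a dry run that
# only echoes commands; set UFW="sudo ufw" on a real host.
UFW=${UFW:-"echo ufw"}
SSH_PORT=${SSH_PORT:-22}

# Queue the SSH rule first, then the defaults (deny incoming, allow outgoing).
stage_rules() {
    $UFW allow "$SSH_PORT/tcp"
    $UFW default deny incoming
    $UFW default allow outgoing
}

# Read the text of "ufw show added" on stdin (assumed format: one rule per
# line, written as "ufw allow ...") and return 0 if any allow rule admits
# the SSH port, whether written as a number or as the "ssh" service name.
has_ssh_allow_rule() {
    grep -E '^ufw allow ' | grep -Eq "(^| )($SSH_PORT|ssh)(/tcp)?( |\$)"
}

# $1 is the text of "ufw show added". Enable only if the guard passes;
# --force skips ufw's interactive "may disrupt existing ssh connections" prompt.
enable_if_ssh_allowed() {
    if printf '%s\n' "$1" | has_ssh_allow_rule; then
        $UFW --force enable
        $UFW status verbose
        return 0
    fi
    echo "refusing to enable: no allow rule for SSH port $SSH_PORT is queued" >&2
    return 1
}

stage_rules
# Constructed sample of "ufw show added" output for the dry run; on a real
# host pass "$(sudo ufw show added)" instead.
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp"
enable_if_ssh_allowed "$SAMPLE_ADDED"
```

If SSH runs on a custom port, run the script with SSH_PORT=2222 so both the queued rule and the guard use that port; a leftover allow 22 rule will not satisfy the guard in that case.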

Allowing default Ports and Protocols

You should know that there are a total of 65,535 network ports. These ports are identified by numbers ranging from 0 to 65535, and a number of them have been assigned to well-known default services.

So, you can use UFW firewall to allow traffic to and from any port assigned to a particular service. Here is how:

Open HTTP on port 80

HTTP stands for Hypertext Transfer Protocol, the protocol web servers use to receive and respond to unencrypted client requests for web pages and files. HTTP is assigned port 80 as its default port. This means that whenever you install a web server like Apache or Nginx, you have to open port 80 so traffic can pass through. We can achieve this with UFW by running the following command:

sudo ufw allow 80

Alternatively, you can also use the following command, and it will work just in the same way as the first one above:

sudo ufw allow http

Open HTTPS on Port 443

HTTPS is the encrypted version of HTTP and stands for Secure Hypertext Transfer Protocol. It is the protocol web servers use to receive and respond to encrypted client requests for web pages. Sensitive data such as passwords or credit card details travels over HTTPS on the internet. By default, HTTPS is assigned port 443.

This means that if you have configured a web server and want it to accept encrypted HTTPS traffic, you have to open port 443. We can achieve this with UFW by running the following command:

sudo ufw allow 443

Or you can just use the service name instead of its port number using the following command:

sudo ufw allow https

Other Ports and services

Obviously, we can’t exhaust and configure the entire list of ports and their default services. You can only open and configure ports through the firewall when you need to use services attached to them. And for your reference, here is a table containing some of the commonly used default ports and their corresponding services:

Port   Assigned Service         Description
----   ----------------         -----------
20     FTP Data                 File Transfer Protocol (FTP) data transfer
21     FTP Control              File Transfer Protocol (FTP) control
22     SSH                      Secure Shell (SSH) remote login protocol
23     Telnet                   Telnet remote terminal protocol
25     SMTP                     Simple Mail Transfer Protocol (SMTP) email transfer
53     DNS                      Domain Name System (DNS) name resolution
67     DHCP Server              Dynamic Host Configuration Protocol (DHCP) server
68     DHCP Client              Dynamic Host Configuration Protocol (DHCP) client
80     HTTP                     Hypertext Transfer Protocol (HTTP) web server
110    POP3                     Post Office Protocol version 3 (POP3) email retrieval
119    NNTP                     Network News Transfer Protocol (NNTP) news retrieval
123    NTP                      Network Time Protocol (NTP) time synchronization
143    IMAP                     Internet Message Access Protocol (IMAP) email retrieval
161    SNMP                     Simple Network Management Protocol (SNMP) network management
194    IRC                      Internet Relay Chat (IRC) chat protocol
443    HTTPS                    HTTP Secure (HTTPS) web server
465    SMTPS (SMTP over SSL)    Simple Mail Transfer Protocol (SMTP) over SSL encrypted email transfer
587    SMTP Submission          SMTP Submission email submission protocol
993    IMAPS (IMAP over SSL)    Internet Message Access Protocol (IMAP) over SSL encrypted email retrieval
995    POP3S (POP3 over SSL)    Post Office Protocol version 3 (POP3) over SSL encrypted email retrieval
3389   RDP (Remote Desktop)     Remote Desktop Protocol (RDP) remote access and control of Windows-based systems over the network

There are many more default ports assigned to specific protocols and services than can be listed here; the IANA service name and port number registry is the authoritative reference for them.

Allowing Specific Port ranges

When setting up Uncomplicated Firewall (UFW), you can also specify a port range to allow or block traffic to or from specific ports.

A port range is a set of consecutive port numbers, such as 8000-9000, which allows traffic to pass through all ports within that range. You may need to open a port range when you want to allow incoming or outgoing network traffic to a range of ports, rather than just a single port. This can be useful for applications or services that require access to multiple ports to function properly.

So, you can use UFW to allow a specific port range. To do this, you also need to specify the protocol, TCP or UDP, to which the rule applies.

Configuring Port range for incoming traffic

The following rule will open the port range 6000-6007 for incoming TCP traffic:

sudo ufw allow 6000:6007/tcp

If it is incoming UDP traffic, then this is the rule you would use;

sudo ufw allow 6000:6007/udp

Configuring the Port range for outgoing traffic

The following rule will open the port range 100-200 for outgoing TCP traffic:

sudo ufw allow out 100:200/tcp

Allowing Specific IP Addresses

Just as we did for SSH, we can use UFW to allow connections to the server from specified IP addresses only. For example, the following rule whitelists the IP address 203.0.113.4 through the firewall:

sudo ufw allow from 203.0.113.4

You can also specify which port number a whitelisted IP address is allowed to connect to using a rule like this one:

sudo ufw allow from 203.0.113.4 to any port 22

This means that this IP address: 203.0.113.4 is only allowed to connect to port 22 which is the default port for SSH.

Whitelisting Subnets

A subnet is a range of IP addresses. This means that you can define a particular subnet and whitelist it through UFW firewall. Let’s assume you want to whitelist this Subnet 203.0.113.0/24, here is the rule you would use:

sudo ufw allow from 203.0.113.0/24

Similarly, you can define a specific port to which you want a particular subnet to connect to. In this example, we’re assuming you want your subnet to connect to port 22 which is the default port for SSH. Here is the rule you would apply:

sudo ufw allow from 203.0.113.0/24 to any port 22
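The caution given earlier about whitelisting SSH addresses applies equally to subnets: the lockout risk is that the address you are connected from is not covered by any entry. The following script is an added example, not code from the article, that performs that check before issuing the allow from ... to any port 22 rules. It assumes IPv4 only, takes the session address from the first field of the SSH_CONNECTION environment variable on a real host, and defaults to a dry run that echoes the commands; set UFW="sudo ufw" to apply them.

```shell
#!/bin/sh
# Added example (not part of the original article): check that the address
# you are connected from is covered by an SSH whitelist before applying it.
# UFW defaults to a dry run that only echoes the commands; set UFW="sudo ufw"
# on a real host to apply them.
UFW=${UFW:-"echo ufw"}

# Return 0 if $1 is a well-formed dotted-quad IPv4 address.
is_ipv4() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Return 0 when address $1 lies inside $2, where $2 is either a single
# address (203.0.113.4) or a CIDR subnet (203.0.113.0/24); 2 on bad input.
ip_in_range() {
    addr=$1
    case "$2" in
        */*) net=${2%/*}; prefix=${2#*/} ;;
        *)   net=$2; prefix=32 ;;
    esac
    is_ipv4 "$addr" || return 2
    is_ipv4 "$net" || return 2
    case "$prefix" in ''|*[!0-9]*) return 2 ;; esac
    [ "$prefix" -le 32 ] || return 2
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$addr") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Return 0 only if at least one whitelist entry ($2...) covers the session
# address $1, so that applying the whitelist cannot lock this session out.
whitelist_covers_session() {
    session_ip=$1; shift
    for entry in "$@"; do
        if ip_in_range "$session_ip" "$entry"; then
            return 0
        fi
    done
    return 1
}

# Add "allow from <entry> to any port <port>" for every entry, but only after
# the coverage check passes.
apply_ssh_whitelist() {
    port=$1; session_ip=$2; shift 2
    if ! whitelist_covers_session "$session_ip" "$@"; then
        echo "refusing: $session_ip is not covered by the whitelist" >&2
        return 1
    fi
    for entry in "$@"; do
        $UFW allow from "$entry" to any port "$port"
    done
}

# Dry run with constructed values. On a real host the session address comes
# from the SSH environment:
#   apply_ssh_whitelist 22 "${SSH_CONNECTION%% *}" 192.168.1.100 192.168.1.101
apply_ssh_whitelist 22 203.0.113.77 192.168.1.100 203.0.113.0/24
```

The check only guards the session you are running it from; if you administer the server from several networks, list each of them, and remember that a broader allow 22 rule added earlier still admits port 22 from anywhere regardless of these entries.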

Allowing specific Network Interfaces

The network interface allows the server to send and receive data over a network, and it typically has a unique identifier called a Media Access Control (MAC) address. It can be a physical hardware device, such as a network card or Ethernet adapter, or it can be a virtual interface created by the virtualization software, especially in the VPS environment.

Now, it is possible to set up a firewall rule that only applies to a specific network interface. To do this, start by listing the network interfaces on your system. For example, you can use this command on your Linux system to see which interfaces you have:

ip addr

Once you run the command above, your network interfaces will be listed as seen below;

Output Excerpt
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
. . .
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
. . .

In our case, we see that we have two network interfaces named eth0 and eth1. We can use any of these interfaces to allow specific traffic connections.

Let’s say we wanted to use a Network Interface named eth0 to allow incoming HTTP traffic through port 80, here is the UFW firewall rule we would use:

sudo ufw allow in on eth0 to any port 80

So, you can apply any rule for any port using this same format above.

Denying connections

By default, UFW is set to deny all incoming connections. This makes it easy to harden your system by only creating rules that allow specific ports or IP addresses.

On the other hand, UFW also allows you to deny connections from specific ports, IP addresses, or subnets. To set up any deny rule using UFW, you can just replace allow with deny in the syntax. For example, if you wanted to block HTTP connections to your server, here is the deny rule you would apply;

sudo ufw deny http

When you close HTTP port 80, this means that your web server won’t respond to any request for web pages by clients.

In the same way, you can deny traffic for a specific IP address using a rule like this below:

sudo ufw deny from 203.0.113.4

Deleting UFW Firewall rules

You can either delete UFW rules by number or by the rule itself. What does this mean?

Deleting by rule number

UFW rules are listed by numbers on the system. For example, when you have rules configured on the system, you can list all of them using the following command:

sudo ufw status numbered

And the output on your terminal will look like this below;

Numbered Output:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    15.15.15.0/24
[ 2] 80                         ALLOW IN    Anywhere

We see in this example that we have two UFW rules listed with numbers 1 & 2. Assuming we needed to delete the second rule, we would use its assigned list number: 2 as seen in the following command:

sudo ufw delete 2
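One thing to keep in mind when deleting by number: after sudo ufw delete 2, every rule that came after it moves up one position, so a script that deletes several numbers in ascending order removes the wrong rules. The following script is an added example, not code from the article: it parses the sudo ufw status numbered output, collects the numbers of the rules matching a pattern, and deletes them highest first. The sample status text is constructed for the dry run; on a real host pass "$(sudo ufw status numbered)" and set UFW="sudo ufw".

```shell
#!/bin/sh
# Added example (not part of the original article): delete rules by number
# without the numbers shifting underneath you. After "ufw delete 2" every
# later rule moves up one position, so when several rules match, delete the
# highest number first. UFW defaults to a dry run; set UFW="sudo ufw" on a
# real host.
UFW=${UFW:-"echo ufw"}

# Read "ufw status numbered" output on stdin and print, highest first, the
# numbers of the rules whose line matches the extended regex in $1.
matching_rule_numbers() {
    grep -E '^\[ *[0-9]+\]' | grep -E "$1" | sed -E 's/^\[ *([0-9]+)\].*/\1/' | sort -rn
}

# Delete every rule matching regex $1, given the status text in $2 (pass
# "$(sudo ufw status numbered)" on a real host). --force skips the
# per-rule confirmation prompt.
delete_matching_rules() {
    for n in $(printf '%s\n' "$2" | matching_rule_numbers "$1"); do
        $UFW --force delete "$n"
    done
}

# Constructed sample in the format of "ufw status numbered":
SAMPLE_STATUS="Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    15.15.15.0/24
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22                         DENY IN     203.0.113.4"

# Dry run: drop every rule that allows traffic from anywhere (3, then 2).
delete_matching_rules 'ALLOW IN +Anywhere' "$SAMPLE_STATUS"
```

Re-run sudo ufw status numbered after the deletions and read the list again rather than reusing numbers you noted earlier; they are only valid for the listing they came from.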

Deleting by the actual rule

Alternatively, you can remove UFW rules by specifying the rules themselves. For example, as we know, the rule that opens HTTP is allow http. We can delete this rule using a command like this:

sudo ufw delete allow http

We can also delete the same rule using the Port number instead of using the service name, HTTP. And here is the command we would use;

sudo ufw delete allow 80

Checking UFW status and rules

To check if UFW firewall is active, you can run the following command;

sudo ufw status verbose

UFW firewall is not enabled by default. And so if it’s not configured yet, you’re likely to see something like this on your terminal, indicating that UFW is inactive.

Output
Status: inactive

On the other hand, when UFW is active, you will be able to see the list of all the available rules configured like in this example below;

Output
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere

Disabling or Resetting UFW

If you no longer need to use UFW firewall, you can disable it on the system by running the following command:

sudo ufw disable

This means that all the rules you had previously configured on the system will also be deactivated. You can always re-enable UFW firewall and the previously configured rules will apply again. Here is the command to enable UFW on your system:

sudo ufw enable

On the other hand, if you want to totally reset UFW, erasing all the rules you’ve configured, here is the command you would use (note that reset also disables the firewall, so you will need to add your rules again and run sudo ufw enable afterwards):

sudo ufw reset
