ufw (Uncomplicated Firewall)
ufw (Uncomplicated Firewall) is a simplified firewall management tool included by default in Ubuntu-based Linux distributions. It wraps the low-level iptables command and lets you manage packet filtering rules with intuitive commands such as ufw allow, ufw deny, and ufw status. By default, ufw is inactive, so after configuring your rules you need to run ufw enable to activate it. Before enabling, always add a rule to allow SSH so you do not accidentally cut off your own connection.
Syntax
# -----------------------------------------------
# Enable / Disable ufw
# -----------------------------------------------
# ufw enable
# → Activates the firewall and applies all rules.
# → ufw will also start automatically on the next boot.
# Example: sudo ufw enable
# ufw disable
# → Deactivates the firewall (rules are preserved).
# Example: sudo ufw disable
# ufw reload
# → Reloads the rules (use this after making changes).
# Example: sudo ufw reload
# ufw reset
# → Deletes all rules and returns ufw to its default state.
# → Also runs ufw disable automatically.
# Example: sudo ufw reset
# -----------------------------------------------
# Check status
# -----------------------------------------------
# ufw status
# → Shows whether the firewall is active and lists registered rules.
# Example: sudo ufw status
# ufw status verbose
# → Shows the default policy, registered rules, and logging level in detail.
# Example: sudo ufw status verbose
# ufw status numbered
# → Lists rules with numbers (you can use the numbers to delete rules).
# Example: sudo ufw status numbered
# -----------------------------------------------
# Add rules (allow)
# -----------------------------------------------
# ufw allow {port}
# → Allows incoming connections to the specified port for both TCP and UDP.
# Example: sudo ufw allow 80
# ufw allow {port}/{protocol}
# → Allows connections to the specified port for TCP or UDP only.
# Example: sudo ufw allow 22/tcp
# ufw allow {service name}
# → Allows connections by service name as registered in /etc/services.
# Example: sudo ufw allow ssh
# Example: sudo ufw allow http
# Example: sudo ufw allow https
# ufw allow from {IP address}
# → Allows all incoming connections from the specified IP address.
# Example: sudo ufw allow from 203.0.113.10
# ufw allow from {IP address} to any port {port}
# → Allows connections from the specified IP address to a specific port only.
# Example: sudo ufw allow from 203.0.113.10 to any port 22
# ufw allow from {CIDR}
# → Allows connections from a subnet specified in CIDR notation.
# Example: sudo ufw allow from 192.168.1.0/24
# -----------------------------------------------
# Add rules (deny / reject)
# -----------------------------------------------
# ufw deny {port}
# → Blocks connections silently (does not send an unreachable message to the sender).
# Example: sudo ufw deny 23
# ufw reject {port}
# → Rejects connections and notifies the sender with a rejection message.
# Example: sudo ufw reject 23
# -----------------------------------------------
# Delete rules
# -----------------------------------------------
# ufw delete {rule number}
# → Deletes the rule identified by its number from ufw status numbered.
# Example: sudo ufw delete 3
# ufw delete allow {port}
# → Deletes a rule by specifying it the same way it was added.
# Example: sudo ufw delete allow 80
# -----------------------------------------------
# Rate limiting (brute-force protection)
# -----------------------------------------------
# ufw limit {port}/{protocol}
# → Automatically blocks IP addresses that attempt to connect
# 6 or more times within 30 seconds.
# → Useful for protecting SSH against brute-force attacks.
# Example: sudo ufw limit 22/tcp
# -----------------------------------------------
# Logging
# -----------------------------------------------
# ufw logging {level}
# → Sets the logging level.
# → Levels: off / low / medium / high / full
# Example: sudo ufw logging low
Command reference
| Command | Description |
|---|---|
| ufw enable | Activates the firewall. Rules are also applied automatically on the next boot. |
| ufw disable | Deactivates the firewall. Existing rules are preserved. |
| ufw reload | Reloads the rules to apply any configuration changes. |
| ufw reset | Deletes all rules and restores ufw to its default state. |
| ufw status | Displays whether the firewall is active and lists the registered rules. |
| ufw status verbose | Displays the default policy, registered rules, and logging level in detail. |
| ufw status numbered | Lists rules with numbers. You can use the numbers to specify rules when deleting them. |
| ufw allow {port} | Allows incoming connections to the specified port for both TCP and UDP. |
| ufw allow {port}/{protocol} | Allows connections to the specified port for TCP or UDP only. |
| ufw allow {service name} | Allows connections by service name such as ssh, http, or https. |
| ufw allow from {IP} | Allows all incoming connections from the specified IP address. |
| ufw allow from {IP} to any port {port} | Allows connections from the specified IP address to a specific port only. |
| ufw allow from {CIDR} | Allows connections from a subnet specified in CIDR notation. |
| ufw deny {port} | Blocks connections silently without sending an unreachable message to the sender. |
| ufw reject {port} | Rejects connections and sends a rejection notice (RST) to the sender. |
| ufw delete {number} | Deletes the rule identified by its number from ufw status numbered. |
| ufw delete allow {port} | Deletes a rule by specifying it the same way it was added. |
| ufw limit {port}/{protocol} | Automatically blocks IP addresses that attempt to connect 6 or more times within 30 seconds. Useful for SSH brute-force protection. |
| ufw default deny incoming | Sets the default policy for incoming packets to deny. |
| ufw default allow outgoing | Sets the default policy for outgoing packets to allow. |
| ufw logging {level} | Sets the logging level (off / low / medium / high / full). |
Examples
Example commands
# -----------------------------------------------
# Initial setup flow
# Note: if you are connected via SSH, add the SSH rule first.
# -----------------------------------------------

# Set the default policies.
# The standard approach is to deny all incoming and allow all outgoing.
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (port 22/tcp).
# Skipping this step will cut off your SSH connection after ufw enable.
sudo ufw allow ssh

# Allow HTTP and HTTPS for the web server.
sudo ufw allow http
sudo ufw allow https

# Activate the firewall.
sudo ufw enable

# Verify the configuration.
sudo ufw status verbose
Example output of the verification command:
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
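The setup flow above depends on the SSH rule being added before ufw enable. The following added example (not part of the original page) turns that note into a pre-enable check: it reads the text of `ufw show added` (which lists added rules even while ufw is still inactive) from stdin, checks the DEFAULT_INPUT_POLICY line of a file in /etc/default/ufw format, and succeeds only when an ALLOW or LIMIT rule for SSH exists and the incoming default is DROP. The function names and the file path parameter are this example's own assumptions; in real use you pipe the real command output in, as guarded_enable does.

```shell
#!/bin/sh
# Added example, not from the original page: a lockout guard for "ufw enable".
# Input: the text of `ufw show added` on stdin, plus the path to a file in
# /etc/default/ufw format (DEFAULT_INPUT_POLICY="DROP" is what
# `ufw default deny incoming` writes there). Function names are assumptions.

# Return 0 if stdin contains an allow/limit rule for SSH. Accepts the forms
# ufw show added prints: "ufw allow 22/tcp", "ufw limit ssh", "ufw allow OpenSSH",
# "ufw allow from 203.0.113.10 to any port 22", "... port 22 proto tcp".
# "ufw allow 2222/tcp" or "... port 8022" deliberately do not match.
has_ssh_rule() {
    grep -Eq '^ufw (allow|limit) (.* )?(22(/tcp)?|ssh(/tcp)?|OpenSSH)( proto tcp)?$'
}

# Return 0 if the defaults file ($1) sets the incoming policy to DROP.
incoming_policy_is_drop() {
    grep -Eq '^DEFAULT_INPUT_POLICY="DROP"' "$1"
}

# Apply both checks. Exit status: 0 = safe to run "ufw enable",
# 1 = no SSH rule found (you would lock yourself out),
# 2 = SSH rule present but the incoming default is not deny.
preflight_check() {
    defaults_file=${1:-/etc/default/ufw}
    if ! has_ssh_rule; then
        echo "preflight: no allow/limit rule for SSH; add one before 'ufw enable'" >&2
        return 1
    fi
    if ! incoming_policy_is_drop "$defaults_file"; then
        echo "preflight: incoming default is not deny; run 'ufw default deny incoming'" >&2
        return 2
    fi
    return 0
}

# Real-world wrapper (needs root and ufw; not used by the offline checks):
#   guarded_enable
guarded_enable() {
    sudo ufw show added | preflight_check /etc/default/ufw && sudo ufw enable
}
```

Run it as `sudo ufw show added | preflight_check` before enabling; a non-zero exit tells you which of the two prerequisites from the setup flow is still missing.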
Allow SSH connections from a specific IP address only
# -----------------------------------------------
# Allow SSH only from a trusted IP (203.0.113.10)
# and deny SSH from all other addresses.
# -----------------------------------------------

# Remove the existing "allow SSH from anywhere" rule.
sudo ufw delete allow ssh

# Allow SSH only from the trusted IP address.
sudo ufw allow from 203.0.113.10 to any port 22

# Verify the rules with numbering.
sudo ufw status numbered
Example output of the verification command:
$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    203.0.113.10
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 443 (v6)                   ALLOW IN    Anywhere (v6)
Allow database port access from an internal LAN subnet
# -----------------------------------------------
# Allow MySQL (port 3306) connections only from
# the internal subnet 192.168.10.0/24.
# -----------------------------------------------

# Allow the MySQL port from the subnet using CIDR notation.
sudo ufw allow from 192.168.10.0/24 to any port 3306

# To remove the rule later, use its number.
sudo ufw status numbered
# Example: if the rule number is 4
sudo ufw delete 4
Protect SSH against brute-force attacks with rate limiting
# -----------------------------------------------
# Protect the server from suspicious access.
# Automatically blocks IPs that attempt to connect
# 6 or more times within 30 seconds.
# -----------------------------------------------

# Use limit instead of allow for the SSH rule.
sudo ufw limit 22/tcp

# Enable logging to record suspicious access.
sudo ufw logging medium

# Logs are written to /var/log/ufw.log.
# sudo tail -f /var/log/ufw.log
Example output of the verification command:
$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
22/tcp (v6)                LIMIT IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
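Once the limit rule and logging are in place, the useful next step is to read what lands in /var/log/ufw.log. The following added example (not part of the original page) summarizes blocked attempts per source address and destination port, and separates hits from the rate limiter ([UFW LIMIT BLOCK]) from ordinary blocks ([UFW BLOCK]); allowed packets ([UFW ALLOW]) are ignored. The log lines embedded below are constructed for the example using documentation addresses, and the function names are this example's own; in production pipe the real file in with `sudo cat /var/log/ufw.log | summarize_blocks`.

```shell
#!/bin/sh
# Added example, not from the original page: triage of ufw log lines.
# Only the kernel log prefix ([UFW BLOCK] / [UFW LIMIT BLOCK]) and the
# SRC= and DPT= fields are used, so interface names, MACs and packet
# lengths do not matter. Function names and sample lines are constructed.

# Print "count source_ip dest_port" for each blocked (src, port) pair,
# most frequent first, then by address and port for a stable order.
summarize_blocks() {
    awk '
        /\[UFW (LIMIT )?BLOCK\]/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2 -k3,3n
}

# Print only the source address with the most blocked attempts.
top_blocked_source() {
    summarize_blocks | awk 'NR == 1 { print $2 }'
}

# Count blocks produced by the rate limiter ("ufw limit" rule) rather than
# by a deny rule or the default incoming policy. grep -c prints 0 on no
# match but exits 1, hence the "|| true".
limit_block_count() {
    grep -c '\[UFW LIMIT BLOCK\]' || true
}

# Constructed sample: three rate-limited SSH attempts from one host, a few
# ordinary blocks on telnet and MySQL, and one allowed packet (not counted).
SAMPLE_UFW_LOG='Mar  5 10:12:30 web01 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  5 10:12:31 web01 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  5 10:12:31 web01 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  5 10:13:02 web01 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  5 10:13:05 web01 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=40002 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  5 10:14:10 web01 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=60 TTL=60 ID=0 DF PROTO=TCP SPT=33000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  5 10:14:20 web01 kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.10.5 DST=192.0.2.10 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=50000 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0'

# Usage on the sample (replace with: sudo cat /var/log/ufw.log | summarize_blocks)
printf '%s\n' "$SAMPLE_UFW_LOG" | summarize_blocks
```

On the sample this prints `3 203.0.113.50 22` first, which is exactly the pattern the limit rule exists to catch; a host appearing with many different DPT values instead points at a port scan hitting the default deny policy.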
Overview
ufw is a front end for managing the firewall on Ubuntu-based Linux systems. Under the hood it drives iptables (IPv4) and ip6tables (IPv6), so you can define rules without writing raw iptables syntax. Running ufw enable also enables ufw.service through systemctl, so the firewall and its rules come back after a server reboot. The standard workflow is: set the default incoming policy to deny, allow only the ports you need, then enable. If you are configuring ufw over an active SSH session, add the SSH allow rule before running enable. If a misconfiguration locks you out, you will need to reach the machine through the server console (or review sshd_config) to recover. On RHEL- and AlmaLinux-based systems the standard firewall is firewalld instead, managed with the firewall-cmd command.