Overview
UFW (Uncomplicated Firewall) is a user-friendly interface to manage iptables firewall rules in Ubuntu and Debian-based systems. It simplifies the process of allowing and denying network traffic without complex command syntax.
Note
UFW is installed by default on most Ubuntu installations (18.04+), but it comes disabled. This prevents accidental lockouts during initial server setup.
Prerequisites
You’ll need:
- Root or sudo access on your Ubuntu server
- SSH connection for remote management (highly recommended)
- Basic understanding of network ports
Installation
UFW comes with Ubuntu by default. If it was removed or you’re on a minimal installation, install it with:
```bash
sudo apt update
sudo apt install ufw
```
Step 1: Check Current Status
UFW is disabled by default. Check the current status and existing rules:
```bash
sudo ufw status
```
The output will show Status: inactive on first run; no rules are loaded yet.
Warning (Critical: Secure SSH First)
Before enabling the firewall, you must add a rule allowing SSH. If you block SSH while connected remotely, you’ll lock yourself out and lose access to your server!
Step 2: Allow SSH Access (CRITICAL)
Add a rule to allow SSH connections before enabling the firewall:
```bash
sudo ufw allow ssh
```
Alternatively, allow by port number:
```bash
sudo ufw allow 22
```
If SSH runs on a custom port (recommended for security), allow that port instead:
```bash
sudo ufw allow 2222
```
Replace 2222 with your actual SSH port.
Tip (Why Allow SSH First?)
UFW defaults to deny all incoming connections. Once enabled, only explicitly allowed ports accept traffic. Without an SSH rule, you lose remote access immediately.
Step 3: Enable the Firewall
Now enable UFW:
```bash
sudo ufw enable
```
You’ll see a warning:
```text
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
```
Enter y: you’ve already whitelisted SSH in Step 2, so your connection will remain active.
Note
UFW is now active! It denies all incoming connections except those you explicitly allow.
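Steps 1 to 3 hinge on one check: is there an SSH allow rule before `ufw enable` runs? The script below, an added example that is not part of the original article, wraps that check so the firewall cannot be enabled without it. It assumes the stock `/etc/ssh/sshd_config` path and parses the plain `ufw status` text; the sample status output is constructed so the check can be tried offline.

```shell
#!/bin/sh
# Lockout guard for Steps 2-3: refuse "ufw enable" unless an ALLOW (or LIMIT,
# ufw's rate-limited allow) rule for the SSH port is already in place.

# ssh_rule_present STATUS_TEXT PORT
# Returns 0 when STATUS_TEXT (output of "ufw status") contains an ALLOW or LIMIT
# rule for PORT, written as a bare port, PORT/tcp, or the OpenSSH app profile.
# The anchor prevents "2222/tcp" from matching a check for port 22.
ssh_rule_present() {
    status_text=$1
    port=$2
    printf '%s\n' "$status_text" | grep -Eq \
        "^(${port}(/tcp)?|OpenSSH)( \(v6\))?[[:space:]]+(ALLOW|LIMIT)([[:space:]]|$)"
}

# sshd_port: read the Port directive from sshd_config, defaulting to 22.
# Assumption: stock path, drop-in files under sshd_config.d are not consulted.
sshd_port() {
    p=$(awk 'tolower($1)=="port"{print $2; exit}' /etc/ssh/sshd_config 2>/dev/null)
    echo "${p:-22}"
}

# safe_ufw_enable [PORT]: enable UFW only when the SSH rule already exists.
safe_ufw_enable() {
    port=${1:-$(sshd_port)}
    current=$(sudo ufw status) || return 2
    if ssh_rule_present "$current" "$port"; then
        sudo ufw --force enable   # --force skips the interactive (y|n) prompt
    else
        echo "refusing to enable UFW: no ALLOW rule for SSH port $port" >&2
        echo "run: sudo ufw allow $port/tcp" >&2
        return 1
    fi
}

# Constructed sample of "ufw status" output for an offline dry run.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80                         ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

if ssh_rule_present "$SAMPLE_STATUS" 22; then
    echo "sample: SSH rule present, enabling would be safe"
fi
```

On a live host, run `safe_ufw_enable` (or `safe_ufw_enable 2222` for a custom port) in place of a bare `sudo ufw enable`.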
Step 4: Add Rules for Your Services
Allow Web Server (HTTP/HTTPS)
If running a web server, allow HTTP and HTTPS:
```bash
sudo ufw allow http   # Port 80
sudo ufw allow https  # Port 443
```
Or allow specific ports:
```bash
sudo ufw allow 80
sudo ufw allow 443
```
Allow Custom Application Ports
For any service, use the port number:
```bash
sudo ufw allow 3000  # Node.js development server
sudo ufw allow 5432  # PostgreSQL database
sudo ufw allow 3306  # MySQL database
sudo ufw allow 6379  # Redis cache
```
Allow Specific Protocols
Allow TCP-only or UDP-only traffic:
```bash
sudo ufw allow 53/tcp    # DNS over TCP
sudo ufw allow 53/udp    # DNS over UDP
sudo ufw allow 1194/udp  # OpenVPN
```
Allow by Service Name
UFW recognizes common service names from /etc/services:
```bash
sudo ufw allow domain  # Port 53 (the /etc/services name for DNS is "domain", not "dns")
sudo ufw allow ftp     # Port 21
sudo ufw allow smtp    # Port 25
sudo ufw allow imap    # Port 143
sudo ufw allow pop3    # Port 110
```
Step 5: View and Manage Rules
Check Current Rules
```bash
sudo ufw status
```
Output example:
```text
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
```
For detailed rule information:
```bash
sudo ufw status numbered
```
Deny Specific Ports
Explicitly deny a port (rarely needed due to default deny):
```bash
sudo ufw deny 80
```
Delete Rules
Delete by allow/deny and port:
```bash
sudo ufw delete allow 80
sudo ufw delete deny 80
```
Or delete by rule number (from `ufw status numbered`):
```bash
sudo ufw delete 3
```
Warning
Always verify the rule number before deletion. Removing the wrong rule could expose your server.
Advanced Usage
Allow from Specific IP Address
Restrict access to a service from a single IP:
```bash
sudo ufw allow from 192.168.1.100 to any port 3306
```
This allows 192.168.1.100 to reach MySQL; because the default policy denies everything else, no other host can, provided you have not also added a broader rule for port 3306.
Allow Ranges of Ports
```bash
sudo ufw allow 6000:6007/tcp  # Allow TCP ports 6000-6007 (X11)
```
Enable/Disable Without Clearing Rules
```bash
sudo ufw disable  # Deactivate temporarily (rules preserved)
sudo ufw enable   # Re-enable with existing rules
```
Reset to Defaults
Danger (Destructive Operation)
This removes all rules and disables UFW. Use only for troubleshooting:
```bash
sudo ufw reset
```
Common Service Ports Reference
| Service | Port | Protocol | UFW Command |
|---|---|---|---|
| SSH | 22 | TCP | ufw allow ssh |
| HTTP | 80 | TCP | ufw allow http |
| HTTPS | 443 | TCP | ufw allow https |
| DNS | 53 | TCP/UDP | ufw allow domain |
| SMTP | 25 | TCP | ufw allow smtp |
| MySQL | 3306 | TCP | ufw allow 3306 |
| PostgreSQL | 5432 | TCP | ufw allow 5432 |
| MongoDB | 27017 | TCP | ufw allow 27017 |
| Redis | 6379 | TCP | ufw allow 6379 |
| OpenVPN | 1194 | UDP | ufw allow 1194/udp |
Troubleshooting
Problem (Locked Out of SSH)
If you can’t SSH after enabling UFW:
- Use the hosting provider’s console/IPMI to access the server
- Run `sudo ufw allow 22` (or your custom SSH port)
- Reconnect via SSH
Always allow SSH before enabling the firewall!
Problem (Application Not Accessible)
If your web server shows “connection refused”:
- Verify the application is running: `sudo netstat -tlnp | grep LISTEN`
- Check if the port is allowed: `sudo ufw status | grep PORT_NUMBER`
- Add the rule if it is missing: `sudo ufw allow PORT_NUMBER`
Problem (UFW Not Starting After Reboot)
Some systems disable UFW on boot. Make it persistent:
```bash
sudo systemctl enable ufw
sudo systemctl start ufw
```
Security Best Practices
Tip (Security Hardening)
- Principle of Least Privilege: only allow ports your services actually need
- Use Service Names: `ufw allow ssh` is clearer than `ufw allow 22`
- Document Rules: comment your UFW configuration for future reference
- Review Regularly: periodically run `sudo ufw status` to audit active rules
- Monitor Denied Connections: check logs with `sudo tail -f /var/log/ufw.log`
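Tailing `/var/log/ufw.log` shows individual drops; the script below, an added example that is not part of the original article, turns the `[UFW BLOCK]` lines into a per-port and per-source summary so you can see which closed ports and which addresses are generating the noise. It assumes UFW logging is on (`sudo ufw logging on`) and reads log lines from stdin; the sample lines are constructed, with some kernel fields trimmed for brevity.

```shell
#!/bin/sh
# Summarise what UFW is dropping, from "[UFW BLOCK]" lines in /var/log/ufw.log.

# blocked_summary: count blocked packets per PROTO/DPT, most frequent first.
blocked_summary() {
    awk '/\[UFW BLOCK\]/ {
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (dpt != "") count[proto "/" dpt]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# blocked_sources PORT: source addresses whose packets to PORT were blocked,
# most active first. Useful for deciding whether a port needs an allow rule
# (legitimate client) or the traffic is just background scanning.
blocked_sources() {
    awk -v port="$1" '/\[UFW BLOCK\]/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (dpt == port) count[src]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# Constructed sample in ufw.log format (MAC/ID/WINDOW fields omitted). The last
# line is an ALLOW entry, which the functions must ignore.
SAMPLE_LOG='Jan 10 12:00:01 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.2 LEN=60 TTL=54 PROTO=TCP SPT=51234 DPT=22 SYN
Jan 10 12:00:02 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.2 LEN=60 TTL=54 PROTO=TCP SPT=51235 DPT=22 SYN
Jan 10 12:00:03 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.2 LEN=60 TTL=50 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 10 12:00:04 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.2 LEN=60 TTL=50 PROTO=TCP SPT=40002 DPT=3306 SYN
Jan 10 12:00:05 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.2 LEN=60 TTL=60 PROTO=TCP SPT=40003 DPT=3306 SYN
Jan 10 12:00:06 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.2 LEN=44 TTL=60 PROTO=UDP SPT=40004 DPT=53
Jan 10 12:00:07 web kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.2 LEN=60 TTL=60 PROTO=TCP SPT=40005 DPT=443 SYN'

printf '%s\n' "$SAMPLE_LOG" | blocked_summary      # 3 TCP/22, 2 TCP/3306, 1 UDP/53
printf '%s\n' "$SAMPLE_LOG" | blocked_sources 22   # 2 203.0.113.5, 1 198.51.100.7
# Live use:  sudo cat /var/log/ufw.log | blocked_summary
```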
Conclusion
UFW provides a simple yet powerful way to secure your Linux server with a default-deny firewall policy. By allowing only necessary ports and protocols, you significantly reduce your attack surface. Always prioritize SSH security to maintain remote access.