UFW (Uncomplicated Firewall) is a frontend for iptables. Here's how to use it.
Installation
Debian/Ubuntu:
sudo apt update
sudo apt install ufw
AlmaLinux:
sudo dnf install epel-release
sudo dnf install ufw
Basic Commands
# Enable firewall
sudo ufw enable
# Check status
sudo ufw status verbose
# Disable firewall
sudo ufw disable
Common Rules
Allow services:
sudo ufw allow ssh
sudo ufw allow 80
sudo ufw allow 443
Allow from specific IP:
sudo ufw allow from 192.168.1.100
sudo ufw allow from 192.168.1.100 to any port 22
Deny connections:
sudo ufw deny 3306
Delete rules:
sudo ufw status numbered
sudo ufw delete 2
Default Policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
Rate Limiting
Prevent brute force:
sudo ufw limit ssh
Denies further connections from an IP address that has attempted 6 or more connections within the last 30 seconds.
Application Profiles
# List profiles
sudo ufw app list
# Allow application
sudo ufw allow 'Nginx Full'
Advanced Examples
Port ranges:
sudo ufw allow 6000:6010/tcp
Specific interface:
sudo ufw allow in on eth0 to any port 80
Subnet access:
sudo ufw allow from 192.168.1.0/24
Logging
# Enable logging
sudo ufw logging on
# View logs
tail -f /var/log/ufw.log
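Added example (not from the original page): a small shell function that turns the raw log into a per-source summary of blocked traffic, counting both `[UFW BLOCK]` entries and the `[UFW LIMIT BLOCK]` entries produced by `ufw limit` rules. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise blocked traffic from UFW log lines read on stdin.
# Output: "<count> <source IP> <proto>/<dest port>", busiest first.
ufw_block_summary() {
  awk '
    # [UFW BLOCK]       = dropped by a deny rule or the default policy
    # [UFW LIMIT BLOCK] = dropped by a "ufw limit" rule
    /\[UFW (LIMIT )?BLOCK\]/ {
      src = ""; dpt = "-"; proto = "?"      # "-" when there is no port (e.g. ICMP)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
      }
      if (src != "") count[src " " proto "/" dpt]++   # skip malformed lines
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines (documentation IP ranges, fields trimmed).
sample_ufw_log() {
  cat <<'EOF'
Mar  3 10:15:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=3306
Mar  3 10:15:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=3306
Mar  3 10:15:09 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=23
Mar  3 10:16:30 web1 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40200 DPT=22
Mar  3 10:16:31 web1 kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=80
Mar  3 10:17:00 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
EOF
}

# Demo on the sample; on a real host: ufw_block_summary < /var/log/ufw.log
sample_ufw_log | ufw_block_summary
```
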
IPv6
Edit /etc/default/ufw:
IPV6=yes
Troubleshooting
Reset everything:
sudo ufw --force reset
Check rules file:
cat /etc/ufw/user.rules
Backup rules:
# Create the backup directory first, otherwise cp fails
mkdir -p ~/ufw-backup
sudo cp /etc/ufw/*.rules ~/ufw-backup/
Common Setups
Web server:
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
Database server:
sudo ufw allow from 10.0.0.0/24 to any port 22
sudo ufw allow from 10.0.0.0/24 to any port 3306
sudo ufw enable
Lock down SSH:
sudo ufw allow from YOUR_IP to any port 22
sudo ufw deny 22
Important Notes
- Always allow SSH before enabling UFW to avoid lockout
- UFW rules persist across reboots
- Order matters - rules are evaluated top to bottom
- Use --dry-run to test complex rules