UFW Firewall Basic Rules and Commands

Install and Enable UFW

#sudo apt-get install ufw
#sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)?

Enter Y, and proceed to allow connections to your server

Firewall is active and enabled on system startup

Check whether UFW is running:

#sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)

Allow Connections to Your Server

#sudo ufw allow 80
#sudo ufw allow 80/tcp
#sudo ufw allow 443/tcp

If you are unsure of its port number. For example, to enable MySQL:

#sudo ufw allow mysql

Specify Filtering Mode

Incoming Traffic.

#sudo ufw allow in ftp

Outgoing Traffic.

#sudo ufw allow out smtp

Deny Connections to Your Server

#sudo ufw deny 3306

Removing Firewall Rules

 Checking UFW status with the parameter numbered. This allows you to select a rule by entry number.

#sudo ufw status numbered
Status: active
 To                         Action      From
 --                         ------      ----
[ 1] Apache                     DENY IN     Anywhere
[ 2] 80                         DENY IN     Anywhere
[ 3] 22                         ALLOW IN    Anywhere

Delete the rules by the numbers in square brackets[]

#sudo ufw delete 3

Set Logging Level

By default, the Uncomplicated Firewall logging level is set to low. However, multiple logging levels are supported, and you have a preferred setting based on what firewall logs you wish to keep.

off disables ufw logging.

low logs blocked packets that don’t match your set rules and packets matching logged rules.

medium logs low level, allowed packets that don’t match the set policy, invalid packets, and all new connections to your server.

high logs medium without attempts/rate-limiting and all packets with attempt limiting.

full logs all firewall packets without rate/access attempts limiting.

To set your UFW logging level, use the command below.

#sudo ufw logging LEVEL

For example:

#sudo ufw logging medium

To enable logging for a specific firewall rule, such as SSH, use the command.

#sudo allow log 22/tcp

Enable IPV6 Support

#sudo vim /etc/default/ufw

Locate the IPV6 line and make sure it is set to yes


Disable / Reload UFW

To disable (stop) Uncomplicated Firewall, run the command.

#sudo ufw disable

If you need to reload UFW (reload rules), use the reload parameter.

#sudo ufw reload

To restart UFW, you will need to disable it first and then enable it again.

#sudo ufw disable

#sudo ufw enable

Again, before enabling UFW, make sure that the SSH port is allowed for your IP address.

Back to Default Settings

If you need to reset UFW back to default settings, type the following command. This will delete all existing rules and reset the firewall to default values.

user@example:~#ufw reset

Resetting all rules to installed defaults. This may disrupt existing ssh

connections. Proceed with operation (y|n)?