One of the keystones of any operating system is a properly configured firewall. Ubuntu uses iptables underneath; however, most users manage it through UFW (Uncomplicated Firewall), which works as a front end to iptables.
Some of the great benefits of UFW are its simplicity and its user-friendly, easy-to-use command line, making it suitable for everyone from Linux beginners to advanced power users.
In the following tutorial, you will learn to install and set up the UFW firewall on Ubuntu 22.04 LTS Jammy Jellyfish desktop or server using the command line terminal, along with some basic examples of using UFW. Please note that the tutorial covers the commonly used features. UFW can achieve much more and can be integrated with software such as ModSecurity and Fail2Ban, to name a few. Still, for the majority, this tutorial is a great start.
Before you begin, run a quick update to ensure your system packages are up-to-date to avoid conflicts.
sudo apt update && sudo apt upgrade -y
Enable, Install or Remove UFW
By default, UFW should be installed, but if this has been removed, re-install UFW.
sudo apt install ufw -y
Once installed, enable ufw.
sudo systemctl enable ufw --now
Next, verify the status of UFW to make sure it is active and without errors.
systemctl status ufw
The next step in setting up a UFW firewall will be to enable the firewall itself.
sudo ufw enable
Firewall is active and enabled on system startup
By default, once the firewall is live, all incoming traffic is blocked and all outbound traffic is allowed. This instantly protects your system by stopping anyone from connecting to it remotely.
In the future, if you need to disable UFW for a temporary period, use the following command.
sudo ufw disable
To remove UFW altogether from your system (not recommended), run the following.
sudo apt remove ufw --purge
Do not remove UFW unless you have a solid alternative or know how to use iptables directly, especially on a server reachable from the public Internet; leaving such a system without a firewall would be disastrous.
Check UFW Status
Once UFW is enabled, view the status of the firewall and its active rules with the following.
sudo ufw status verbose
The above example used the verbose flag. An alternative is to list the rules in numbered sequence, which is far more manageable later on when deleting rules.
sudo ufw status numbered
Each rule now carries a numbered label such as [ 1], [ 2] in the output, which identifies it for later operations.
Set/Configure UFW Default Policies
The default policy of the UFW firewall is to deny all incoming connections and allow all outbound connections from the system. This is typically the most secure default: no one can reach your server unless you explicitly allow IP addresses or ranges, programs, ports, or a combination of these. Your system, by default, can reach the outside, and you should not change that unless you have specific security requirements.
The default UFW firewall policies are stored in /etc/default/ufw.
To adjust the default policies, type the following commands:
Deny all incoming connections:
sudo ufw default deny incoming
Allow all outgoing connections:
sudo ufw default allow outgoing
These are already the defaults when UFW is enabled, but the same commands let you change them to suit your purpose.
For example, incoming traffic is already blocked by default, but if you also want all outgoing traffic blocked, allowing only approved outbound connections, use the following command.
Block all outgoing connections:
sudo ufw default deny outgoing
This is an extreme measure; blocking incoming connections is usually enough for the average server and desktop, but specific environments can benefit from the extra precaution. The downside is that you need to maintain rules for all outgoing connections, which can be time-consuming as you continually add new ones.
View UFW Application Profiles
To show all application profiles, type the following.
sudo ufw app list
The above is just an example; everyone will have a different list, as no two systems have the same applications installed.
A handy feature of application profiles is finding out more about a service listed in the UFW application list.
To do this, type the following command to see more information about an existing profile.
sudo ufw app info 'Nginx Full'
As shown above, the command prints the application's general description and the ports it uses. This is handy when you investigate open ports and are unsure which applications they relate to and what they do.
Allow/Enable IPv6 on UFW
If your system is configured with IPv6, you need to ensure UFW is configured with both IPv6 and IPv4 support. By default, this should be enabled automatically; however, you should check and, if need be, modify it. You can do this as follows.
Open the default UFW configuration file.
sudo nano /etc/default/ufw
Make sure the IPV6 line in this file reads IPV6=yes; adjust it if it is set to no.
CTRL+O to save the new changes to the file, then press CTRL+X to exit the file.
Now restart the UFW firewall service to make the changes active.
sudo systemctl restart ufw
Allow/Enable UFW SSH Connections
By default, UFW does not allow SSH connections. If you enabled the firewall on a remote server before allowing SSH, you will have found yourself locked out.
To avoid this, set the following SSH rule before enabling the UFW firewall, especially when connected to a remote server.
First, allow the SSH application profile.
sudo ufw allow ssh
If you have set up a custom listening port for SSH connections other than the default port 22, for example port 3541, open that port on the UFW firewall instead by typing the following.
sudo ufw allow 3541/tcp
You may also want to block all SSH connections, or change the port and block the old one.
To block all SSH connections (make sure local access is possible first), use the following command.
sudo ufw deny ssh/tcp
If you change the custom SSH port, open the new port first, then close the existing one; in the tutorial example that is port 3541.
sudo ufw deny 3541/tcp
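The lockout described above happens when the firewall is enabled before the SSH port is allowed. As an added example (not part of the original tutorial), the helper below reads the Port directives from an sshd_config and prints the UFW commands in the safe order: allow every SSH port first, then enable. The sshd_config excerpt is constructed; Include directives are not followed.

```shell
#!/bin/sh
# Constructed sshd_config excerpt (not from a real host): a commented-out default
# port plus the custom port used in the tutorial.
SAMPLE_SSHD_CONFIG='#Port 22
Port 3541
ListenAddress 0.0.0.0
PasswordAuthentication no'

# Print the TCP ports sshd will listen on, read from config text on stdin.
# Active "Port N" lines win; with none present sshd uses 22. Comment lines and
# Include directives are ignored (assumption: a single, flat config file).
ssh_listen_ports() {
  awk '
    /^[[:space:]]*#/ { next }
    tolower($1) == "port" { ports[$2] = 1; found = 1 }
    END {
      if (!found) ports[22] = 1
      for (p in ports) print p
    }' | sort -n
}

# Emit the UFW commands in the only safe order for a remote host: allow every
# SSH port first, then set the defaults and enable. Printed alone it is a plan;
# pipe it to sh to apply it.
ufw_ssh_safe_enable_plan() {
  ssh_listen_ports | while read -r p; do
    case $p in
      ''|*[!0-9]*) echo "skipping non-numeric port value: $p" >&2; continue ;;
    esac
    echo "sudo ufw allow $p/tcp"
  done
  echo "sudo ufw default deny incoming"
  echo "sudo ufw default allow outgoing"
  echo "sudo ufw enable"
}

# Stand-alone demo on the constructed config.
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | ufw_ssh_safe_enable_plan
```

On a real host, `ufw_ssh_safe_enable_plan < /etc/ssh/sshd_config` shows the plan and appending `| sh` applies it.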
Allow/Enable UFW Ports
With UFW, you can open specific ports in the firewall to allow connections for a particular application, and you can set customized rules for that application. A good example is a web server, which listens on ports 80 (HTTP) and 443 (HTTPS) by default.
Allow HTTP Port 80
Allow by application profile:
sudo ufw allow 'Nginx HTTP'
Allow by service name:
sudo ufw allow http
Allow by port number:
sudo ufw allow 80/tcp
Allow HTTPS Port 443
Allow by application profile:
sudo ufw allow 'Nginx HTTPS'
Allow by service name:
sudo ufw allow https
Allow by port number:
sudo ufw allow 443/tcp
Note that you can allow both HTTP and HTTPS at once with the full profile.
sudo ufw allow 'Nginx Full'
UFW Allow Port Ranges
UFW can allow access to port ranges. When opening a port range, you must identify the port protocol.
Allow port range with TCP & UDP:
sudo ufw allow 6500:6800/tcp
sudo ufw allow 6500:6800/udp
Alternatively, you can allow several individual ports in one command, although a range is often easier to manage. The ports are separated by commas without spaces.
sudo ufw allow 6500,6501,6505,6509/tcp
sudo ufw allow 6500,6501,6505,6509/udp
Allow/Enable Remote Connections on UFW
UFW Allow Specific IP Address
For example, if you are on an internal network and need your systems to communicate with each other, allow a specific IP address with the following command.
sudo ufw allow from 192.168.55.131
UFW Allow Specific IP Address on Specific Port
To allow an IP address to connect to your system on a defined port (for example port 3900), type the following.
sudo ufw allow from 192.168.55.131 to any port 3900
Allow Subnet Connections to a Specified Port
If you need to allow a whole subnet to reach a particular port, create the following rule.
sudo ufw allow from 192.168.1.0/24 to any port 3900
This will allow all IP addresses from 192.168.1.1 to 192.168.1.254 to connect to port 3900.
Allow Specific Network Interface
For example, to allow connections arriving on a particular network interface, "eth2", to port 3900, create the following rule.
sudo ufw allow in on eth2 to any port 3900
Deny/Block Remote Connections on UFW
As per the default policy of UFW, all incoming connections are set to "deny" when it is installed. This blocks all incoming traffic unless you create a rule to allow the connection through.
Suppose, however, you notice in your logs a particular IP address that keeps attacking you. Block it with the following.
sudo ufw deny from 220.127.116.11
If an attacker uses multiple IP addresses from the same subnet, create the following rule to block the whole subnet.
sudo ufw deny from 18.104.22.168/24
You can also create rules that deny a source access to particular ports only. For example:
sudo ufw deny from 22.214.171.124/24 to any port 80
sudo ufw deny from 126.96.36.199/24 to any port 443
Delete/Remove UFW Rules
To delete a UFW rule by its number, first list the rule numbers by typing the following.
sudo ufw status numbered
The example deletes the third rule, the one for IP address 188.8.131.52 in the listing above.
Type the following in your terminal.
sudo ufw delete 3
Type Y, then press ENTER to confirm the removal; in this case it was rule number three in the tutorial example above. Note that UFW renumbers the remaining rules after a deletion, so list them again before deleting another one.
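As an added example (not part of the original tutorial), the helper below parses the output of sudo ufw status numbered to find the rule numbers for a given source address and prints the delete commands highest number first, so that the renumbering after each deletion does not shift the remaining targets. The status listing and the addresses are constructed samples.

```shell
#!/bin/sh
# Constructed sample of `sudo ufw status numbered` output (not captured from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] Anywhere                   DENY IN     188.8.131.52
[ 4] 3900                       ALLOW IN    192.168.1.0/24
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Print the numbers of all rules whose From column equals the given address.
# Usage: ufw_rule_numbers_for_source <address> [status_text]
# Without status_text the live listing is fetched (requires sudo).
ufw_rule_numbers_for_source() {
  addr=$1
  status=${2:-$(sudo ufw status numbered)}
  printf '%s\n' "$status" | awk -v want="$addr" '
    /^\[ *[0-9]+\]/ {
      # Rule number sits between "[" and "]"; the From column is the last field.
      # A trailing "(v6)" marker is dropped so IPv4 and IPv6 rows compare alike.
      num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
      from = $NF
      if (from == "(v6)") from = $(NF - 1)
      if (from == want) print num
    }'
}

# Print a delete command for every rule matching the address, highest number
# first, because ufw renumbers the remaining rules after each deletion.
# Pipe the output to sh to apply it; --force skips the Y/N confirmation.
ufw_delete_rules_for_source() {
  ufw_rule_numbers_for_source "$1" "$2" | sort -rn | while read -r n; do
    echo "sudo ufw --force delete $n"
  done
}

# Stand-alone demo on the constructed listing.
ufw_rule_numbers_for_source 188.8.131.52 "$SAMPLE_STATUS"
ufw_delete_rules_for_source Anywhere "$SAMPLE_STATUS"
```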
Access and View UFW Logs
UFW logging is set to low by default, which is fine for most desktop systems; servers, however, may require a higher level of logging.
To set UFW logging to low (the default):
sudo ufw logging low
To set UFW logging to medium monitoring:
sudo ufw logging medium
To set UFW logging to high:
sudo ufw logging high
The last option is to disable logging altogether; be sure you will not need to check the logs before doing so.
sudo ufw logging off
UFW logs are kept in the default location /var/log/ufw.log.
An easy, quick way to view the log live is the tail command (tail is a standard utility, not a ufw subcommand).
sudo tail -f /var/log/ufw.log
Alternatively, you can print a number of recent lines with the -n <number> flag.
sudo tail -n 30 /var/log/ufw.log
This prints the last 30 lines of the log. You can further fine-tune the output with grep and other sorting commands.
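The grep-and-sort approach above is easier with a small summariser. As an added example (not part of the original tutorial), the helper below counts [UFW BLOCK] entries per source, protocol and destination port, and can turn repeat offenders into a list of deny commands to review. The log lines are constructed and shortened (real entries carry extra fields such as MAC= and TTL=), and the addresses are documentation ranges.

```shell
#!/bin/sh
# Constructed, shortened /var/log/ufw.log sample (not from a real host).
SAMPLE_LOG='Jun 10 09:12:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN
Jun 10 09:12:03 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22 SYN
Jun 10 09:12:04 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=22 SYN
Jun 10 09:12:09 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=UDP SPT=40000 DPT=161
Jun 10 09:12:10 web1 kernel: [UFW AUDIT] IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=80 SYN
Jun 10 09:12:15 web1 kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=80 SYN'

# Summarise [UFW BLOCK] entries as "<count> <source> <proto> <dport>", most
# frequent first. Reads the files given as arguments, or stdin when none.
# Only the SRC=, PROTO= and DPT= key=value fields are used, so extra fields
# in real log lines do not matter.
ufw_block_summary() {
  awk '/\[UFW BLOCK\]/ {
    src = ""; proto = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^SRC=/)   src   = substr($i, 5)
      if ($i ~ /^PROTO=/) proto = substr($i, 7)
      if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
    }
    if (src != "") count[src " " proto " " dpt]++
  }
  END { for (k in count) print count[k], k }' "$@" | sort -rn -k1,1
}

# Print a `ufw deny from` command for every source blocked at least $1 times
# (default 3) in the log text on stdin. This is a list to review, not applied.
ufw_suggest_denies() {
  min=${1:-3}
  ufw_block_summary | awk -v min="$min" '
    { hits[$2] += $1 }
    END { for (s in hits) if (hits[s] >= min) print "sudo ufw deny from " s }'
}

# Stand-alone demo on the constructed log.
printf '%s\n' "$SAMPLE_LOG" | ufw_block_summary
printf '%s\n' "$SAMPLE_LOG" | ufw_suggest_denies 3
```

On a real host, `sudo ufw_block_summary /var/log/ufw.log` style usage needs the function defined in a root shell; running `ufw_block_summary < /var/log/ufw.log` with read access to the file works equally well.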
Test UFW Rules
On highly critical systems, a good option when experimenting with firewall settings is to add the --dry-run flag. This shows the changes that would have been made without actually applying them.
sudo ufw --dry-run enable
The flag applies per command rather than switching UFW into a mode, so it works with other subcommands too; for example, to preview disabling the firewall:
sudo ufw --dry-run disable
Reset UFW Rules
To reset your firewall to its original state, with all incoming blocked and outgoing allowed, type the following.
sudo ufw reset
To confirm the reset, enter the following:
sudo ufw status
The output should report the firewall as inactive, since a reset also disables it.
With the UFW firewall reset, you will need to re-enable the firewall and repeat the entire process of adding rules. Use the reset command sparingly.
Find/Search All Open Ports (Security Check)
Many administrators do not realize that their systems may have ports open. In an age where every IP address on the Internet is scanned daily, it is crucial to watch what is happening behind the scenes.
A good option is to install Nmap and use this well-known application to list the open ports.
sudo apt install nmap -y
Next, find the internal IP address of the system.
Now use the following Nmap command with the server’s IP address.
As above, all ports are closed except for port 80, which is what is allowed in UFW rules, so this is satisfactory.
However, if you find open ports, investigate what they are before you close or block them if you are unsure, as closing them blindly may break services or, in the worst case, lock you out of a server.
From this point, you can use the custom UFW rules you have learned in this tutorial to close or restrict the open ports.
Comments and Conclusion
The tutorial has successfully shown you how to set up and configure UFW for desktop or server on Ubuntu 22.04 LTS.
UFW is highly recommended, as it is a simple firewall system compared to other options that may confuse non-power users. Given the rise of cybercrime and hacking, it is a quick, reliable way to safeguard your system.
The one area where UFW starts to fall short is large rule sets and IP blocklists, where you may have hundreds of thousands, if not millions, of IP addresses being blocked. Other alternatives may be needed there, but this will not affect most users, as such deployments typically already have a suitable option in place.