What is UFW

UFW, or Uncomplicated Firewall is a simple firewall. You probably know what it’s for, so we can skip over that.

If your VPS host (if you’re using a VPS) has a hardware firewall, you’ll need to remember to allow ports though BOTH UFW and their firewall. You don’t always need a second firewall, but if you insist, this is a simple crash course.

Install UFW

1 2 3

sudo apt update sudo apt install ufw sudo ufw status

The last line, sudo ufw status, should return ‘Status: inactive’. You DO NOT want to enable this without allowing port 22 (or your SSH port) first! Keep that in mind.

Allow ports

By default: all inbound ports are blocked. You need to allow them yourself.

Usually, the first port you’ll allow through is 22 - the SSH port.

1	sudo ufw allow 22

You can also enable ports using application presets. To see a list of available applications, use:

1	sudo ufw app list

Then we can allow applications using their names, for example:

1	sudo ufw allow OpenSSH

If application names have a space, enter the text inside quotation marks.

(Note: forward either port 22 or the application. You don’t need to use both - and probably shouldn’t)

Common ports

• 20-21 FTP
• 22 SSH
• 23 Telnet
• 25 SMTP // 110 POP3 // 143 IMAP (All for mail)
• 53 DNS
• 80 HTTP // 443 HTTPS
• 123 NTP (Network Time Protocol)
• 179 BGP (Border Gateway Protocol)
• 500 ISAKMP (Internet Security Association and Key Management Protocol)
• 3389 DRP

TCP and/or UDP?

Simply running ufw allow <port> will allow BOTH TCP and UDP connections.

To specify a specific type, enter a port as such: ufw allow 21/tcp.

Multiple ports

To specify multiple ports, enter a port as such: ufw allow 21,25/tcp.

For a range of ports: ufw allow 21:25/tcp.

I have specified TCP, as a protocol is required.

Enable firewall

AFTER allowing SSH through (assuming you’re using SSH to run commands), run:

1	sudo ufw enable

After confirming, you may need to reconnect to your SSH server.

List rules

To list rules, run:

1	sudo ufw status

Removing a rule

If you used a name, you could run ufw delete allow OpenSSH`, for example. Otherwise, show a numbered list of rules:

1	sudo ufw status numbered

Then delete rules using their number (Shown in brackets before the rule):

1	sudo ufw delete 2

To delete the second rule.

Alternatively, you can also remove rules using their port numbers or ranges. Add delete just before allow. For example:

1	sudo ufw delete allow 25-30/tcp

Reset UFW

To reset everything: Disable UFW, then run the reset command.

1 2	sudo ufw disable sudo ufw reset

More advanced rules

For a simple program, it gets a whole lot more powerful.

Allow from specific IPs or IP Ranges only

1	sudo ufw allow from 192.168.1.50 proto tcp to any port 22

Let’s break it down:

• sudo ufw allow - Simple enough
• from 192.168.1.50 - Only allow connections from 192.168.1.50
• proto tcp - This rule applies only to TCP
• to any - To any destination address. This could be a docker container IP, for example. Otherwise, use any to speak to anything on your system listening to that port.
• port 22 - This rule applies only to port 22.

Ranges

Swap out the IP address for a range. For example, 192.168.1.0/``24 for everything on the local network.

Outgoing traffic

Every outbound connection is allowed unless expressly denied.

Deny a port by swapping allow for deny, and add an out just before the port.

1	sudo ufw deny out 25

This would deny outgoing SMTP traffic, for example.