What is UFW
UFW, or Uncomplicated Firewall, is a simple front end for managing the iptables firewall rules on a Linux host. You probably know what a firewall is for, so we can skip over that.
If your VPS provider (if you're using a VPS) runs its own network firewall in front of your server, remember that you need to allow ports through BOTH UFW and the provider's firewall. You don't always need a second firewall on the host itself, but if you want one, this is a simple crash course.
Once UFW is installed, `sudo ufw status` should return `Status: inactive`. You DO NOT want to enable it before allowing port 22 (or whatever port your SSH server listens on), or you will lock yourself out of the box. Keep that in mind.
By default, once enabled, UFW blocks all inbound connections and allows all outbound ones. You need to allow inbound ports yourself.
Usually, the first port you'll allow through is 22, the SSH port: `sudo ufw allow 22/tcp` (SSH only uses TCP, so there is no need to open UDP as well).
You can also allow ports using application profiles. To see the list of profiles UFW knows about, use `sudo ufw app list`.
Then you can allow an application by its profile name, for example `sudo ufw allow OpenSSH`.
If a profile name contains a space, put it inside quotation marks.
(Note: allow either port 22 or the OpenSSH profile, not both. Two rules for the same port are harmless, but one rule per service keeps the rule list easier to audit.)
Some common ports you may need to allow:
- 20-21 FTP (data and control)
- 22 SSH
- 23 Telnet
- 25 SMTP // 110 POP3 // 143 IMAP (All for mail)
- 53 DNS
- 80 HTTP // 443 HTTPS
- 123 NTP (Network Time Protocol)
- 179 BGP (Border Gateway Protocol)
- 500 ISAKMP (Internet Security Association and Key Management Protocol, the IKE key exchange used by IPsec VPNs)
- 3389 RDP (Remote Desktop Protocol)
TCP and/or UDP?
`ufw allow <port>` allows BOTH TCP and UDP connections to that port.
To restrict a rule to one protocol, append it to the port, like so:
`ufw allow 21/tcp`
To allow multiple ports in one rule, separate them with commas:
`ufw allow 21,25/tcp`
For a range of ports, use a colon between the first and last port:
`ufw allow 21:25/tcp`
The protocol is spelled out in the last two examples because UFW requires `/tcp` or `/udp` whenever a rule lists several ports or a range; without it the command is rejected.
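As an added example (not part of the original post), here is a small shell function that validates a port spec the same way UFW does before you hand it to `ufw allow`: a single port, a comma list or a `lo:hi` range, with an optional `/tcp` or `/udp`, and a list or range is only accepted together with a protocol. It prints the resulting `ufw allow` command rather than running it, so it works without UFW installed; the specs fed to it at the bottom are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: validate a ufw port spec
# (single port, comma list, or lo:hi range, optional /tcp or /udp) and
# print the matching "ufw allow" command. Nothing here calls ufw.

ufw_allow_cmd() {
    spec=$1
    case $spec in
        */tcp|*/udp) ports=${spec%/*}; proto=${spec##*/} ;;
        */*)  echo "unknown protocol in '$spec' (use tcp or udp)" >&2; return 1 ;;
        *)    ports=$spec; proto= ;;      # bare port: ufw matches tcp AND udp
    esac
    # ufw rejects a comma list or a range unless a protocol is given.
    case $ports in
        *,*|*:*)
            if [ -z "$proto" ]; then
                echo "'$spec': lists and ranges need /tcp or /udp" >&2
                return 1
            fi ;;
    esac
    old_ifs=$IFS; IFS=,
    set -- $ports                 # split the comma list into $1 $2 ...
    IFS=$old_ifs
    for item in "$@"; do
        lo=${item%%:*}; hi=${item##*:}    # a single port is its own lo and hi
        for p in "$lo" "$hi"; do
            case $p in ''|*[!0-9]*) echo "'$item': not a port number" >&2; return 1 ;; esac
            if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
                echo "'$item': port $p out of range" >&2; return 1
            fi
        done
        if [ "$lo" -gt "$hi" ]; then
            echo "'$item': range end is below its start" >&2; return 1
        fi
    done
    printf 'ufw allow %s\n' "$spec"
}

# Demo on constructed specs: the first four are accepted, the rest rejected.
for spec in 22 21/tcp 21,25/tcp 21:25/tcp 21,25 70000/tcp 25:21/tcp 53/icmp; do
    ufw_allow_cmd "$spec" || echo "rejected: $spec"
done
```

Drop the `sudo` in front of whatever the function prints, and a bare port such as `22` opens both protocols, exactly as the text above describes.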
AFTER allowing SSH through (assuming you're connected over SSH to run these commands), enable the firewall with `sudo ufw enable`. UFW warns that the command may disrupt existing SSH connections.
After confirming, you may need to reconnect to your SSH server.
To list the active rules, run `sudo ufw status` (`sudo ufw status verbose` also shows the default policies for incoming and outgoing traffic).
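The lock-out the text warns about is easy to guard against with a script. Here is an added example (not from the original post) that refuses to run `ufw enable` unless a rule admitting the SSH port has already been added. While UFW is inactive, `ufw status` shows no rules at all, so the check reads `ufw show added`, which lists the rules queued for activation; `ufw --force enable` then skips the confirmation prompt. The sample `show added` output in the block is constructed for the offline demo, and the `UFW_APPLY` switch is a convention of this example, not a UFW feature.

```shell
#!/bin/sh
# Added example, not from the original post: refuse to run "ufw enable"
# unless a rule already admits the SSH port. While ufw is inactive,
# "ufw status" shows no rules, so the check reads "ufw show added",
# which lists the rules queued for activation.

# Match the common shapes of an SSH allow rule in "ufw show added" output:
#   ufw allow 22/tcp | ufw allow 22 | ufw limit 22/tcp | ufw allow OpenSSH
#   ufw allow from 192.168.1.50 proto tcp to any port 22
# $1 is the SSH port; the report comes in on stdin. Exit 0 when found.
ssh_rule_present() {
    port=$1
    grep -Eq "^ufw (allow|limit) (in )?(from [^ ]+ (proto tcp )?to [^ ]+ port )?(${port}(/tcp)?|OpenSSH)$"
}

# Run the check against the live firewall, then enable. --force skips the
# "Command may disrupt existing ssh connections" prompt.
safe_enable() {
    port=${SSH_PORT:-22}
    if ! ufw show added | ssh_rule_present "$port"; then
        echo "refusing to enable ufw: no rule allows SSH on port $port" >&2
        return 1
    fi
    ufw --force enable
}

# Constructed sample of "ufw show added" output for the offline demo.
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 80/tcp"

if printf '%s\n' "$SAMPLE_ADDED" | ssh_rule_present 22; then
    echo "sample would pass: SSH on port 22 is allowed"
fi
if ! printf '%s\n' "$SAMPLE_ADDED" | ssh_rule_present 2222; then
    echo "sample would be refused with SSH_PORT=2222: no rule for that port"
fi

# Only touch the real firewall when explicitly asked (needs root and ufw).
# UFW_APPLY is this script's own switch, not a ufw option.
if [ "${UFW_APPLY:-0}" = 1 ]; then
    safe_enable
fi
```

Run it as `sudo UFW_APPLY=1 SSH_PORT=22 sh safe-enable.sh`; if you moved SSH to another port, set `SSH_PORT` accordingly, and note that a rule for `22/udp` alone does not count, since SSH is TCP.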
Removing a rule
If you used an application profile, you can delete the rule by name, for example `sudo ufw delete allow OpenSSH`. Otherwise, show a numbered list of rules with `sudo ufw status numbered`.
Then delete a rule using its number (shown in brackets before the rule): `sudo ufw delete 2` deletes the second rule.
Note that UFW renumbers the remaining rules after every delete, so run `status numbered` again before deleting another one by number.
Alternatively, you can remove rules by their port numbers or ranges: put `delete` just before `allow` in the original command. For example, `sudo ufw delete allow 21/tcp` removes the rule added by `sudo ufw allow 21/tcp`.
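Because the numbers shift after each delete, removing several numbered rules at once (for instance the IPv4 and IPv6 copies UFW creates for the same port) is a classic way to delete the wrong rule. Here is an added example (not from the original post) that parses `ufw status numbered` output, finds every rule for a given port, and emits the delete commands highest number first so the earlier numbers stay valid. The status output embedded in the block is constructed for the demo; `ufw --force delete N` is real UFW syntax that answers the confirmation prompt for you, and the `UFW_APPLY` switch is this script's own convention.

```shell
#!/bin/sh
# Added example, not from the original post: find the numbers of all rules
# for a given port in "ufw status numbered" output and emit the delete
# commands highest number first. ufw renumbers rules after each delete, so
# deleting 2 then 5 would remove the wrong rule the second time; deleting
# 5 then 2 is safe. The v4 and v6 copies of a rule have separate numbers.

# stdin: "ufw status numbered" output; $1: exact "To" value, e.g. 80/tcp
rule_numbers_matching() {
    awk -v want="$1" '
        /^\[ *[0-9]+]/ {
            num = $0; sub(/^\[ */, "", num); sub(/].*/, "", num)
            rest = $0; sub(/^\[ *[0-9]+] */, "", rest)
            split(rest, f, " ")          # f[1] is the To column, e.g. 80/tcp
            if (f[1] == want) print num
        }' | sort -rn
}

# Turn the numbers into "ufw delete N" commands, highest first. --force
# answers the "Proceed with operation" prompt so the commands can be piped.
delete_commands_for() {
    rule_numbers_matching "$1" | while read -r n; do
        printf 'ufw --force delete %s\n' "$n"
    done
}

# Constructed sample of "ufw status numbered" output for the offline demo.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# Prints "ufw --force delete 5" then "ufw --force delete 2".
printf '%s\n' "$SAMPLE_STATUS" | delete_commands_for 80/tcp

# Against the live firewall (root, ufw installed): review the plan first,
# then pipe it into sh. UFW_APPLY is this script's own switch.
if [ "${UFW_APPLY:-0}" = 1 ]; then
    ufw status numbered | delete_commands_for "${1:?port/proto to remove}" | sh
fi
```

Run `sudo UFW_APPLY=1 sh delete-port.sh 80/tcp` to apply it; the match is on the exact To column, so `80/tcp` does not touch a rule for `8080/tcp`.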
To reset everything: disable UFW with `sudo ufw disable`, then run `sudo ufw reset`. This removes all rules and restores the defaults, so allow SSH again before you re-enable it.
More advanced rules
For such a simple tool, it gets a whole lot more powerful.
Allow from specific IPs or IP Ranges only
For example: `sudo ufw allow from 192.168.1.50 proto tcp to any port 22`
Let's break it down:
`sudo ufw allow` - simple enough
`from 192.168.1.50` - only match connections coming from 192.168.1.50
`proto tcp` - this rule applies only to TCP
`to any` - to any destination address on this machine. You can replace `any` with one specific local address (the address of a Docker bridge interface, for example) to restrict the rule to that address; `any` matches whatever is listening on that port on any of your addresses. Be aware that ports published by Docker are inserted into iptables by Docker itself and bypass UFW's rules, so don't rely on UFW alone to protect them.
`port 22` - this rule applies only to port 22.
Swap out the IP address for a range to cover a whole network. For example, `192.168.1.0/24` matches everything on the local network: `sudo ufw allow from 192.168.1.0/24 proto tcp to any port 22`
Every outbound connection is allowed by default unless expressly denied.
To deny one, swap `allow` for `deny` and add `out` just before the port:
`sudo ufw deny out 25/tcp`
This would deny outgoing SMTP traffic, for example.
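An allow-from rule only does what you want if the source address is right, and UFW will happily accept a mistyped address that matches nobody. As an added example (not from the original post), the script below validates each IPv4 address or CIDR range in an allowlist before printing the corresponding `allow from ... proto tcp to any port` rule, and finishes with the outbound SMTP deny from the text. The allowlist is constructed inline for the demo; in practice you would feed it from a file. Nothing in the block calls `ufw`, so you can review the generated rules before running them.

```shell
#!/bin/sh
# Added example, not from the original post: build "allow from" rules for a
# list of source addresses and an outbound deny, validating each IPv4
# address or CIDR first so a typo does not become a rule that ufw accepts
# but that matches nothing you intended. Nothing here calls ufw.

# Exit 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
cidr_valid() {
    addr=${1%/*}
    case $1 in
        */*) prefix=${1##*/}
             case $prefix in ''|*[!0-9]*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr                  # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# $1: source address or CIDR, $2: destination port. Prints the rule or fails.
allow_from_rule() {
    cidr_valid "$1" || { echo "bad source address: $1" >&2; return 1; }
    printf 'ufw allow from %s proto tcp to any port %s\n' "$1" "$2"
}

# Read "address  # comment" lines from stdin, print one allow rule per line,
# and stop at the first bad address so a partial rule set is never applied.
allowlist_rules() {
    port=$1
    while read -r src _; do
        case $src in ''|'#'*) continue ;; esac
        allow_from_rule "$src" "$port" || return 1
    done
}

# Constructed allowlist for the demo; real input would come from a file.
SAMPLE_ALLOWLIST='# hosts allowed to reach SSH
192.168.1.50      # admin laptop
192.168.1.0/24    # office LAN
10.8.0.0/16       # VPN clients'

printf '%s\n' "$SAMPLE_ALLOWLIST" | allowlist_rules 22
# Outbound is allowed by default, so deny only what you mean to block.
printf 'ufw deny out %s/tcp\n' 25
```

Pipe the output through `sudo sh` once you are happy with it. One caveat the rules themselves don't show: if you earlier ran `sudo ufw allow 22/tcp`, that broad rule still admits everyone, so delete it or the allowlist has no effect.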