ufw

Uncomplicated Firewall management interface

TLDR

Enable ufw

$ sudo ufw enable

Disable ufw

$ sudo ufw disable

Show rules with numbers

$ sudo ufw status numbered

Allow incoming traffic on a port

$ sudo ufw allow 5432 comment "Service"

Allow TCP traffic from specific IP

$ sudo ufw allow proto tcp from 192.168.0.4 to any port 22

Deny traffic on a port

$ sudo ufw deny 80

Deny UDP traffic on port range

$ sudo ufw deny proto udp from any to any port 8412:8500

Set default incoming policy to deny

$ sudo ufw default deny incoming

Allow a known application profile

$ sudo ufw allow OpenSSH

Delete a rule by number

$ sudo ufw delete [rule_number]

Allow routed traffic between interfaces

$ sudo ufw route allow in on [eth0] out on [eth1]

SYNOPSIS

ufw [--dry-run] command [rule]

ufw (Uncomplicated Firewall) is a frontend for iptables/nftables designed to make firewall configuration easier. It provides a user-friendly interface for managing netfilter firewall rules while supporting both simple and complex rule specifications.

PARAMETERS

enable

Enable the firewall and load rules on boot

disable

Disable the firewall and unload rules

reload

Reload the firewall configuration

reset

Reset to installation defaults

status

Show firewall status and rules

status verbose

Show detailed status with logging and default policies

status numbered

Show rules with line numbers for deletion

--dry-run

Show changes without applying them

--force

Execute without confirmation prompts

CONFIGURATION

/etc/ufw/ufw.conf

Main configuration file controlling enable/disable state, logging level, and IPv6 support.

/etc/ufw/before.rules

Custom iptables rules applied before ufw-managed rules.

/etc/ufw/after.rules

Custom iptables rules applied after ufw-managed rules.

/etc/default/ufw

Default policy settings and input/output/forward policy configuration.

RULE COMMANDS

allow

Permit matching traffic

deny

Block matching traffic silently

reject

Block matching traffic and notify sender

limit

Rate-limit connections (blocks after 6+ attempts in 30 seconds)

delete

Remove a rule by specification or number

insert NUM

Add rule at specified position

prepend

Add rule before all others of same IP type

route allow|deny|reject|limit

Add rule for routed/forwarded traffic

DEFAULT POLICY

default allow|deny|reject incoming

Set default policy for incoming traffic

default allow|deny|reject outgoing

Set default policy for outgoing traffic

default allow|deny|reject routed

Set default policy for forwarded traffic

APPLICATION PROFILES

app list

List available application profiles

app info PROFILE

Show information about an application profile

app default allow|deny|reject|skip

Set default application policy

REPORTS

show raw

Show raw iptables rules

show added

Show rules as they were added on the command line

show listening

Show listening ports and associated rules

show builtins

Show default built-in rules

RULE SYNTAX

Simple: ufw allow 22/tcpWith comment: ufw allow 80 comment 'HTTP'Port range: ufw allow 6000:6007/tcpMultiple ports: ufw allow 80,443/tcpFrom address: ufw allow from 192.168.1.0/24Full syntax: ufw allow proto tcp from any to any port 80

LOGGING

logging off

Disable logging

logging on

Enable logging (low level)

logging low|medium|high|full

Set logging verbosity level

CAVEATS

Default policies are deny incoming, allow outgoing, deny forwarding. Enabling ufw may disrupt existing connections if rules are not configured first. Use --dry-run to preview changes before applying.

HISTORY

ufw was developed by Canonical for Ubuntu to simplify iptables firewall management. It was first released in Ubuntu 8.04 (2008) and has become a popular firewall tool across many Linux distributions.

ufw