ufw
Manage a firewall
TLDR
Enable ufw
Disable ufw
Show ufw rules, along with their numbers
Allow incoming traffic on port 5432 on this host with a comment identifying the service
Allow only TCP traffic from 192.168.0.4 to any address on this host, on port 22
Deny traffic on port 80 on this host
Deny all UDP traffic to ports in range 8412:8500
Delete a particular rule. The rule number can be retrieved from the `ufw status numbered` command
SYNOPSIS
ufw [options] command
ufw [rule-spec]
Common commands include:
ufw enable | disable | status [verbose | numbered] | reset
ufw default [policy] [incoming | outgoing]
ufw [allow | deny | reject | limit] [in | out | to | from] [rule]
ufw delete [rule | rule-number]
ufw insert num [rule]
ufw logging [on | off | high | medium | low]
ufw app [list | info | update] [profile]
ufw show [added | raw | user | built-in | log | running | listening | route]
ufw version | ufw --help
PARAMETERS
enable
Activates the firewall and configures it to start automatically at boot.
disable
Deactivates the firewall and prevents it from starting on boot.
status [verbose|numbered]
Displays the current firewall status and active rules. verbose shows more details; numbered lists rules with numbers for easy deletion.
reset
Resets the firewall to its default state, deleting all custom rules and setting policies to deny incoming and allow outgoing.
default
Sets the default policy (e.g., allow, deny, reject) for incoming or outgoing connections.
allow
Creates a rule to explicitly allow specified incoming or outgoing connections based on port, protocol, or IP address.
deny
Creates a rule to explicitly deny specified incoming or outgoing connections.
reject
Creates a rule to deny specified connections and send a rejection packet back to the source.
limit
Creates a rule to limit new connections to a service, commonly used to protect against brute-force attacks on SSH.
delete
Removes an existing rule, either by specifying the rule itself or its corresponding number from `ufw status numbered`.
insert
Inserts a rule at a specific numeric position in the rule list, affecting its precedence.
logging [on|off|high|medium|low]
Configures the level of firewall logging to syslog, ranging from minimal ('low') to extensive ('high').
app
Manages application-specific profiles defined in `/etc/ufw/applications.d`. Commands include list, info, and update.
show
Displays various internal UFW components and configurations, such as `show added` for user-defined rules or `show raw` for underlying iptables rules.
DESCRIPTION
The Uncomplicated Firewall (ufw) is a command-line interface for managing Netfilter, the Linux kernel's packet filtering framework. It was designed to simplify firewall configuration, making it accessible to users who find the complexity of raw iptables commands daunting.
UFW abstracts the intricacies of Netfilter rules, allowing users to easily define policies for incoming and outgoing network traffic. It supports common operations such as allowing or denying connections based on ports, protocols, and IP addresses, as well as managing application-specific rules.
By default, UFW typically denies all incoming connections and allows all outgoing connections, providing a secure baseline. It integrates well with system services and can be configured to start automatically at boot, ensuring continuous protection. While UFW simplifies common tasks, it still leverages the full power of iptables underneath, making it a robust solution for most desktop and server firewall needs.
CAVEATS
While ufw simplifies firewall management, it's essential to remember that it's a frontend for iptables. Direct manipulation of iptables rules can bypass or conflict with ufw's configuration.
Complex networking scenarios, such as advanced routing or multi-homed servers, might still require direct iptables configuration or a more powerful firewall solution.
Also, rules are processed in order; a broadly permissive rule placed before a specific restrictive rule can undermine security. Always verify the firewall status after making changes, especially after a `ufw reset`.
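As an added example, not part of ufw or of this page, the following Python parses constructed `ufw status numbered` output and reports DENY/REJECT rules that an earlier, broader ALLOW already shadows, which is the ordering mistake described above. The sample output, its addresses and the comment text are constructed.

```python
import re

# Constructed `ufw status numbered` output (not captured from a real host).
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.0.4
[ 2] 5432                       ALLOW IN    Anywhere                   # PostgreSQL
[ 3] 80                         ALLOW IN    Anywhere
[ 4] 80                         DENY IN     Anywhere
[ 5] 8412:8500/udp              DENY IN     Anywhere
[ 6] 22/tcp (v6)                ALLOW IN    192.168.0.4 (v6)
"""

# One numbered rule line: "[ N] <to> <ACTION> <IN|OUT> <from> [# comment]"
RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>\S+(?: \(v6\))?)\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+(?P<dir>IN|OUT)\s+"
    r"(?P<frm>\S+(?: \(v6\))?)(?:\s+#\s*(?P<comment>.*))?$"
)

def parse_ufw_status(text):
    """Return one dict per numbered rule; status and header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["num"] = int(r["num"])
            r["comment"] = r["comment"] or ""
            rules.append(r)
    return rules

def shadowed_rules(rules):
    """Rules match in order, so a DENY/REJECT is dead if an earlier ALLOW/LIMIT
    on the same To column and direction already accepts its sources
    ('Anywhere' or the identical source). Returns (earlier_num, later_num)."""
    findings = []
    for later in rules:
        if later["action"] not in ("DENY", "REJECT"):
            continue
        for earlier in rules:
            if (earlier["num"] < later["num"] and earlier["action"] in ("ALLOW", "LIMIT")
                    and earlier["to"] == later["to"] and earlier["dir"] == later["dir"]
                    and earlier["frm"] in ("Anywhere", later["frm"])):
                findings.append((earlier["num"], later["num"]))
    return findings
```

The comparison is on the literal To column, so `80` and `80/tcp` are treated as different rules; widen it if your rule set mixes the two forms.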
APPLICATION PROFILES
UFW supports application profiles, which are predefined sets of rules for common services (e.g., Apache, SSH). These profiles are typically found in `/etc/ufw/applications.d/` and allow for easy enabling or disabling of service-specific ports, like `ufw allow ssh` or `ufw allow 'Apache Full'`.
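An added example, not code from ufw itself: this Python reads profile text in the `/etc/ufw/applications.d` INI format (in the `ports=` value, `,` separates ports, `/` precedes the protocol, `:` marks a range and `|` separates protocol groups) and totals how many ports each profile would open, which is useful when reviewing what `ufw allow '<profile>'` actually exposes. The profile text is constructed; the OpenSSH entry is modelled on the stock profile and the two "Demo" profiles are invented.

```python
import configparser

# Constructed profile text in the /etc/ufw/applications.d INI format (not a system file).
SAMPLE_PROFILE = """\
[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenBSD Secure Shell server
ports=22/tcp

[Demo DNS]
title=Demo resolver (constructed)
description=Answers on both transports
ports=53/tcp|53/udp

[Demo Web]
title=Demo web server (constructed)
description=HTTP, HTTPS and a passive data-channel range
ports=80,443/tcp|60000:60100/tcp
"""

def parse_profiles(text):
    """Return {profile_name: [(port_or_range, protocol), ...]}."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    profiles = {}
    for name in cfg.sections():
        entries = []
        for group in cfg[name]["ports"].split("|"):   # '|' separates protocol groups
            ports, _, proto = group.partition("/")    # '/' precedes the protocol
            for p in ports.split(","):                # ',' separates ports in a group
                entries.append((p, proto or "any"))   # no suffix is kept as "any" here
        profiles[name] = entries
    return profiles

def port_count(entries):
    """Number of individual ports the entries open; ranges use the a:b syntax."""
    total = 0
    for port, _ in entries:
        lo, _, hi = port.partition(":")
        total += int(hi) - int(lo) + 1 if hi else 1
    return total
```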
RULE PRECEDENCE
Rules are processed in a specific order: first, denied rules, then allowed rules. Within these categories, rules are processed from specific to more general. Explicit rules defined by the user always take precedence over default policies, making the order of rule creation important for desired firewall behavior.
HISTORY
UFW was developed by Canonical Ltd., the creators of Ubuntu, with the primary goal of simplifying firewall configuration on Linux systems. It first debuted in Ubuntu 8.04 LTS (Hardy Heron) in 2008.
Prior to UFW, managing firewall rules directly with iptables was often considered complex and error-prone for many users. UFW aimed to provide a more intuitive and user-friendly interface, making basic firewall setup accessible to a wider audience. It has since become a standard component in Ubuntu and is widely available on other Debian-based distributions.