LinuxCommandLibrary

ufw-framework

Manage complex firewall rule sets using UFW

SYNOPSIS

ufw [options] command [arguments]

Common commands:
ufw enable
ufw disable
ufw status [verbose|numbered]
ufw default [allow|deny|reject] [incoming|outgoing]
ufw [allow|deny|reject|limit] [in|out] [on interface] [to destination] [from source] [port port/protocol] [comment 'rule comment']

PARAMETERS

enable
    Activates and starts the firewall, setting it to run on boot.

disable
    Deactivates and stops the firewall, removing it from starting on boot.

status [verbose|numbered]
    Displays the current firewall status and the list of active rules. Use 'verbose' for more details or 'numbered' to show rule numbers for deletion.

default [direction]
    Sets the default policy for incoming or outgoing connections. Policies can be 'allow', 'deny', or 'reject'. Default direction is 'incoming'.

[allow|deny|reject|limit]
    Adds a new firewall rule. Specifies whether to 'allow', 'deny', 'reject' (deny with ICMP message), or 'limit' (rate-limit) connections. Rules can specify ports, protocols, IP addresses, and interfaces.

delete
    Deletes an existing rule. Can be done by specifying the full rule or by its number (obtained via 'ufw status numbered').

reset
    Resets the firewall to its default, disabled state, removing all custom rules.

logging [on|off|level]
    Enables, disables, or sets the logging level for firewall events (e.g., 'low', 'medium', 'high', 'full').

version
    Displays the current version of the ufw utility.

--dry-run
    Simulates a command execution without making actual changes to the firewall rules. Useful for testing.

--force
    Forces an action that would normally require user confirmation, such as 'ufw reset'.

DESCRIPTION

The ufw (Uncomplicated Firewall) command is a user-friendly front-end for the Linux kernel's netfilter firewall. It serves as a high-level framework that significantly simplifies the process of configuring and managing firewall rules, abstracting away the complexities of direct iptables commands. Developed by Canonical for Ubuntu, ufw aims to make firewall administration accessible to both beginners and experienced users.

Instead of manually constructing intricate iptables rules, users can use ufw to define firewall policies with simple, intuitive commands. It supports common operations such as enabling or disabling the firewall, setting default policies (e.g., deny incoming, allow outgoing), and adding rules to allow or deny traffic based on ports, protocols, IP addresses, or even application profiles. ufw also provides status checks and logging capabilities.

While ufw provides a robust and easy-to-use interface, it ultimately translates its commands into iptables rules. This makes it a powerful tool for securing a Linux system without needing deep knowledge of netfilter internals, making it the de-facto standard firewall management tool on Ubuntu and many Debian-based distributions.

CAVEATS

While ufw greatly simplifies firewall management, it's essential to understand its limitations. Since it acts as a front-end to iptables, direct iptables commands can bypass or conflict with ufw's rules. Mixing ufw with manual iptables configurations can lead to unexpected behavior. For highly complex or very specific firewall requirements, direct iptables or netfilter configuration might still be necessary. Always ensure your default policies are secure, typically denying incoming connections by default.

APPLICATION PROFILES

ufw supports application integration by allowing profiles to be defined for common services (e.g., Apache, OpenSSH). These profiles define the necessary port/protocol rules for an application, simplifying rule creation. You can list available profiles using 'ufw app list' and enable them with 'ufw allow '.

RULE PRECEDENCE

The order of rules in ufw matters. Rules are processed from top to bottom, with the first matching rule taking precedence. More specific rules should generally be placed before more general rules. ufw attempts to manage this order automatically, but understanding rule precedence is crucial for effective firewall configuration.

HISTORY

ufw was developed by Canonical, the company behind Ubuntu, with the primary goal of making firewall configuration more straightforward for Ubuntu users. It first appeared in Ubuntu 8.04 LTS (Hardy Heron) in 2008 and has since become the default firewall management utility on Ubuntu and many other Debian-derived distributions. Its development focused on providing a simplified, high-level interface to the complex netfilter framework, addressing the need for an easy-to-use firewall solution for desktop and server environments.

SEE ALSO

iptables(8), netfilter(7), firewalld(1)

Copied to clipboard