UFW Firewall Configuration and Management Cheatsheet
UFW (Uncomplicated Firewall) is Ubuntu’s default firewall management tool that provides a simplified interface for managing iptables rules. This cheatsheet covers essential UFW commands and configurations for securing Linux systems with practical examples and best practices.
Getting Started with UFW
Enable and Disable UFW
# Enable UFW (starts on boot)
sudo ufw enable
# Disable UFW
sudo ufw disable
# Check UFW status
sudo ufw status
# Detailed status with numbering
sudo ufw status numbered
# Verbose status showing rules and profiles
sudo ufw status verbose
UFW Logging
# Enable logging (same as level 'low': blocked packets that do not match the default policy, rate limited)
sudo ufw logging on
# Set logging level: low, medium, high or full. 'medium' adds allowed packets, invalid packets and new connections; 'high' and 'full' drop the rate limiting, so log volume grows quickly
sudo ufw logging medium
# Disable logging
sudo ufw logging off
Default Policies
Basic Default Rules
# Deny all incoming connections (recommended)
sudo ufw default deny incoming
# Allow all outgoing connections (typical)
sudo ufw default allow outgoing
# Allow routed (forwarded) traffic: needed when the host forwards packets for VMs, containers or a VPN
sudo ufw default allow routed
# Deny routed traffic (the installation default, and the more restrictive choice)
sudo ufw default deny routed
The routed policy governs packets that pass through the host (the FORWARD chain) rather than packets addressed to or from it. It matters when the host acts as a gateway for virtual machines, containers or VPN clients; forwarding also requires net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf. Prefer narrow 'ufw route allow ...' rules that name the inbound and outbound interfaces over a blanket allow. Note that Docker installs its own iptables chains ahead of UFW's, so ports published with 'docker run -p' are reachable from outside regardless of the UFW rule set; treat published ports as exposed unless Docker's iptables integration is disabled or its chains are restricted separately.
Port Management
Allow and Deny Ports
# Allow specific port (matches both TCP and UDP when no protocol is given; prefer naming the protocol)
sudo ufw allow <port>
# Allow port with protocol specification
sudo ufw allow <port>/tcp
sudo ufw allow <port>/udp
# Allow port range
sudo ufw allow <start_port>:<end_port>/tcp
# Deny specific port
sudo ufw deny <port>/tcp
# Examples
sudo ufw allow 22/tcp # SSH
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw allow 53/udp # DNS
sudo ufw allow 8080:8090/tcp # Port range
Port Management with IP Restrictions
# Allow specific IP to specific port
sudo ufw allow from <ip_address> proto tcp to any port <port>
# Allow IP range to specific port
sudo ufw allow from <ip_range> proto tcp to any port <port>
# Allow specific IP to a specific destination address and port (useful on multi-homed hosts; no protocol given, so TCP and UDP both match)
sudo ufw allow from <ip_address> to <destination_ip> port <port>
# Examples
sudo ufw allow from 192.168.1.100 proto tcp to any port 22
sudo ufw allow from 192.168.1.0/24 proto tcp to any port 3306
sudo ufw allow from 10.0.0.0/8 to 192.168.1.10 port 443
Application Profiles
Managing Application Rules
# List available application profiles
sudo ufw app list
# Show application profile details
sudo ufw app info <profile_name>
# Allow application profile
sudo ufw allow <profile_name>
# Deny application profile
sudo ufw deny <profile_name>
# Examples
sudo ufw allow OpenSSH
sudo ufw allow 'Apache Full'
sudo ufw allow 'Nginx Full'
sudo ufw app info OpenSSH
Common Application Profiles
- OpenSSH: SSH server access
- Apache: HTTP web server
- Apache Full: HTTP and HTTPS web server
- Apache Secure: HTTPS only web server
- Nginx Full: HTTP and HTTPS web server
- Nginx HTTP: HTTP only web server
- Nginx HTTPS: HTTPS only web server
Advanced Rules and Management
IP Address Rules
# Allow from specific IP
sudo ufw allow from <ip_address>
# Deny from specific IP
sudo ufw deny from <ip_address>
# Allow from subnet
sudo ufw allow from <subnet>
# Examples
sudo ufw allow from 192.168.1.100
sudo ufw deny from 203.0.113.0/24
sudo ufw allow from 10.0.0.0/8
Interface-Specific Rules
# Allow on specific interface
sudo ufw allow in on <interface>
# Allow from IP on specific interface
sudo ufw allow in on <interface> from <ip_address>
# Examples
sudo ufw allow in on eth0
sudo ufw allow in on wlan0 from 192.168.1.0/24
Service-Based Rules
# Allow by service name
sudo ufw allow <service_name>
# Allow service from specific IP
sudo ufw allow from <ip_address> to any port <service_name>
# Examples
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw allow mysql
Rule Management
Viewing Rules
# Show all rules with numbers
sudo ufw status numbered
# Show rules with detailed information
sudo ufw status verbose
# Show the iptables/ip6tables rules that 'enable' would load, without loading them
sudo ufw --dry-run enable
Deleting Rules
# Delete by rule number (numbers come from 'ufw status numbered'; IPv4 and IPv6 entries are numbered separately, and the list is renumbered after every deletion, so delete the highest number first)
sudo ufw delete <rule_number>
# Delete by repeating the original rule after 'delete' (no renumbering concern; add --force to skip the confirmation prompt)
sudo ufw delete allow <port>/tcp
sudo ufw delete allow from <ip_address> proto tcp to any port <port>
# Examples
sudo ufw delete 3
sudo ufw delete allow 80/tcp
sudo ufw delete allow from 192.168.1.100 proto tcp to any port 22
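The renumbering gotcha above is easy to get wrong by hand when several rules need to go. The script below, an added example rather than anything from the original cheatsheet, selects rule numbers from a 'ufw status numbered' listing by regular expression and deletes them highest-first so the remaining numbers stay valid. The status listing it ships with is constructed, not captured from a real host, and the fake_ufw function is a stand-in for the real 'sudo ufw' so the logic can be exercised without root.

```bash
#!/usr/bin/env bash
# Delete every UFW rule whose 'ufw status numbered' line matches a pattern.
# Numbers are read from a fresh listing and deleted highest-first, because
# each deletion renumbers the rules below it.
set -eu

# Command used to talk to ufw; set UFW=fake_ufw for an offline dry run.
UFW="${UFW:-sudo ufw}"

# Constructed sample of 'ufw status numbered' output (not from a real host),
# used by fake_ufw so the script can be tried without touching a firewall.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306                       ALLOW IN    192.168.1.0/24
[ 4] 8080:8090/tcp              ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 8080:8090/tcp (v6)         ALLOW IN    Anywhere (v6)'

# Stand-in for ufw: answers 'status numbered' with the sample and echoes
# any other command line instead of running it.
fake_ufw() {
  if [ "${1:-}" = "status" ]; then
    printf '%s\n' "$SAMPLE_STATUS"
  else
    echo "ufw $*"
  fi
}

# $1: status listing text, $2: extended regex tested against each rule line.
# Prints the matching rule numbers, highest first.
matching_rule_numbers() {
  printf '%s\n' "$1" \
    | grep -E '^\[ *[0-9]+\]' \
    | grep -E -e "$2" \
    | sed -E 's/^\[ *([0-9]+)\].*/\1/' \
    | sort -rn
}

# $1: extended regex. Deletes every matching rule, IPv4 and IPv6 entries alike.
delete_rules_matching() {
  local status nums n
  status="$(${UFW} status numbered)"
  nums="$(matching_rule_numbers "$status" "$1")"
  if [ -z "$nums" ]; then
    echo "no rules match: $1" >&2
    return 1
  fi
  for n in $nums; do
    # --force skips the "Proceed with operation" prompt for delete-by-number
    ${UFW} --force delete "$n"
  done
}

# Offline demo against the sample:  UFW=fake_ufw ./ufw-delete-matching.sh '8080:8090'
# Real use (after checking the pattern with 'ufw status numbered'):
#   ./ufw-delete-matching.sh '8080:8090'
if [ "$UFW" = "fake_ufw" ]; then
  delete_rules_matching "${1:-8080:8090}"
fi
```

Run it against the fake first and read the commands it prints; the IPv6 twin of a rule matches the same pattern, so both the '[ 7]' and '[ 4]' entries are removed, in that order.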
Rule Insertion
# Insert rule at specific position. Rules are matched top-down and the first match wins, so a deny that must override an allow has to sit above it; the position must fall within the currently numbered list (check 'ufw status numbered' first)
sudo ufw insert <position> <rule>
# Examples
sudo ufw insert 1 allow from 192.168.1.100
sudo ufw insert 2 deny from 203.0.113.0/24
Security Best Practices
Recommended Initial Setup
# 1. Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# 2. Allow SSH before enabling (avoid lockout)
sudo ufw allow OpenSSH
# 3. Enable UFW
sudo ufw enable
# 4. Verify configuration
sudo ufw status verbose
Common Security Configurations
# Web server setup
sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'
sudo ufw enable
# Database server (restricted access)
sudo ufw allow OpenSSH
sudo ufw allow from 192.168.1.0/24 to any port 3306
sudo ufw enable
# Development server
sudo ufw allow OpenSSH
sudo ufw allow 8000:8999/tcp
sudo ufw enable
For web servers, UFW only decides which ports are reachable; it does not inspect HTTP traffic. Pair it with a correctly configured nginx reverse proxy for application-level controls, and with OpenSSL certificate management for the TLS certificates behind any HTTPS port you open.
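The four-step initial setup above is what usually gets typed by hand, and step 2 is where remote lockouts happen. The script below is an added example, not part of the original cheatsheet: it turns the procedure into a reviewable plan, pins the address of the SSH session that is running it (taken from the SSH_CONNECTION variable that sshd sets) before any other rule, and only then enables the firewall. The rule list is a constructed example for a web host that also accepts database connections from a LAN subnet; the UFW variable and the plan/apply split are this example's own conventions, not ufw features.

```bash
#!/usr/bin/env bash
# Declarative UFW baseline with a lockout guard.
# 'plan' prints the ufw commands in the order they would run; 'apply' runs them.
set -eu

UFW="${UFW:-sudo ufw}"

# Host-specific rules, one per line, in ufw syntax without the leading 'ufw'.
# Constructed example for a web host with a LAN database client; edit per role.
RULES='
limit 22/tcp
allow 80/tcp
allow 443/tcp
allow from 192.168.1.0/24 proto tcp to any port 3306
'

# Client address of the SSH session running this script (empty on a console).
# sshd exports SSH_CONNECTION="client_ip client_port server_ip server_port".
ssh_client_ip() {
  printf '%s' "${SSH_CONNECTION:-}" | cut -d' ' -f1
}

# Print every ufw command, one per line, without executing anything.
plan() {
  local client
  client="$(ssh_client_ip)"
  echo "default deny incoming"
  echo "default allow outgoing"
  # Admit the operator's own address first: rules match top-down, so this
  # survives a typo in a later rule or an overly strict limit on port 22.
  if [ -n "$client" ]; then
    echo "allow from $client proto tcp to any port 22"
  fi
  printf '%s\n' "$RULES" | sed '/^[[:space:]]*$/d; /^#/d'
  # --force answers ufw's "may disrupt existing ssh connections" prompt.
  echo "--force enable"
  echo "status verbose"
}

# Execute the plan in order. A failing ufw command stops before 'enable'.
apply() {
  plan | while IFS= read -r line; do
    # shellcheck disable=SC2086  # splitting the line into arguments is intended
    ${UFW} ${line}
  done
}

case "${1:-plan}" in
  plan)  plan ;;
  apply) apply ;;
  *) echo "usage: $0 [plan|apply]" >&2; exit 2 ;;
esac
```

Review the output of './ufw-baseline.sh plan' over the SSH session you intend to keep, then run 'apply'. If the pinned address is a NAT gateway shared with other users, replace the 'allow from' line with the narrower source you actually want to trust once you have confirmed access.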
Troubleshooting and Maintenance
Common Issues
# Reset UFW to installation defaults: disables the firewall, removes all rules and leaves a timestamped copy of the old rule files in /etc/ufw
sudo ufw --force reset
# Reload UFW rules
sudo ufw reload
# Check UFW logs (kernel netfilter messages tagged [UFW BLOCK], [UFW ALLOW], [UFW LIMIT BLOCK] or [UFW AUDIT], written by rsyslog; the same lines appear in the kernel log)
sudo tail -f /var/log/ufw.log
# Preview the generated iptables rule set without applying it
sudo ufw --dry-run enable
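Tailing /var/log/ufw.log tells you that packets are being dropped; it does not tell you who is probing which ports. The script below is an added example, not part of the original cheatsheet, covering both the UFW Logging section and the log check above: it parses the netfilter key=value fields of [UFW BLOCK] and [UFW LIMIT BLOCK] lines and summarises blocked sources, probed ports, and sources that touched several distinct ports. The log lines it contains are constructed in the format rsyslog writes to /var/log/ufw.log, with documentation addresses; they are not captured from a real host.

```bash
#!/usr/bin/env bash
# Summarise [UFW BLOCK] entries from /var/log/ufw.log (or any file given as $1).
set -eu

# Constructed sample log lines (syslog prefix, then netfilter key=value fields).
SAMPLE_LOG='Mar 12 10:15:22 web01 kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 12 10:15:23 web01 kernel: [ 1235.001122] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54322 PROTO=TCP SPT=43211 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 12 10:15:24 web01 kernel: [ 1236.222333] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54323 PROTO=TCP SPT=43212 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 12 10:15:30 web01 kernel: [ 1242.000000] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=100 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Mar 12 10:15:31 web01 kernel: [ 1243.000000] [UFW ALLOW] IN=eth0 OUT= MAC=... SRC=192.168.1.100 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=200 PROTO=TCP SPT=50000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:15:32 web01 kernel: [ 1244.000000] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54330 PROTO=TCP SPT=43220 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# "count source" for blocked packets, busiest source first.
blocked_sources() {
  awk '/\[UFW (LIMIT )?BLOCK\]/ {
         for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
       }
       END { for (s in n) printf "%d %s\n", n[s], s }' "${1:-/var/log/ufw.log}" | sort -rn
}

# "count proto/dport" for blocked packets, most-probed port first.
blocked_ports() {
  awk '/\[UFW (LIMIT )?BLOCK\]/ {
         p = "?"; d = "?"
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^PROTO=/) p = substr($i, 7)
           if ($i ~ /^DPT=/)   d = substr($i, 5)
         }
         n[tolower(p) "/" d]++
       }
       END { for (k in n) printf "%d %s\n", n[k], k }' "${1:-/var/log/ufw.log}" | sort -rn
}

# Sources whose blocked packets hit at least $2 distinct destination ports
# (default 3): a simple horizontal-scan heuristic. Prints "source ports".
port_scanners() {
  awk -v min="${2:-3}" '/\[UFW (LIMIT )?BLOCK\]/ {
         s = ""; d = ""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^SRC=/) s = substr($i, 5)
           if ($i ~ /^DPT=/) d = substr($i, 5)
         }
         if (s != "" && !seen[s, d]++) ports[s]++
       }
       END { for (s in ports) if (ports[s] >= min) printf "%s %d\n", s, ports[s] }' "${1:-/var/log/ufw.log}"
}

# Stand-alone run: summarise the file given as $1, otherwise the sample above.
if [ -n "${1:-}" ]; then
  LOG="$1"
else
  LOG="$(mktemp)"
  printf '%s\n' "$SAMPLE_LOG" > "$LOG"
fi
echo "== blocked packets per source =="
blocked_sources "$LOG"
echo "== blocked packets per proto/port =="
blocked_ports "$LOG"
echo "== sources probing 3 or more distinct ports =="
port_scanners "$LOG" 3
```

[UFW LIMIT BLOCK] lines are counted alongside [UFW BLOCK] because they are the drops produced by 'ufw limit' rules; [UFW ALLOW] lines (seen only at logging medium or above) are deliberately ignored. Run it as 'sudo ./ufw-log-summary.sh /var/log/ufw.log' on a real host.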
Backup and Restore
# Backup the user rule files (rules added with 'ufw allow/deny/limit'); for a complete backup also copy /etc/ufw/before*.rules, /etc/ufw/after*.rules and /etc/default/ufw, and run 'sudo ufw reload' after restoring any of them
sudo cp /etc/ufw/user.rules /etc/ufw/user.rules.backup
sudo cp /etc/ufw/user6.rules /etc/ufw/user6.rules.backup
# List current rules for documentation
sudo ufw status numbered > ufw_rules_backup.txt
Advanced Configuration
Web Server Security Integration
UFW provides the network-layer half of a web server's protection. A typical setup opens only SSH and the HTTP/HTTPS ports on the web host and restricts the database host to the web tier's subnet:
# Basic web server firewall setup
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw enable
# On the database host: accept database connections only from the web server subnet
sudo ufw allow from 192.168.1.0/24 to any port 3306
sudo ufw allow from 192.168.1.0/24 to any port 5432 # PostgreSQL
Combine these firewall rules with a correctly configured nginx reverse proxy, TLS configuration and certificate management for application-level protection; UFW itself does not see inside the HTTP traffic it admits.
Rate Limiting
# Rate limit connections: a limit rule allows the traffic but denies new connections from an address that has attempted 6 or more in the last 30 seconds (drops are logged as [UFW LIMIT BLOCK]); this slows brute force, it does not replace key-based SSH authentication
sudo ufw limit ssh
sudo ufw limit OpenSSH
# Custom rate limiting
sudo ufw limit from <ip_address> proto tcp to any port 22
IPv6 Support
# Enable IPv6 handling: set this in /etc/default/ufw, then run 'sudo ufw reload'. With it on, every rule you add also gets an IPv6 entry (shown as '(v6)' in status output); with it off, ufw does not load ip6tables rules at all, so the host's IPv6 addresses are left unfiltered
IPV6=yes
# IPv6 specific rules
sudo ufw allow from ::1
sudo ufw allow from fe80::/64
Questions Answered in This Document
Q: How do I set up UFW with secure default policies?
A: Set 'sudo ufw default deny incoming' and 'sudo ufw default allow outgoing', then allow essential services like SSH before enabling UFW with 'sudo ufw enable'.
Q: How can I allow a specific IP address to access a particular port?
A: Use 'sudo ufw allow from <ip_address> proto tcp to any port <port>' to grant access to a specific IP and port combination; omit 'proto tcp' if the service also uses UDP.
Q: What's the difference between application profiles and port rules?
A: Application profiles are predefined rule sets for common services (like OpenSSH, Apache) that may include multiple ports and protocols, while port rules target specific ports and protocols.
Q: How do I enable UFW logging to monitor firewall activity?
A: Enable logging with 'sudo ufw logging on' and set the verbosity level with 'sudo ufw logging medium'. View logs with 'sudo tail -f /var/log/ufw.log'.
Q: Why is 'allow routed' important for virtualization?
A: 'sudo ufw default allow routed' permits packet forwarding through the host, which virtual machines, containers and VPN clients behind the host need; prefer specific 'ufw route allow' rules where you can, and remember that Docker's own iptables chains bypass UFW for published ports.
Q: How do I safely remove UFW rules without breaking connectivity?
A: Use 'sudo ufw status numbered' to identify rules, then 'sudo ufw delete <rule_number>' (deleting the highest number first, because the list is renumbered after each deletion) or repeat the rule as 'sudo ufw delete allow <original_rule>'.
Q: What are the most common UFW commands for web server security?
A: Allow SSH ('sudo ufw allow OpenSSH'), web traffic ('sudo ufw allow 'Nginx Full''), set restrictive defaults ('sudo ufw default deny incoming'), and enable the firewall ('sudo ufw enable').
Q: How can I implement rate limiting to prevent brute force attacks?
A: Use 'sudo ufw limit ssh' or 'sudo ufw limit OpenSSH'. A limit rule denies new connections from an address that has attempted six or more in the last 30 seconds, which slows password guessing; it is a complement to key-based authentication, not a substitute for it.
Q: How do I backup and restore UFW configurations?
A: Back up the rule files with 'sudo cp /etc/ufw/user.rules /etc/ufw/user.rules.backup' (and user6.rules, before*.rules, after*.rules and /etc/default/ufw for a complete copy), document current rules with 'sudo ufw status numbered > ufw_rules_backup.txt', and run 'sudo ufw reload' after restoring.
Q: How do I integrate UFW with web server security best practices?
A: Combine UFW firewall rules (ports 80, 443, SSH) with proper nginx reverse proxy configurations and SSL certificate management. Use UFW for network-level protection while implementing application-level security in your web server configuration.
Q: What should I do if I'm locked out due to UFW misconfiguration?
A: Access the system through alternative means (console, KVM, etc.) and either disable UFW with 'sudo ufw disable' or reset it completely with 'sudo ufw --force reset'.