On an Ubuntu server the default firewall management command is iptables. While iptables provides powerful functionality, its syntax is often seen as complex. For most users a friendlier syntax can make managing your firewall much easier.
The uncomplicated firewall (UFW) is an alternative program to iptables for managing firewall rules. Most typical Ubuntu installations will include UFW by default. In cases where UFW isn’t included it’s just a quick command away!
Installing UFW on Ubuntu
- These directions are intended to be done on any Ubuntu 16.04 LTS release.
- You will need to be logged in to SSH as the root user.
Keeping with best practice we’ll quickly run package updates before we install UFW. Once that’s done and out of the way we can run the install.
- Install UFW
apt install ufw
- Check the install
Copyright 2008-2015 Canonical Ltd.
And that is it; there's not much to the install and setup here. There's nothing to enable or restart with systemd since UFW is a wrapper for iptables and netfilter.
Now to fully enable UFW simply run:
If you are migrating from an iptables-based setup you will need to recreate the rules in UFW. For the best results you should set up the basic rules first and then enable UFW. This will help prevent locking yourself out if you’re working over SSH.
Examples using UFW
If you’re unfamiliar with firewall management then UFW and this quick list will make things a breeze! It really is pretty simple to use since programs can provide support for UFW in the form of app profiles. Using these profiles you can easily allow/deny access for the specific application.
- List all the profiles provided by installed packages:
ufw app list
- Allow access to Apache on both port 80 and 443:
ufw allow "Apache Full"
Rule added (v6)
- Allow access to SSH:
ufw allow "OpenSSH"
Rule added (v6)
- See the full status of UFW:
ufw status verbose
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)
Because of the cool app profiles feature in UFW, most services can easily be opened up in your firewall. In our example the server is still pretty fresh and barebones, so we don’t have that many app profiles. As you install more applications, if they support UFW, then you’ll see those profiles listed when you run the app list command from above.
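The advice above to set up the basic rules before enabling UFW can be scripted so the firewall is only switched on once the SSH rule is confirmed. This is an added example, not code from the original article; the helper names `ssh_rule_staged`, `status_keeps_ssh` and `safe_enable` are hypothetical, and it assumes sshd listens on the default port 22 and that the OpenSSH app profile is installed.

```shell
#!/bin/sh
# Added example, not from the original article. Run as root with --apply.

# Constructed sample of `ufw show added` output, for an offline check.
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow OpenSSH"

# Sample of `ufw status verbose` output, taken from the listing in the article.
SAMPLE_STATUS="Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp (OpenSSH) ALLOW IN Anywhere
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)"

# stdin: `ufw show added` output. Succeeds if an allow/limit rule for the
# OpenSSH profile, or for port $1 (default 22), has been staged.
ssh_rule_staged() {
    grep -Eq "^ufw (allow|limit) (OpenSSH|${1:-22}(/tcp)?)\$"
}

# stdin: `ufw status verbose` output. Succeeds if incoming traffic is denied
# by default and port $1/tcp (default 22) is still allowed or rate-limited in.
status_keeps_ssh() {
    awk -v want="${1:-22}/tcp" '
        /^Default: deny \(incoming\)/     { deny = 1 }
        $1 == want && /(ALLOW|LIMIT) IN/  { ssh = 1 }
        END { exit !(deny && ssh) }'
}

# Stage the SSH rule, confirm it was recorded, enable, then audit the result.
safe_enable() {
    ufw allow "OpenSSH" || return 1
    ufw show added | ssh_rule_staged || {
        echo "SSH rule not staged; UFW left disabled" >&2; return 1; }
    ufw --force enable || return 1   # --force skips the confirmation prompt
    ufw status verbose | status_keeps_ssh || {
        echo "UFW is on but the SSH rule or default policy looks wrong" >&2
        return 1; }
}

if [ "${1:-}" = "--apply" ]; then safe_enable; fi
```

If sshd listens on another port, allow that port instead of the profile and pass the port number to both check functions.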