Installing and using UFW on Ubuntu 16.04 LTS

On an Ubuntu server the default firewall management command is iptables. While iptables provides powerful functionality it’s syntax is often seen as complex. For most users a friendlier syntax can make managing your firewall much easier.

The uncomplicated firewall (UFW) is an alternative program to iptables for managing firewall rules. Most typical Ubuntu installations will include UFW by default. In cases where UFW isn’t included it’s just a quick command away!

Installing UFW on Ubuntu

Pre-Flight Check

• These directions are intended to be done on any Ubuntu 16.04 LTS release.
• You will need to be logged in to SSH as the root user.

Keeping with best practice we’ll quickly run package updates before we install UFW. Once that’s done and out of the way we can run the install.

apt update
apt upgrade

1. Install UFW
   apt install ufw
2. Check the install
   ufw --version

   ufw 0.35
   Copyright 2008-2015 Canonical Ltd.
   

And that is it, not much to the install and setup here. Nothing to enable or restart with systemd since UFW is a wrapper for iptables and netfilters.

Now to fully enable UFW simply run:

ufw enable

If you are migrating from an iptables based setup you will need to recreate the rules in UFW. For the best results you should setup the basic rules first and then enable UFW. This will help prevent locking yourself out if you’re working over SSH.

Examples using UFW

If you’re unfamiliar with firewall management then UFW and this quick list will make things a breeze! It really is pretty simple to use since programs can provide support for UFW in the form of app profiles. Using these profiles you can easily allow/deny access for the specific application.

• List all the profiles provided by installed packages:
  ufw app list

  Available applications:
  Apache
  Apache Full
  Apache Secure
  OpenSSH

• Allow access to Apache on both port 80 and 443:
  ufw allow "Apache Full"

  Rule added
  Rule added (v6)

• Allow access to SSH:
  ufw allow "OpenSSH"

  Rule added
  Rule added (v6)

• See the full status of UFW:
  ufw status verbose

  Status: active
  Logging: on (low)
  Default: deny (incoming), allow (outgoing), disabled (routed)
  New profiles: skip
  
  To                         Action      From
  --                         ------      ----
  22/tcp (OpenSSH)           ALLOW IN    Anywhere                  
  22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)

Because of the cool App profiles feature in UFW most services can easily be opened up in your firewall. In our example the server is still pretty fresh and barebones so we don’t have that manage app profiles. As you install more applications, if they support UFW, then you’ll see those profiles listed when you run the app list command from above.