Configure UFW on Ubuntu

Configure UFW on Ubuntu

UFW (aka Uncomplicated Fire Wall) is a software firewall shipped with Ubuntu. It is really simple to configure yet equally powerful in terms of blocking attacks directed to various ports on your server. It usually comes disabled by default. In this article, we will understand how to configure some basic rules to enable/disable access to various ports or services.

The available config options are as follows:

duke@tekduke:~# sudo ufw --help

Usage: ufw COMMAND

 enable                          enables the firewall
 disable                         disables the firewall
 default ARG                     set default policy
 logging LEVEL                   set logging to LEVEL
 allow ARGS                      add allow rule
 deny ARGS                       add deny rule
 reject ARGS                     add reject rule
 limit ARGS                      add limit rule
 delete RULE|NUM                 delete RULE
 insert NUM RULE                 insert RULE at NUM
 route RULE                      add route RULE
 route delete RULE|NUM           delete route RULE
 route insert NUM RULE           insert route RULE at NUM
 reload                          reload firewall
 reset                           reset firewall
 status                          show firewall status
 status numbered                 show firewall status as numbered list of RULES
 status verbose                  show verbose firewall status
 show ARG                        show firewall report
 version                         display version information

Application profile commands:
 app list                        list application profiles
 app info PROFILE                show information on PROFILE
 app update PROFILE              update PROFILE
 app default ARG                 set default application policy
ufw --help

The above is an example of commands and their corresponding action in UFW. first thing first, we set some defaults to make sure that we allow our server to be able to communicate with the other systems to perform updates etc. We will set default policies to allow outgoing connections but to block any incoming connections:

duke@tekduke:~# sudo ufw default allow outgoing
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)

duke@tekduke:~# sudo ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
Setting Defaults in UFW

As we can see here, we get a warning to update our rules. This is because once UFW is enabled with these settings, it will block ALL connections to the server (including SSH) so we need to enable ssh connections to the server first. For this, there is an application profile available in UFW. Given that you haven't setup ssh to run on a custom port, this alone should be enough to enable ssh access.

duke@tekduke:~# sudo ufw allow OpenSSH
Rule added
Rule added (v6)
Enable OpenSSH in UFW

Apart from this, another application that listens to incoming connections is Your webserver (Nginx in our case).

duke@tekduke:~# sudo ufw allow 'Nginx Full'
Rule added
Rule added (v6)
Enable Nginx Full in UFW

We use Nginx Full because we want to allow nginx to listen to both Port 80 & 443. If you conditionally want to only allow connections over Port 80 or Port 443, You can also use the options: 'Nginx HTTP' or  'Nginx HTTPS' instead of 'Nginx Full'.

Additionally, If You have any special ports that you want to allow connections to e.g. if You want to expose MySQL port 3306, You can do that as follows:

duke@tekduke:~# sudo ufw allow from to any port 3306
Rule added
Rule added (v6)
Allow MySQL from

In the above example, we've limited MySQL incoming connections to one IP address i.e. (which is on our local network) This way, the application server can connect to MySQL but anyone else can not.

There is a lot that can be done with UFW and it is really simple to use too. Now that we have configured all of our rule sets, we can finally enable UFW.

duke@tekduke:~# sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? Y
Firewall is active and enabled on system startup
Enable UFW

As you can see above, upon entering the command, it gives us the warning that SSH connections may be interrupted (due to our default deny incoming policy) but since we have enabled OpenSSH rule, we can safely proceed by responding Y

I hope this quick tutorial about UFW was helpful for you. You can learn more about UFW in a fantastic community article at DigitalOcean Here.