ufw Firewall Usage on Ubuntu

There’s an important piece of software sitting on your computer that you probably don’t even know is there. Or you simply take it for granted. One of the two.

I am referring to your Linux system’s firewall. If you’re running Ubuntu, then the system’s firewall configuration tool, ufw, is what we use.

In this simple tutorial, I’m gonna show you, in a few easy steps, just how simple it is to make your Ubuntu Linux system that little bit more secure.

If you’re using Ubuntu, then ufw (Uncomplicated Firewall) is already installed, but it is disabled by default. To check the current status of ufw, do this:

% sudo ufw status
Status: inactive

If it’s disabled, just perform this simple command to enable your firewall:

% sudo ufw enable
Firewall is active and enabled on system startup

Now repeat the status command and you should see this:

Status: active

Now, I’m sure you’re all aware that firewalls handle network traffic via ports. Once enabled, ufw applies a default set of rules which should be enough for most home users’ needs. But more advanced users might want to know how to allow traffic to a specific port. This is essential if you’re running a torrent client, FTP server, Telnet/SSH server or Apache.

To allow/open a specific port number in ufw, do this:

% sudo ufw allow 21

This will open port 21 in ufw and allow traffic through this port. Port 21 is used for FTP traffic and must be open if you’re running an FTP server on the default port.

Say that you want access to your system via Telnet or SSH. That can easily be done by using the same command, but changing the port number.

For SSH, use port 22:

% sudo ufw allow 22

Or for Telnet, use port 23:

% sudo ufw allow 23

That’s all you have to do to allow traffic through a set port.

But what if you want to ensure a specific port number is blocked? That’s just as easy as opening up the port:

% sudo ufw deny 21

You can also block access to the Telnet and SSH ports for extra security if you don’t use those ports:

% sudo ufw deny 22
% sudo ufw deny 23

It’s exactly the same command; you are simply replacing the allow argument with a deny argument so that ufw understands what you are telling it to do.

What if you make a mistake and enter the wrong port number or allow/deny rule? Thankfully, ufw makes it very easy to delete a specific rule, although it’s a little more fiddly. But only slightly!

To list your current rules, we simply run the status command from the very beginning of this tutorial:

% sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
21                         DENY        Anywhere
22                         DENY        Anywhere
23                         DENY        Anywhere
21                         DENY        Anywhere (v6)
22                         DENY        Anywhere (v6)
23                         DENY        Anywhere (v6)

Looking at the list above, if we wanted to allow traffic through port 21 instead of denying it, we first delete the current rule by doing the following:

% sudo ufw delete deny 21

When we repeat the status command, we see the rule has been removed:

% sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
22                         DENY        Anywhere
23                         DENY        Anywhere
22                         DENY        Anywhere (v6)
23                         DENY        Anywhere (v6)

And now we can allow the traffic through port 21 as we originally intended:

% sudo ufw allow 21

And now check to see our changes:

% sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
22                         DENY        Anywhere
23                         DENY        Anywhere
21                         ALLOW       Anywhere
22                         DENY        Anywhere (v6)
23                         DENY        Anywhere (v6)
21                         ALLOW       Anywhere (v6)
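
As an added example (not part of the original tutorial), the shell function below reads `ufw status` output and flags ALLOW rules that leave the cleartext services mentioned above, FTP (21) and Telnet (23), open to any source. The function names and the choice of ports to flag are assumptions, and the sample table is constructed.

```shell
#!/bin/sh
# Added example: audit plain `ufw status` output for cleartext services left open.
# Assumption: ports 21 (FTP) and 23 (Telnet) are the ones worth flagging.

# Constructed sample in the status format shown in this tutorial.
sample_status() {
cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22                         DENY        Anywhere
23                         DENY        Anywhere
21                         ALLOW       Anywhere
22                         DENY        Anywhere (v6)
23                         DENY        Anywhere (v6)
21                         ALLOW       Anywhere (v6)
EOF
}

# Reads `ufw status` text on stdin and prints one line per finding.
# Exit status: 0 = clean, 1 = findings, 2 = firewall inactive.
audit_ufw_status() {
    awk '
        /^Status: inactive/ { print "firewall inactive"; rc = 2; exit }
        # Remember whether this is an IPv6 row, then drop the (v6) markers so
        # the fields are always: port[/proto], action, source.
        { v6 = gsub(/\(v6\)/, "") }
        # Header and separator rows never match the port pattern.
        $1 ~ /^[0-9]+(\/(tcp|udp))?$/ && $2 == "ALLOW" && $3 == "Anywhere" {
            split($1, p, "/")
            if (p[1] == "21" || p[1] == "23") {
                fam = (v6 > 0) ? "IPv6" : "IPv4"
                svc = (p[1] == "21") ? "FTP" : "Telnet"
                printf "port %s (%s) open to any %s source\n", p[1], svc, fam
                if (rc < 1) rc = 1
            }
        }
        END { exit rc + 0 }
    '
}

# Demo on the constructed sample; on a live system, pipe in the real output:
#   sudo ufw status | audit_ufw_status
sample_status | audit_ufw_status || true
```

On the sample it reports port 21 as open for both IPv4 and IPv6, which matches the rules added in the steps above.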

Now that we’ve covered the basics of using ufw to protect your Ubuntu Linux system, it’s also important to know how to disable ufw, as you may need to at some point for troubleshooting.

To disable the firewall, do this:

% sudo ufw disable
Firewall stopped and disabled on system startup

But remember to re-enable the firewall once you have finished troubleshooting the network, as leaving it open/disabled is very insecure.

Ubuntu maintain a very good documentation page which covers ufw in more depth. I’ve just covered the basics here, which should actually be enough for most beginner-advanced users. It’s always good to know what you can do with ufw. Read the full documentation here: https://help.ubuntu.com/community/UFW

And don’t forget, you can always check the man pages:

% man ufw