A practical, step-by-step tutorial for securing any Linux system with a firewall — no prior iptables knowledge required.


1. Introduction

UFW (Uncomplicated Firewall) is a user-friendly front-end for Linux’s built-in iptables firewall. Instead of writing complex iptables rules, UFW lets you manage network traffic with plain, readable commands. It ships by default on Ubuntu and is available for most major distributions.

A firewall controls which network connections are allowed into and out of your machine. Without one, every port on your server is potentially exposed. UFW makes it easy to enforce a simple policy: deny everything by default, allow only what you need.


2. Preconditions

  • You need sudo (admin) access, a terminal, and an active internet connection.
  • UFW works on Debian, Ubuntu, Fedora, RHEL, CentOS, Arch, and most derivatives.

Important: If you are configuring a remote server, always allow SSH before enabling UFW or you may lock yourself out.


3. Installation

Debian / Ubuntu

# Update package list and install UFW
sudo apt update
sudo apt install ufw -y

Fedora / RHEL / CentOS

# Install UFW via dnf (Fedora 22+) or yum (older CentOS/RHEL)
sudo dnf install ufw -y
# or: sudo yum install ufw -y

Arch Linux

# Install UFW via pacman
sudo pacman -S ufw

# Also enable the service to persist across reboots
sudo systemctl enable ufw
sudo systemctl start ufw

Enable UFW and check status (on a remote server, add the SSH rule from section 4 before this step)

# Enable UFW (starts now and on every boot)
sudo ufw enable

# Check current status and active rules
sudo ufw status verbose

4. Basic Configuration

Set default policies — deny all incoming, allow all outgoing

sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow SSH (always do this first!)

# Standard SSH on port 22
sudo ufw allow ssh

# Non-standard SSH port (e.g. 2222)
sudo ufw allow 2222/tcp

Allow common services

# Web traffic
sudo ufw allow http      # port 80
sudo ufw allow https     # port 443

# DNS (if running a local resolver)
sudo ufw allow 53

# Email (SMTP)
sudo ufw allow 25/tcp

Remove a rule

# By service name
sudo ufw delete allow http

# By rule number (list numbers first)
sudo ufw status numbered
sudo ufw delete 3

Add a rule with a comment

sudo ufw allow 8080/tcp comment 'Dev web server'

5. Rule Syntax & Priorities

UFW evaluates rules top-to-bottom and applies the first match. Rules added earlier take priority.

Command   Effect
allow     Permits the traffic
deny      Silently drops the packet
reject    Drops the packet and sends an error reply
limit     Allows, but rate-limits repeated connections

Examples

# Allow by protocol
sudo ufw allow 443/tcp
sudo ufw allow 53/udp

# Deny a port
sudo ufw deny 23/tcp   # deny telnet

# IPv6 — in /etc/default/ufw, ensure this line is set:
# IPV6=yes

# App profiles (bundles of ports under a friendly name)
sudo ufw app list
sudo ufw allow 'Nginx Full'

App profiles (like Nginx Full, OpenSSH) are shortcuts defined in /etc/ufw/applications.d/. They bundle related ports under a friendly name.


6. Everyday Tasks

Lock down a server — SSH + HTTPS only

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow https
sudo ufw enable

Allow a specific IP or range (temporarily or permanently)

# Single IP
sudo ufw allow from 203.0.113.42

# IP range (CIDR notation)
sudo ufw allow from 203.0.113.0/24

# Remove it when done
sudo ufw delete allow from 203.0.113.42

Limit connections to mitigate brute-force attacks

# Blocks an IP that attempts 6 or more connections within 30 seconds
sudo ufw limit ssh

Use limit instead of allow for SSH in most cases — it blocks repeated rapid connection attempts automatically.


7. Logging & Verbosity

# Enable logging (levels: off, low, medium, high, full)
sudo ufw logging medium

# View UFW log entries
sudo tail -f /var/log/ufw.log

# Or via journald (systemd systems)
sudo journalctl -f | grep UFW

  • low — logs blocked packets only.
  • medium — also logs allowed packets matching rules.
  • high — very verbose; use only for debugging.
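To turn those log lines into something actionable, here is an added example (not part of the original tutorial) that counts blocked packets per source address and flags sources that probed several distinct ports. The log lines are constructed samples in UFW's log format, and the function names are my own.

```shell
#!/bin/sh
# Summarise UFW block events by source and flag port sweeps.
# Constructed sample in the format UFW writes to /var/log/ufw.log (fields
# trimmed to those the functions read); real lines also carry MAC=, TTL=, etc.
UFW_SAMPLE_LOG='Mar  3 10:15:01 web1 kernel: [1201.12] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.42 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=44321 DPT=22 SYN
Mar  3 10:15:02 web1 kernel: [1202.34] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.42 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=44322 DPT=23 SYN
Mar  3 10:15:03 web1 kernel: [1203.56] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.42 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=44323 DPT=3389 SYN
Mar  3 10:15:04 web1 kernel: [1204.78] [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51000 DPT=443 SYN
Mar  3 10:15:05 web1 kernel: [1205.90] [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=40001 DPT=22 SYN
Mar  3 10:15:06 web1 kernel: [1206.01] [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=40002 DPT=22 SYN'

# Count blocked packets per source address (BLOCK and LIMIT BLOCK, not ALLOW).
# Reads log text on stdin, prints "count address", busiest source first.
ufw_blocked_by_src() {
    awk '/\[UFW (LIMIT )?BLOCK\]/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) hits[substr($i, 5)]++
         }
         END { for (s in hits) print hits[s], s }' | sort -rn
}

# List sources whose blocked packets touched at least $1 (default 3) distinct
# destination ports, the usual signature of a port sweep.
ufw_port_sweepers() {
    awk -v threshold="${1:-3}" '/\[UFW (LIMIT )?BLOCK\]/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
         }
         END { for (s in ports) if (ports[s] >= threshold) print s, ports[s] }' | sort
}

# Demo on the constructed sample; on a real host feed the live log instead:
#   sudo cat /var/log/ufw.log | ufw_blocked_by_src
printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_blocked_by_src
printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_port_sweepers 3
```

A source that appears at the top of the first listing and in the second is a candidate for an explicit deny rule or a fail2ban jail.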

8. Safe Testing Before Lockdown

Never apply restrictive rules over your only SSH session without a safety net.

Step 1 — Open a second SSH session first. Leave your original session open. In a second terminal, connect again — this verifies your SSH rule works before you commit to the new policy.

Step 2 — Add your SSH allow rule, then test.

sudo ufw allow ssh
# Verify from your second terminal that SSH still connects

Step 3 — Enable UFW only after confirming access.

sudo ufw enable
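The three steps above can be wrapped in a pre-flight check so that step 3 cannot run while the SSH rule from step 2 is missing. This is an added example, not a tool shipped with UFW: it parses the output of `ufw show added` (one `ufw allow ...` or `ufw limit ...` line per rule), and the function names and the sample listing are my own.

```shell
#!/bin/sh
# Pre-flight check for step 3: enable UFW only if an SSH rule is already added.

# Return 0 when the rules on stdin (the output of 'ufw show added') admit SSH
# on port $1 (default 22). The service names 'ssh' and 'OpenSSH' count only
# for port 22; 'allow from <ip>' rules do not count, since they name no port.
ufw_rules_admit_ssh() {
    awk -v port="${1:-22}" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") {
            target = $3
            if (target == port || target == (port "/tcp")) ok = 1
            if (port == 22 && (target == "ssh" || target == "OpenSSH")) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# Wrap 'ufw enable' in that check so a missing SSH rule aborts instead of
# locking you out. Usage on the real host: ufw_safe_enable [ssh-port]
ufw_safe_enable() {
    port="${1:-22}"
    if sudo ufw show added | ufw_rules_admit_ssh "$port"; then
        sudo ufw enable
    else
        echo "refusing to enable UFW: no allow/limit rule for SSH port $port" >&2
        return 1
    fi
}

# Offline demo on a constructed 'ufw show added' listing that has no SSH rule.
SAMPLE_ADDED='Added user rules (see ufw status for running firewall):
ufw allow 443/tcp
ufw allow from 203.0.113.0/24'
if printf '%s\n' "$SAMPLE_ADDED" | ufw_rules_admit_ssh 22; then
    echo "sample rules admit SSH on port 22; safe to enable"
else
    echo "sample rules would lock out SSH on port 22; add the SSH rule first"
fi
```

If sshd listens on a non-standard port, pass that port as the argument; the check deliberately does not accept the `ssh` service name in that case.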

On cloud providers (AWS, DigitalOcean, etc.) there is often a web-based console you can use to recover access if you lock yourself out. Check your provider’s docs before experimenting.


9. Troubleshooting & Safe Rollback

Disable UFW (rules stop applying immediately)

sudo ufw disable

Reset all rules to defaults

sudo ufw reset

This disables UFW and removes all rules. Use as a last resort.

Check current rules quickly

sudo ufw status numbered

Warning: If you lock yourself out of a remote server, you’ll need out-of-band access (cloud console, physical access, or recovery mode) to disable UFW. Prevention (the two-session method above) is far easier than recovery.


10. Security Best Practices

Practice: Use limit instead of allow for SSH
Trade-off: Rate-limiting prevents brute force. Legitimate users in a retry loop may be briefly blocked.

Practice: Prefer deny over reject
Trade-off: deny silently drops packets (attackers learn less). reject is slightly friendlier to legitimate mistaken connections but more informative to scanners.

Practice: Keep open ports minimal
Trade-off: Every open port is an attack surface. Only expose services you’re actively running and need to be publicly reachable.

Practice: Review rules regularly
Trade-off: Run sudo ufw status verbose monthly and remove rules you no longer need. Firewall rules accumulate silently.

Tip: Changing the default SSH port from 22 to something non-standard (e.g. 2222) cuts automated scanning noise dramatically — though it is not a substitute for key-based authentication.


11. Summary & Next Steps

UFW gives you a solid security baseline in just a few commands. You’ve now learned how to install UFW, set a default deny policy, safely allow SSH and web services, rate-limit connections, read logs, and roll back safely if something goes wrong.

From here, consider exploring:

  • SSH key-based authentication — disable password login entirely.
  • fail2ban — automated IP banning based on log patterns, works well alongside UFW.
  • unattended-upgrades — keep your system patched automatically.

Together, these form a strong first layer of server hardening that covers the most common attack vectors.