February 7, 2008 · Networking, Security, Server

UFW (Uncomplicated Firewall) is a tool for host-based iptables firewall configuration. It aims to give the user an easy-to-use interface, along with package integration and dynamic detection of open ports.

Install UFW in Ubuntu

Currently this firewall package is available in Ubuntu 8.04.

sudo apt-get install ufw

This completes the installation.

Turn the firewall on or off (when disabled, the default policy is ACCEPT):

# ufw enable|disable

Toggle logging:

# ufw logging on|off

Set the default policy (i.e. "mostly open" vs. "mostly closed"):

# ufw default allow|deny

Accept or drop incoming packets to [service] (you can see which services are available with 'status', described below). [service] can be specified via a service name in /etc/services, via 'protocol:port', or via package meta-data. 'allow' adds a service entry to /etc/ufw/maps and 'deny' removes the service entry from /etc/ufw/maps. Basic syntax:

# ufw allow|deny [service]

Display the status of the firewall and the ports in the listening state, referencing /var/lib/ufw/maps. Numbers in parentheses are not displayed to the user:

# ufw status

UFW Examples

Allow port 53

$ sudo ufw allow 53

Delete the allow rule for port 53

$ sudo ufw delete allow 53

Allow port 80

$ sudo ufw allow 80/tcp

Delete the allow rule for port 80

$ sudo ufw delete allow 80/tcp

Allow the smtp service

$ sudo ufw allow smtp

Delete the allow rule for smtp

$ sudo ufw delete allow smtp

Allow from a particular IP

$ sudo ufw allow from 192.168.254.254

Delete the above rule

$ sudo ufw delete allow from 192.168.254.254

GUI Tool for UFW

If you want a GUI for UFW, check this guide.

27 Comments to “UFW (Uncomplicated firewall) For Ubuntu Hardy”

  1. Darren says:

    Any chance there will be a GUI for UFW in Hardy Heron? I just rely on IPTABLES and FireStarter to control my network traffic.

    Is UFW any better than FireStarter and IPTABLES…??


  2. Dan says:

    Why would I want to use this when I can use firestarter? It’s powerful and easy.


  3. Captain Nemo says:

    Darren – There’s a GUFW project, but I doubt it’ll be done by Hardy, or even a default in Intrepid.


  4. Captain Nemo says:

    Dan – Apparently, UFW is easier. :eyeroll:
    I saw somewhere on the ubuntu forums that firestarter was kinda intermediate, whereas ufw you just turn on and occasionally open or close a port when you feel like it.


  5. Why use this when you can use Firestarter? Because I hope you don’t run a GUI+Firestarter on your servers. Firestarter is great for a desktop, ufw makes things simpler on a server.


  6. cviorel says:

    How can we open a port range using Ubuntu 8.04's ufw?


  7. m4r10l4 says:

    Very, very simple article :( Please explain more.


  8. jaime says:

    The advantages of ufw over the other firewalls do not appear anywhere. Can ufw filter or block outgoing traffic to the internet?


  9. karl says:

    English


  10. Yözen says:

    He said: “Nowhere does it say the advantages that ufw has over other firewalls. ufw can filter connections to the internet, or block it?”


  11. jaime says:

    I said: the advantages of UFW over the other firewalls do not appear anywhere. Can UFW block and filter out the Internet?


  12. scotru says:

    Very handy for those of us not familiar enough to configure IP tables directly. Thanks! This was just what I needed for securing my server quickly.


  13. Kyle says:

    I have started using UFW and it works fine and is relatively easy. Is there a way to allow multiple ports from a command such as sudo ufw allow 28000-29100, instead of putting in all of those ports?

    I initially put in sudo ufw deny all and then started going back and putting in the ports I needed open. Any help would be great.


  14. Chuck says:

    Does UFW allow the filtering of the hosts allowed to connect to the open port? I’d like to only allow certain hosts to connect to the port.


  15. Casey says:

    Does anyone have a more complete article on how to use UFW? There are a lot of /etc files that I have not seen explained anywhere. How can you set up basic NATing for my network?


  16. gadu33 pls help help says:

    I have a Toshiba Satellite laptop A215-S4757. The wifi card does not work. I try many things, windows drivers, madwi etc., and still can not work on this laptop. The model of the card is atheros 5007 eg.
    pls neeeeed help, thx and have a great day guys


  17. gaiterin says:

    Hello.
    I made a simple GUI in Python + Glade.
    You can download it at:
    http://code.google.com/p/gui-ufw/
    To install follow the instructions of the file installation.
    A greeting.


  18. TrAndy says:

    To all the guys asking about UFW capabilities… install UFW on your system and type in the cli.
    You will learn all about what you can do with UFW.

    For your pleasure:

    > man ufw | cat

    UFW:(8) UFW:(8)

    NAME
    ufw - program for managing a netfilter firewall

    DESCRIPTION
    This program is for managing a Linux firewall and aims to provide an
    easy to use interface for the user.

    USAGE
    ufw [--dry-run] enable|disable

    ufw [--dry-run] default allow|deny

    ufw [--dry-run] logging on|off

    ufw [--dry-run] status

    ufw [--dry-run] [delete] allow|deny PORT[/protocol]

    ufw [--dry-run] [delete] allow|deny [proto protocol] [from ADDRESS
    [port PORT]] [to ADDRESS [port PORT]]

    OPTIONS
    --version
    show program's version number and exit

    -h, --help
    show help message and exit

    --dry-run
    don't modify anything, just show the changes

    enable reloads firewall and enables firewall on boot

    disable
    unloads firewall and disables firewall on boot

    default allow|deny
    change the default policy for incoming traffic. Note that existing
    rules will have to be migrated manually when changing the
    default policy.

    logging on|off
    toggle logging

    status show status of firewall and ufw managed rules

    allow RULE
    allow RULE. See RULE SYNTAX

    deny RULE
    deny RULE. See RULE SYNTAX

    delete allow|deny RULE
    deletes the corresponding allow/deny RULE

    RULE SYNTAX
    Users can specify rules using either a simple syntax or a full syntax.
    The simple syntax only specifies the port and optionally the protocol
    to be allowed or denied on the host. For example:

    ufw allow 53

    This rule will allow tcp and udp port 53 to any address on this host.
    To specify a protocol, append '/protocol' to the port. For example:

    ufw allow 25/tcp

    This will allow tcp port 25 to any address on this host. ufw will also
    check /etc/services for the port and protocol if specifying a service
    by name. Eg:

    ufw allow smtp

    Users can also use a fuller syntax, specifying the source and destination
    addresses and ports. This syntax is based on OpenBSD's PF syntax.
    For example:

    ufw deny proto tcp to any port 80

    This will deny all traffic to tcp port 80 on this host. Another example:

    ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25

    This will deny all traffic from the RFC1918 Class A network to tcp port
    25 with the address 192.168.0.1.

    ufw deny proto tcp from 2001:db8::/32 to any port 25

    This will deny all traffic from the IPv6 2001:db8::/32 to tcp port 80
    on this host. Note that IPv6 must be enabled in /etc/default/ufw for
    IPv6 firewalling to work.

    To delete a rule, simply prefix the original rule with delete. For
    example, if the original rule was:

    ufw deny 80/tcp

    Use this to delete it:

    ufw delete deny 80/tcp

    EXAMPLES
    Deny all access to port 53:

    ufw deny 53

    Allow all access to tcp port 80:

    ufw allow 80/tcp

    Allow all access from RFC1918 networks to this host:

    ufw allow from 10.0.0.0/8
    ufw allow from 172.16.0.0/12
    ufw allow from 192.168.0.0/16

    Deny access to udp port 514 from host 1.2.3.4:

    ufw deny proto udp from 1.2.3.4 to any port 514

    Allow access to udp 1.2.3.4 port 5469 from 1.2.3.5 port 5469:

    ufw allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469

    REMOTE MANAGEMENT
    When running ufw enable or starting ufw via its initscript, ufw will
    flush its chains. This is required so ufw can maintain a consistent
    state, but it will drop existing connections (eg ssh). ufw does support
    adding rules before enabling the firewall, so administrators can do:

    ufw allow proto tcp from any to any port 22

    before running 'ufw enable'. The rules will still be flushed, but the
    ssh port will be open after enabling the firewall. Please note that
    once the ufw is 'enabled', ufw will not flush the chains when adding or
    removing rules (but will when modifying a rule or changing the default
    policy).

    NOTES
    Rule ordering is important and the first match wins. Therefore when
    adding rules, add the more specific rules first with more general rules
    later.

    ufw is not intended to provide complete firewall functionality via its
    command interface, but instead provides an easy way to add or remove
    simple rules. It is currently mainly used for host-based firewalls.

    Currently, ufw is a front-end for iptables-restore, with its rules
    saved in /etc/ufw/before.rules, /etc/ufw/after.rules and
    /var/lib/ufw/user.rules. Administrators can customize before.rules and
    after.rules as desired using the standard iptables-restore syntax.
    Rules are evaluated as follows: before.rules first, user.rules next,
    and after.rules last. IPv6 rules are evaluated in the same way, with
    the rules files named before6.rules, user6.rules and after6.rules.
    Please note that ufw status only shows rules added with ufw and not the
    rules found in the /etc/ufw rules files.

    ufw will read in /etc/ufw/sysctl.conf on boot when enabled. To change
    this behavior, modify /etc/default/ufw.

    SEE ALSO
    iptables(8), ip6tables(8), iptables-restore(8), ip6tables-restore(8),
    sysctl(8), sysctl.conf(5)

    AUTHOR
    ufw is (C) 2008, Canonical Ltd.

    This manual page was originally written by Jamie Strandboge

    January 2008 UFW:(8)


  19. dol_TW says:

    “TrAndy”… that’s a great, simple-but-critical ‘command’ list HowTo you posted for public consumption in here! Kudos, well deserved.


  20. Lee says:

    How would you create rules for dynamic IPs such as those from a DSL connection?

    I’ve been using rc.firewall scripts since rh73 and with every adsl-start, the rc.firewall script is run and the new ppp0 IP is resolved so that the firewall rules are updated by the script.

    I’m trying to replace my trusty rh73 server with the 8.04 server and would like to try using ufw, but if necessary I’m more than willing to revert back to using iptables scripts.


  21. Pavel says:

    Why not just use iptables and INPUT rule statements? Or write a perl/shell script if you don't like specifying all the options every time?
    ufw reminds me of ipfwadm, which was in kernel 1.0.x :-D


  22. Paris Heng says:

    How am I going to block a port, for example 500? What is the syntax? sudo ufw deny 500 ?


  23. js says:

    I am unable to delete rules. What to do?

    See:

    root@mail:/etc/ufw# ufw status
    Status: loaded

    To Action From
    -- ------ ----
    22/tcp ALLOW 192.168.0.2
    80/tcp DENY 192.168.1.100

    root@mail:/etc/ufw# ufw delete allow 22/tcp
    Could not delete non-existent rule
    root@mail:/etc/ufw#


    tsk Reply:

    Use following steps:
    > sudo ufw status numbered
    > sudo ufw delete
    > sudo ufw delete 2

    I hope this helps.

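The status table js posted above, worked through in Python as an added example that is not from the post, the ufw project or any commenter: each row is turned back into a rule, the full-syntax `ufw delete` command that a row with a source address needs is rebuilt (the reason `ufw delete allow 22/tcp` reported a non-existent rule), and the rules are checked for an allow on the ssh port before `ufw enable`, which the man page quoted earlier says flushes the chains and live connections. It assumes the rules were added with the man page's full syntax and that ufw matches a delete on that same specification; the sample table is constructed, with the numbered row shape taken from a later comment on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the table shape js posted; the numbered row form
# "[ 3] Apache DENY Anywhere" is the shape shown in a later comment.
SAMPLE_STATUS = """\
Status: loaded
To                         Action  From
--                         ------  ----
22/tcp                     ALLOW   192.168.0.2
80/tcp                     DENY    192.168.1.100
[ 3] Apache                DENY    Anywhere
"""

ROW_RE = re.compile(r"^(?:\[\s*\d+\]\s*)?(?P<to>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<from>\S+)$")

@dataclass(frozen=True)
class Rule:
    port: str             # port number, /etc/services name or app profile name
    proto: Optional[str]  # "tcp", "udp", or None when the rule covers both
    action: str           # "allow" or "deny"
    src: str              # source address/CIDR, or "any" for "Anywhere"

def parse_status(text: str) -> List[Rule]:
    """Turn `ufw status` output into Rule objects, skipping header lines."""
    rules = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:                       # "Status:", column header, separator
            continue
        port, _, proto = m.group("to").partition("/")
        src = "any" if m.group("from") == "Anywhere" else m.group("from")
        rules.append(Rule(port, proto or None, m.group("action").lower(), src))
    return rules

def delete_command(rule: Rule) -> str:
    """Rebuild the delete command for a row. ufw only deletes a rule given the
    specification it was added with (assumption), so a row with a source
    address needs the full from/to syntax; `ufw delete allow 22/tcp` misses it."""
    if rule.src == "any":
        spec = rule.port + (f"/{rule.proto}" if rule.proto else "")
        return f"ufw delete {rule.action} {spec}"
    proto = f"proto {rule.proto} " if rule.proto else ""
    return f"ufw delete {rule.action} {proto}from {rule.src} to any port {rule.port}"

def management_port_allowed(rules: List[Rule], port: str = "22", proto: str = "tcp") -> bool:
    """Check an allow rule for the ssh port exists before `ufw enable` flushes sessions."""
    return any(r.action == "allow" and r.port == port and r.proto in (None, proto)
               for r in rules)
```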

  24. anonymous says:

    How about this bright spark:

    Delete the app Apache from the UFW.

    # ufw status numbered
    Status: active

    To Action From
    -- ------ ----
    [ 1] 22 DENY Anywhere
    [ 2] Apache DENY Anywhere

    I have tried for three hours, including apt-get remove ufw and moving /etc/ufw to /etc/ufw.off and reinstalling ufw. UFW still screws it over because it refuses to recreate the config files in /etc/ufw, so your only choice is to move /etc/ufw.off back to /etc/ufw. In other words, one cannot reset UFW back to a sane state in order to recover from a misconfiguration that cannot be deleted. As a result I have had to remove UFW and use iptables. At least with this I stand a chance of actually making a change.


  25. CraigM says:

    If you want the hostnames resolved in the output of “ufw status” then do this (I hope the slashes etc. are saved in my post):

    sudo ufw status | perl -pe 's/(\d+\.\d+\.\d+\.\d+)$/`echo "$1\t" | tr -d "\n"; resolveip -s $1 2>\/dev\/null | tr -d "\n"`/e'


  26. Sergey says:

    Is there any way this ufw package can work with multiple interfaces or aliases to interfaces like:

    eth0 eth1

    or

    eth0:1 eth0:2

    So separate rules should be on each IP address present on the server. Is it possible?

