UFW (Uncomplicated firewall) For Ubuntu Hardy
Install UFW in Ubuntu
Currently this firewall package is available in Ubuntu 8.04
sudo apt-get install ufw
This will complete the installation
Turn firewall on and off (‘disable' is default ACCEPT)
# ufw enable|disable
# ufw logging on|off
Set the default policy (ie "mostly open" vs "mostly closed")
# ufw default allow|deny
Accept or drop incoming packets to (can see what services are available with ‘status' (see below)). can be specified via service name in /etc/services, ‘protocol:port', or via package meta-data. ‘allow' adds service entry to /etc/ufw/maps and ‘deny' removes service entry from /etc/ufw/maps. Basic syntax:
# ufw allow|deny [service]
Display status of firewall and ports in the listening state, referencing /var/lib/ufw/maps. Numbers in parenthesis are not displayed to user
# ufw status
Allow port 53
$ sudo ufw allow 53
Delete Allow port 53
$ sudo ufw delete allow 53
Allow port 80
$ sudo ufw allow 80/tcp
Delete Allow port 80
$ sudo ufw delete allow 80/tcp
Allow port smtp
$ sudo ufw allow smtp
Delete Allow port smtp
$ sudo ufw delete allow smtp
Allow fro Particular IP
$ sudo ufw allow from 192.168.254.254
Delete the above rule
$ sudo ufw delete allow from 192.168.254.254
GUI Tool for UFW
If you want GUI for UFW check this guide
Any chnace there will be a GUI for UFW in Hardy Heron, I just rely on IPTABLES and FireStarter to control my network traffic.
Is UFW any better than FireStarter and IPTABLES…??
Why would I want to use this when I can use firestarter? It’s powerful and easy.
Darren – There’s a GUFW project, but I doubt it’ll be done by Hardy, or even a default in Intrepid.
Dan – Apparently, UFW is easier. :eyeroll:
I saw somewhere on the ubuntu forums that firestarter was kinda intermediate, whereas ufw you just turn on and occasionally open or close a port when you feel like it.
Why use this when you can use Firestarter? Because I hope you don’t run a GUI+Firestarter on your servers. Firestarter is great for a desktop, ufw makes things simpler on a server.
How can we open a port range using Ubuntu’s 8.04 ufw?
very, very simple article 🙁 Please more explain.
No aparecen por ninguna parte las ventajas de ufw sobre los demas firewalls. ¿Ufw puede filtrar la salida a internet o bloquearla?
He said: “Nowhere does it say the advantages that ufw has over other firewalls. ufw can filter connections to the internet, or block it?”
I said: does not appear anywhere on the advantages of UFW on the other firewalls. UFW can block and filter out the Internet?
Very handy for those of us not familiar enough to configure IP tables directly. Thanks! This was just what I needed for securing my server quickly.
I have started using UFW and it works fine and is relatively easy. Is there a way to allow multiple ports from a command such as sudo ufw allow 28000-29100? Instead of putting in all of those ports?
I initially put in sudo ufw deny all and then started going back and putting in the ports I needed opened. Any help would be great.
Does UFW allow the filtering of the hosts allowed to connect to the open port? I’d like to only allow certain hosts to connect to the port.
Does any one have a more complete article on how to use UFW? There are a lot of /etc files that I have not seen explained anywhere. How can you setup basic NATing for my network?
I have a toshiba satellite laptop A215-S4757 the wifi card does not work I try many things windows drivers madwi etc and still can not work on tjis laptop the model of the card is atheros 5007 eg
pls neeeeed help thx and have a great day guys
I made a simple GUI in Python + Glade.
You can download it at:
To install follow the instructions of the file installation.
To all this guys asking for UFW capabilities… install UFW on your system and type in cli.
You will learn all about what you can do with UFW.
For your pleasure:
> man ufw | cat
ufw – program for managing a netfilter firewall
This program is for managing a Linux firewall and aims to provide an
easy to use interface for the user.
ufw [–dry-run] enable|disable
ufw [–dry-run] default allow|deny
ufw [–dry-run] logging on|off
ufw [–dry-run] status
ufw [–dry-run] [delete] allow|deny PORT[/protocol]
ufw [–dry-run] [delete] allow|deny [proto protocol] [from ADDRESS
[port PORT]] [to ADDRESS [port PORT]]
show program’s version number and exit
show help message and exit
don’t modify anything, just show the changes
enable reloads firewall and enables firewall on boot
unloads firewall and disables firewall on boot
change the default policy for incoming traffic. Note that exist?
ing rules will have to be migrated manually when changing the
status show status of firewall and ufw managed rules
allow RULE. See RULE SYNTAX
deny RULE. See RULE SYNTAX
delete allow|deny RULE
deletes the corresponding allow/deny RULE
Users can specify rules using either a simple syntax or a full syntax.
The simple syntax only specifies the port and optionally the protocol
to be allowed or denied on the host. For example:
ufw allow 53
This rule will allow tcp and udp port 53 to any address on this host.
To specify a protocol, append ’/protocol’ to the port. For example:
ufw allow 25/tcp
This will allow tcp port 25 to any address on this host. ufw will also
check /etc/services for the port and protocol if specifying a service
by name. Eg:
ufw allow smtp
Users can also use a fuller syntax, specifying the source and destina?
tion addresses and ports. This syntax is based on OpenBSD’s PF syntax.
ufw deny proto tcp to any port 80
This will deny all traffic to tcp port 80 on this host. Another exam?
ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25
This will deny all traffic from the RFC1918 Class A network to tcp port
25 with the address 192.168.0.1.
ufw deny proto tcp from 2001:db8::/32 to any port 25
This will deny all traffic from the IPv6 2001:db8::/32 to tcp port 80
on this host. Note that IPv6 must be enabled in /etc/default/ufw for
IPv6 firewalling to work.
To delete a rule, simply prefix the original rule with delete. For
example, if the original rule was:
ufw deny 80/tcp
Use this to delete it:
ufw delete deny 80/tcp
Deny all access to port 53:
ufw deny 53
Allow all access to tcp port 80:
ufw allow 80/tcp
Allow all access from RFC1918 networks to this host:
ufw allow from 10.0.0.0/8
ufw allow from 172.16.0.0/12
ufw allow from 192.168.0.0/16
Deny access to udp port 514 from host 18.104.22.168:
ufw deny proto udp from 22.214.171.124 to any port 514
Allow access to udp 126.96.36.199 port 5469 from 188.8.131.52 port 5469:
ufw allow proto udp from 184.108.40.206 port 5469 to 220.127.116.11 port 5469
When running ufw enable or starting ufw via its initscript, ufw will
flush its chains. This is required so ufw can maintain a consistent
state, but it will drop existing connections (eg ssh). ufw does support
adding rules before enabling the firewall, so administrators can do:
ufw allow proto tcp from any to any port 22
before running ’ufw enable’. The rules will still be flushed, but the
ssh port will be open after enabling the firewall. Please note that
once the ufw is ’enabled’, ufw will not flush the chains when adding or
removing rules (but will when modifying a rule or changing the default
Rule ordering is important and the first match wins. Therefore when
adding rules, add the more specific rules first with more general rules
ufw is not intended to provide complete firewall functionality via its
command interface, but instead provides an easy way to add or remove
simple rules. It is currently mainly used for host-based firewalls.
Currently, ufw is a front-end for iptables-restore, with its rules
saved in /etc/ufw/before.rules, /etc/ufw/after.rules and
/var/lib/ufw/user.rules. Administrators can customize before.rules and
after.rules as desired using the standard iptables-restore syntax.
Rules are evaluated as follows: before.rules first, user.rules next,
and after.rules last. IPv6 rules are evaluated in the same way, with
the rules files named before6.rules, user6.rules and after6.rules.
Please note that ufw status only shows rules added with ufw and not the
rules found in the /etc/ufw rules files.
ufw will read in /etc/ufw/sysctl.conf on boot when enabled. To change
this behavior, modify /etc/default/ufw.
iptables(8), ip6tables(8), iptables-restore(8), ip6tables-restore(8),
ufw is (C) 2008, Canonical Ltd.
This manual page was originally written by Jamie Strandboge
January 2008 UFW:(8)
“TrAndy”… that’s a great, simple-but-critical ‘command’ list HowTo you posted for public consumptions in here! Kudos, well deserve.
How would you create rules for dynamic IPs such as those from a DSL connection?
I’ve been using rc.firewall scripts since rh73 and with every adsl-start, the rc.firewall script is run and the new ppp0 IP is resolved so that the firewall rules are updated by the script.
I’m trying to replace my trusty rh73 server with the 8.04 server and would like to try using ufw, but if necessary I’m more than willing to revert back to using iptables scripts.
Why not just use iptables and INPUT rules statements? or write a perl/shell script if you dont like specify all options everytime?
ufw remind me ipfwadm which was in kernel 1.0.x 😀
How my going to block a port of example of 500? What is the syntax? sudo ufw deny 500 ?
I am unable to delete rules. What to do?
[email protected]:/etc/ufw# ufw status
To Action From
— —— —-
22/tcp ALLOW 192.168.0.2
80/tcp DENY 192.168.1.100
[email protected]:/etc/ufw# ufw delete allow 22/tcp
Could not delete non-existent rule
How about this bright spark:
Delete the app Apache from the UFW.
# ufw status numbered
To Action From
— —— —-
[ 1] 22 DENY Anywhere
[ 2] Apache DENY Anywhere
I have tried for three hours, including apt-get remove ufw and moving /etc/ufw to /etc/ufw.off and reinstalling ufw. UFW still screws it over because it refuses to recreate the config files in /etc/ufw, so your only choice is to move /etc/ufw.off back to /etc/ufw. In other words, one cannot reset UFW back to a sane state in order to recover from a misconfiguration that cannot be deleted. As a result I have had to remove UFW and use iptables. At least with this I stand a chance of actually making a change.
If you want the hostnames resolved in the output of “ufw status” then do this (I hope the slashes etc. are saved in my post):
sudo ufw status | perl -pe ‘s/(\d+\.\d+\.\d+\.\d+)$/`echo “$1\t” | tr -d “\n”; resolveip -s $1 2>\/dev\/null | tr -d “\n”`/e’
Is any way this package ufw can work with multiple interfaces or alias to interfaces like:
So separate rules should be on each ip address presented on server. Is it possible ?
Use following steps:
> sudo ufw status numbered
> sudo ufw delete
> sudo ufw delete 2
I hope this helps.