UFW (Uncomplicated Firewall) is an easy-to-use firewall tool with lots of options for all types of users.
It’s actually an interface for iptables, the classic low-level (and hard to get comfortable with) tool for setting up rules for your network.
Why should you use a firewall?
A firewall is a way to regulate incoming and outgoing traffic on your network. This is critical for servers, but it also makes the average user’s system more secure, giving you control. If you are one of those people who like to keep things under control at an advanced level even on the desktop, you might consider setting up a firewall.
In short, a firewall is a must for servers. On desktops, it’s up to you if you want to set it up.
Setting up a firewall with UFW
It is important to set up firewalls correctly. Incorrect setup may cause the server to be inaccessible if you are doing it for a remote Linux system, such as the cloud or a VPS server. For example, you block all incoming traffic on the server that you access via SSH. Now you will not be able to access the server via SSH.
In this tutorial, I’ll go over configuring a firewall that suits your needs, giving you an overview of what can be done with this simple tool. This should be suitable for both desktop and Ubuntu server users.
Please note that I will be using the command line method here. There is a GUI interface called Gufw for desktop users, but I won’t cover it in this tutorial. There is a guide dedicated to Gufw if you want to use that.
Install UFW
If you are using Ubuntu, UFW should already be installed. If not, you can install it using the following command:
sudo apt install ufw
For other distributions, please use your package manager to install UFW.
To verify that UFW is installed correctly, enter:
ufw --version
If it is installed, you should see the version details:
[email protected]:~$ ufw --version
ufw 0.36.1
Copyright 2008-2021 Canonical Ltd.
amazing! So you have UFW on your system. Let’s see how to use it now.
Note: You need to use sudo or be root to run (almost) all ufw commands.
Check the status and rules of ufw
UFW works by setting rules for incoming and outgoing traffic. These rules consist of Allow And the denial Specific sources and destinations.
You can check the firewall rules with the following command:
sudo ufw status
This should give you the following output at this point:
Status: inactive
The above command would have shown you the firewall rules if the firewall is enabled. By default, UFW is not enabled and does not affect your network. We will take care of that in the next section.

But here’s the thing, you can see and modify the firewall rules even ufw is not enabled.
sudo ufw show added
And in my case, it showed this result:
[email protected]:~$ sudo ufw show added
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
[email protected]:~$
Now, I don’t remember if I added this rule manually or not. It is not a new system.
default policies
By default, UFW rejects all incoming messages and allows all outbound traffic. This behavior makes perfect sense for the average desktop user, since you want to be able to connect to different services (like http/https to access web pages) and you don’t want anyone to connect to your device.
but, If you are using a remote server, you must allow the traffic on the SSH port So you can connect to the system remotely.
You can either allow the traffic on the default SSH port 22:
sudo ufw allow 22
In case you are using SSH on another port, allow it at the service level:
sudo ufw allow ssh
Do note that the firewall is not active yet. This is good. You can modify the rules before enabling ufw so that core services are not affected.
If you will be using a UFW production server, please make sure to allow ports via UFW for running services.
For example, web servers usually use port 80, so use sudo ufw allow 80. You can also do this at the service level “sudo ufw allow apache”.
This burden is on your side and it is your responsibility to ensure that your server is running properly.
for Desktop usersyou can proceed with the default policies.
sudo ufw default deny incoming
sudo ufw default allow outgoing
Enable and disable UFW
For UFW to work, you must enable it:
sudo ufw enable
Doing so will start the firewall and schedule it to start every time you boot. You receive the following message:
Firewall is active and enabled on system startup.
second: If you are connected to a machine via ssh, make sure ssh is allowed before enabling ufw with an input sudo ufw allow ssh.
If you want to turn off UFW, type:
sudo ufw disable
will return:
Firewall stopped and disabled on system startup
Reload the firewall for new rules
If UFW is already enabled and you have modified the firewall rules, you need to reload it before the changes take effect.
You can restart UFW by disabling it and enabling it again:
sudo ufw disable && sudo ufw enable
or Reloading the rules:
sudo ufw reload
Reset to default firewall rules
If at any point you go wrong in any of your rules and want to go back to the default rules (ie, there are no exceptions to allow incoming or outgoing traffic), you can start over with:
sudo ufw reset
Keep in mind that this will delete all firewall configurations.
Configure the firewall with UFW (more detailed view)
Fine! You have learned most of the basic ufw commands. At this point, I’d prefer to go into more detail about configuring the firewall rule.
Allow and deny by protocol and ports
This is how you add new exceptions to your firewall; Allow Enable your device to receive data from the selected service, while Denies does the opposite
By default, these commands will add rules for both IP And the IPv6. If you want to modify this behavior, you will have to modify /etc/default/ufw. they change
IPV6=yes
to me
IPV6=no
However, the basic commands are:
sudo ufw allow <port>/<optional: protocol>
sudo ufw deny <port>/<optional: protocol>
If the rule is added successfully, it will restore:
Rules updated
Rules updated (v6)
For example:
sudo ufw allow 80/tcp
sudo ufw deny 22
sudo ufw deny 443/udp
NB: If you do not include a specific protocol, the rule will apply to both TCP And the udp.
If you enable (or, if it is already running, reload) UFW and check its status, you can see that the new rules have been applied successfully.

You can also allow/deny Port ranges. For this type of rule, you must define a protocol. For example:
sudo ufw allow 90:100/tcp
It will allow all services on ports 90 to 100 using TCP. You can reload and check the status:

Allow and Deny by Services
To make things easier, you can also add rules using the service name:
sudo ufw allow <service name>
sudo ufw deny <service name>
For example, to allow ssh services and block and incoming HTTP services:
sudo ufw allow ssh
sudo ufw deny http
While doing so, UFW will read services from /etc/services. You can check the list yourself:
less /etc/services

Add rules for apps
Some applications provide specific named services for ease of use and may even use different ports. One such example is ssh. You can see a list of these apps on your device with the following:
sudo ufw app list

In my case, the available apps cups (Network Printing System) and OpenSSH.
To add a rule to an app, type:
sudo ufw allow <application>
sudo ufw deny <application>
For example:
sudo ufw allow OpenSSH
When you reload and check the state, you should see that the rule has been added:

conclusion
This was just the tip of Ice mountain Firewall. There is so much to Linux firewalls that a book can be written on them. In fact, there is already an excellent book on Linux Firewalls by Steve Suehring.
If you think setting up a firewall with UFW, you should try using iptables or nftables. Then you will realize how UFW removes the firewall configuration.
I hope you liked this beginner’s guide to UFW. Let me know if you have questions or suggestions.