How to Set Up Firewall Policies using Uncomplicated Firewall (UFW)?
Uncomplicated Firewall (UFW) is a user-friendly tool designed to simplify the process of managing firewall rules on Linux systems. It serves as a front-end to the more complex iptables, offering an easier way for users to configure and apply firewall settings without deep networking knowledge. UFW is especially popular on Debian-based distributions such as Ubuntu, where it’s either pre-installed or readily available through the package manager.
By using UFW, system administrators can control incoming and outgoing traffic to enhance the security of their servers. UFW allows you to create firewall policies that restrict unauthorized access while permitting legitimate connections to services like SSH, HTTP, or FTP. Its syntax is straightforward, which makes it ideal for beginners as well as experienced users who want to set up basic to moderately complex firewall rules quickly.
In this tutorial, you will learn how to install, enable, and configure UFW on an Ubuntu server. The guide will walk you through setting default firewall policies, allowing or denying specific ports, adding directional rules, and managing service-based access. By the end, you'll have a fully functional firewall setup that strengthens your server's security posture.
Prerequisites
Before starting, ensure the following:
You have a deployed Ubuntu server.
Access the server via SSH using a non-root user with sudo privileges.
Your server is fully updated.
Step 1: Check if UFW is Installed
To begin, check the current status of UFW. The ufw command needs root privileges, so every ufw command in this guide is prefixed with sudo:
sudo ufw status
If the output is Status: inactive, UFW is installed but not yet active. If the shell reports that the command is not found, install it in the next step.
Step 2: Install and Enable UFW
Install UFW using the APT package manager:
sudo apt install ufw
Enable the UFW service so the rule set is restored at boot:
sudo systemctl enable ufw
Before activating the firewall, allow the SSH port so your current remote session is not cut off (change 22 if sshd listens on another port):
sudo ufw allow 22/tcp
Activate the firewall. UFW warns that the command may disrupt existing SSH connections; answering y is safe because the SSH rule is already in place:
sudo ufw enable
Check that the service is running:
sudo systemctl status ufw
Expected Output:
ufw.service - Uncomplicated firewall
     Loaded: loaded (/lib/systemd/system/ufw.service; enabled)
     Active: active (exited)
Step 3: Set Default UFW Policies
Set the default policies to allow outgoing traffic and deny all incoming connections. Everything not explicitly allowed by a later rule is then dropped:
sudo ufw default allow outgoing
sudo ufw default deny incoming
Deny forwarded (routed) traffic unless the server acts as a router or NAT gateway. This is already the shipped default (DEFAULT_FORWARD_POLICY="DROP" in /etc/default/ufw), so the command makes the intent explicit:
sudo ufw default deny routed
Step 4: Create Basic UFW Rules
Allow Essential Ports
Allow HTTP (port 80) for web traffic. A rule given only a port number opens both TCP and UDP; adding /tcp opens only what a web server needs:
sudo ufw allow 80/tcp
Allow SSH over TCP. This rule was already added in Step 2, so UFW reports "Skipping adding existing rule" and the rule set is unchanged:
sudo ufw allow 22/tcp
Allow inbound DNS over UDP. Do this only if the server itself runs a DNS resolver; outbound lookups are already covered by the default allow outgoing policy:
sudo ufw allow 53/udp
Rules added with the ufw command take effect immediately while the firewall is active. A reload is only required after editing the files under /etc/ufw/ by hand, but it is harmless:
sudo ufw reload
Check the active rules:
sudo ufw status
Step 5: Deny Access to Specific Ports
Block access to internal services such as MySQL (port 3306). With the default deny incoming policy this is already the effective behavior; the explicit rule documents the intent and keeps the port closed if a broader allow (for example for a whole subnet) is added later. UFW stops at the first matching rule, so such a deny must sit above any allow it is meant to override; use ufw insert with a position number rather than appending it:
sudo ufw deny 3306
Reload UFW and confirm the rule is listed:
sudo ufw reload
Step 6: Allow System Services Through UFW
UFW can open ports by name as well as by number. Packages such as nginx and openssh-server ship application profiles under /etc/ufw/applications.d/ (list them with sudo ufw app list), and plain service names are resolved through /etc/services. For example:
Allow HTTP and HTTPS to Nginx through its "Nginx Full" profile (installed with the nginx package; the name contains a space, so quote it):
sudo ufw allow "Nginx Full"
Allow FTP. The name resolves to 21/tcp from /etc/services, which is the control channel only; passive-mode data ports must be opened separately, and SFTP over the existing SSH rule avoids sending credentials in cleartext:
sudo ufw allow ftp
Reload and check UFW:
sudo ufw reload
sudo ufw status
Step 7: Set Up Directional Firewall Rules
UFW also allows rules based on IP addresses and network interfaces.
Allow SSH from a specific IP (192.0.2.100 is a documentation address; substitute your own). The allow 22/tcp rule from Step 2 still admits SSH from anywhere; the restriction only takes effect once that broader rule is deleted (Step 8), which you should do only after confirming you can connect from the allowed address:
sudo ufw allow from 192.0.2.100 to any port 22
Allow HTTP access only through a specific interface (e.g., enp8s0):
sudo ufw allow in on enp8s0 proto tcp to any port 80
Allow outgoing HTTPS traffic on a public interface (only meaningful if you later change the default outgoing policy to deny):
sudo ufw allow out on enp1s0 proto tcp to any port 443
Deny SSH access from a specific IP (e.g., 192.0.2.200). UFW evaluates rules from the top and stops at the first match, so a deny appended below the existing allow 22/tcp rule would never be reached; insert it at position 1 instead:
sudo ufw insert 1 deny from 192.0.2.200 to any port 22
Step 8: Delete UFW Rules
To delete rules, first list them with their numbers:
sudo ufw status numbered
Sample output:
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 21/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp on enp8s0           ALLOW IN    Anywhere
Remove a rule using its number (UFW asks for confirmation):
sudo ufw delete 3
Rules are renumbered after every deletion, and a rule added without a source address has a separate (v6) entry with its own number, so list the rules again before each further delete. Alternatively, delete by repeating the rule specification (for example ufw delete allow 21/tcp), which removes the v4 and v6 entries together:
sudo ufw delete 2
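Because rule numbers shift after every deletion and each address-less rule has a separate (v6) entry, deleting by number is easy to get wrong. The following helper is an added example, not part of the original tutorial: it reads ufw status numbered output (a constructed sample listing is embedded below, not captured from a real host), selects rules by pattern and prints the matching numbers highest-first, so a whole group of rules can be removed in one pass without renumbering surprises. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): select ufw rules by pattern
# from `ufw status numbered` output and emit delete commands highest-number-
# first, so that each deletion leaves the remaining numbers valid.

tab=$(printf '\t')

# rule_numbers PATTERN  < status-numbered-output
# Prints the numbers of rules whose text (everything after "[ N]") matches the
# extended regular expression PATTERN, one per line, highest first.
rule_numbers() {
    pattern=$1
    # Turn "[ 3] 80/tcp   ALLOW IN   Anywhere" into "3<TAB>80/tcp   ALLOW IN   Anywhere";
    # lines without a leading [N] (status line, column headers) are dropped.
    sed -n 's/^\[ *\([0-9][0-9]*\)\][[:space:]]*\(.*\)$/\1'"$tab"'\2/p' |
        awk -F '\t' -v pat="$pattern" '$2 ~ pat { print $1 }' |
        sort -rn
}

# delete_commands PATTERN  < status-numbered-output
# Prints one `ufw --force delete N` per matching rule; --force skips the
# per-rule confirmation prompt. Pipe the output into `sh` as root to apply it.
delete_commands() {
    rule_numbers "$1" | while read -r n; do
        echo "ufw --force delete $n"
    done
}

# Constructed sample of `sudo ufw status numbered` output (not taken from a real
# host). Note the separate (v6) entries for the rules without a source address.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 21/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp on enp8s0           ALLOW IN    Anywhere
[ 4] 22                         ALLOW IN    192.0.2.100                # My secure public IP SSH Connection
[ 5] 3306                       DENY IN     Anywhere
[ 6] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 21/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Usage: remove every FTP rule, v4 and v6, in one pass (prints delete 7, then delete 2).
printf '%s\n' "$SAMPLE_STATUS" | delete_commands '^21/tcp'
```

Run it against a live host with sudo ufw status numbered | delete_commands '^21/tcp' | sudo sh once the printed commands look right. The pattern is matched against the rule text only, never against the number, so '^22/tcp' selects rules 1 and 6 but not the source-restricted rule 4.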
Step 9: Add Comments to UFW Rules
Adding comments helps manage and identify firewall rules easily:
Comment a rule that allows SSH from a trusted public IP:
sudo ufw allow from 192.0.2.100 to any port 22 comment "My secure public IP SSH Connection"
Comment a MySQL port rule. This example opens 3306/tcp to Anywhere, and the deny 3306 rule from Step 5 sits above it and matches first, so it shows the comment syntax rather than a recommended rule; in practice restrict the source with from, as in the SSH example:
sudo ufw allow 3306/tcp comment "MySQL database server port for external access"
Reload and check the rules with comments:
sudo ufw reload
sudo ufw status
Expected Output:
22                         ALLOW       192.0.2.100                # My secure public IP SSH Connection
3306/tcp                   ALLOW       Anywhere                   # MySQL database server port for external access
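The steps above are typed one at a time, which makes it easy to end up with a deny that never matches or an enable that runs before the SSH rule exists. The script below is an added example, not part of the original tutorial, that applies the same policy in one re-runnable pass in the order UFW needs: defaults, management SSH, explicit denies inserted at the top, public services bound to an interface, then enable. ADMIN_IP, SSH_PORT and WEB_IFACE are placeholder values I chose for illustration, and the plan mode that prints the commands instead of executing them is my own addition.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): the tutorial's policy as
# one re-runnable script. ADMIN_IP, SSH_PORT and WEB_IFACE are placeholders
# chosen for illustration; override them in the environment.
# Run `sh ufw-baseline.sh plan` to print the commands, `apply` to execute them.
set -eu

ADMIN_IP=${ADMIN_IP:-192.0.2.100}    # host allowed to reach SSH (documentation address)
SSH_PORT=${SSH_PORT:-22}
WEB_IFACE=${WEB_IFACE:-enp8s0}       # interface that serves HTTP/HTTPS
DRY_RUN=${DRY_RUN:-0}

# quote_args WORD...: print WORD... as one command line, quoting words that
# contain whitespace so the dry-run output can be pasted back into a shell.
quote_args() {
    line=$1; shift
    for a in "$@"; do
        case $a in
            *[[:space:]]*) line="$line '$a'" ;;
            *)             line="$line $a" ;;
        esac
    done
    printf '%s\n' "$line"
}

# ufw_cmd ARGS...: print `ufw ARGS` in dry-run mode, otherwise run it
# (through sudo when not already root).
ufw_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        quote_args ufw "$@"
    elif [ "$(id -u)" -eq 0 ]; then
        ufw "$@"
    else
        sudo ufw "$@"
    fi
}

# apply_baseline: ufw evaluates user rules top to bottom and stops at the
# first match, so the order below is part of the policy.
apply_baseline() {
    # Defaults: nothing in, nothing routed, everything out.
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    ufw_cmd default deny routed
    # Management access first, so `enable` cannot cut off this session.
    ufw_cmd allow from "$ADMIN_IP" to any port "$SSH_PORT" proto tcp comment 'SSH from admin host'
    # Explicit denies are inserted at the top so they beat any broader allow
    # added later; a deny appended below a matching allow is never reached.
    ufw_cmd insert 1 deny 3306 comment 'MySQL is internal only'
    # Public services, bound to the interface that should serve them.
    ufw_cmd allow in on "$WEB_IFACE" proto tcp to any port 80 comment 'HTTP'
    ufw_cmd allow in on "$WEB_IFACE" proto tcp to any port 443 comment 'HTTPS'
    # --force answers the "may disrupt existing ssh connections" prompt; enable
    # also registers the service to start at boot. Re-running is safe because
    # ufw skips rules that already exist.
    ufw_cmd --force enable
    ufw_cmd status verbose
}

# plan: the same sequence, printed instead of executed.
plan() {
    DRY_RUN=1
    apply_baseline
}

case ${1:-} in
    plan)  plan ;;
    apply) apply_baseline ;;
esac
```

Review the plan output before running apply, and keep a second session open while it runs so a mistake in ADMIN_IP cannot lock you out. Unlike the tutorial's broad allow 22/tcp, this script only admits SSH from ADMIN_IP, so the address must be the one you are actually connecting from.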
Conclusion
You’ve successfully configured UFW on your Ubuntu server to filter incoming and outgoing traffic, apply direction-based rules, and manage service-specific access. UFW is a powerful yet straightforward tool to help you secure your cloud infrastructure. For even tighter security, consider pairing UFW with provider-level firewalls such as the Vultr Firewall.
For advanced configurations, you can edit the UFW rule files under /etc/ufw/ directly: /etc/ufw/before.rules and /etc/ufw/after.rules hold iptables rules that are applied before and after the rules managed by the ufw command, and changes to them take effect after sudo ufw reload.