UFW (Uncomplicated Firewall) simplifies Linux firewall management by providing an easy-to-use interface for iptables. This guide covers UFW installation and configuration on Debian-based distributions, from basic setup to practical firewall configurations for desktops and web servers.
In this tutorial you will learn:
- How to install UFW on Debian-based distributions
- How to configure default firewall policies
- How to allow and deny traffic by service, port, and IP
- How to use UFW application profiles
- How to set up firewall rules for desktops and servers

Software Requirements
| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Debian 13 or higher, Ubuntu 26.04 or higher, Kali Linux |
| Software | UFW (Uncomplicated Firewall) |
| Other | Root privileges required |
| Conventions | # – requires given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command<br>$ – requires given Linux commands to be executed as a regular non-privileged user |
Install UFW with sudo apt install ufw, then configure default policies and enable the firewall.
| Step | Command/Action |
|---|---|
| 1. Install UFW | sudo apt install ufw |
| 2. Set default policies | sudo ufw default deny incoming<br>sudo ufw default allow outgoing |
| 3. Allow SSH access | sudo ufw allow ssh |
| 4. Enable firewall | sudo ufw enable |
Install UFW
UFW is available in the default repositories of Debian-based distributions. Install it using the apt package manager:
$ sudo apt install ufw
After installation, UFW is inactive by default. This allows you to configure your rules before enabling the firewall, preventing accidental lockouts from remote systems.
Set Your Defaults
As with iptables, it’s best to start by setting your default behavior. On desktops, you typically want to deny incoming traffic while allowing outgoing connections.
$ sudo ufw default deny incoming
The syntax for allowing traffic is similar:
$ sudo ufw default allow outgoing
These defaults ensure that unsolicited incoming connections are blocked while your system can still reach the internet and external services.
Basic Use
Now you’re ready to start setting up rules and managing your firewall. UFW commands are designed to be readable and intuitive.
Starting and Stopping
While you can use systemd to control UFW, it has its own controls that are easier. Start by enabling UFW:
$ sudo ufw enable
WARNING
If you’re connected via SSH, ensure you allow SSH traffic before enabling UFW, or you may lose access to your system.
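One way to act on this warning, as an added example that is not part of the original guide: check the output of ufw show added, which lists configured rules even while the firewall is inactive, for an inbound SSH rule before enabling. The function name and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check before "ufw enable" on a remote host: does an added rule
# let SSH in? Reads the output of "ufw show added" on stdin.

ssh_rule_present() {
    port="${1:-22}"   # SSH port; 22 unless sshd listens elsewhere
    awk -v port="$port" '
    # Only inbound allow/limit rules count; "allow out ..." does not help.
    # "ufw allow ssh" is listed as 22/tcp; profiles keep their name.
    $1 == "ufw" && ($2 == "allow" || $2 == "limit") && $3 != "out" {
        for (i = 3; i <= NF; i++) {
            if ($i == port || $i == port "/tcp" || $i == "OpenSSH") found = 1
        }
    }
    END { exit (found ? 0 : 1) }'
}

# Constructed sample outputs of "ufw show added" (not from a real host).
sample_added_ok() {
cat <<'EOF'
Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw limit 22/tcp
EOF
}

sample_added_missing() {
cat <<'EOF'
Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow 443
ufw allow out 22/tcp
EOF
}

for sample in sample_added_ok sample_added_missing; do
    if $sample | ssh_rule_present; then
        echo "$sample: SSH rule present, safe to run 'ufw enable'"
    else
        echo "$sample: no inbound SSH rule, enabling would cut the session"
    fi
done

# On a real host:
#   sudo ufw show added | ssh_rule_present && sudo ufw enable
```

The check is deliberately conservative: a broad rule such as allow from 192.168.1.0/24 is not counted, and the OpenSSH profile is assumed to match the port sshd actually listens on.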
To stop UFW and prevent it from starting at boot:
$ sudo ufw disable
Check if UFW is running and view active rules:
$ sudo ufw status
For more detailed output including rule numbers:
$ sudo ufw status numbered
Commands
Allow inbound HTTP traffic using the service name:
$ sudo ufw allow http
Allow SSH connections:
$ sudo ufw allow ssh
You can achieve the same result using port numbers. This command allows inbound HTTPS traffic on port 443:
$ sudo ufw allow 443
Allow traffic from a specific IP address or network range. This example permits all traffic from the local network:
$ sudo ufw allow from 192.168.1.0/24
For a range of ports, specify the protocol (TCP or UDP):
$ sudo ufw allow 56881:56889/tcp
Use deny instead of allow to block traffic:
$ sudo ufw deny from 192.168.1.110
To specifically target outbound connections, include out:
$ sudo ufw allow out ssh
To delete a rule, use the rule number from ufw status numbered:
$ sudo ufw delete 3
UFW Application Profiles
UFW includes application profiles that define firewall rules for common services. These profiles simplify configuration by bundling port and protocol settings under recognizable application names.
List available application profiles:
$ sudo ufw app list
View details about a specific application profile:
$ sudo ufw app info OpenSSH
This displays the ports and protocols the application uses. To allow an application through the firewall:
$ sudo ufw allow OpenSSH
Common application profiles include OpenSSH, Apache, Apache Full, Nginx Full, and others depending on installed software. Application profiles are stored in /etc/ufw/applications.d/ and you can create custom profiles for your own applications.
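A custom profile of the kind mentioned above, as an added example that is not part of the original guide. The profile name MyWebApp, its file name and its ports are hypothetical; the demo writes to a scratch directory rather than /etc/ufw/applications.d/.

```shell
#!/bin/sh
# Create a custom UFW application profile and read back its port list.
# "MyWebApp", its file name and its ports are hypothetical.

write_profile() {
    # $1 = target directory (/etc/ufw/applications.d on a real system)
    cat > "$1/mywebapp" <<'EOF'
[MyWebApp]
title=My web application
description=Hypothetical service: HTTPS API plus a UDP metrics port
ports=8443/tcp|9125/udp
EOF
    printf '%s\n' "$1/mywebapp"
}

profile_ports() {
    # $1 = profile file, $2 = profile name; prints that section's ports= value
    awk -v name="[$2]" '
    /^\[/               { in_sec = ($0 == name) }
    in_sec && /^ports=/ { print substr($0, 7) }' "$1"
}

# Demo in a scratch directory so nothing under /etc is touched.
scratch=$(mktemp -d)
profile=$(write_profile "$scratch")
echo "MyWebApp opens: $(profile_ports "$profile" MyWebApp)"
rm -r "$scratch"

# On a real system, as root:
#   write_profile /etc/ufw/applications.d
#   ufw app update MyWebApp
#   ufw app info MyWebApp
#   ufw allow MyWebApp
```

In the ports field, entries are separated by | and each entry can carry its own protocol, so one profile can open TCP and UDP ports together.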
Setting Up A Desktop
Begin by setting the defaults:
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
Allow HTTP and HTTPS traffic for web browsing:
$ sudo ufw allow http
$ sudo ufw allow https
Enable SSH access:
$ sudo ufw allow ssh
Allow NTP for system time synchronization:
$ sudo ufw allow ntp
Unless you’re using a static IP, allow DHCP on ports 67 and 68:
$ sudo ufw allow 67:68/udp
Allow DNS traffic for domain name resolution:
$ sudo ufw allow 53
For torrent clients like Deluge:
$ sudo ufw allow 56881:56889/tcp
Steam requires multiple ports:
$ sudo ufw allow 27000:27036/udp
$ sudo ufw allow 27036:27037/tcp
$ sudo ufw allow 4380/udp
Setting Up A Web Server
Web servers require a more restrictive configuration to minimize the attack surface while ensuring legitimate traffic flows unimpeded.
For servers, deny all traffic by default. Disable the firewall before making these changes to avoid losing SSH access:
$ sudo ufw default deny incoming
$ sudo ufw default deny outgoing
$ sudo ufw default deny forward
Enable both inbound and outbound web traffic:
$ sudo ufw allow http
$ sudo ufw allow out http
$ sudo ufw allow https
$ sudo ufw allow out https
Allow SSH for remote administration:
$ sudo ufw allow ssh
$ sudo ufw allow out ssh
Enable NTP for time synchronization:
$ sudo ufw allow ntp
$ sudo ufw allow out ntp
Allow DNS for package updates and domain resolution:
$ sudo ufw allow 53
$ sudo ufw allow out 53
Conclusion
UFW provides a straightforward approach to firewall management on Linux systems. Despite its simplicity, UFW is production-ready because it operates as a frontend to iptables, delivering the same robust security. The examples in this guide cover common desktop and server configurations, but you should customize the rules based on your specific requirements and network configuration. For comprehensive documentation, refer to the official UFW manpage.
Frequently Asked Questions
- How do I check if UFW is blocking a specific connection? Use sudo ufw status verbose to see all active rules and their policies. You can also check the UFW logs at /var/log/ufw.log for blocked connection attempts. Enable logging with sudo ufw logging on if it’s not already active.
- Can I reset UFW to its default state? Yes, run sudo ufw reset to remove all rules and disable the firewall. This returns UFW to its initial post-installation state, which is useful if you’ve made configuration errors and want to start fresh.
- What’s the difference between ufw allow and ufw limit? The allow command permits all matching traffic, while limit adds rate limiting to prevent brute-force attacks. For example, sudo ufw limit ssh allows SSH connections but blocks an IP address that attempts more than 6 connections within 30 seconds.
- Does UFW persist after reboot? Yes, once enabled with sudo ufw enable, UFW automatically starts at boot and loads your saved rules. The rules are stored in /etc/ufw/ and persist across reboots without additional configuration.
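
For the first question, reading /var/log/ufw.log by eye gets slow on a busy host. The following added example, which is not part of the original guide, counts [UFW BLOCK] entries per source address, protocol and destination port. The function names are illustrative and the log lines are constructed samples using documentation address ranges.

```shell
#!/bin/sh
# Summarize "[UFW BLOCK]" entries from a UFW log: one line per
# source / protocol / destination port, most frequent first.

# Constructed sample lines in the kernel log format found in ufw.log.
sample_log() {
cat <<'EOF'
Jan 10 12:00:01 host kernel: [100.1] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Jan 10 12:00:02 host kernel: [101.2] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40002 DPT=23 SYN URGP=0
Jan 10 12:00:05 host kernel: [104.9] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=440 TTL=49 PROTO=UDP SPT=5071 DPT=5060 LEN=420
Jan 10 12:00:07 host kernel: [106.3] [UFW ALLOW] IN=eth0 OUT= SRC=192.168.1.20 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Jan 10 12:00:09 host kernel: [108.0] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40003 DPT=23 SYN URGP=0
Jan 10 12:00:11 host kernel: [110.4] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TTL=50 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
EOF
}

summarize_blocks() {
    # Reads log lines on stdin; prints "count source protocol dport".
    awk '
    /\[UFW BLOCK\]/ {
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (dpt == "") dpt = "-"   # ICMP entries carry no destination port
        if (src != "") n[src " " proto " " dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

sample_log | summarize_blocks

# On a real host:
#   sudo cat /var/log/ufw.log | summarize_blocks | head
```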