UFW (Uncomplicated Firewall) is a front end that simplifies iptables firewall configuration. iptables is a powerful and flexible tool, but it can be difficult for beginner and intermediate Linux users. If you are not sure which tool to use to configure your network security, UFW is the right choice for you.

How to Install and Use UFW?

In this tutorial, we will explain how to install UFW firewall on Ubuntu 14.04 server.

Prerequisites

If you are logged in to your Ubuntu server as root, you do not need to prefix the commands in this tutorial with sudo.

UFW is installed by default on Ubuntu. If it has been removed, you can reinstall it with the command below.

sudo apt-get install ufw

IPv6 configuration with UFW

Make sure your Ubuntu server is configured to support IPv6. Open the UFW configuration file with the nano editor to check this:

sudo nano /etc/default/ufw

Find the line that begins with “IPV6=” in the file and make sure its value is “yes”, as follows:

IPV6=yes

Then save and exit. When UFW is enabled, it will manage both IPv4 and IPv6 firewall rules.

UFW Status and Rule Check

You can check the UFW status with this command.

sudo ufw status verbose

If you see the output below, it is because the UFW firewall is inactive by default.

Output: 
Status: inactive

If the UFW firewall is active, this command prints a detailed status screen listing all the rules. For example, if requests to SSH port 22 are allowed, you will see output like the one below.

Output: 
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere

Before enabling UFW, make sure a rule allowing incoming connections on the SSH port exists. If no SSH rule is defined when you enable the firewall, you will no longer be able to connect to your server via SSH.

Now we can start adjusting the UFW default settings to our will.

Standard Installation

UFW is configured by default to block all incoming requests and allow all outgoing requests. On its own, this means that nobody can reach any service on your server from outside.

You can set (or restore) these default policies of your UFW firewall with the following commands.

sudo ufw default deny incoming 
sudo ufw default allow outgoing

The commands above tell UFW to reject external requests to your server and to allow requests going out from it. Such a configuration suits a personal computer. Servers, however, generally have to respond to external requests, so we must open the ports our server's services use.

Allowing SSH connections

When the UFW firewall is enabled, it rejects all incoming requests by default, so you first need to allow SSH connections in order to connect to and manage your server remotely. To do this, we create a rule that allows connection requests on the SSH port.

To allow SSH connections to your server, you need to use the following command in UFW configuration.

sudo ufw allow ssh

This command creates a rule in the UFW firewall that allows all incoming connections on port 22, the SSH port. UFW knows which port the name ssh refers to because the service is listed in the /etc/services file.

As the example below shows, you can specify the port number instead of the service name; either way the same rule is created.

sudo ufw allow 22

If you wish, you can run the SSH service on a different port. If you have configured your SSH service to listen on port 2222, allow that port instead, as in the example below.

sudo ufw allow 2222

Now that the firewall is configured to allow SSH connections, we can activate it.

Enabling UFW Firewall

The following command is used to enable the UFW firewall.

sudo ufw enable

Answer the confirmation question that appears on the screen with “y”.

Your firewall is now active, and SSH on port 22 is allowed. You can use the sudo ufw status verbose command to list the status and the configured rules of your UFW firewall.
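A safety check worth scripting at this step, added here as an example that is not part of the original tutorial: a small POSIX shell script that refuses to run ufw enable unless ufw show added already lists an allow rule for the SSH port. The SSH_PORT variable, the has_ssh_rule and safe_enable function names and the constructed test inputs are assumptions of this example; the ufw show added output format ("ufw allow 22", one rule per line) is the one shown later on this page.

```shell
#!/bin/sh
# Added example (not from the original tutorial): only enable UFW when an
# allow rule for the SSH port is already present, so enabling the firewall
# cannot lock you out of a remote session.
# Assumptions: ufw is installed; SSH_PORT is the port sshd listens on
# (22 unless you changed it); "ufw show added" prints one "ufw ..." command
# per line, e.g. "ufw allow 22" or "ufw allow from 1.2.3.4 to any port 22 proto tcp".

SSH_PORT="${SSH_PORT:-22}"

# has_ssh_rule PORT: read "ufw show added" output on stdin and succeed (exit 0)
# if it contains an allow (or limit) rule covering tcp PORT. Accepts the short
# forms "ufw allow 22", "ufw allow 22/tcp" (and "ufw allow ssh" when PORT is
# 22) and the long forms ending in "port 22", optionally followed by
# "proto tcp" and/or a comment. A deny/reject rule for the port, a udp-only
# rule, or a rule for port 2222 does not count when checking port 22.
has_ssh_rule() {
    port="$1"
    if [ "$port" = 22 ]; then svc="ssh|22"; else svc="$port"; fi
    grep -Eq "^ufw (allow|limit) ((in )?($svc)(/tcp)?( comment .*)?|.* port ${port}( proto tcp)?( comment .*)?)$"
}

# safe_enable: run "ufw enable" only if the SSH rule check passes.
safe_enable() {
    if ufw show added | has_ssh_rule "$SSH_PORT"; then
        ufw enable
    else
        echo "refusing to enable: no allow rule for tcp port $SSH_PORT found" >&2
        echo "add one first, e.g.: sudo ufw allow $SSH_PORT/tcp" >&2
        return 1
    fi
}

# Touch the live firewall only when explicitly asked, so the file can also be
# sourced or tested without running ufw.
if [ "${1:-}" = "--enable" ]; then
    safe_enable
fi
```

Run it as sudo sh safe-enable.sh --enable (or SSH_PORT=2222 sudo -E sh safe-enable.sh --enable for a non-default port). The check is deliberately conservative: only allow and limit rules count, and a rule for port 2222 does not satisfy a check for port 22.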

We will now show a few more examples of allowing the services you need. You can apply the same pattern to any service for which you want to allow all incoming connections.

HTTP port 80

To run an unencrypted web server, you must allow requests to the HTTP port.

sudo ufw allow http

You can also use the HTTP port number, 80, instead.

sudo ufw allow 80

HTTPS port 443

If you want to configure your server as an encrypted web server, you must allow requests to the HTTPS port.

sudo ufw allow https

Alternatively, you can use the HTTPS port number, 443.

sudo ufw allow 443

FTP-port 21

You can allow requests to your FTP port, used for unencrypted file transfers, with this command.

sudo ufw allow ftp

If you want to use the port number 21 instead, use this command.

sudo ufw allow 21/tcp

Allowing specific port ranges

Some applications use a range of ports. You can configure your UFW firewall to allow a specific port range; you must specify both the range and the protocol.

sudo ufw allow 6000:6007/tcp
sudo ufw allow 6000:6007/udp

Allowing Specific IP Addresses

You can use the command below to allow requests from a specific IP address to your server.

sudo ufw allow from 15.15.15.51


We have learned how to create rules for the UFW firewall. Let’s take a look at how to delete the rules we have created.

Deleting a Rule

Knowing how to delete firewall rules is as important as knowing how to create them. Just as a rule can be created in two different ways, it can be deleted in two different ways.

Deleting a Rule with Rule Number

If you want to delete rules from your firewall, first get a list of the rules with the status numbered command. A number appears next to each rule, as seen below.

sudo ufw status numbered

Numbered Output:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    15.15.15.0/24
[ 2] 80                         ALLOW IN    Anywhere

For example, if we decide to delete rule [2], we use the command below.

sudo ufw delete 2

Answer “y” to the question “Are you sure you want to delete the rule?” and the rule is deleted.

Another method of deletion is deletion by protocol name or port number.

sudo ufw delete allow http
sudo ufw delete allow 80

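Rule numbers are positions, not identifiers: after sudo ufw delete 2, the rule that was [3] becomes [2]. The following POSIX shell example, added here and not part of the original tutorial, resolves the numbers of every rule matching a pattern from sudo ufw status numbered and deletes them highest number first, so the remaining numbers stay valid during the loop. The function names, the pattern argument and the constructed sample output are assumptions of this example; ufw --force is the real ufw option that skips the confirmation prompt.

```shell
#!/bin/sh
# Added example (not from the original tutorial): delete several rules by
# number without being tripped up by renumbering.
# Assumptions: ufw is installed; "ufw status numbered" prints rules as
# "[ N] <to> <action> <from>" lines, as shown on this page.

# rule_numbers_matching ERE: read "ufw status numbered" output on stdin and
# print the number of every rule whose text matches the extended regular
# expression ERE, highest number first.
rule_numbers_matching() {
    awk -v pat="$1" '
        /^\[ *[0-9]+\]/ {
            text = $0
            sub(/^\[ *[0-9]+\] */, "", text)   # drop the "[ 2] " prefix
            if (text ~ pat) {
                num = $0
                sub(/^\[ */, "", num)           # "[ 2] ..." -> "2] ..."
                sub(/\].*/, "", num)            # "2] ..."   -> "2"
                print num
            }
        }
    ' | sort -rn
}

# delete_rules_matching ERE: delete every matching rule, highest number first.
# Deleting in descending order means each later number still refers to the
# rule it was computed for. Prints what it deletes so the action is auditable.
delete_rules_matching() {
    for num in $(ufw status numbered | rule_numbers_matching "$1"); do
        echo "deleting rule $num"
        ufw --force delete "$num"
    done
}

# Constructed sample, shaped like the numbered output shown on this page.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 10.8.0.1 22/tcp            ALLOW IN    Anywhere
[ 2] Anywhere                   DENY IN     123.45.67.0/24
[ 3] 22/tcp                     DENY IN     1.2.3.4
[ 4] 80/tcp                     ALLOW IN    Anywhere'

# Dry run on the sample: which numbers would "delete all DENY rules" touch?
printf '%s\n' "$SAMPLE_STATUS" | rule_numbers_matching 'DENY IN'
```

Against the sample this prints 3 and then 2. To apply it to the live firewall, source the file and call delete_rules_matching 'DENY IN' as root; review the dry-run output first, since the pattern is matched against the whole rule text.
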
If for some reason you need to turn off the UFW firewall, you can disable UFW with the command below.

sudo ufw disable

When you want to reactivate the firewall, simply use the sudo ufw enable command; all the rules you created with UFW will be active again.

If a rule does not seem to take effect, or after you have edited UFW's configuration files, reload the firewall with the command below. Do not confuse this with sudo ufw reset, which removes all your rules and disables the firewall.

sudo ufw reload

Result

Your firewall is now ready and configured to allow SSH and HTTP connections. You have learned how to configure your UFW firewall and make your server more secure.

Source: https://siterobot.io
MORE DETAILED INFORMATION:

How do I add a comment for the rule?

Use the following syntax (replace {rule} with the rule you are adding):
$ sudo ufw {rule} comment 'my cool comment here'
Open port 53 and write a comment about the rule too:
$ sudo ufw allow 53 comment 'open tcp and udp port 53 for dns'
Another example:
$ sudo ufw allow proto tcp from any to any port 80,443 comment 'my cool web app ports'
OR
$ sudo ufw allow proto tcp from any to 10.8.0.1 port 22 comment 'SSHD port 22 for private lan'

Enable the UFW based firewall

Now that you have a default policy and the ssh port allowed, it is safe to enable the firewall. Enter:
$ sudo ufw enable
Sample outputs:

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Once enabled, the firewall runs after reboots too.

Disable the UFW based firewall

If you need to stop the firewall and disable it on system startup, enter:
$ sudo ufw disable
Sample outputs:

Firewall stopped and disabled on system startup

How do I check the status of my rules?

Use the status command:
$ sudo ufw status
$ sudo ufw status verbose
Sample outputs:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
192.168.1.10 443/tcp       ALLOW       Anywhere
192.168.1.10 22/tcp        ALLOW       Anywhere

Adding more rules (open ports and allow IPs)

The syntax is as follows to open tcp ports 80 and 443:
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
Open UDP/1194 (OpenVPN server):
$ sudo ufw allow 1194/udp
Open port 25 (smtpd / email server):
$ sudo ufw allow 25

Allowing port ranges

You can allow port ranges too, say tcp and udp 3000 to 5000:
$ sudo ufw allow 3000:5000/tcp
$ sudo ufw allow 3000:5000/udp
Make sure you allow connections from an IP address called 1.2.3.4, enter:
$ sudo ufw allow from 1.2.3.4
Make sure you allow connections from an IP address called 1.2.3.4 to our port 22, enter:
$ sudo ufw allow from 1.2.3.4 to any port 22 proto tcp
OR (dest 222.222.222.222 port 22):
$ sudo ufw allow from 1.2.3.4 to 222.222.222.222 port 22 proto tcp

How to allow incoming HTTPS traffic (open port 443)

$ sudo ufw allow https comment 'Allow all to access Nginx server'
## allow only from 139.1.1.1 ##
$ sudo ufw allow from 139.1.1.1 to any port 443
## allow only from 203.11.11.2/29 ##
$ sudo ufw allow from 203.11.11.2/29 to any port 443

How to allow incoming HTTP traffic (open port 80)

$ sudo ufw allow http comment 'Allow all to access Apache server'
## allow only from 139.1.1.1 ##
$ sudo ufw allow from 139.1.1.1 to any port 80
## allow only from 203.11.11.2/29 ##
$ sudo ufw allow from 203.11.11.2/29 to any port 80

How to allow incoming MySQL / MariaDB traffic (open port 3306)

Allow access to MySQL / MariaDB port 3306 from a selected subnet only (see the MySQL / MariaDB remote access tutorial):
$ sudo ufw allow from 192.168.1.0/24 to any port 3306
Allow access to MySQL / MariaDB port 3306 from the Apache server only:
$ sudo ufw allow from 202.54.1.1 to any port 3306

How to allow incoming PostgreSQL traffic (open port 5432)

Allow access to PostgreSQL port 5432 from a selected subnet only (see the PostgreSQL remote access tutorial):
$ sudo ufw allow from 192.168.1.0/24 to any port 5432
Allow access to PostgreSQL port 5432 from the Apache server only:
$ sudo ufw allow from 202.54.1.1 to any port 5432

How to allow incoming SMTPD / Postfix / Sendmail (mail server) traffic (open port 25)

$ sudo ufw allow 25
$ sudo ufw allow smtp

How to allow incoming IMAP / IMAPS

$ sudo ufw allow 143
$ sudo ufw allow 993

How to allow incoming POP3 / POP3S

$ sudo ufw allow 110
$ sudo ufw allow 995

Denying access to port or connections (close ports and block IPs)

The syntax is as follows to deny access to tcp port 443 (i.e. simply ignore packets sent to that port):
$ sudo ufw deny 443/tcp
Make sure you deny all connections from an IP address called 1.2.3.4, enter:
$ sudo ufw deny from 1.2.3.4
Make sure you deny all connections from an IP / subnet called 123.45.67.89/24, enter:
$ sudo ufw deny from 123.45.67.89/24
Make sure you deny access from 1.2.3.4 (say, a hacker's IP) to port 22:
$ sudo ufw deny from 1.2.3.4 to any port 22 proto tcp

Rejecting access to port or connections (reject and let user know they are blocked by firewall)

The deny syntax simply ignores traffic. If you want to let the sender know that traffic is being denied, rather than simply ignoring it, use the reject syntax:
$ sudo ufw reject in smtp
$ sudo ufw reject out smtp
$ sudo ufw reject 1194 comment 'No more vpn traffic'
$ sudo ufw reject 23 comment 'Unencrypted port not allowed'
If somebody tries to connect to port 23, they will get a reject message as follows:

telnet: Unable to connect to remote host: Connection refused

Deleting the UFW firewall rules

Now you know how to add, deny, and list firewall rules. It is time to delete unwanted rules. There are two ways to delete rules. The first syntax is:
$ sudo ufw delete {rule-here}
In this example, delete HTTPS (tcp port 443) traffic rule,
$ sudo ufw delete allow 443
If you no longer wish to allow smtpd / email (port 25) traffic, execute:
$ sudo ufw delete allow 25
The second option is to list all of the current rules in numbered format:
$ sudo ufw status numbered
Sample outputs:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 10.8.0.1 22/tcp            ALLOW IN    Anywhere
[ 2] Anywhere                   DENY IN     123.45.67.0/24
[ 3] 22/tcp                     DENY IN     1.2.3.4

To delete the 2nd rule (“ufw deny from 123.45.67.89/24”), type the command:
$ sudo ufw delete 2
Sample outputs:

Deleting:
 deny from 123.45.67.0/24
Proceed with operation (y|n)? y
Rule deleted

How do I reset the firewall?

To reset the ufw rules to their factory default settings and leave the firewall inactive, run:
$ sudo ufw reset
Sample outputs:

Resetting all rules to installed defaults. This may disrupt existing ssh
connections. Proceed with operation (y|n)? y
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20160801_121710'
Backing up 'after.rules' to '/etc/ufw/after.rules.20160801_121710'
Backing up 'before.rules' to '/etc/ufw/before.rules.20160801_121710'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20160801_121710'
Backing up 'user.rules' to '/etc/ufw/user.rules.20160801_121710'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20160801_121710'

How do I reload the firewall?

The syntax is as follows to reload firewall:
$ sudo ufw reload
When you edit a UFW configuration file, you need to run the reload command. For example, to edit /etc/ufw/before.rules, enter:
$ sudo nano /etc/ufw/before.rules
OR
$ sudo vi /etc/ufw/before.rules
To allow all traffic from eth0 to eth0 (add after the line that reads “# End required lines”), enter:

# allow all on eth0 
-A ufw-before-input -i eth0 -j ACCEPT 
-A ufw-before-output -o eth0 -j ACCEPT

Save and close the file. Reload the firewall:
$ sudo ufw reload

How do I see the firewall logs?

By default all UFW entries are logged to the /var/log/ufw.log file:
$ sudo more /var/log/ufw.log
$ sudo tail -f /var/log/ufw.log
Sample outputs:

Aug 1 12:09:48 server2 kernel: [15727.245115] [UFW BLOCK] IN=br1 OUT= MAC=00:25:90:4f:b0:6f:44:d3:ca:5f:89:40:08:00 SRC=62.210.181.123 DST=75.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=20343 DF PROTO=TCP SPT=2328 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Aug 1 12:09:58 server2 kernel: [15737.485726] [UFW BLOCK] IN=br1 OUT= MAC=00:25:90:4f:b0:6f:44:d3:ca:5f:89:40:08:00 SRC=187.134.225.91 DST=75.xxx.yyy.zzz LEN=46 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=54704 DPT=53413 LEN=26
Aug 1 12:09:58 server2 kernel: [15737.486102] [UFW BLOCK] IN=br1 OUT= MAC=00:25:90:4f:b0:6f:44:d3:ca:5f:89:40:08:00 SRC=187.134.225.91 DST=75.xxx.yyy.zzz LEN=151 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=54704 DPT=53413 LEN=131


You can search log file with grep command:
$ sudo grep something /var/log/ufw.log
$ sudo grep '187.134.225.91' /var/log/ufw.log
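Blocked-packet lines are the most useful raw signal ufw gives a defender: the SRC, PROTO and DPT fields tell you who is knocking and on which port. The following POSIX shell example, added here and not part of the original page, summarises [UFW BLOCK] entries by source address, destination port and protocol with awk, most frequent first, and reports the noisiest sources. The function names are assumptions of this example; the embedded sample log is constructed from the three lines shown above plus one [UFW ALLOW] line to show that non-block entries are ignored.

```shell
#!/bin/sh
# Added example (not from the original page): summarise [UFW BLOCK] log lines
# by source, destination port and protocol, most frequent first.
# Assumption: lines follow the kernel netfilter log format shown on this page
# ("[UFW BLOCK] IN=... SRC=... DST=... PROTO=... SPT=... DPT=...").

# summarize_blocks: read ufw.log lines on stdin, print "COUNT SRC DPT PROTO"
# per distinct (source, destination port, protocol), highest count first.
# Lines that are not [UFW BLOCK] entries (e.g. [UFW ALLOW] or unrelated
# kernel messages) are ignored. DPT is "-" for protocols without ports.
summarize_blocks() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = "-"; proto = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src != "") count[src " " dpt " " proto]++
        }
        END { for (key in count) print count[key], key }
    ' | sort -rn
}

# top_blocked_sources N: the N source addresses with the most blocked packets,
# summed over all ports and protocols, as "COUNT SRC".
top_blocked_sources() {
    summarize_blocks \
        | awk '{ hits[$2] += $1 } END { for (s in hits) print hits[s], s }' \
        | sort -rn | head -n "$1"
}

# Constructed sample log, based on the three entries shown on this page
# (the destination is the page's masked 75.xxx.yyy.zzz placeholder) plus
# one allowed connection that must not be counted.
SAMPLE_LOG='Aug 1 12:09:48 server2 kernel: [15727.245115] [UFW BLOCK] IN=br1 OUT= MAC=00:25:90:4f:b0:6f:44:d3:ca:5f:89:40:08:00 SRC=62.210.181.123 DST=75.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=20343 DF PROTO=TCP SPT=2328 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Aug 1 12:09:58 server2 kernel: [15737.485726] [UFW BLOCK] IN=br1 OUT= MAC=00:25:90:4f:b0:6f:44:d3:ca:5f:89:40:08:00 SRC=187.134.225.91 DST=75.xxx.yyy.zzz LEN=46 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=54704 DPT=53413 LEN=26
Aug 1 12:09:58 server2 kernel: [15737.486102] [UFW BLOCK] IN=br1 OUT= MAC=00:25:90:4f:b0:6f:44:d3:ca:5f:89:40:08:00 SRC=187.134.225.91 DST=75.xxx.yyy.zzz LEN=151 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=54704 DPT=53413 LEN=131
Aug 1 12:10:03 server2 kernel: [15742.000000] [UFW ALLOW] IN=br1 OUT= SRC=10.8.0.5 DST=75.xxx.yyy.zzz PROTO=TCP SPT=51000 DPT=22'

# With a file argument, summarise that log; otherwise demonstrate on the sample.
if [ $# -gt 0 ]; then
    summarize_blocks < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | summarize_blocks
fi
```

On a real host run sudo sh ufw-blocks.sh /var/log/ufw.log; on the sample the first line is "2 187.134.225.91 53413 UDP" and the allowed connection does not appear. Because sort -rn is applied to the count column, ties between sources are broken arbitrarily, which is fine for a quick triage but should not be relied on for exact ordering.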

How do I see ufw reports?

The added report displays the list of rules as they were added on the command-line:
$ sudo ufw show added
Sample outputs:

Added user rules (see 'ufw status' for running firewall): 
ufw allow 22 
ufw reject 23

The raw report shows the complete firewall, while the other reports show a subset of what is in the raw report:
$ sudo ufw show raw
$ sudo ufw show raw | more
The listening report displays the ports on the live system in the listening state for tcp and the open state for udp, along with the address of the interface and the executable listening on the port. An ‘*’ is used in place of the interface address when the executable is bound to all interfaces on that port. Following this information is a list of rules which may affect connections on this port. The rules are listed in the order they are evaluated by the kernel, and the first match wins. Note that the default policy is not listed, and tcp6 and udp6 are shown only if IPV6 is enabled:
$ sudo ufw show listening
$ sudo ufw show listening | more
Sample outputs:

tcp:
  22 10.86.115.66 (sshd)
   [ 1] allow 22
  22 10.8.0.1 (sshd)
   [ 1] allow 22
  443 75.xxx.yyy.zzz (openvpn)
udp:
  123 10.8.0.1 (ntpd)
  123 75.xxx.yyy.zzz (ntpd)
  123 10.86.115.66 (ntpd)
  123 * (ntpd)
udp6:
  123 * (ntpd)

Other possible reports are:
$ sudo ufw show builtins
$ sudo ufw show before-rules
$ sudo ufw show user-rules
$ sudo ufw show after-rules
$ sudo ufw show logging-rules
