Howto: Use, setup, and Take advantage of the New Ubuntu Uncomplicated Firewall UFW
Here is an overview on how to use ufw, the Uncomplicated Firewall:
Let's turn UFW on:
sudo ufw enable
When you initially turn the firewall on, it is in ACCEPT mode, and will accept everything incoming and outgoing until you make rulesets.
The simple syntax to allow an incoming/outgoing connection on a specified port to any host would be:
sudo ufw allow 53
To specify a protocol, append ’/protocol’ to the port. For example, let's enable tcp connections on port 53 incoming/outgoing:
sudo ufw allow 53/tcp
or for udp:
sudo ufw allow 53/udp
You can also allow by service name since ufw reads from /etc/services
Let's see what services are in /etc/services:
cat /etc/services | less
As an example, let's allow ssh, which is port 22:
sudo ufw allow ssh
You can also use a fuller syntax, specifying the source and destination addresses and ports. This syntax is based on OpenBSD’s PF syntax. For example, this will deny all traffic to tcp port 22 on this host:
sudo ufw deny proto tcp to any port 22
To deny all traffic from the RFC1918 Class A network (10.0.0.0/8) to tcp port 22 with the address 192.168.0.1 we would use this:
sudo ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 22
If you want to deny all traffic from the IPv6 2001:db8::/32 to tcp port 80 on this host you would use:
sudo ufw deny proto tcp from 2001:db8::/32 to any port 80
To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:
ufw deny 80/tcp
Use this to delete it:
sudo ufw delete deny 80/tcp
Let's deny all access to port 80:
sudo ufw deny 80
Let's allow all access to tcp port 80:
sudo ufw allow 80/tcp
Let's block a single host:
sudo ufw deny from 207.46.232.182
The above command blocked Microsoft lol
Let's block Microsoft's class B:
sudo ufw deny from 207.46.0.0/16
Let's allow all access from RFC1918 networks (LAN/WLANs) to this host:
sudo ufw allow from 10.0.0.0/8
sudo ufw allow from 172.16.0.0/12
sudo ufw allow from 192.168.0.0/16
Let's deny access to udp port 139 from host 192.168.1.1:
sudo ufw deny proto udp from 192.168.1.1 to any port 139
The same thing as above with tcp instead:
sudo ufw deny proto tcp from 192.168.1.1 to any port 139
Allow access to udp 192.168.1.1 port 22 from 192.168.1.100 port 22:
sudo ufw allow proto udp from 192.168.1.100 port 22 to 192.168.1.1 port 22
To check the status of ufw with the ports in the listening state use:
sudo ufw status
To disable ufw use:
sudo ufw disable
To enable logging use:
sudo ufw logging on
To disable logging use:
sudo ufw logging off
For more complete information please see the Ubuntu Wiki
Or read the man pages via Applications->Accessories->Terminal
Then type:
man ufw
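ufw checks rules in the order they were added and the first match wins, so the order in which the commands above are typed changes the result. The Python sketch below is an added example, not part of the original article or of ufw itself: a simplified model that parses the rule forms used on this page (numeric ports only) and returns the first matching rule. The address 192.0.2.10 is a constructed stand-in for "this host", and the default policy is a parameter set to allow to follow the article's description of the initial state.

```python
import ipaddress

def parse_rule(text):
    """Parse the ufw rule forms shown on this page (numeric ports only)."""
    tok = text.split()
    rule = {"action": tok[0], "text": text, "proto": None,
            "src": None, "dst": None, "sport": None, "dport": None}
    if len(tok) == 2:                       # simple form: "allow 53", "deny 80/tcp"
        port, _, proto = tok[1].partition("/")
        rule["dport"], rule["proto"] = int(port), proto or None
        return rule
    side = "dst"
    for key, val in zip(tok[1::2], tok[2::2]):   # full form: key/value pairs
        if key == "proto":
            rule["proto"] = val
        elif key in ("from", "to"):
            side = "src" if key == "from" else "dst"
            rule[side] = None if val == "any" else val
        elif key == "port":                 # applies to the preceding from/to
            rule["sport" if side == "src" else "dport"] = int(val)
    return rule

def matches(rule, proto, src, dst, dport, sport=None):
    """True when every field the rule specifies agrees with the packet."""
    if rule["proto"] and rule["proto"] != proto:
        return False
    if rule["dport"] is not None and rule["dport"] != dport:
        return False
    if rule["sport"] is not None and rule["sport"] != sport:
        return False
    for net, addr in ((rule["src"], src), (rule["dst"], dst)):
        if net and ipaddress.ip_address(addr) not in ipaddress.ip_network(net, strict=False):
            return False
    return True

def verdict(rules, proto, src, dst, dport, sport=None, default="allow"):
    """Return (action, matching rule text); rules are checked in the order added."""
    for rule in map(parse_rule, rules):
        if matches(rule, proto, src, dst, dport, sport):
            return rule["action"], rule["text"]
    return default, None                    # no rule matched: default policy applies

# Constructed scenario: the same two rules from this page, in two different orders.
AS_ADDED = ["allow 80/tcp", "deny from 207.46.232.182"]
SPECIFIC_FIRST = ["deny from 207.46.232.182", "allow 80/tcp"]

if __name__ == "__main__":
    for name, rules in (("as added", AS_ADDED), ("specific first", SPECIFIC_FIRST)):
        print(name, verdict(rules, "tcp", "207.46.232.182", "192.0.2.10", 80))
```

With the rules in the order "allow 80/tcp" then "deny from 207.46.232.182", the blocked host still reaches tcp port 80. Current ufw releases can place a rule ahead of existing ones with sudo ufw insert 1 deny from 207.46.232.182, and sudo ufw status numbered shows the positions.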
Comments (11)

Casey · 881 weeks ago
e-ddie · 880 weeks ago
tante · 881 weeks ago
All jokes aside this is just a sign of Ubuntu taking on the Windows lingo that calls "packet filters" firewall and feels all warm, fuzzy and secure.
Martijn · 880 weeks ago
Of course it has a risk of bugs, as does any front-end, but manually entering iptables rules has more chance of errors because of their complex syntax. In this case the ease of use outweighs the added risk, by allowing people to run a firewall who might otherwise not do so or who do not want to spend days learning iptables and all its pitfalls.
About packet filters not being firewalls in the true sense of the word, I think that's nitpicking. The people who know the difference have much higher security requirements and will choose depending on their needs and budget. For all others a packet filter is quite sufficient. A real firewall would be too pricey and complex.
mthorley · 880 weeks ago
cat /etc/services | less
It should be
less /etc/services
gaiterin · 877 weeks ago
I made a simple GUI in Python + Glade.
You can download it at:
http://code.google.com/p/gui-ufw/
To install follow the instructions of the file installation.
A greeting.
defcon 52p · 877 weeks ago
defcon 52p · 877 weeks ago
mngrif · 870 weeks ago
composer · 866 weeks ago
johnieWho? · 864 weeks ago