Howto: Use, Set Up, and Take Advantage of the New Ubuntu Uncomplicated Firewall (UFW)

Here is an overview of how to use ufw, the Uncomplicated Firewall:

Let's turn UFW on:
sudo ufw enable
When you first turn the firewall on it is in ACCEPT mode, and it will accept everything incoming and outgoing until you create rules.

The simple syntax to allow an incoming/outgoing connection on a specified port to any host is:
sudo ufw allow 53
To specify a protocol, append '/protocol' to the port. For example, let's enable TCP connections on port 53, incoming/outgoing:
sudo ufw allow 53/tcp
or, for UDP:
sudo ufw allow 53/udp
You can also allow by service name, since ufw reads from /etc/services.
Let's see what services are in /etc/services:
cat /etc/services | less

As an example, let's allow ssh, which is port 22:
sudo ufw allow ssh

You can also use a fuller syntax, specifying the source and destination addresses and ports. This syntax is based on OpenBSD's PF syntax. The following rule denies all traffic to TCP port 22 on this host:
ufw deny proto tcp to any port 22

To deny all traffic from the RFC1918 Class A network (10.0.0.0/8) to TCP port 22 on the address 192.168.0.1, use:
ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 22

If you want to deny all traffic from the IPv6 network 2001:db8::/32 to TCP port 80 on this host, use:
ufw deny proto tcp from 2001:db8::/32 to any port 80

To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:
ufw deny 80/tcp
Use this to delete it:
sudo ufw delete deny 80/tcp

Let's deny all access to port 80:
sudo ufw deny 80
Let's allow access to TCP port 80:
sudo ufw allow 80/tcp

Let's block a single host:
sudo ufw deny from 207.46.232.182
The above command blocks Microsoft, lol.
Let's block Microsoft's class B:
sudo ufw deny from 207.46.0.0/16

Let's allow all access from the RFC1918 networks (LANs/WLANs) to this host:
sudo ufw allow from 10.0.0.0/8
sudo ufw allow from 172.16.0.0/12
sudo ufw allow from 192.168.0.0/16
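The two ideas above, the "deny proto tcp ... to any port 22" syntax and the RFC1918 allow rules, are usually combined to let SSH in only from the LAN. The script below is an added example (mine, not from the post); it only uses the ufw syntax shown on this page. The point it demonstrates is ordering: ufw evaluates rules top to bottom and the first match wins, so the specific allow rules must be added before the general deny. The `ssh_rules`/`apply_rules` names and the `UFW_APPLY` variable are my own; by default it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: restrict SSH to the RFC1918
# networks and deny it from everywhere else, in the right order.
# By default the commands are only printed; set UFW_APPLY=1 and run as
# root to execute them.

LAN_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"   # RFC1918 ranges

# Print the ordered rule list, one ufw command per line.
# The allow rules come first because ufw stops at the first matching rule.
ssh_rules() {
    port="${1:-22}"
    for net in $LAN_NETS; do
        echo "ufw allow proto tcp from $net to any port $port"
    done
    echo "ufw deny proto tcp to any port $port"
}

# Execute each generated command, or just echo it in dry-run mode.
apply_rules() {
    ssh_rules "$@" | while IFS= read -r cmd; do
        if [ "${UFW_APPLY:-0}" = "1" ]; then
            $cmd
        else
            echo "[dry-run] $cmd"
        fi
    done
}

apply_rules 22
# On a real host, "sudo ufw status numbered" afterwards lists the three
# allow rules above the deny rule; that order is what makes the policy work.
```

If the deny rule were added first, the later allow rules would never be reached for port 22 and the LAN would be locked out too, so when you add an exception to an existing deny, check the numbered status output rather than assuming the new rule takes precedence.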

Let's deny access to UDP port 139 from host 192.168.1.1:
sudo ufw deny proto udp from 192.168.1.1 to any port 139
The same thing with TCP instead:
sudo ufw deny proto tcp from 192.168.1.1 to any port 139

Allow access to UDP port 22 on 192.168.1.1 from 192.168.1.100 port 22:

sudo ufw allow proto udp from 192.168.1.100 port 22 to 192.168.1.1 port 22

To check the status of ufw and the ports it currently has rules for, use:
sudo ufw status

To disable ufw, use:
sudo ufw disable

To enable logging, use:
ufw logging on

To disable logging, use:
ufw logging off
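Once logging is on, the denied packets show up as "[UFW BLOCK]" kernel log lines (on Ubuntu they typically land in /var/log/ufw.log or /var/log/syslog). Reviewing them is how you notice who is knocking on a port you closed. The script below is an added example (mine, not from the post): it summarises blocked connections by source, destination, port and protocol. The log lines in `sample_log` are constructed for this example, and the `summarize_blocks` function name is my own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise "[UFW BLOCK]" log
# entries so denied traffic can be reviewed.

# Constructed sample log lines in the format ufw writes via the kernel.
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 host kernel: [ 1201.455] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44122 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:04 host kernel: [ 1204.102] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:09 host kernel: [ 1209.877] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44124 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:16:40 host kernel: [ 1300.010] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.10 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=139 LEN=58
Mar  3 10:16:41 host sshd[2211]: Accepted publickey for admin from 192.168.1.100 port 51000 ssh2
EOF
}

# Read log lines from the given files (or stdin) and print
# "count src dst dport proto" for blocked packets, most frequent first.
summarize_blocks() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; dst = ""; dpt = ""; proto = ""
            # Fields are KEY=VALUE tokens; pick out the ones we report on.
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "DST")   dst   = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src != "") count[src " " dst " " dpt " " proto]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | sort -rn
}

# Demo on the constructed lines; on a real host use
#   summarize_blocks /var/log/ufw.log
sample_log | summarize_blocks
```

The first output line for the sample data is `3 203.0.113.7 192.168.1.10 22 TCP`: one source repeatedly hitting the closed SSH port, which is the kind of pattern worth a closer look (and a candidate for a "deny from" rule as shown earlier in the post).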

For more complete information, please see the Ubuntu Wiki.

Or read the man pages: open Applications -> Accessories -> Terminal, then type:
man ufw

Comments (11)

How is this any different than Iptables?
1 reply · active 880 weeks ago
ufw is only an interface to iptables
@Casey: It's a fancy "new" name and yet another package that can go wrong.

All jokes aside, this is just a sign of Ubuntu taking on the Windows lingo that calls "packet filters" firewalls and feels all warm, fuzzy and secure.
1 reply · active 880 weeks ago
Why the sour face? I think it's actually a useful tool for my home server.

Of course it has a risk of bugs, as does any front-end, but manually entering iptables rules has more chance of errors because of their complex syntax. In this case the ease of use outweighs the added risk, by allowing people to run a firewall who might otherwise not do so or who do not want to spend days learning iptables and all its pitfalls.

About packet filters not being firewalls in the true sense of the word, I think that's nitpicking. The people who know the difference have much higher security requirements and will choose depending on their needs and budget. For all others a packet filter is quite sufficient. A real firewall would be too pricey and complex.
The cat is unnecessary in the 5th example.

cat /etc/services | less

It should be

less /etc/services
Hello.

I made a simple GUI in Python + Glade.

You can download it at:

http://code.google.com/p/gui-ufw/

To install follow the instructions of the file installation.

A greeting.
3 replies · active 870 weeks ago
awesome, checking it out now
I'll be featuring this any minute on my main page, great work, also check your google code bug list for some ideas I added for this app
A front end for a front end? Why? ufw is nothing more than a front end to iptables.
I use the stand-alone firewall LEAF (http//leaf.sourceforge.net), which is a stateful firewall. I'm looking for an internal firewall that filters on programs, allowing only known programs to pass the firewall (like browsers, mail programs, etc.). Then malware cannot connect (which is an important reason for a firewall). A packet or stateful firewall is not program conscious.
johnieWho? · 864 weeks ago

Hey Composer, let me know if you find any? I also want such a program. ;-)
