blog posts

How To Install And Configure A UFW Firewall On Linux

Firewall on Linux

The IPTables firewall is one of the most popular firewalls in Linux distributions, but due to the bit of complexity in writing traffic rules, you usually have to write down certain details and parameters when creating rules.

Therefore, the IPTables firewall cannot accept that Rule. Due to this problem and the complexity of IPTables, a user-friendly and simpler firewall based on IPTables is presented under the name of UFW firewall, which stands for Uncomplicated Firewall.

As the name implies, a UFW firewall means an uncomplicated firewall. With UFW, with a user-friendly environment, we can perform our rules and processes via IPTables.

Install UFW firewall

To install this firewall, you can install it on all Linux distributions with the ufw package name. (In this article, we will only install it on Debian, but the process is the same on all distributions)

With the following command, we can install this firewall in our system.

sudo apt install ufw -y

Check the UFW status

After installing it, to ensure the successful installation, we enter the following command:

sudo ufw status verbose


Status: inactive

In the output above we see that the firewall is inactive (Inactive) and this is such that UFW is disabled by default.

Default rules in UFW firewall

By default, UFW, like all firewalls, has rules that it uses when it is first activated. These default rules are such that they completely reject incoming and outgoing connections and accept outgoing connections.

This means that if someone wants to access the system or server, they can not do so unless you manually open a specific port.

In addition, if you have a particular service on your system or server, that service can easily access the outside.

The UFW configuration firewall is located in the following path

etc / default / ufw /

You can also change these default rules with the following syntax:

sudo ufw Default <Policy> <Chain>

The concept of Application Profile in UFW

When we install software with the apt command, an Application Profile is created in the following path:


These Application Profiles actually contain information about the service of that software and its UFW settings. With the following command we have the ability to list all Application Profiles:

sudo ufw app list

The output of the above command depends on the packages installed on your system and may differ from our output:

Available applications:
  Dovecot IMAP
  Dovecot POP3
  Dovecot Secure IMAP
  Dovecot Secure POP3
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  Postfix SMTPS
  Postfix Submission

To be able to get a more complete output of the desired service and software, we can use the following command

sudo ufw app info 'Nginx Full'


Profile: Nginx Full
Title: Web Server (Nginx, HTTP + HTTPS)
Description: Small, but very powerful and efficient web server


80,443 / tcp

As you can see above, we easily got more complete information from Nginx Full, which opens two ports, HTTP (80) and HTTPS (443).

Write a Rule in UFW to open access

Before leaving your server, you should remember that if you enable UFW by default, you will no longer be able to access the server from outside. This problem makes your remote accesses, including SSH, inaccessible.

Initially, you need to set a Rule to access SSH from the outside in. The rule we want to allow access to SSH in the input direction is as follows:

sudo ufw allow ssh


Rules updated
(Rules updated (v6

Due to the above rule, only the default SSH port opens, and if SSH is enabled on another port and you want to open it based on the port, you can do the following:

sudo ufw allow 4422 / tcp

In addition, for other services, you can do the above, and for example, if you want to open HTTP, you can do the following:

sudo ufw allow http

Output the above command

Rules updated
(Rules updated (v6

Create access based on Application Profile

We can also grant access based on the Application Profile; Like the following Rule:

sudo ufw allow 'Nginx HTTP'

Create access for a specific Port Range

If we want to open the input access for a specific set of ports, we can do the following:

sudo ufw allow 7100: 7200 / udp

sudo ufw allow 7100: 7200 / tcp

In the two rules above, we said to allow access of Port 7100 to Port 7200 on the UDP and TCP platform for input.

Provide access to a specific IP address

To try to control access and for example, only certain traffic can enter the server, we can do the following:

sudo ufw allow from

We said in the above command to open access for the address

Open a specific port for a specific IP address

To impose restrictions and not every address can access SSH or any other service, we can do the following:

sudo ufw allow from

Create access for a Subnet

If we want to open special access for a set of IPs in a subnet, we can do the following:

sudo ufw allow from to any port 3306

In the above rule, our desired subnet is, and from this subnet, any IP address can access the MySQL server port.

Gain access through a special network card

If we want to open special access based on one of the system network cards, we can use allow in:

sudo ufw allow in on eth2 to any port 3306

Close UFW access

If we wanted to cut a connection via UFW, we could use Deny instead of Allow.

For example, suppose we have a web server running on port 80 on our server and we want to block a specific IP address, for example,; In such circumstances, our rule is as follows:

sudo ufw deny from

Also, if we want to block this access only to HTTP (80) and HTTPS (443) web ports, we do the following:

sudo ufw deny from to any port 443

sudo ufw deny from to any port 80
If you want to do the opposite of the above rules and allow access, just change the deny to allow.

Clear Rules in UFW

To delete these Rules, you must first obtain its Rule Number. You can see the Rule Number of all Rules by the following command:

sudo ufw status numbered


status: active

To Action From

- ------ ----

[1] 22 / tcp ALLOW IN Anywhere

[2] 80 / tcp ALLOW IN Anywhere

[3] 8080 / tcp ALLOW IN Anywhere

For example, if you want to delete the third Rule, you can do the following based on its Rule Number, which is 3:

sudo ufw delete 3

You can also do this through the port. For example, you have written a Rule that provides access to port 8888 and you want to delete it, your command for this is as follows:

sudo ufw delete allow 8888

Enable UFW firewall

Now after going through the process of opening access and closing them from the outside to the inside of the SSH and HTTP ports, we need to enable UFW, which can be done with the following command:

sudo ufw enable

Output the above command

Command may disrupt existing ssh connections. Proceed with the operation (y | n)? y
The firewall is active and enabled on system startup

At the top, you will be asked to enter y and Enter.

Disable the UFW firewall on Linux

If you want to disable UFW, you can use the following command:

sudo ufw disable

You can also re-enter this command to reEnable it:

sudo ufw enable

be successful and victorious