UFW, or the Uncomplicated Firewall, is a commonly used firewall on Debian and Ubuntu. UFW is a management layer / frontend for iptables that aims to simplify the management of your firewall. In this tutorial we explain the usage of UFW.
- Connect via SSH / the VPS console as the root user, or use sudo when executing the commands in this article.
- UFW handles configuration changes in real-time.
Installing UFW
By default, a Debian 11 installation comes with iptables but not with UFW. The installation of the Uncomplicated Firewall is straightforward:
apt -y install ufw
UFW will not start automatically after installation. You enable UFW with the commands:
ufw enable
systemctl start ufw
ufw logging on
With logging on, UFW writes its decisions to a log (/var/log/messages), which is definitely recommended: it gives you more information to troubleshoot with if problems occur.
The initial configuration
After the installation, UFW does not yet have a configuration of its own. It is recommended to start by blocking all incoming traffic and allowing all outgoing traffic, and then to open specific ports / services. The first part is done with the following commands:
ufw default deny incoming
ufw default allow outgoing
Check the status of UFW with:
ufw status verbose
Opening ports
There are three options for opening ports:
- Opening tcp and udp ports:
ufw allow 22
ufw allow 1234:2345
- Opening a tcp port:
ufw allow 22/tcp
ufw allow 1234:2345/tcp
- Opening a udp port:
ufw allow 22/udp
ufw allow 1234:2345/udp
Closing ports
There are also three options for closing ports:
- Closing tcp and udp ports:
ufw deny 22
ufw deny 1234:2345
- Closing a tcp port:
ufw deny 22/tcp
ufw deny 1234:2345/tcp
- Closing a udp port:
ufw deny 22/udp
ufw deny 1234:2345/udp
Allowing or denying IPs
It may be preferable to open or close ports for specific IP addresses only. This is for example a useful method for allowing only yourself access to the SSH port.
Access can be regulated per IP address, per subnet, per port and IP address, or per combination of IP address, port and protocol.
In the examples below, replace 123.123.123.123 with the actual IP address, 22 with the desired port and tcp with the desired protocol.
- Allowing / denying IP addresses
An IP address is allowed or denied with the syntax:
ufw allow from 123.123.123.123
ufw deny from 123.123.123.123
- Allowing / denying IP subnets
A subnet is allowed or denied with:
ufw allow from 123.123.123.0/24
ufw deny from 123.123.123.0/24
- Allowing / denying per port and IP
Tip: instead of a specific IP, you can also use an IP subnet.
Access to a specific port is allowed or denied with:
ufw allow from 123.123.123.123 to any port 22
ufw deny from 123.123.123.123 to any port 22
- Allowing / denying per IP, port and protocol
Tip: instead of a specific IP, you can also use an IP subnet.
Access to a specific port and protocol is allowed or denied with:
ufw allow from 123.123.123.123 to any port 22 proto tcp
ufw deny from 123.123.123.123 to any port 22 proto tcp
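The steps so far (default policies, opening ports, restricting SSH to a trusted subnet, logging, enabling) combined into one script, as an added example that is not part of the original article. The admin subnet 203.0.113.0/24, the SSH port 2222, the file name baseline.sh and the UFW_BIN variable are assumptions; setting UFW_BIN=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Baseline UFW policy: deny all incoming, allow outgoing, SSH only from an
# admin subnet, HTTP/HTTPS from anywhere. UFW_BIN defaults to ufw; setting
# it to "echo" prints the commands instead of applying them (a dry run).
UFW_BIN="${UFW_BIN:-ufw}"

# Accept an IPv4 address or a CIDR such as 203.0.113.0/24 (assumed format).
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Apply the baseline. $1 = admin subnet allowed to reach SSH, $2 = SSH port
# (default 22), remaining arguments = public TCP ports (default 80 443).
apply_baseline() {
    [ $# -ge 1 ] || { echo "usage: apply_baseline ADMIN_CIDR [SSH_PORT] [TCP_PORT...]" >&2; return 1; }
    admin="$1"; ssh_port="${2:-22}"
    if [ $# -ge 2 ]; then shift 2; else shift 1; fi
    [ $# -gt 0 ] || set -- 80 443
    valid_cidr "$admin" || { echo "invalid admin subnet: $admin" >&2; return 1; }

    # Default policies first, so that any later mistake fails closed.
    "$UFW_BIN" default deny incoming
    "$UFW_BIN" default allow outgoing

    # SSH only from the admin subnet and only over TCP; this rule is added
    # before enabling so the current SSH session survives the switch-on.
    "$UFW_BIN" allow from "$admin" to any port "$ssh_port" proto tcp

    # Public services, TCP only: no reason to expose UDP for a web server.
    for p in "$@"; do
        "$UFW_BIN" allow "$p/tcp"
    done

    "$UFW_BIN" logging on
    # --force skips the "may disrupt existing ssh connections" prompt.
    "$UFW_BIN" --force enable
}

# Dry run: UFW_BIN=echo sh baseline.sh 203.0.113.0/24 2222 80 443
# Only runs when invoked directly as baseline.sh, not when sourced.
if [ "${0##*/}" = "baseline.sh" ]; then
    apply_baseline "$@"
fi
```

Check the result afterwards with ufw status verbose: the SSH rule must list only the admin subnet under From.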
Allowing services
In addition to opening ports, you can also open specific services with UFW. When you allow a service, UFW opens incoming traffic on the port or ports associated with that service (see the side note below).
You allow a service in UFW with the following command, where you replace ssh with the relevant service name:
ufw allow ssh
A side note: UFW uses configuration files (see 'available services' below) to determine which ports belong to a service, and those ports are opened when the service is allowed. For example, if you change your SSH port and then allow the SSH service in UFW, the new port will not be opened automatically; you have to open the port manually or adjust the configuration of the service in UFW.
UFW gets the port information for allowing or denying services from the file /etc/services. You can view its contents with:
nano /etc/services
In our nano and vi documentation, we explain how to quickly search for specific words (in this case, the names of services).
Denying services
Services are just as easy to close in UFW as they are opened:
ufw deny ssh
All incoming connections are closed by default, so explicitly denying a service is usually not necessary.
Deleting rules
At the beginning of this article, we set the default policy to deny all incoming connections. Every port or service you manually open or close afterwards is stored as a UFW rule. You delete such rules as follows:
ufw delete deny ssh
ufw delete allow 22/tcp
- The first command is an example for deleting a service rule, the second for deleting a port rule.
- Use deny or allow to match the rule you created: an allow rule is deleted with 'ufw delete allow ...', a deny rule with 'ufw delete deny ...'.
- Replace ssh with the name of the service, or with the port number and protocol as in the second example: 22/tcp, or just 22 for tcp and udp.
To clarify: since all incoming connections are closed by default, it is sufficient to create allow rules for ports and services and to delete those rules when they are no longer needed. Explicitly closing specific ports / services should therefore not be necessary.
Unblocking IPs
Unblocking IPs is very easy in UFW, and you can also use this method as an alternative to deleting rules by their text (see the 'Deleting rules' section). First, list all current rules with the command:
ufw status numbered
You then get an output in which all the rules are neatly numbered. You delete a specific rule with the command:
ufw delete 1
Replace 1 with the number of the rule you want to delete.
Note that after 'ufw delete 1', rule 2 becomes rule 1. It is therefore best to run ufw status numbered again after each delete, so that you do not accidentally delete the wrong rule.
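Because the remaining rules renumber after every delete, a script that removes several rules by number should delete from the highest number down. The following added example (not from the original article) does exactly that, run against a constructed status listing; the file name ufw-delete-matching.sh, the UFW_BIN variable and the sample rules are assumptions.

```shell
#!/bin/sh
# Delete every UFW rule whose "ufw status numbered" line matches a
# pattern, highest number first, so that deleting one rule does not
# renumber the rules still to be deleted. UFW_BIN defaults to ufw;
# set it to "echo" for a dry run against the constructed sample.
UFW_BIN="${UFW_BIN:-ufw}"

# Constructed sample of "ufw status numbered" output (not real data).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 2222/tcp                   ALLOW IN    203.0.113.0/24
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 2222/tcp                   ALLOW IN    198.51.100.7
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# Print the numbers of the rules whose line matches extended regex $2,
# in descending order; $1 is the status text to search.
matching_rule_numbers() {
    printf '%s\n' "$1" \
      | grep -E '^\[ *[0-9]+\]' \
      | grep -E -- "$2" \
      | sed -E 's/^\[ *([0-9]+)\].*/\1/' \
      | sort -rn
}

# Delete all rules matching $1. With the real ufw binary the live
# status is read; otherwise (dry run) the constructed sample is used.
delete_matching_rules() {
    if [ "$UFW_BIN" = "ufw" ]; then
        status=$(ufw status numbered)
    else
        status="$SAMPLE_STATUS"
    fi
    for n in $(matching_rule_numbers "$status" "$1"); do
        # --force answers the "Proceed with operation" prompt for us.
        "$UFW_BIN" --force delete "$n"
    done
}

# Dry run: UFW_BIN=echo sh ufw-delete-matching.sh 'Anywhere'
if [ "${0##*/}" = "ufw-delete-matching.sh" ]; then
    delete_matching_rules "$1"
fi
```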
This concludes our tutorial on UFW in Debian. Do you want to know more about UFW or discuss it with others? Let us know under 'Comments' at the bottom of this article or take a look at UFW's own documentation.