UFW (Uncomplicated Firewall) is a user-friendly frontend for managing iptables/nftables firewall rules in Linux systems like Ubuntu and Debian.
Below is a structured reference to the most common UFW commands. Most configuration changes require
sudo privileges.1. General Management & Status
These commands let you control the firewall state and check current active rulesets.
- Check status:
- Check detailed status (shows logging levels and default policies):
- Enable the firewall (starts on system boot):
- Disable the firewall:
- Reload the firewall (applies modifications to configuration files):
- Reset the firewall (deletes all rules and restores defaults):
2. Default Policies
Setting global policies determines how UFW treats traffic that doesn't match any specific rule. The standard recommended baseline is to block incoming and allow outgoing:
- Block all incoming traffic by default:
- Allow all outgoing traffic by default:
3. Managing Port & Protocol Rules
You can open or close ports using service names (defined in
/etc/services) or explicit port numbers. - Allow a service by name (e.g., SSH):
- Allow a specific port (both TCP and UDP):
- Allow a specific port and protocol (recommended):
- Allow a specific port range (protocol required):
- Deny traffic on a port:
- Rate limit connections (useful for preventing brute force on SSH; caps at 6 connections per 30 seconds from a single IP):
4. IP-Based Filtering
To handle connections originating from specific network locations, use these commands:
- Allow all traffic from a specific IP address:
- Block all traffic from a specific IP address:
- Allow an IP address to access a specific port:
- Allow an entire subnet (CIDR notation) to access a specific port:
5. Deleting Rules
There are two primary methods to remove rules you no longer need:
- Delete by original specification: Duplicate the exact rule you added but prepend the word
delete. - Delete by line number (Easiest for clean-up): First, list rules with assigned numbers:Then, delete using the corresponding index:
6. Application Profiles
Many packages (like Nginx, Apache, or OpenSSH) install profiles inside UFW to simplify rule management.
- List available application profiles:
- View details about a specific profile:
- Allow an application profile:
7. Logging Options
- Turn logging on/off:
- Change log level granularity (
low,medium,high,full):
Important Safety Warning: If you are configuring a remote server over SSH, always execute
sudo ufw allow ssh or sudo ufw allow 22/tcp before running sudo ufw enable. Failing to do so will immediately lock you out of your server.
No comments:
Post a Comment