How do I Set Up UFW Firewall on Ubuntu/CentOS
In this chapter, you will learn
- What is UFW Firewall?
- How to Install UFW Firewall?
- How to Enable/Disable UFW Firewall?
- How to set up Default rules?
- How to allow/deny connection in ufw?
- How to delete ufw rules?
- How to reset ufw firewall?
The firewall is really important for keeping your VPS safe. It stops any bad or strange connections from reaching your server. It checks connections as they happen and stops them if they seem suspicious or break the rules.
It's important to set up the firewall on your server well. This means only letting trusted ports connect to your server.
In this guide, we'll learn how to set up the UFW firewall on Ubuntu/CentOS Linux servers.
UFW - Uncomplicated Firewall
UFW stands for Uncomplicated Firewall. It's included in most Linux distributions, but it's disabled when you first get it. You have to set it up and then enable it.
Configure UFW Firewall
Since this might be your first time setting up a firewall on your server, here are the initial configurations you need to do:
- Install the firewall software.
- Set default rules for incoming and outgoing traffic.
- Allow necessary ports for services you want to use.
- Enable the firewall to start protecting your server.
Installing UFW Firewall
UFW firewall comes pre-installed in most Linux distributions. To check its status, follow these steps:
Check UFW Status
If available:
sudo ufw status
Status: inactive
If Unavailable:
sudo ufw status
sudo: ufw: command not found
If you discover that UFW firewall isn't installed on your Linux distribution, you can install it using the following command:
Install UFW Firewall
Ubuntu
sudo apt update
sudo apt install ufw
CentOS
sudo yum install -y epel-release
sudo yum install -y ufw
Setting up UFW Firewall
1. Enable and Disable the UFW Firewall
When using the UFW firewall, it's important to know how to turn it on and off according to your needs.
To enable it
sudo ufw enable
Firewall is active and enabled on system startup
To disable it
sudo ufw disable
Firewall stopped and disabled on system startup
2. Setting Default rules of UFW
This is the primary configuration you should apply to your firewall initially.
Deny all incoming
sudo ufw default deny incoming
[sudo] password for prashant:
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
Allow all outgoing
sudo ufw default allow outgoing
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)
3. Allow IPv6 support
If your VPS supports IPv6, make sure IPv6 support is enabled in the UFW firewall. Open the configuration file and check that IPV6 is set to yes:
sudo vi /etc/default/ufw
Example
# /etc/default/ufw
#
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes
4. Allow/Deny connections on Firewall.
At times, you'll need to permit specific connections through the firewall, like SSH ports, TCP, UDP, etc. Here's how to allow a custom port through the firewall:
1. Allow SSH Port
sudo ufw allow ssh
Rule updated
Rule updated (v6)
2. Deny ports
If you need to block a specific port, you can do it as follows:
sudo ufw deny 32542
Rule added
Rule added (v6)
5. Allow Custom Port
You can allow a custom port using the UFW firewall like this:
sudo ufw allow 41158
Rule updated
Rule updated (v6)
6. Allow www
UFW allows you to add WWW connections for a web server like this:
sudo ufw allow www
Rule added
Rule added (v6)
7. Allow FTP
You can allow FTP using UFW firewall like this:
sudo ufw allow ftp
Rule added
Rule added (v6)
8. Allow Port range
If you need to open a range of ports through the UFW firewall, you can do so like this:
sudo ufw allow 21000:21500/tcp
Rule added
Rule added (v6)
9. Allow/Deny IP Addresses
ufw also lets you allow and deny specific IP addresses.
Allow
sudo ufw allow from your_server_ip
Deny
sudo ufw deny from your_server_ip
10. Deleting the rules
You can delete specific rules from UFW like this:
Delete rules by names:
sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
3553                       ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
20/tcp                     ALLOW       Anywhere
34/udp                     ALLOW       Anywhere
8080                       ALLOW       Anywhere
1487                       ALLOW       Anywhere
22222                      DENY        Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
3553 (v6)                  ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
20/tcp (v6)                ALLOW       Anywhere (v6)
34/udp (v6)                ALLOW       Anywhere (v6)
8080 (v6)                  ALLOW       Anywhere (v6)
1487 (v6)                  ALLOW       Anywhere (v6)
22222 (v6)                 DENY        Anywhere (v6)
sudo ufw delete deny 22222
Rule deleted
Rule deleted (v6)
Delete rules by numbers:
To delete a rule by its number, you first need to list the rules with their numbers like this:
sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 3553                       ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 20/tcp                     ALLOW IN    Anywhere
[ 5] 34/udp                     ALLOW IN    Anywhere
[ 6] 8080                       ALLOW IN    Anywhere
[ 7] 1487                       ALLOW IN    Anywhere
[ 8] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 9] 3553 (v6)                  ALLOW IN    Anywhere (v6)
[10] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[11] 20/tcp (v6)                ALLOW IN    Anywhere (v6)
[12] 34/udp (v6)                ALLOW IN    Anywhere (v6)
[13] 8080 (v6)                  ALLOW IN    Anywhere (v6)
[14] 1487 (v6)                  ALLOW IN    Anywhere (v6)
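Then delete the rule by its number. The remaining rules are renumbered after each deletion, so list them again before deleting another: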
sudo ufw delete 5
Reset UFW
You also have the option to reset UFW to its default configuration. If you've set up a custom port for SSH connections, remember to allow that port in the firewall again after resetting it. Otherwise, you might get locked out of your server.
sudo ufw reset
Resetting all rules to installed defaults. This may disrupt existing ssh connections. Proceed with operation (y|n)? y
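The lockout risk above, and the earlier advice to let only trusted ports through, can both be checked against the firewall's own status output. The following is an added example, not part of the original tutorial: the function names ufw_audit and sample_status and the sample output are constructed for illustration, and it assumes rules are listed by port number rather than by app profile name.

```shell
# Added example (not from the tutorial): audit `ufw status verbose` output.
# Real use:  sudo ufw status verbose | ufw_audit 41158 "41158 80"
# Assumes rules are listed by port number (22/tcp), not by app profile name.
ufw_audit() {   # $1 = SSH port, $2 = ports expected to be open to Anywhere
    ssh_port="${1:-22}"; expected="${2:-$ssh_port}"
    awk -v ssh="$ssh_port" -v expected=" $expected " '
    function covers(spec, port,    r) {   # spec: 22, 22/tcp or 21000:21500/tcp
        sub(/\/.*/, "", spec)
        if (split(spec, r, ":") == 2) return (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0)
        return (spec + 0 == port + 0)
    }
    /^Status:/  { active  = ($2 == "active") }
    /^Default:/ { deny_in = ($2 == "deny") }   # "Default: deny (incoming), ..."
    $1 ~ /^[0-9]+(:[0-9]+)?(\/(tcp|udp))?$/ {
        if ($2 == "(v6)" || $3 != "IN") next   # audit IPv4 inbound rows only
        # ufw evaluates rules in order: the first rule covering the SSH port decides.
        if (!decided && $1 !~ /udp$/ && covers($1, ssh)) {
            if ($2 == "ALLOW" || $2 == "LIMIT") { decided = 1; ssh_ok = 1 }
            else if ($4 == "Anywhere")          { decided = 1 }
        }
        p = $1; sub(/\/.*/, "", p)
        if ($2 == "ALLOW" && $4 == "Anywhere" && !index(expected, " " p " ")) {
            print "FINDING: " $1 " is open to Anywhere but is not in the expected list"; bad++
        }
    }
    END {
        if (!active)  { print "FINDING: firewall is not active"; exit 1 }
        if (!deny_in) { print "FINDING: default incoming policy is not deny"; bad++ }
        if (!ssh_ok && (decided || deny_in)) {
            print "FINDING: SSH port " ssh " is not allowed, a new SSH session would be blocked"; bad++
        }
        exit (bad > 0)
    }'
}
sample_status() {   # constructed sample of `ufw status verbose` output
    cat <<'EOF'
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
8080                       ALLOW IN    Anywhere
22222                      DENY IN     Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}
sample_status | ufw_audit 22 "22 80" || echo "-> review the findings above"
```

Run it after every reset or rule change, passing your real SSH port as the first argument; a non-zero exit status means at least one finding was printed.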
Most useful ufw commands
# | Command | Description | Example |
---|---|---|---|
1 | enable | Enables the firewall | sudo ufw enable |
2 | disable | Disables the firewall | sudo ufw disable |
3 | default | Sets the default policy for the given traffic direction | sudo ufw default deny incoming |
4 | allow | Adds a rule that allows the connection | sudo ufw allow ssh |
5 | deny | Adds a rule that denies the connection | sudo ufw deny ssh |
6 | reject | Rejects the connection and tells the sender about it | sudo ufw reject ssh |
7 | delete rule or number | Deletes a rule by its name or number | sudo ufw delete allow 80/tcp |
8 | reload | Reloads the firewall | sudo ufw reload |
9 | reset | Resets the ufw firewall | sudo ufw reset |
10 | status | Shows the firewall status | sudo ufw status |
11 | version | Shows the firewall version | sudo ufw version |
Summary
In this tutorial, we've covered all the basic UFW configurations for your VPS Server. Make sure to apply each rule carefully and remember to enable the firewall at the end.