
ufw


NOTE: Do not copy and paste these commands unless you understand each of them.

Installation

apt -y install ufw
systemctl enable ufw

Setup

ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 22195  # no protocol given, so both tcp and udp are opened
ufw allow from <EDGE_NODE_IP> to any port 8000  # connect edge agents to portainer

ufw default reject incoming
ufw default allow outgoing
ufw default deny routed

ufw show added
ufw show listening

After reviewing, activate your firewall.

ufw --force enable
ufw status verbose

Chain Default Action

ufw [--dry-run] default allow|deny|reject [incoming|outgoing|routed]

Safe Mode (Allow all chains)

# safe mode: allow everything on every chain (only while debugging connectivity)
ufw default allow incoming
ufw default allow outgoing
ufw default allow routed

# restrictive defaults for normal operation
ufw default reject incoming  # reject answers with ICMP/TCP RST; deny would drop silently
ufw default allow outgoing
ufw default deny routed      # drop forward chain

Firewall Rules

Rule Syntax

ufw [rule]
  [delete] [insert NUM] [prepend]
  allow|deny|reject|limit
  [in|out [on INTERFACE]]
  [log|log-all]
  [proto PROTOCOL]
  [from ADDRESS [port PORT | app APPNAME ]]
  [to ADDRESS [port PORT | app APPNAME ]]
  [comment COMMENT]

Abbreviated allow syntax using Port/Protocol

ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp

Abbreviated allow syntax using Service Name

ufw allow ssh
ufw allow http
ufw allow https

Look up the service name in /etc/services and use it in place of port/protocol.

grep -wE '^(ssh|http|https)' /etc/services

Abbreviated allow syntax using UFW Application Profile

ufw allow OpenSSH
ufw allow 'Nginx Full'

# check available app profiles
ufw app list

# app profile info
ufw app info <appname>

# app profiles directory: /etc/ufw/applications.d/

Full allow incoming connection syntax

## using port/protocol
ufw allow in proto tcp to any port 22

## using service name
ufw allow in to any port ssh

## using application profile
ufw allow in to any app OpenSSH

Allow incoming connection from specific source

  • Network interface: add in on <interface> after ufw allow
  • Source IP/CIDR: add from <IP/CIDR> after ufw allow

## specific incoming interface
ufw allow in on eth0 proto tcp to any port 22
ufw allow in on eth0 to any port ssh

## specific source ip
ufw allow from 192.168.1.0/24 proto tcp to any port 22
ufw allow from 172.16.1.10 proto tcp to any port 80
ufw allow from 172.16.1.10 proto tcp to any port 443

## or both
ufw allow in on eth0 from 192.168.1.0/24 to any port 22
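The Setup procedure above and the full rule syntax (interface, source, limit, comment) combined into one script, as an added example that is not part of the original page: it applies allow rules before flipping the default policies (on an already active firewall `ufw default` takes effect immediately, so the SSH rule must exist first), then refuses to run `ufw --force enable` unless `ufw show added` really lists an SSH allow/limit rule, which is the usual remote lockout. The variables UFW, IFACE, MGMT_NET and EDGE_NODE_IP, the function names and the file name harden.sh are assumptions of this example; UFW can be pointed at a stub (UFW="echo ufw") to preview the commands without root.

```shell
#!/bin/sh
# Added example, not code from the original page. Applies the page's ruleset
# with the full rule syntax and guards `ufw --force enable` against a missing
# SSH rule. UFW, IFACE, MGMT_NET and EDGE_NODE_IP are assumed inputs.
UFW="${UFW:-ufw}"                        # set UFW="echo ufw" to preview
IFACE="${IFACE:-eth0}"                   # management interface (assumed)
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"   # management network (assumed)

apply_rules() {
    # Allow rules first: on a live firewall `ufw default` applies at once,
    # so rejecting incoming before the SSH rule exists would cut new sessions.
    # ufw's limit blocks a source that opens 6 or more connections in 30 s.
    $UFW limit in on "$IFACE" proto tcp from "$MGMT_NET" to any port 22 comment 'ssh from mgmt'

    # Public web ports.
    $UFW allow in proto tcp to any port 80 comment 'http'
    $UFW allow in proto tcp to any port 443 comment 'https'

    # Portainer edge agents, only when the caller named the edge node.
    if [ -n "${EDGE_NODE_IP:-}" ]; then
        $UFW allow in proto tcp from "$EDGE_NODE_IP" to any port 8000 comment 'portainer edge agent'
    fi

    # Policies last. reject answers with ICMP/TCP RST, deny drops silently.
    $UFW default reject incoming
    $UFW default allow outgoing
    $UFW default deny routed
}

# Reads `ufw show added` output on stdin; succeeds only if an allow/limit
# rule covers SSH by port (22, 22/tcp, port 22, port ssh) or the OpenSSH
# profile. "port 2222" or "22195" must not count, hence the ( |$) anchor.
ssh_rule_present() {
    grep -Eq '^ufw (allow|limit) (.* )?(22(/tcp)?|port (22|ssh)|OpenSSH)( |$)'
}

# Enable the firewall only after the SSH rule is confirmed in the added set.
enable_if_safe() {
    if $UFW show added | ssh_rule_present; then
        $UFW --force enable
    else
        echo "refusing to enable: no SSH allow/limit rule in 'ufw show added'" >&2
        return 1
    fi
}

# Run as root: sh harden.sh apply   (harden.sh is an assumed file name)
if [ "${1:-}" = "apply" ]; then
    apply_rules
    enable_if_safe
    $UFW status verbose
fi
```

The guard parses the same `ufw show added` text you are told to review before enabling, so it catches a ruleset that was pasted without the SSH line; it deliberately ignores deny rules and UDP-only rules for port 22.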

Show Report

Report Syntax

ufw show raw
ufw show builtins|before-rules|user-rules|after-rules|logging-rules
ufw show listening
ufw show added

Show listening ports along with firewall rules

ufw show listening

NOTE: if a listening service has no matching rule, the default action of its chain applies (the incoming policy set with ufw default).
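The note above is the reason to audit `ufw show listening`: a listener with no rule is governed only by the default policy. The following is an added example, not part of the original page, that parses that report and prints every non-loopback listening socket with no matching ufw rule. The sample report it runs over is constructed for the example, and the function names are assumptions; on a real host, pipe `ufw show listening` into unruled_listeners instead.

```shell
#!/bin/sh
# Added example, not code from the original page. Lists listening sockets
# that have no ufw rule, i.e. those handled by the default incoming policy.
# Loopback-bound sockets are skipped since inbound filtering never reaches them.
#
# Layout of `ufw show listening` that is parsed here: a "proto:" header,
# two-space-indented "PORT ADDR (PROGRAM)" socket lines, each followed by
# zero or more three-space-indented "[ N] rule" lines for matching rules.

# Usage: ufw show listening | unruled_listeners
# Output: one "proto port addr program" line per uncovered socket.
unruled_listeners() {
    awk '
        # emit the pending socket if no rule line followed it
        function flush() {
            if (pending && addr !~ /^127\./ && addr != "::1")
                print proto, port, addr, prog
            pending = 0
        }
        /^[a-z0-9]+:$/ {                      # protocol header, e.g. "tcp:" / "udp6:"
            flush()
            proto = substr($0, 1, length($0) - 1)
            next
        }
        /^  [0-9]+ / {                        # socket line: PORT ADDR (PROGRAM)
            flush()
            port = $1; addr = $2; prog = $3
            gsub(/[()]/, "", prog)
            pending = 1
            next
        }
        /^   \[/ { pending = 0; next }        # a rule matched this socket
        END { flush() }
    '
}

# Constructed sample of `ufw show listening` output (not captured from a real host).
sample_listening() {
    cat <<'EOF'
tcp:
  22 * (sshd)
   [ 1] allow 22/tcp
  80 * (nginx)
   [ 2] allow 80/tcp
  5432 127.0.0.1 (postgres)
  8000 * (docker-proxy)
tcp6:
  22 * (sshd)
   [ 1] allow 22/tcp
udp:
  53 127.0.0.53 (systemd-resolve)
  68 * (dhclient)
EOF
}

# Demo over the constructed sample; prints "tcp 8000 * docker-proxy" and
# "udp 68 * dhclient": postgres and systemd-resolve are loopback-only and skipped.
demo() {
    sample_listening | unruled_listeners
}

demo
```

In the sample, port 8000 is the Portainer edge port from the Setup section before its `ufw allow from <EDGE_NODE_IP>` rule is added; with `default reject incoming` it is closed, with the safe-mode defaults it is open to everyone, and the report alone does not tell you which, so the audit output is the list to reconcile against `ufw status verbose`.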

Show added rules

ufw show added

Control your Firewall

  • ufw enable: activate ufw by adding all ufw iptables rules
  • ufw disable: remove all ufw iptables rules
  • ufw reload: reload config (e.g. /etc/default/ufw, /etc/ufw/*)

Status: Check UFW Status

Syntax: ufw status [verbose|numbered]