UFW: Uncomplicated Firewall

The Uncomplicated Firewall (ufw) is a command-line frontend for iptables. The rules it installs are ordinary netfilter rules, so you can always inspect what it has done with iptables -L -n -v.

Links

Uncomplicated Firewall:
http://en.wikipedia.org/wiki/Uncomplicated_Firewall
https://launchpad.net/ufw
Documentation:
https://wiki.ubuntu.com/UncomplicatedFirewall
https://help.ubuntu.com/community/UFW

Setting up your first firewall

This section is written as a tutorial that walks you through enabling your first firewall on a machine you administer over a remote SSH connection.

The first thing to avoid is locking yourself out of the remote system when you enable the firewall: ufw's default policy denies incoming connections, so new SSH sessions will be refused until you add an allow rule for the SSH port, and ufw itself warns that enabling it may disrupt the session you are working in. This tutorial sets up a safety net so that a mistake costs you at most a minute of downtime rather than a trip to the console.

Note that all the commands below should be run as root.

First, check the firewall status:

# ufw status
Status: inactive

Check whether any iptables rules are already loaded. The following output shows an empty ruleset with an ACCEPT policy on all three chains, i.e. no filtering at all:

# iptables -L -n -v
Chain INPUT (policy ACCEPT 2793K packets, 569M bytes)
pkts bytes target     prot opt in     out     source               destination        

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 1768K packets, 5488M bytes)
pkts bytes target     prot opt in     out     source               destination   

Now, before enabling ufw, add a cron job that disables ufw every minute (it is a harmless no-op while the firewall is already inactive). Edit /etc/crontab and add the following entry:
*/1 *  * * * root ufw disable
Ensure that cron is running normally: ufw disable prints a status line on every run, so root receives a mail from this job each minute. If no mail arrives, the safety net is not working and you should not proceed.
Then you are ready to enable the firewall:

# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
# ufw status
Status: active

and after a minute:
# ufw status
Status: inactive

Now you can test your brand new firewall. If a minute is too short, change the schedule so the job runs every 5, 10 or 20 minutes (*/5, */10, */20) to give yourself time. If you lock yourself out, cron will disable the firewall at its next run and you will be able to log back in. Two things remain before the job is done: add a rule that admits your SSH port (for example ufw allow 22/tcp, or ufw limit 22/tcp to also rate-limit brute forcing), since ufw denies incoming connections by default; and, once you are satisfied with the rules, remove the cron entry and re-enable ufw. A forgotten entry means the firewall silently turns itself off every minute: the host looks protected but is not.

Check the active iptables rules again: you will now see the chains and rules that ufw installs by default:

# iptables -L -n -v
// long output snipped.
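The procedure above, wrapped into a small POSIX shell script so that the safety net is installed, checked and removed the same way every time. This is an added example, not part of the wiki page or of the ufw project. It assumes a root shell on a Debian/Ubuntu-style system (/etc/crontab, /etc/ssh/sshd_config) and goes one step beyond the tutorial by reading the sshd port and allowing it before enabling; the page itself relies on the cron job alone. The subcommand names, the ufw-safety-net marker comment and the helper function names are this example's own.

```shell
#!/bin/sh
# Added example: safety-net wrapper around the "enable ufw over SSH" procedure.
# Not from the wiki page or from ufw itself. Assumes a root shell on a
# Debian/Ubuntu-style system (/etc/crontab, /etc/ssh/sshd_config); the marker
# comment and subcommand names are this example's own.
#
#   sh ufw-safe-enable.sh arm 5      # cron disables ufw every 5 minutes
#   sh ufw-safe-enable.sh enable     # allow the sshd port, then ufw enable
#   ... test from another terminal ...
#   sh ufw-safe-enable.sh commit     # remove the cron line, keep the firewall

ROLLBACK_TAG='# ufw-safety-net'      # cron hands the command to sh, so this is a shell comment
CRONTAB=${CRONTAB:-/etc/crontab}
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

# Print the /etc/crontab line that disables ufw every N minutes (N = 1..59).
cron_rollback_line() {
    cr_n=$1
    case $cr_n in
        ''|*[!0-9]*) echo "interval must be a number of minutes" >&2; return 1 ;;
    esac
    if [ "$cr_n" -lt 1 ] || [ "$cr_n" -gt 59 ]; then
        echo "interval must be between 1 and 59" >&2; return 1
    fi
    printf '*/%s * * * * root ufw disable %s\n' "$cr_n" "$ROLLBACK_TAG"
}

# Read sshd_config on stdin and print the port sshd listens on (default 22).
# sshd uses the first value it sees for a keyword, so we do the same.
ssh_port_from_config() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; found = 1; exit }
         END { if (!found) print 22 }'
}

# Read "ufw status" output on stdin; succeed only if the firewall is active.
ufw_status_active() {
    grep -q '^Status: active'
}

arm() {     # install the rollback line (what the tutorial does by hand)
    cron_rollback_line "$1" >> "$CRONTAB"
}

disarm() {  # remove every line we added; leave the rest of the crontab intact
    grep -v -F "$ROLLBACK_TAG" "$CRONTAB" > "$CRONTAB.tmp" || [ $? -eq 1 ]  # 1 = nothing left, not an error
    cat "$CRONTAB.tmp" > "$CRONTAB" && rm -f "$CRONTAB.tmp"   # cat keeps /etc/crontab's owner and mode
}

enable_with_ssh() {
    port=$(ssh_port_from_config < "$SSHD_CONFIG")
    ufw allow "$port/tcp"          # our addition: admit SSH before the default deny applies
    ufw --force enable             # --force skips the "may disrupt existing ssh connections" prompt
    ufw status | ufw_status_active
}

case ${1:-} in
    arm)    arm "${2:-1}" ;;
    enable) enable_with_ssh ;;
    commit) disarm ;;
esac
```

Run arm first and confirm root is receiving the cron mail before running enable; commit only after you have opened a fresh SSH session from another terminal with the firewall active. If the script is run with no subcommand it only defines the helpers, which is what allows them to be tested without ufw installed.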
