ufw: Simple Firewall Management on Ubuntu/Debian
Problem
iptables is too complex for straightforward server hardening — writing and maintaining individual rules by hand is error-prone for the common cases (open a few service ports, restrict one port to a subnet, block the rest).
Solution
Use ufw (Uncomplicated Firewall) as a frontend to iptables for common allow/deny rules.
# Check status (shows "Status: inactive" until ufw is enabled)
ufw status verbose
# Allow SSH BEFORE enabling — CRITICAL on a remote server, or you lock yourself out
ufw allow ssh
ufw allow 22/tcp      # equivalent form; "ssh" resolves to 22/tcp via /etc/services
# Enable ufw (default policy: deny all incoming, allow all outgoing)
ufw enable
# Allow common services
ufw allow http
ufw allow https
ufw allow 5432/tcp    # PostgreSQL, open to everyone
# Allow a port from a specific subnet only (use this INSTEAD of the blanket
# 5432/tcp rule above; with both present the subnet restriction has no effect)
ufw allow from 192.168.1.0/24 to any port 5432
# Deny a port
ufw deny 23/tcp
# Delete a rule by repeating it after "delete"
ufw delete allow http
# Numbered rules for precise deletion
ufw status numbered
ufw delete 3
# Reset all rules (disables ufw and removes every user-added rule)
ufw reset
Why
ufw translates simple allow/deny commands into correct iptables rules, and into the matching IPv6 rules via ip6tables. It adds the stateful connection-tracking rule (accept ESTABLISHED/RELATED traffic) automatically, so replies to outbound connections are not blocked by the default deny policy.
Gotchas
- Enabling ufw without allowing SSH first will lock you out of a remote server immediately.
- ufw does not manage Docker's iptables rules — Docker bypasses ufw by writing directly to iptables.
- Rules are evaluated in order — more specific rules should come before broader ones.
- ufw status shows the user-visible rules, not the actual iptables chains — use iptables -L (and ip6tables -L) to see everything.
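Both the "allow SSH before enabling" step in the solution and the lockout gotcha above come down to one check: never run ufw enable on a remote host unless a rule admitting SSH is already in the rule set. The guard below is an added example written for this page, not code from the ufw project. It assumes ufw is on PATH and is run as root, that SSH listens on 22/tcp (override with SSH_PORT), and that ufw show added prints one "ufw allow ..."/"ufw limit ..." line per user rule, which is what makes it usable while the firewall is still inactive (ufw status shows no rules then). The sample rule listings are constructed for the offline self-check.

```shell
#!/bin/sh
# Lockout guard for "ufw enable" (added example, not part of the original page).
# Assumption: ufw on PATH, run as root; SSH on 22/tcp unless SSH_PORT is set.
SSH_PORT="${SSH_PORT:-22}"

# ufw_has_ssh_rule: read "ufw show added" output on stdin; exit 0 if some rule
# admits SSH. Accepts the forms ufw records for "ufw allow ssh"/"ufw allow 22/tcp"
# ("ufw allow 22/tcp"), the OpenSSH app profile, "ufw limit ..." (rate-limited
# but still admitted) and "... to any port 22" source-restricted rules.
# It does not reason about deny rules placed before the allow; it is a lockout
# guard, not a full policy check.
ufw_has_ssh_rule() {
    pat="^ufw (allow|limit) (in )?(($SSH_PORT(/tcp)?|ssh|OpenSSH)([[:space:]]|\$)|.*[[:space:]]port $SSH_PORT([[:space:]]|\$))"
    grep -Eq "$pat"
}

# safe_ufw_enable: enable ufw only when an SSH rule exists. Returns 0 after
# enabling, 1 when enabling was refused (nothing is changed in that case).
safe_ufw_enable() {
    added="$(ufw show added)"
    if ! printf '%s\n' "$added" | ufw_has_ssh_rule; then
        echo "refusing to enable ufw: no rule admits SSH on port $SSH_PORT/tcp" >&2
        echo "run first: ufw allow $SSH_PORT/tcp   (or: ufw allow OpenSSH)" >&2
        return 1
    fi
    # --force skips the interactive "may disrupt existing ssh connections"
    # prompt; the check above is what makes skipping it acceptable.
    ufw --force enable
}

# Constructed samples of "ufw show added" output (not captured from a real host).
SAMPLE_WITH_SSH="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp"

SAMPLE_NO_SSH="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow 443/tcp"

case "${1:-}" in
    enable)
        # Real run: sh guard.sh enable   (as root)
        safe_ufw_enable
        ;;
    *)
        # Offline self-check against the constructed samples; no ufw needed.
        printf '%s\n' "$SAMPLE_WITH_SSH" | ufw_has_ssh_rule \
            && echo "sample 1: SSH admitted, enable would proceed"
        printf '%s\n' "$SAMPLE_NO_SSH" | ufw_has_ssh_rule \
            || echo "sample 2: no SSH rule, enable would be refused"
        ;;
esac
```

Run it with the argument enable to perform the guarded enable; with no argument it only exercises the matcher on the embedded samples. The check deliberately reads ufw show added rather than ufw status, because before the first ufw enable the status output lists no rules at all, which is exactly the moment the lockout happens.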