ufw - Manage firewall with UFW

Author:Aleksey Ovcharenko, Jarno Keskikangas, Ahti Kitsik

Synopsis

New in version 1.6.

Manage firewall with UFW.

Options

parameter required default choices comments
delete no
  • yes
  • no
Delete rule.
direction no
  • in
  • out
  • incoming
  • outgoing
Select direction for a rule or default policy command.
from_ip no any
    Source IP address.
    from_port no
      Source port.
      insert no
        Insert the corresponding rule as rule number NUM
        interface no
          Specify interface for rule.
          log no
          • yes
          • no
          Log new connections matched to this rule
          logging no
          • on
          • off
          • low
          • medium
          • high
          • full
          Toggles logging. Logged packets use the LOG_KERN syslog facility.
          name no
            Use profile located in /etc/ufw/applications.d
            policy no
            • allow
            • deny
            • reject
            Change the default policy for incoming or outgoing traffic.
            proto no
            • any
            • tcp
            • udp
            • ipv6
            • esp
            • ah
            TCP/IP protocol.
            rule no
            • allow
            • deny
            • reject
            • limit
            Add firewall rule
            state no
            • enabled
            • disabled
            • reloaded
            • reset
            enabled reloads firewall and enables firewall on boot.disabled unloads firewall and disables firewall on boot.reloaded reloads firewall.reset disables and resets firewall to installation defaults.
            to_ip no any
              Destination IP address.
              to_port no
                Destination port.

                Note

                Requires ufw package

                Examples


                # Allow everything and enable UFW
                ufw: state=enabled policy=allow
                
                # Set logging
                ufw: logging=on
                
                # Sometimes it is desirable to let the sender know when traffic is
                # being denied, rather than simply ignoring it. In these cases, use
                # reject instead of deny. In addition, log rejected connections:
                ufw: rule=reject port=auth log=yes
                
                # ufw supports connection rate limiting, which is useful for protecting
                # against brute-force login attacks. ufw will deny connections if an IP
                # address has attempted to initiate 6 or more connections in the last
                # 30 seconds. See  http://www.debian-administration.org/articles/187
                # for details. Typical usage is:
                ufw: rule=limit port=ssh proto=tcp
                
                # Allow OpenSSH
                ufw: rule=allow name=OpenSSH
                
                # Delete OpenSSH rule
                ufw: rule=allow name=OpenSSH delete=yes
                
                # Deny all access to port 53:
                ufw: rule=deny port=53
                
                # Allow all access to tcp port 80:
                ufw: rule=allow port=80 proto=tcp
                
                # Allow all access from RFC1918 networks to this host:
                ufw: rule=allow src={{ item }}
                with_items:
                - 10.0.0.0/8
                - 172.16.0.0/12
                - 192.168.0.0/16
                
                # Deny access to udp port 514 from host 1.2.3.4:
                ufw: rule=deny proto=udp src=1.2.3.4 port=514
                
                # Allow incoming access to eth0 from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
                ufw: rule=allow interface=eth0 direction=in proto=udp src=1.2.3.5 from_port=5469 dest=1.2.3.4 to_port=5469
                
                # Deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on this host.
                # Note that IPv6 must be enabled in /etc/default/ufw for IPv6 firewalling to work.
                ufw: rule=deny proto=tcp src=2001:db8::/32 port=25

                Note

                See man ufw for more examples.

                Table Of Contents

                Previous topic

                sysctl - Manage entries in sysctl.conf.

                Next topic

                user - Manage user accounts