Home
Company News
Linux Tutorials
Product News
Windows Tutorials
Safeguarding Your Linux Server with UFW: A Complete Guide

UFW (Uncomplicated Firewall) is a Linux utility for managing firewall rules.
It provides a simplified interface for managing iptables, allowing users to easily configure and manage network security settings without learning the complex syntax of iptables commands.

UFW is included with many Linux distributions by default, including Ubuntu, Debian, and some other Debian-based distributions. However, it can also be installed on other Linux systems if it is not already included.

If you prefer directly manipulating your firewall's rules, check our essential iptables guide here.

Using IPv6 with UFW

Your AlphaVPS service comes with included IPv6 connectivity.
IPv6 support for UFW is enabled by default. This ensures that your firewall rules are added for IPv6 as well.

Starting UFW

UFW can be started by running the following command:

sudo ufw enable

This ensures that your firewall is active and enabled to start on boot.
If you want to stop it, simply run:

sudo ufw disable

Before activating your firewall, we advise setting up your firewall rules first.
Otherwise, directly setting firewall rules via a remote connection while ufw is active may lead to accidental lock-outs.
For example, if you set your default policy directly to deny without an added exception, this will severe your ssh connection. If this happens, you will need to log in via the console in your clients' area panel and disable the rule.

The UFW configuration file can be found in the /etc/default/ directory.
Type nano /etc/default/ufw to open the configuration file.

You can check the status of UFW and the currently-active rules by running:

sudo ufw status

or

sudo ufw status verbose

Default Policies

The default policies of your firewall are rules that handle the traffic that does not explicitly match your other rules. Initially, UFW denies all incoming connections and allows all outgoing connections.

Your default  policies can be set with the following example commands:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Allowing SSH Connections


If you have set your default Input policy to DENY, all incoming connections, including SSH or HTTP, will be rejected.  If you want to access your AlphaVPS service remotely, you will need to allow incoming SSH connections.

This can be done by running the following command:

sudo ufw allow ssh

This will enable SSH connection on your default SSH port.
Of course, instead of ssh you can directly specify the port, which does absolutely the same.

sudo ufw allow 22

If you have modified your SSH configuration and changed your port to a different one, you will have to specify it as in the command below.

sudo ufw allow 2225

Now that incoming ssh connections are enabled, you can safely enable UFW.

sudo ufw enable

You can also allow ssh connection to be established only from specific IPs.
An example command is:

sudo ufw allow from "ip-address-here" to any port 22

Allowing Other Connections

Specific IP address

If you want to allow connections from a specific IP address, you can run the following command:

sudo ufw allow from "ip-address-here"

You are also able to specify which port can the IP address access:

sudo ufw allow from "ip-address-here" to any port "port-number-here"

Specific subnet

If you want to allow connection from  a whole subnet, you can specify it by running the following command:

sudo ufw allow from "ip-address-subnet-here"/"prefix-length"
#example sudo ufw allow from 1.1.1.1/24

You are also able to specify which port can the subnet access:

sudo ufw allow from "ip-address-subnet-here"/"prefix-length" to any port "port-number-here"

Allowing HTTP/HTTPS Connections

  • from everywhere
ufw allow 80,443
  • from a specific IP address
sudo ufw allow from "ip-address-here" to any port 80,443
  • from a specific subnet
sudo ufw allow from "ip-address-subnet-here"/"prefix-length" to any port 80,443

Rejecting Connections

By default, UFW is configured to deny all incoming connections.
If for some reason, you have changed this default policy to accept them and want to add connections that need to be rejected, you can specify rules, which reject connections from specific IP addresses, subnets, or ports. This is done similarly to the "allow" rules specified above.
Instead of "allow", you must type "deny".

From a specific IP address

sudo ufw deny from "ip-address-here"
  • specific port
sudo ufw deny from "ip-address-here" to any port "port-number-here"

From a specific subnet

sudo ufw deny from "ip-address-subnet-here"/"prefix-length"
  • specific port
sudo ufw deny from "ip-address-subnet-here"/"prefix-length" to any port "port-number-here"

Deleting Rules

Of course, UFW's firewall rules can be deleted.
Firewall rules can be deleted by either their number or by directly referring to the rule.

If you want to see your firewall rules with their respective number, you can run the following command:

sudo ufw status numbered

Each rule has its number wrapped in brackets.
You can delete the rule by running:

sudo ufw delete 'rule-number-here'

Alternatively, you can also delete the rule by passing a direct reference to it:

sudo ufw delete allow http
sudo ufw delete allow 80

If you want to reset all of your firewall rules, you can use the following command:

sudo ufw reset

This will reset your firewall to its initial state.
All changed default policies will be reverted and all custom rules will be deleted.

Application profiles

Application profiles in UFW are predefined sets of firewall rules that can be applied to specific applications.

UFW comes with several application profiles pre-installed. We can list them by running:

sudo ufw app list

You will receive a similar output:

Available applications:
  Apache
  Apache Full
  Apache Secure
  OpenSSH

The "Apache" profile allows incoming traffic on ports 80 (HTTP) and 443 (HTTPS), while blocking all other traffic.

The "OpenSSH" profile allows incoming traffic on port 22 (SSH) while blocking all other traffic

You can enable a profile by simply running the following:

sufo ufw allow "profile-name"
#example sudo ufw allow Apache

You are also able to create your own custom profiles by defining a set of firewall rules for a specific application and saving them as a profile file in the /etc/ufw/applications.d directory.

This is done by creating a file in the /etc/ufw/applications.d directory.
Enabling the custom profile is done by referring to the filename with the command above. Make sure that you name your file conveniently.

cd /etc/ufw/applications.d
sudo mkdir MyApp

Before defining the rules in your file, it would be a good idea to check what ports is your application using. You can refer to the application documentation for this.

An example profile file is:

[ProfileName]
title=Custom Application Profile
description=Allow incoming traffic for our application
ports=80/tcp,443/tcp
protocols=tcp,udp

The title field provides a descriptive name for the profile, which will be displayed when viewing the UFW rules.

The description field provides information about the profile and its purpose.

The ports field lists the ports that the application uses.

The protocols field specifies which protocols the application uses.

Specific IPs or Subnets

To enable connections from or to specific IP addresses, you can add the following lines to your profile file.

from="ip-address-here"
to="ip-address-here"

In the same way, you can also add whole subnets:

from="ip-address-subnet-here"/"prefix-length"
to="ip-address-subnet-here"/"prefix-length"

Vladislav Peev

5 min read