Lesson 101: ufw Command
In this lesson, you’ll learn how to use ufw to manage your Linux firewall, enabling/disabling it, controlling ports and services, and creating rules without needing deep iptables knowledge.
UFW is a frontend for iptables, Linux's built-in packet filtering framework. While iptables is extremely powerful, its syntax is complex and unforgiving.
UFW was created specifically to make common firewall tasks straightforward without sacrificing control.
It is the default firewall tool on Ubuntu and Debian, and is available on most other distributions.
Every rule you create with ufw translates directly into iptables rules applied to the kernel's netfilter framework.
UFW is the right tool for the vast majority of server hardening scenarios — web servers, database servers, VPS instances, and development machines.
For highly complex multi-interface routing and stateful inspection needs, nftables or direct iptables rules are more appropriate.
Installation
UFW comes pre-installed on Ubuntu and Debian. To install it on other distributions:
sudo apt install ufw # Debian/Ubuntu
Or:
sudo dnf install ufw # Fedora/RHEL 9+
Syntax
ufw [OPTIONS] COMMAND
Common Commands Overview
| Command | Description |
|---|---|
| ufw status | Show firewall status and active rules |
| ufw enable | Enable the firewall |
| ufw disable | Disable the firewall |
| ufw reset | Reset all rules to defaults |
| ufw allow | Allow traffic matching a rule |
| ufw deny | Deny traffic matching a rule (silently drop) |
| ufw reject | Reject traffic matching a rule (send error back) |
| ufw delete | Delete an existing rule |
| ufw reload | Reload firewall rules without disabling |
| ufw logging | Enable or configure firewall logging |
| ufw app list | List available application profiles |
Understanding UFW's Default Policy
UFW works on a default policy model, where traffic is either allowed or denied by default, and individual rules create exceptions to that policy:
| Direction | Recommended Default | Meaning |
|---|---|---|
| Incoming | deny | Block all inbound traffic unless explicitly allowed |
| Outgoing | allow | Permit all outbound traffic unless explicitly blocked |
| Forwarded | deny | Block all routed/forwarded traffic by default |
This is the correct posture for most servers: restrictive inbound, permissive outbound. You then selectively open only the ports your services need.
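An added example, not part of the lesson, that turns this policy model into a small POSIX shell script (assumed host: a web server administered over SSH, so 22/tcp, 80/tcp and 443/tcp are the constructed allow list). It sets the three defaults, adds the allow rules, and only then enables the firewall, so the SSH rule is already in place when enabling on a remote host; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Baseline ufw setup following the lesson's policy model: deny inbound,
# allow outbound, deny routed, then open only the ports this host needs.
# The SSH allow rule is added BEFORE `ufw enable` so that enabling the
# firewall over a remote session cannot lock the administrator out.
# Set DRY_RUN=1 to print the commands instead of executing them.

# Assumption: a web server administered over SSH (constructed list).
ALLOWED_SERVICES="22/tcp 80/tcp 443/tcp"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'sudo ufw %s\n' "$*"
    else
        sudo ufw "$@"
    fi
}

# Refuse to proceed unless an SSH rule is in the allow list.
check_ssh_allowed() {
    case " $ALLOWED_SERVICES " in
        *" 22/tcp "* | *" ssh "* | *" OpenSSH "*) return 0 ;;
        *) echo "refusing: no SSH rule in ALLOWED_SERVICES" >&2; return 1 ;;
    esac
}

# Apply (or print) the full rule set in a safe order.
ufw_baseline() {
    check_ssh_allowed || return 1
    run default deny incoming
    run default allow outgoing
    run default deny routed
    for svc in $ALLOWED_SERVICES; do
        run allow "$svc"
    done
    # --force skips the interactive prompt about disrupting SSH sessions.
    run --force enable
    run status verbose
}

# Usage: ./ufw_baseline.sh dry-run   (preview)   or   ./ufw_baseline.sh apply
case "${1:-}" in
    dry-run) DRY_RUN=1; ufw_baseline ;;
    apply)   ufw_baseline ;;
esac
```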
1. Check Firewall Status
sudo ufw status
Status: inactive
Or when active with rules:
sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
For more detail, including rule numbers (needed for deletion):
sudo ufw status numbered
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
For the most verbose output, including default policies: