UFW is a simple firewall management tool that allows you to manage iptables/netfilter rules on your system, and it is an essential tool for securing your network. If you are installing new apps on your system that need specific ports open or closed, then this tutorial is for you.
In this tutorial you will learn how to open/close a port or multiple ports on your firewall on Linux.
1) Open a port on UFW
To open a port on your firewall, type the command below, replacing 80 with the port you want to open.
sudo ufw allow 80
You can also open a port by using the service name. To get the full list of services, use the less command as shown below.
less /etc/services

The above command will display the full list of services and the port each service uses. So when you need to open, let's say, port 80, you can do so by executing this command
sudo ufw allow http
Close a port on UFW
Whether you want to block connections to a port or close a port that was previously used by an app you no longer use, the command below will do that for you.
sudo ufw deny 25
You can also close a port by using the service's name, just like you can open a port by using the service's name.
For example, to block port 25, which is the SMTP port, you can use the command below
sudo ufw deny smtp
2) Open TCP/UDP port on UFW
You can also open a port and specify the protocol it is opened for.
The commands below open port 9090 for both TCP and UDP connections
sudo ufw allow 9090/tcp
sudo ufw allow 9090/udp
Close TCP/UDP port
Note: This command will block port 53 only for the TCP protocol
sudo ufw deny 53/tcp
The syntax should look like this
sudo ufw allow/deny port/protocol
3) To Allow connections from a specific IP address
If you want to allow connections to your server/computer from a specific IP, then you can use the command below
sudo ufw allow from 192.168.0.1
Since we are not specifying any port or protocol it means the IP that you are setting on the rule above will be able to connect to any port that is open on your server.
Deny Connections from a specific IP address
To deny connections from a specific IP address, for example to stop a known malicious IP address from reaching your server, use the command below
sudo ufw deny from IP-address-here
4) Allow connections from IP Subnet
If you want to allow connections from an IP subnet use the command below
sudo ufw allow from 192.168.0.1/24
Block Connections from IP Subnet
If you need to block access for a full subnet use the command below
sudo ufw deny from 192.168.0.1/24
This will block all IP addresses on that subnet. Use this rule only if you know what you are doing, because you can end up blocking a whole country's IP addresses. For example, if you have a website, you could block users you didn't mean to block from reaching it.
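To see how much a subnet rule covers before adding it, the sketch below (an added example, not part of the original tutorial) computes the network and address count for an IPv4 CIDR; 192.168.0.1/24 names the whole 192.168.0.0/24 block. The function names and the default minimum prefix of 24 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: show what an IPv4 CIDR really covers before denying it.
# cidr_scope prints "<network>/<prefix> <address count>".
cidr_scope() {
    case "$1" in */*) ;; *) set -- "$1/32" ;; esac     # bare IP = one address
    addr="${1%/*}"; prefix="${1#*/}"
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs    # split the four octets
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    count=$(( 1 << (32 - prefix) ))                    # addresses in the block
    net=$(( ip & ~(count - 1) ))                       # clear the host bits
    printf '%d.%d.%d.%d/%d %d\n' $(( (net >> 24) & 255 )) \
        $(( (net >> 16) & 255 )) $(( (net >> 8) & 255 )) $(( net & 255 )) \
        "$prefix" "$count"
}

# deny_guard CIDR [MIN_PREFIX]: refuse prefixes shorter than MIN_PREFIX
# (default 24, an assumed policy) and otherwise print the rule to run.
deny_guard() {
    scope=$(cidr_scope "$1"); min="${2:-24}"
    net="${scope%% *}"; count="${scope##* }"
    if [ "${net#*/}" -lt "$min" ]; then
        echo "refusing: $net covers $count addresses" >&2
        return 1
    fi
    echo "sudo ufw deny from $net"
}

deny_guard 192.168.0.1/24      # prints: sudo ufw deny from 192.168.0.0/24
```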
5) Allow connections from a trusted IP to a specific port
For example, if you want to secure SSH logins so that only your IP can connect to your server, you can use the command below. This rule allows the IP you specify to connect to port 22; other addresses stay blocked as long as no other rule opens that port.
sudo ufw allow from 192.168.0.1 to any port 22
Deny connections from an IP address to a specific port
To block connections from an IP address to port 22, use the command below
sudo ufw deny from 192.168.0.1 to any port 22
Enable UFW after setting firewall rules
Once you have opened or closed ports or made any other changes to your firewall rules, you need to enable UFW for them to take effect, using the command below
sudo ufw enable
This command will enable the firewall on your system. To check that the firewall has started successfully and is running correctly, use the status command
sudo ufw status
Note: The default rules on ufw block all incoming connections and allow all outgoing ones. This means any IP trying to reach your server won't be able to, and only connections made from your server will be allowed. This configuration is useful for home networks, but when you are installing ufw on an SSH server you need to make sure you allow connections to port 22, because if you enable ufw while you are connected to your server over SSH without opening port 22 first, it will disconnect you from the server.
So, to avoid locking yourself out of your server, make sure to allow connections on port 22 by running the command below
sudo ufw allow ssh
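The lockout described above can be caught before it happens. The script below is an added example, not part of the original tutorial: it reads the output of `sudo ufw show added` (the rules queued so far) and confirms that an allow rule covers the SSH port before enabling the firewall. The function names and the sample rule list are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check to run before `sudo ufw enable` over SSH.
# ssh_allowed reads `ufw show added` output on stdin, prints the first allow
# rule that covers TCP port $1 (default 22) and returns 0; returns 1 if none.
ssh_allowed() {
    port="${1:-22}"
    while read -r line; do
        case "$line" in
            "ufw allow "*|"ufw limit "*) rule="${line#ufw * }" ;;
            *) continue ;;                      # header, deny and reject lines
        esac
        case "$rule" in
            *"proto udp"*|*/udp) continue ;;    # SSH is TCP
            "$port"|"$port/tcp") ;;
            *" to "*" port $port"|*" to "*" port $port "*) ;;
            ssh|ssh/tcp|OpenSSH) [ "$port" = 22 ] || continue ;;
            *) continue ;;   # source-only rules are not counted (errs on refusing)
        esac
        printf '%s\n' "$line"
        return 0
    done
    return 1
}

# Hypothetical wrapper: enable UFW only when the check passes.
safe_enable() {
    if sudo ufw show added | ssh_allowed "${1:-22}" >/dev/null; then
        sudo ufw enable
    else
        echo "no allow rule for SSH port ${1:-22}; run 'sudo ufw allow ssh' first" >&2
        return 1
    fi
}

# Constructed sample of `ufw show added` output (not captured from a real host).
sample="Added user rules (see 'ufw status' for running firewall):
ufw allow 80
ufw deny 25
ufw allow from 192.168.0.1 to any port 22"
printf '%s\n' "$sample" | ssh_allowed 22
```

A rule restricted to one source address passes the check, so read the printed rule and confirm it matches the address you are connecting from.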
Delete Rules
If you want to delete a rule that you no longer need, or that you added by mistake, don't worry: deleting a ufw rule is as simple as adding one. All you need to do is use the delete parameter in front of the allow or deny rule.
For example, let's say you added this rule that allows connections to port 80
sudo ufw allow 80
To delete this rule, simply run the command below
sudo ufw delete allow 80
The same parameter applies to connections that you blocked
sudo ufw delete deny 80
The command above will delete the rule that is blocking the connection to port 80
Disable UFW
If you want to disable UFW, run the disable command
sudo ufw disable
To reset UFW rules
Use the reset command in cases when you need to reset UFW rules to default.
sudo ufw reset
Conclusion
By now you should know the most common ufw firewall rules that you'll need to secure your network. To get the full list of UFW commands, you can run the command man ufw