UFW Howto

Uncomplicated Firewall howto, tips, tricks and recipes
Posted by Joost Faassen on 2016-04-09

UFW (Uncomplicated Firewall) is a simple front-end for iptables.

Recipes

List current firewall rules

ufw status # Default output: the rule list only
ufw status verbose # Also shows logging, default policies and new-profile handling

Example output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere
22                         ALLOW       192.168.178.9
80 (v6)                    ALLOW       Anywhere (v6)

Enabling / Disabling the firewall

The following commands enable or disable the firewall and also update the startup configuration, so that the firewall is (or is no longer) started automatically on boot.

ufw enable
ufw disable

Allowing access

ufw allow 53 # Allow incoming UDP and TCP traffic on port 53 (DNS)
ufw allow 53/tcp # Allow only incoming TCP traffic on port 53
ufw allow 53/udp # Allow only incoming UDP traffic on port 53
ufw allow from 192.168.178.9 to any port 99/tcp # Allow TCP port 99 from the given IP only
ufw allow 1000:2000/tcp # Allow a port range
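The commands above are usually typed one at a time, which is how people lock themselves out: `ufw enable` with a default-deny policy and no SSH rule yet cuts off the session you are working from. The script below is an added example, not code from the post, that composes the same ufw commands into a reproducible baseline in a safe order. ADMIN_NET and SSH_PORT are assumed values; UFW_BIN is a hypothetical variable that lets you dry-run the script (UFW_BIN=echo) before applying it as root.

```shell
#!/bin/sh
# Baseline UFW policy as a reproducible script (added example; not from the post).
# UFW_BIN defaults to the real ufw binary; set UFW_BIN=echo for a dry run that
# prints the commands instead of applying them.
UFW_BIN="${UFW_BIN:-ufw}"

# Assumed values for this example: the admin network allowed to reach SSH,
# and the SSH port.
ADMIN_NET="${ADMIN_NET:-192.168.178.0/24}"
SSH_PORT="${SSH_PORT:-22}"

apply_baseline() {
    # Order matters on a remote host: the SSH allow rule goes in before the
    # default policy is switched to deny and the firewall is enabled, otherwise
    # the session you are working from is cut off.
    "$UFW_BIN" allow from "$ADMIN_NET" to any port "$SSH_PORT" proto tcp &&
    "$UFW_BIN" default deny incoming &&
    "$UFW_BIN" default allow outgoing &&
    "$UFW_BIN" allow 80/tcp &&
    "$UFW_BIN" allow 443/tcp &&
    "$UFW_BIN" logging low &&
    "$UFW_BIN" --force enable    # --force skips the interactive "Proceed?" prompt
}

# Nothing runs unless asked for, so sourcing the file only defines the function.
case "${1:-}" in
    --apply)   apply_baseline ;;
    --dry-run) UFW_BIN=echo; apply_baseline ;;
esac
```

Run it as `sh baseline.sh --dry-run` first to see the exact ufw invocations, then `sudo sh baseline.sh --apply`. Because each command is chained with `&&`, a rejected rule stops the script before `enable`, so a typo never leaves you with an enabled firewall and a half-applied policy.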

Advanced

ufw show raw # Show the raw iptables rules
ufw delete deny 80/tcp # Delete a rule by prefixing the same rule with 'delete'
ufw status numbered # List rules with rule numbers
ufw delete [number] # Delete a rule by its number
ufw reset # Disable the firewall and reset all rules to the installed defaults

UFW + Docker (beware!)

It is important to know that Docker writes iptables rules directly. ufw status may therefore show a firewall that blocks all incoming ports while, as soon as you start a Docker container with a published port, Docker has added its own iptables rules allowing access to that port, bypassing the UFW rules entirely.

You can disable this behaviour by editing /etc/default/docker and changing the DOCKER_OPTS value:

DOCKER_OPTS="--iptables=false"

Be sure to restart the Docker daemon afterwards using:

service docker restart
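Whether or not you turn Docker's iptables handling off, the practical question is: which ports are open on this host that ufw status does not show? Note that /etc/default/docker is read by the sysvinit/upstart service script; on systemd-based installs the equivalent setting is "iptables": false in /etc/docker/daemon.json, so checking the outcome is more reliable than checking the config. The script below is an added example, not code from the post, that reads `iptables -S` and `ufw status` text, extracts the ports the DOCKER chain accepts, and reports those that no ufw ALLOW rule covers. The sample output embedded in it (container addresses, the docker0 interface, the rule set) is constructed for the demonstration.

```shell
#!/bin/sh
# Audit which ports Docker has opened in iptables that `ufw status` does not show
# (added example; not from the post). Works on `iptables -S` and `ufw status`
# text, so it can be run against captured output as well as a live host.

# Ports the DOCKER chain accepts in the filter table, one "port/proto" per line.
docker_published_ports() {
    awk '$1 == "-A" && $2 == "DOCKER" && $NF == "ACCEPT" {
        proto = ""; port = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p")      proto = $(i + 1)
            if ($i == "--dport") port  = $(i + 1)
        }
        if (port != "") print port "/" proto
    }' | sort -u
}

# Ports with an ALLOW rule in `ufw status` (IPv4 rows; the "(v6)" rows have a
# different second column and are skipped). Values look like "80" or "22/tcp".
ufw_allowed_ports() {
    awk '$2 == "ALLOW" { print $1 }' | sort -u
}

# Print every Docker-opened port that no ufw ALLOW rule covers.
# $1 = file holding `iptables -S` output, $2 = file holding `ufw status` output.
# A bare ufw port such as "80" covers both tcp and udp, so both forms are checked.
docker_ports_bypassing_ufw() {
    docker_published_ports < "$1" | while IFS= read -r entry; do
        port="${entry%/*}"
        proto="${entry#*/}"
        if ! ufw_allowed_ports < "$2" | grep -qx -e "$port" -e "$port/$proto"; then
            echo "$entry"
        fi
    done
}

# Constructed sample output: a host where ufw allows 80 and 22, while Docker
# has published a database container on 3306 and a web container on 80.
sample_iptables() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N ufw-user-input
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

sample_ufw_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere
22                         ALLOW       192.168.178.9
80 (v6)                    ALLOW       Anywhere (v6)
EOF
}

# With no arguments the audit runs on the samples above; "--live" reads the
# real tables (needs root and ufw/iptables installed).
main() {
    ipt=$(mktemp); ufws=$(mktemp)
    if [ "${1:-}" = "--live" ]; then
        iptables -S > "$ipt"
        ufw status > "$ufws"
    else
        sample_iptables > "$ipt"
        sample_ufw_status > "$ufws"
    fi
    echo "Docker-opened ports not covered by any ufw rule:"
    docker_ports_bypassing_ufw "$ipt" "$ufws"
    rm -f "$ipt" "$ufws"
}
main "$@"
```

On the sample data the audit reports 3306/tcp: port 80 is at least intentionally allowed in ufw, but the database port is reachable only because Docker added a rule behind ufw's back. Run it with `--live` on a Docker host after applying the `--iptables=false` setting to confirm the DOCKER chain no longer carries ACCEPT rules.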

Resources