How to Configure a Firewall with UFW on Ubuntu Server.

One of the first lines of defense in securing your Ubuntu server is a well-configured firewall. In this guide, you'll learn how to set up and manage UFW (Uncomplicated Firewall) to control traffic and lock down unnecessary access — simply and effectively.





What is UFW?

UFW (Uncomplicated Firewall) is a user-friendly front-end to iptables, written in Python. Its main goal is to simplify firewall management and provide an accessible interface for users of all experience levels. It's particularly helpful for new admins who may not yet be comfortable with complex iptables syntax. UFW supports both IPv4 and IPv6 and offers a quick way to start securing your Ubuntu server.


Before We Get Started

UFW is usually installed by default on Ubuntu. If it's not present, you can install it with:

$ sudo apt-get install ufw -y

Set Default Policies

By default, UFW is configured to deny all incoming traffic and allow all outgoing traffic. This ensures that unauthorized connections are blocked while your server can still access external services.

To explicitly set these defaults:

$ sudo ufw default allow outgoing
$ sudo ufw default deny incoming


Add Firewall Rules

You can allow traffic using either a port number or a service name.

Allow HTTP (port 80) by port:

$ sudo ufw allow 80

Allow HTTP by service name:

$ sudo ufw allow http

Allow specific protocols:

$ sudo ufw allow 80/tcp 
$ sudo ufw allow 1725/udp


Check rule status:

$ sudo ufw status verbose


Example output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
1725/udp                   ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    Anywhere (v6)
1725/udp (v6)              ALLOW IN    Anywhere (v6)


Delete Firewall Rules

You can delete a rule directly:

$ sudo ufw delete allow ssh
$ sudo ufw delete allow 80/tcp

Or use numbered rules:

$ sudo ufw status numbered
$ sudo ufw delete [number]

Enable and Disable UFW

To enable the firewall:

$ sudo ufw enable

⚠️ Warning: Ensure you allow SSH before enabling UFW to avoid locking yourself out:

$ sudo ufw allow ssh

To disable:

$ sudo ufw disable
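
To check from your existing session that the enabled rule set still admits SSH, the script below reads ufw status verbose output in the format shown earlier and reports what it finds. It is an added example, not part of the original guide; the function names, messages and sample input are constructed, and SSH is assumed to listen on port 22 unless another port is passed.

```shell
#!/bin/sh
# Added example: audit `ufw status verbose` text read from stdin.
# Usage on a host: sudo ufw status verbose | audit_ufw_status [ssh_port]
audit_ufw_status() {
    awk -v p="${1:-22}" '
    /^Status:/  { active = ($2 == "active") }
    /^Default:/ { deny_in = ($2 == "deny" || $2 == "reject") }
    # Rule rows look like "<to> ALLOW IN <from>"; skip the duplicate (v6) rows.
    / (ALLOW|LIMIT) IN / && !/\(v6\)/ {
        if ($1 == p || $1 == p "/tcp" || (p == 22 && $1 == "OpenSSH")) ssh = 1
        if ($0 ~ / IN +Anywhere/) wide = wide " " $1
    }
    END {
        if (!active) { print "FAIL: firewall is not active"; exit }
        if (!deny_in) { print "FAIL: default incoming policy is not deny"; bad = 1 }
        if (!ssh) { print "FAIL: no incoming allow rule for SSH port " p; bad = 1 }
        if (wide != "") print "INFO: reachable from Anywhere:" wide
        if (!bad) print "OK"
    }'
}

# Constructed sample input in the format of the example output shown earlier.
sample_status() {
    cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    192.168.1.250
80/tcp                     ALLOW IN    Anywhere
1725/udp                   ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}

sample_status | audit_ufw_status 22
```

Run it before closing the session you enabled the firewall from; a FAIL line for SSH means the next login attempt would be blocked.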

Reset All UFW Rules

To reset UFW to its default state:

$ sudo ufw reset


Advanced UFW Rules

Port Ranges:

$ sudo ufw allow 1050:2500/tcp
$ sudo ufw allow 1050:2500/udp


Specific IP Address:

Allow an IP:

$ sudo ufw allow from 192.168.1.250

Deny an IP:

$ sudo ufw deny from 192.168.1.250

Allow a subnet:

$ sudo ufw allow from 192.168.1.0/24

Allow access to a specific port and protocol from an IP:

$ sudo ufw allow from 192.168.1.250 to any port 22 proto tcp

Block SSH from specific IPs:

$ sudo ufw deny from 192.168.1.4 to any port 22
$ sudo ufw deny from 192.168.1.120 to any port 22

Allow HTTP traffic only on interface eth0:

$ sudo ufw allow in on eth0 to any port 80

Block Ping Requests

By default, UFW allows ping (ICMP echo requests).
To block them:

Edit /etc/ufw/before.rules:

$ sudo nano /etc/ufw/before.rules

Find the section:

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

Either comment out the line or change ACCEPT to DROP:

-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

Save the file and reload UFW:

$ sudo ufw reload

Test with:

$ ping -c 3 192.168.x.xxx

You should see 100% packet loss if the block is successful.


With UFW, securing your Ubuntu server becomes simpler and more manageable—without sacrificing control. It's an ideal solution for admins who want effective protection without the complexity of raw iptables.

We hope this was of great use!
Happy tweaking! 🚀
