ufw Command in Linux: Uncomplicated Firewall Reference
If your server is open to the public network, it needs a firewall. On Ubuntu and Debian, the easiest way to set one up is with ufw. This tool sits on top of iptables (or nftables on newer systems) and replaces complex rules with simple, easy-to-read commands.
This guide walks through the ufw command, from enabling the firewall and setting default policies to writing rules for ports, services, and specific addresses.
ufw Syntax
The general form of the command is:
sudo ufw [OPTIONS] COMMAND [ARGS]OPTIONS- Flags such as--dry-runto preview what a rule would do.COMMAND- The action, for exampleenable,allow,deny,delete, orstatus.ARGS- The rule body, such as a port number, a service name, or a full rule specification.
ufw changes firewall rules, so almost every invocation needs sudo.
Checking the Firewall Status
Before you touch the rules, check whether the firewall is running and what is already in place:
sudo ufw statusIf ufw is inactive, you will see:
Status: inactiveThis confirms that ufw is installed but not currently enforcing any firewall rules.
Once active, the same command lists the rules:
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)For a numbered view that is easier to reference when deleting rules, use:
sudo ufw status numberedAnd for a more detailed output that shows default policies and logging level:
sudo ufw status verboseEnabling and Disabling the Firewall
The first time you enable ufw, make sure you have already allowed SSH. Enabling the firewall over an SSH session without an allow ssh rule will lock you out of the server.
Allow SSH first:
sudo ufw allow sshThen turn the firewall on:
sudo ufw enableFirewall is active and enabled on system startupAt this point, ufw starts enforcing the rules immediately and will come back automatically after a reboot.
To stop the firewall and clear it from the startup sequence:
sudo ufw disableA disabled ufw keeps the rules you defined. When you re-enable it, the same rules come back.
Default Policies
Default policies decide what happens to traffic that does not match any rule. The usual hardening is to deny incoming traffic and allow outgoing traffic:
sudo ufw default deny incoming
sudo ufw default allow outgoingAfter running these two commands, you only need to open the specific inbound ports your server should expose. Outbound traffic still flows freely, which is what most servers need.
You can also set the default for forwarded traffic, which matters if the host acts as a router or runs containers:
sudo ufw default deny routedAllowing Connections
The allow command is the one you will use most often. It accepts a service name, a port, a protocol, or a full rule.
Allow a Service by Name
ufw reads /etc/services and understands common service names:
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow httpsEach command opens the matching port (22, 80, and 443) for both TCP and UDP where applicable.
Allow a Specific Port
To open a port directly, pass the port number:
sudo ufw allow 8080By default, this opens the port for both TCP and UDP. To limit it to one protocol, add /tcp or /udp:
sudo ufw allow 8080/tcp
sudo ufw allow 53/udpAllow a Port Range
Port ranges require an explicit protocol:
sudo ufw allow 6000:6007/tcp
sudo ufw allow 6000:6007/udpThe colon separates the start and the end of the range, both inclusive.
Allow Traffic From a Specific Address
To accept connections from a single IP address, use from:
sudo ufw allow from 203.0.113.25To restrict that to a single service, add to any port:
sudo ufw allow from 203.0.113.25 to any port 22Allow Traffic From a Subnet
CIDR notation works the same way for whole networks:
sudo ufw allow from 192.168.1.0/24 to any port 3306This is a common pattern for databases: the port stays closed to the internet and is only reachable from your internal network.
Allow Traffic on a Specific Interface
To tie a rule to a network interface, add on INTERFACE:
sudo ufw allow in on eth1 to any port 3306The in keyword applies the rule to inbound traffic on eth1. Use out for outbound traffic.
Denying Connections
The deny command is the mirror of allow and takes the same arguments:
sudo ufw deny 23
sudo ufw deny from 198.51.100.77When the default incoming policy is already deny, you usually do not need to write explicit deny rules for closed ports. Explicit denies are useful when you want to block a specific address while keeping a port open to everyone else.
To log the denied packets instead of silently dropping them, use reject:
sudo ufw reject 23A reject sends an ICMP message back to the sender, while a deny drops the packet with no response.
Rate Limiting SSH
ufw can throttle repeated connections from the same IP, which is handy for SSH brute-force protection:
sudo ufw limit sshThe limit rule denies a connection if the source address attempts six or more connections in 30 seconds. This is a quick way to slow down password-guessing bots without installing a full intrusion-prevention tool.
Deleting Rules
There are two common ways to remove a rule. The first is to repeat the rule with delete in front:
sudo ufw delete allow 8080/tcpThe second is to delete by rule number:
sudo ufw status numbered To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 80/tcp ALLOW IN Anywhere
[ 3] 8080/tcp ALLOW IN Anywheresudo ufw delete 3ufw asks for confirmation before removing the rule. Keep in mind that after a deletion, the numbering shifts for the remaining rules, so always check the numbered status again before deleting another rule.
For a deeper walkthrough, see how to list and delete UFW firewall rules .
Application Profiles
Services that come with their own ufw profile can be referenced by name. List them with:
sudo ufw app listAvailable applications:
Nginx Full
Nginx HTTP
Nginx HTTPS
OpenSSHTo open the ports that a profile covers, pass its name to allow:
sudo ufw allow 'Nginx Full'Quote profile names that contain spaces. To see what ports a profile includes, use:
sudo ufw app info 'Nginx Full'Dry Run
Before you commit to a change, you can preview the iptables rules ufw would add with --dry-run:
sudo ufw --dry-run allow 8080/tcpNo rule is created. The output shows the exact lines ufw would write, which is useful when you are writing rules over SSH and want to double-check them first.
Logging
ufw can log packets that match rules, which helps when troubleshooting. The log level can be adjusted:
sudo ufw logging on
sudo ufw logging mediumValid levels are off, low, medium, high, and full. ufw logs through the kernel log facility, so the exact destination depends on your system logging setup. On many Ubuntu systems with rsyslog, you will see entries in /var/log/ufw.log, and you can often inspect them with journalctl as well.
Reset the Firewall
To clear every rule and set ufw back to its fresh state, run:
sudo ufw resetufw reset disables the firewall and removes every rule, including the one that allows SSH. If you are connected over SSH, add an allow rule for SSH and re-enable the firewall right after the reset, or you will lose access the moment you turn it back on.IPv6 Support
On most modern systems, ufw can manage IPv6 rules as well as IPv4 rules. Check the setting in /etc/default/ufw:
IPV6=yesWhen IPV6=yes, generic rules such as sudo ufw allow 22/tcp are created for both IPv4 and IPv6. Rules that include an explicit address stay specific to that address family. In the status output, the IPv6 rules appear with (v6) next to them.
Quick Reference
For a printable quick reference, see the ufw cheatsheet .
| Task | Command |
|---|---|
| Show status | sudo ufw status verbose |
| Show numbered rules | sudo ufw status numbered |
| Enable firewall | sudo ufw enable |
| Disable firewall | sudo ufw disable |
| Default deny incoming | sudo ufw default deny incoming |
| Default allow outgoing | sudo ufw default allow outgoing |
| Allow SSH | sudo ufw allow ssh |
| Allow port | sudo ufw allow 8080/tcp |
| Allow port range | sudo ufw allow 6000:6007/tcp |
| Allow from IP | sudo ufw allow from 203.0.113.25 |
| Allow from subnet | sudo ufw allow from 192.168.1.0/24 |
| Rate-limit SSH | sudo ufw limit ssh |
| Delete rule by number | sudo ufw delete 3 |
| List app profiles | sudo ufw app list |
| Reset all rules | sudo ufw reset |
Troubleshooting
ufw: command not found
Install the ufw package with sudo apt install ufw on Ubuntu or Debian. On Fedora, RHEL, and derivatives, firewalld is the default and ufw is rarely used.
Locked out after enabling the firewall over SSH
The default deny policy blocked your SSH session. You will need console access to the server. Once in, run sudo ufw allow ssh and sudo ufw reload to restore access. The usual safeguard is to allow SSH before the first enable.
Rule added but traffic still blocked
Confirm the rule is in the right direction (inbound vs outbound) and on the right interface. Check with sudo ufw status verbose. If Docker is running, it writes its own iptables rules that can bypass ufw.
Changes do not take effect
After manual edits to /etc/ufw/ files, reload the firewall with sudo ufw reload. Commands issued through ufw apply immediately and do not need a reload.
FAQ
Is ufw the same as iptables?
No. ufw is a front end that generates iptables (or nftables) rules for you. The kernel still enforces the rules through its packet filter, but you do not need to edit the raw tables yourself.
Does ufw start automatically after reboot?
Yes, once you run sudo ufw enable, the service is registered with systemd and starts on boot. You can confirm with systemctl status ufw.
How do I allow a port for a single IP address?
Use the from and to any port form: sudo ufw allow from 203.0.113.25 to any port 22. This keeps the port closed to the rest of the internet and only opens it for that one address.
What is the difference between deny and reject?deny drops the packet without any reply. reject sends an ICMP message back to the sender telling them the connection was refused. Reject is slightly friendlier to well-behaved clients but makes the server more visible to scans.
How do I undo everything and start over?
Run sudo ufw reset. It disables the firewall and removes every rule. Remember to re-add the SSH rule before re-enabling, especially on a remote server.
Conclusion
ufw keeps firewall management readable: allow what you need, deny what you do not, and lean on the default policies to cover the rest. If you want step-by-step instructions for setting it up on a new server, see how to set up a firewall with UFW on Ubuntu 24.04
.
Linuxize Weekly Newsletter
A quick weekly roundup of new tutorials, news, and tips.
About the authors
Dejan Panovski
Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.
View author page