How to Setup Firewall on Ubuntu

Most Ubuntu installs don’t start with a strict firewall — and if you’re online, that’s a problem.

This guide covers how to use UFW (Uncomplicated Firewall) to lock down your system properly, with clear examples and best practices. We’ll go from basic rules to advanced setups like home network zones and service-specific security.

1. What Is UFW and Why Use It?

UFW stands for Uncomplicated Firewall. It’s a front-end for iptables that makes managing firewall rules easy for humans. It’s available on all Ubuntu versions by default.

To check if it’s installed:

sudo ufw status

If you get an error, install it:

sudo apt install ufw

2. Set the Default Policy (Deny Incoming)

Always start with a sane default:

sudo ufw default deny incoming
sudo ufw default allow outgoing

This blocks all incoming connections unless you explicitly allow them. Outgoing traffic stays open (most users need that for package updates, browsing, etc.).

3. Secure SSH Access

Locking down SSH is essential. First, allow it:

sudo ufw allow ssh

This opens port 22 (default). If you use a custom port, do:

sudo ufw allow 2222/tcp

Limit brute force attacks

Add rate limiting:

sudo ufw limit ssh

This throttles connections if someone tries to brute force their way in.

Allow only from your IP (optional)

If you connect from a static IP, restrict access:

sudo ufw allow from 203.0.113.5 to any port 22

Replace the IP with yours.

4. Allow FTP (with Passive Ports)

FTP uses port 21, but passive mode also needs a range (e.g. 30000-31000):

sudo ufw allow 21/tcp
sudo ufw allow 30000:31000/tcp

Make sure your FTP server (vsftpd, proftpd, etc.) is configured to match the same passive port range.

For SFTP (which uses SSH):

sudo ufw allow ssh

That’s usually all you need if you’re using SFTP instead of legacy FTP.

5. Activate the Firewall (Safely)

Double-check your rules first. While UFW is still inactive, ufw status only prints "Status: inactive", so list the rules you have queued instead:

sudo ufw show added

Then enable:

sudo ufw enable

You’ll get a warning if you’re SSH’d in — make sure SSH is allowed before running this, or you’ll lock yourself out.

To disable (if something goes wrong):

sudo ufw disable

6. View, Remove, and Reset Rules

To list active rules:

sudo ufw status verbose

To delete a rule:

sudo ufw status numbered
sudo ufw delete [rule_number]

Rule numbers shift after each deletion, so re-run status numbered before deleting another.

Reset the entire firewall:

sudo ufw reset

This disables UFW and deletes all rules — use with caution.

7. Advanced: Zones for Private Networks

Want to allow access from your home network but block everyone else?

Assume your home IP range is 192.168.1.0/24. You can allow all traffic from it:

sudo ufw allow from 192.168.1.0/24

Or limit access to specific services:

sudo ufw allow from 192.168.1.0/24 to any port 22

This is great for laptops that connect to trusted home networks and sketchy public ones.

8. Common Fixes for Frustrating UFW Errors

Blocked DNS?

Make sure these are allowed for most desktop use (only needed if you changed the outgoing default to deny; with the default allow outgoing from step 2 they are already permitted):

sudo ufw allow out 53
sudo ufw allow out 123

(That’s DNS and NTP for time sync.)

Web server not reachable?

sudo ufw allow 80
sudo ufw allow 443

Don’t forget both HTTP and HTTPS.

Ping not working?

By default, UFW blocks ping (ICMP). Allow it:

# ufw does not accept "proto icmp" on the command line; ICMP is handled in /etc/ufw/before.rules.
# Make sure the ufw-before-input chain in that file contains this line, then reload:
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
sudo ufw reload

Useful for uptime checks and basic diagnostics.

9. Logging and Debugging

UFW logs to syslog. To see recent entries:

sudo journalctl -g UFW

Or filter with grep:

grep UFW /var/log/syslog

Enable logging:

sudo ufw logging on

Set level (low, medium, high, full):

sudo ufw logging medium
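The entries these commands surface are easier to act on once summarised. As an added example that is not part of the original guide, this POSIX shell function parses [UFW BLOCK] lines (a constructed sample is embedded; the field names SRC, PROTO and DPT are the ones the kernel writes) and counts blocked attempts per source, protocol and destination port:

```shell
# Constructed sample of UFW log lines (not captured from a real host), in the
# format the kernel writes for [UFW BLOCK] / [UFW ALLOW] entries.
SAMPLE_UFW_LOG='Apr  9 21:30:01 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  9 21:30:02 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  9 21:30:03 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.9 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  9 21:30:04 host kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Apr  9 21:30:05 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# Summarise blocked attempts read from stdin as "COUNT SRC PROTO DPT",
# most frequent first. Non-BLOCK lines (ALLOW, AUDIT) are ignored.
ufw_block_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "" && dpt != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Run the summary over the embedded sample.
summarise_sample() {
    printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_block_summary
}

# On a real host, feed it kernel messages from the journal instead:
#   sudo journalctl -k -g 'UFW BLOCK' --no-pager -o cat | ufw_block_summary
```

A source that tops this list against port 22 is exactly the pattern the limit rule from step 3 is meant to slow down.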

10. Final Check: Audit Everything

To list the application profiles UFW can reference by name in rules:

sudo ufw app list

To check rules:

sudo ufw status

And verify startup:

sudo systemctl status ufw

You can also make sure the UFW service unit is enabled at boot (ufw enable already persists the firewall state across reboots; this just confirms the unit itself is enabled):

sudo systemctl enable ufw

Firewalls aren’t optional anymore. Even on local networks, you need to define what’s allowed and what’s not.

Last updated: 2025-04-09 21:35 UTC