ufw - User friendly firewall

Ufw is a front end to iptables for configuring a host-based firewall. Its syntax is illustrated with examples in this section.

Install

sudo apt-get install ufw

By default, ufw is disabled after installation; you add your rules and then enable it. To check the ufw status:

sudo ufw status


Syntax illustration with examples

Each entry below gives the command that adds a rule, followed by the command that removes it again.

Enable ufw
sudo ufw enable

Disable ufw
sudo ufw disable

To open all ports to connections from subnet 192.168.1.0/24 (the second rule opens all ports to connections going to it)
sudo ufw allow from 192.168.1.0/24
sudo ufw allow to 192.168.1.0/24
Remove these rules
sudo ufw delete allow from 192.168.1.0/24
sudo ufw delete allow to 192.168.1.0/24

To open port 22 to connections from all hosts (this matches both TCP and UDP; use 22/tcp for TCP only)
sudo ufw allow 22
Remove this rule
sudo ufw delete allow 22

To open port 22 to connections from subnet 192.168.1.0/24
sudo ufw allow from 192.168.1.0/24 to any port 22
Remove this rule
sudo ufw delete allow from 192.168.1.0/24 to any port 22

To open port 22 to connections from host 192.168.1.23 (without "to any port 22" the rule would open every port to that host)
sudo ufw allow from 192.168.1.23 to any port 22
Remove this rule
sudo ufw delete allow from 192.168.1.23 to any port 22

To deny port 22 to connections from host 192.168.1.23
sudo ufw deny from 192.168.1.23 to any port 22
Remove this rule
sudo ufw delete deny from 192.168.1.23 to any port 22

To open port 22 only on the interface that has address 10.10.20.3 (a host with several network interfaces)
sudo ufw allow from any to 10.10.20.3 port 22
Remove this rule
sudo ufw delete allow from any to 10.10.20.3 port 22

To open all TCP ports (but not UDP) to connections from host 192.168.1.23
sudo ufw allow proto tcp from 192.168.1.23
Remove this rule
sudo ufw delete allow proto tcp from 192.168.1.23

To block outbound traffic to port 12345 (rules apply to incoming traffic unless "out" is given)
sudo ufw deny out to any port 12345
Remove this rule
sudo ufw delete deny out to any port 12345

To open a range of TCP ports (here the range MATLAB PCT uses to reach MDCS)
sudo ufw allow proto tcp to any port 27370:27470
Remove this rule
sudo ufw delete allow proto tcp to any port 27370:27470

Notes:

  • By default, when the firewall is enabled, everything incoming is denied and everything outgoing is allowed. So you have to add allow rules for ports such as ssh (22) before you issue the "ufw enable" command on a remote system, or you will lose your session.
  • The general syntax is "ufw allow|deny [proto tcp|udp] from SOURCE [port PORT] to DESTINATION [port PORT]", where SOURCE and DESTINATION can be "any", a subnet, or a host address.
  • Several port numbers can be listed in one rule, separated by ",", provided the protocol (tcp or udp) is specified.

The rules are order sensitive

UFW stops at the first matching rule and skips the rules after it. For example, a rule at the top overrides any rule that follows it.

$ sudo ufw status

Status: active
To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22                         DENY        192.168.1.0/24

will allow you to log in through ssh from subnet 192.168.1.0/24, whereas


$ sudo ufw status

Status: active
To                         Action      From
--                         ------      ----
22                         DENY        192.168.1.0/24
22                         ALLOW       Anywhere

will NOT allow you to log in from that subnet.

To insert a rule at a specific position, add "insert POSITION" like this:

sudo ufw insert 1 allow 22

will put the "allow 22" rule at the top.


You can also manipulate UFW rules by number:

sudo ufw status numbered

All rules are reported with a number. You can delete a rule by its number:

sudo ufw delete 1

Be careful when doing this in a script: once a rule is deleted, the remaining rules are renumbered, so delete from the highest number down.
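
The renumbering caveat is easy to get wrong in a script. The following added example (not part of the original page) selects rule numbers from "ufw status numbered" output and deletes them from the highest number down, so that removing one rule never shifts the number of a rule still waiting to be removed. The status output embedded in the script is a constructed sample; the UFW_CMD variable is an assumption of this script, not a ufw feature.

```shell
#!/bin/sh
# Added example (not from the original page): delete several numbered ufw
# rules safely, highest number first.

# Constructed sample of "sudo ufw status numbered" output, in the layout ufw
# prints (rule number in square brackets); it stands in for a live call.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22                         DENY IN     192.168.1.0/24
[ 4] 7241                       ALLOW IN    192.168.1.0/24
[ 5] 5900,5901/tcp              ALLOW IN    192.168.1.23'

# Command prefix used to run ufw (assumed by this script); set UFW_CMD=echo
# for a dry run that only prints the commands.
UFW_CMD="${UFW_CMD:-sudo ufw}"

# rule_numbers_from ADDRESS   (reads "ufw status numbered" output on stdin)
# Prints the numbers of all rules whose From column is exactly ADDRESS,
# one per line, highest number first.
rule_numbers_from() {
    awk -v want="$1" '
        /^\[ *[0-9]+]/ {
            num = $0
            sub(/^\[ */, "", num)   # drop the leading "[ "
            sub(/].*/, "", num)     # drop "] ..." so only the number is left
            if ($NF == want) print num
        }' | sort -rn
}

# delete_rules_from ADDRESS   (reads "ufw status numbered" output on stdin)
# Runs "ufw delete N" for every matching rule, highest N first.
delete_rules_from() {
    for n in $(rule_numbers_from "$1"); do
        # --force skips ufw's interactive "Proceed with operation?" prompt
        $UFW_CMD --force delete "$n"
    done
}

# Dry-run demonstration on the constructed sample (prints, does not execute).
( UFW_CMD=echo; printf '%s\n' "$SAMPLE_STATUS" | delete_rules_from 192.168.1.0/24 )
```

Against a live system the same functions are fed real output, for example `sudo ufw status numbered | delete_rules_from 192.168.1.0/24`; the descending sort is what keeps the second delete pointing at the rule you intended.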


A ufw firewall example

Here is an example that establishes a firewall which opens ports 22 and 80 to all hosts, opens port 7241 to the local network, and opens the VNC ports 5900 and 5901 to a single host (a multi-port rule needs the protocol, hence 22,80/tcp):

sudo ufw allow 22,80/tcp
sudo ufw allow from 192.168.1.0/24 to any port 7241
sudo ufw allow proto tcp from 192.168.1.23 to any port 5900,5901
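
The same rule set as a script, written as an added example that is not part of the original page. It puts into practice the points from the notes and the ordering section above: the ssh rule goes in first so it sits at the top of the list, multi-port rules carry an explicit protocol, and the firewall is only enabled after the allow rules exist. The addresses are the page's example values, and the UFW_CMD variable is an assumption of this script, not a ufw feature.

```shell
#!/bin/sh
# Added example (not from the original page): apply the rule set above in an
# order that is safe to run over an SSH session.
set -e

# Command prefix used to run ufw (assumed by this script); set UFW_CMD=echo
# to print the commands instead of executing them.
UFW_CMD="${UFW_CMD:-sudo ufw}"

# Example addresses from the page (replace with your own).
LAN=192.168.1.0/24
VNC_CLIENT=192.168.1.23
SSH_PORT=22

apply_firewall() {
    # Make the defaults explicit: everything inbound denied, outbound allowed.
    $UFW_CMD default deny incoming
    $UFW_CMD default allow outgoing
    # ssh first, so it becomes rule 1 and no later DENY can shadow it.
    # On a host that already has rules, use "insert 1 allow 22/tcp" instead.
    $UFW_CMD allow "$SSH_PORT/tcp"
    $UFW_CMD allow 80/tcp
    $UFW_CMD allow from "$LAN" to any port 7241
    # Several ports in one rule require an explicit protocol.
    $UFW_CMD allow proto tcp from "$VNC_CLIENT" to any port 5900,5901
    # Only now enable; --force answers the "may disrupt existing ssh
    # connections" prompt, which is safe because the ssh rule is in place.
    $UFW_CMD --force enable
    $UFW_CMD status numbered
}

# "sh firewall.sh" prints the commands (dry run); "sh firewall.sh --apply"
# executes them.
if [ "${1:-}" = "--apply" ]; then
    apply_firewall
else
    ( UFW_CMD=echo; apply_firewall )
fi
```

Running the dry run first and reading the printed list top to bottom is a cheap way to confirm that the allow rule for your own session precedes every deny rule before you let the script touch a remote host.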


Export and import ufw rules, view ufw rules when ufw is inactive

Gufw is the graphical user interface of ufw; it was said to be able to export the ufw rules for backup or for use on another computer. However, I didn't see this function in the gufw on Ubuntu 9.10.

The ufw user rules are stored in the file /lib/ufw/user.rules (and /lib/ufw/user6.rules for IPv6; newer releases keep these files under /etc/ufw/ instead), between the lines "### RULES ###" and "### END RULES ###":

### RULES ###

### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -j ACCEPT

### tuple ### allow any 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
-A ufw-user-input -p udp --dport 80 -j ACCEPT

### END RULES ###

You can copy or edit this file to export and import rules. The file also lets you see the rules while ufw is inactive.
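
Reading the raw file is tedious once there are more than a few rules. The following added example (not part of the original page) extracts the section between the two markers and prints each "### tuple ###" line as a one-line summary, which is a convenient way to review the rule set while ufw is inactive or to compare an exported file before importing it. The tuple field order assumed here (action, protocol, destination port, destination, source port, source, direction) is the one the two tuples shown on the page follow; the sample file content is constructed and stands in for /lib/ufw/user.rules.

```shell
#!/bin/sh
# Added example (not from the original page): summarize the rules in a ufw
# user.rules file without ufw being active.

# Constructed sample in the page's format; the second rule and its iptables
# line are invented for illustration.
SAMPLE_RULES='*filter
### RULES ###

### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -j ACCEPT

### tuple ### deny tcp 22 0.0.0.0/0 any 192.168.1.0/24 in
-A ufw-user-input -p tcp --dport 22 -s 192.168.1.0/24 -j DROP

### END RULES ###
COMMIT'

# rules_section   (reads a user.rules file on stdin)
# Prints only the lines strictly between "### RULES ###" and "### END RULES ###".
rules_section() {
    awk '/^### END RULES ###/ { inside = 0 }
         inside { print }
         /^### RULES ###/ { inside = 1 }'
}

# summarize_tuples   (reads a user.rules file on stdin)
# One human-readable line per "### tuple ###" entry, in file order.
# Assumed tuple layout: action proto dport dst sport src direction
summarize_tuples() {
    rules_section | awk '
        $1 == "###" && $2 == "tuple" {
            action = $4; proto = $5; dport = $6; dst = $7
            sport = $8; src = $9; dir = $10
            if (src == "0.0.0.0/0" || src == "::/0") src = "anywhere"
            if (dst == "0.0.0.0/0" || dst == "::/0") dst = "anywhere"
            printf "%s %s %s port %s on %s from %s", toupper(action), dir, proto, dport, dst, src
            if (sport != "any") printf " port %s", sport
            printf "\n"
        }'
}

# Usage: sh ufw-rules.sh /lib/ufw/user.rules
# With no argument the constructed sample is summarized.
if [ $# -gt 0 ]; then
    summarize_tuples < "$1"
else
    printf '%s\n' "$SAMPLE_RULES" | summarize_tuples
fi
```

The summary only reads the tuple comments, which is what ufw itself uses to reconstruct its rule list; if you hand-edit the file, keep the tuple line and its iptables lines consistent, otherwise "ufw status" and the actual iptables rules will disagree.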