UFW
Using OR Disable IPv6
sudo nano /etc/default/ufwThen make sure "IPV6" is set to "yes", like so:
IPV6=yesSave and quit. Then restart your firewall with the following commands:
sudo systemctl restart ufw.service
sudo ufw disable
sudo ufw enableSet Up Defaults
sudo ufw default deny incomingand
sudo ufw default allow outgoingEnable and Disable
Enable UFW
To turn UFW on with the default set of rules:
sudo ufw enableTo check the status of UFW:
The output should be like this:
Note that by default, deny is being applied to incoming. There are exceptions, which can be found in the output of this command:
You can also read the rules files in /etc/ufw (the files whose names end with .rules).
Disable UFW
To disable ufw use:
Allow and Deny (specific rules)
Allow
example: To allow incoming tcp and udp packet on port 53
example: To allow incoming tcp packets on port 53
example: To allow incoming udp packets on port 53
Deny
example: To deny tcp and udp packets on port 53
example: To deny incoming tcp packets on port 53
example: To deny incoming udp packets on port 53
Delete Existing Rule
To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:
Use this to delete it:
Services
You can also allow or deny by service name since ufw reads from /etc/services To see get a list of services:
Allow by Service Name
example: to allow ssh by name
Deny by Service Name
example: to deny ssh by name
Status
Checking the status of ufw will tell you if ufw is enabled or disabled and also list the current ufw rules that are applied to your iptables.
To check the status of ufw:
if ufw was not enabled the output would be:
Logging
To enable logging use:
To disable logging use:
Advanced Syntax
You can also use a fuller syntax, specifying the source and destination addresses, ports and protocols.
Allow Access
This section shows how to allow specific access.
Allow by Specific IP
example:To allow packets from 207.46.232.182:
Allow by Subnet
You may use a net mask :
Allow by specific port and IP address
example: allow IP address 192.168.0.4 access to port 22 for all protocols
Allow by specific port, IP address and protocol
example: allow IP address 192.168.0.4 access to port 22 using TCP
Enable PING
Note: Security by obscurity may be of very little actual benefit with modern cracker scripts. By default, UFW allows ping requests. You may find you wish to leave (icmp) ping requests enabled to diagnose networking problems.
In order to disable ping (icmp) requests, you need to edit /etc/ufw/before.rules and remove the following lines:
or change the "ACCEPT" to "DROP"
Deny Access
Deny by specific IP
example:To block packets from 207.46.232.182:
Deny by specific port and IP address
example: deny ip address 192.168.0.1 access to port 22 for all protocols
Working with numbered rules
Listing rules with a reference number
You may use status numbered to show the order and id number of rules:
Editing numbered rules
Delete numbered rule
You may then delete rules using the number. This will delete the first rule and rules will shift up to fill in the list.
Insert numbered rule
Advanced Example
Scenario: You want to block access to port 22 from 192.168.0.1 and 192.168.0.7 but allow all other 192.168.0.x IPs to have access to port 22 using tcp
This puts the specific rules first and the generic second. Once a rule is matched the others will not be evaluated (see manual below) so you must put the specific rules first. As rules change you may need to delete old rules to ensure that new rules are put in the proper order.
To check your rules orders you can check the status; for the scenario the output below is the desired output for the rules to work properly
Scenario change: You want to block access to port 22 to 192.168.0.3 as well as 192.168.0.1 and 192.168.0.7.
If you simply add the deny rule the allow would have been above it and been applied instead of the deny
Last updated
Was this helpful?