Quick Reference
Updated on 10 Apr 2022
Enable and Disable
Enable UFW
To enable UFW.
sudo ufw enable
Disable UFW
To disable UFW.
sudo ufw disable
Status
Status (numbered)
To list the UFW rules in a numbered list (you can use the numbers later to delete a rule):
sudo ufw status numbered
Allow and Deny
Block an IP Address
sudo ufw deny from 10.0.2.11
In this example, "from 10.0.2.11" specifies the IP address that will be blocked from accessing the server.
If you run sudo ufw status, you'll see the specified IP address listed as denied.
Block a subnet
Blocking a subnet is similar to blocking an individual IP address:
sudo ufw deny from 10.0.2.0/24
Allow SSH
I can allow SSH either by port number or by name.
sudo ufw allow 22
OR
sudo ufw allow ssh
If I run the status command, I can see the new rule added:
sudo ufw status
Allow SSH from IP address
In this scenario we use the "from" and "to" options.
from -> the IP address that we are coming from
to -> normally set to any
sudo ufw allow from 10.0.2.5 to any port 22
If we run the status command, we'll see that access to the server via port 22 is restricted to the 10.0.2.5 IP address.
Allow SSH with TCP protocol from IP address
Here we use the "proto" keyword (short for protocol), and we are specifying tcp to be allowed.
sudo ufw allow from 10.0.2.5 to any proto tcp port 22
If we run the status command, we'll see that our access is further restricted on port 22 to only the tcp protocol.
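Added example (not part of the original page): a shell check that reads the output of sudo ufw status numbered and lists the rule numbers that still allow port 22 from Anywhere, which would make the per-IP SSH rules above ineffective. The sample status text and the function name open_ssh_rules are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `sudo ufw status numbered` output (not from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] Anywhere                   DENY IN     10.0.2.11
[ 3] 22/tcp                     ALLOW IN    10.0.2.5
[ 4] 443                        ALLOW IN    Anywhere
[ 5] 22 (v6)                    ALLOW IN    Anywhere (v6)'

# open_ssh_rules (hypothetical helper): read `ufw status numbered` text on
# stdin and print, one per line, the numbers of rules that allow port 22
# from any source address.
open_ssh_rules() {
    # Turn "[ 1] 22 ..." into "1  22 ..." and drop every non-rule line.
    sed -n 's/^\[ *\([0-9][0-9]*\)\] */\1  /p' |
    # Columns are separated by runs of two or more spaces.
    awk -F'  +' '
        {
            num = $1; to = $2; action = $3; from = $4
            sub(/ \(v6\)$/, "", to)     # treat the IPv6 twin of a rule the same
            sub(/ \(v6\)$/, "", from)
            sub(/ +$/, "", from)        # tolerate trailing spaces
            is_ssh = (to == "22" || to == "22/tcp")
            if (is_ssh && action ~ /^ALLOW/ && from == "Anywhere") print num
        }'
}

# Run against the constructed sample; on a live host use:
#   sudo ufw status numbered | open_ssh_rules
printf '%s\n' "$SAMPLE_STATUS" | open_ssh_rules
```

Rules reported here can be removed with sudo ufw delete followed by the rule number; delete the highest number first, because the remaining rules are renumbered after each deletion.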
Network Applications
Some applications rely on network communications. These applications / services need external connections to be allowed through the firewall. To see a list of applications that are registered with UFW, run the following command.
sudo ufw app list
Notice that Apache is listed 3 times:
Apache -> this is for port 80
Apache Full -> this is for port 80 & 443
Apache Secure -> this is for port 443
If we wanted to allow access to https, we could do it in one of 3 ways.
sudo ufw allow 443
OR (this also forces the protocol to tcp)
sudo ufw allow https
OR (using the application name)
sudo ufw allow "Apache Secure"