How to install and configure UFW (Uncomplicated Firewall)

This article describes how to install UFW (Uncomplicated Firewall) and set up some basic configuration rules.

You must have root-level access to the server to follow the procedures in this article.

About UFW

UFW (Uncomplicated Firewall) is a command-line program that enables you to quickly define firewall access rules for your server. You can grant or deny access to IP addresses and specific services (such as SSH and HTTP), block ping requests, and more.

UFW is available in the Debian and Ubuntu Linux distributions. The following procedures demonstrate how to install UFW and set up some basic firewall rules. For additional information, please see the UFW documentation.

Installing UFW

To install UFW on your server, follow these steps:

  1. Log in to your server using SSH.
  2. At the command prompt, type the following command:

    apt install ufw

  3. To see the current UFW status, type the following command:

    ufw status

  4. After initial installation, UFW is disabled so that you can configure access rules first (and, if you are connected over SSH, avoid locking yourself out). When you are ready to enable the firewall, type the ufw enable command.
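The following script is an added example, not part of the original article or of UFW itself. It turns the warning in step 4 into an enforced check: before running ufw enable, it looks through the rules added while the firewall is disabled (the ufw show added report, whose "ufw allow ..." line format is assumed here) for one that allows the SSH port, and refuses to enable the firewall if none is found. SSH_PORT, rule_allows_port and safe_enable are names chosen for this example, and the sample report text is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: enable UFW only once an
# allow rule for the SSH port exists, so the SSH session used to configure
# the firewall is not cut off. Assumes the SSH port is in SSH_PORT (the
# A2 Hosting default of 7822 named in the article) and that `ufw show added`
# lists each rule added while the firewall is disabled as "ufw allow ...".
SSH_PORT="${SSH_PORT:-7822}"

# Read `ufw show added` output on stdin; succeed when some "ufw allow" rule
# names the port as "PORT", "PORT/tcp" or "... to any port PORT".
# A "ufw limit" rule (rate-limited allow) is deliberately not counted.
rule_allows_port() {
    port="$1"
    grep -Eq "^ufw allow (.* )?${port}(/tcp)?( .*)?$"
}

# Enable the firewall, refusing when no rule covers the SSH port.
safe_enable() {
    if ufw show added | rule_allows_port "$SSH_PORT"; then
        ufw enable
    else
        echo "refusing to enable: no allow rule for port $SSH_PORT" >&2
        echo "add one first with: ufw allow $SSH_PORT/tcp" >&2
        return 1
    fi
}

# Constructed sample of `ufw show added` output for demonstrating the check
# without touching a real firewall.
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 7822/tcp
ufw allow from 192.168.1.0/24"

demo() {
    printf '%s\n' "$SAMPLE_ADDED" | rule_allows_port 7822 && echo "port 7822: allowed"
    printf '%s\n' "$SAMPLE_ADDED" | rule_allows_port 22   || echo "port 22: not allowed"
}

# Usage: sh safe-enable.sh --demo   (exercise the check on the sample)
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Calling safe_enable on the server performs the real enable. The port match is deliberately simple: a rule added through an application profile such as OpenSSH is not recognised by it, so add the port rule explicitly when you rely on this check.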

Granting access

With just a few commands you can set up rules to grant access to your server.

Granting access to IP addresses

To grant access from a specific IP address (to all ports on the server), type the following command. Replace 192.168.1.1 with the IP address you want to allow:

ufw allow from 192.168.1.1

If you later decide you want to remove this rule, type the following command:

ufw delete allow from 192.168.1.1

You can also delete a rule by its number. To list the rules with their numbers, type the following command:

ufw status numbered

For example, to delete the fourth rule, type the following command:

ufw delete 4

Rule numbers shift after a deletion, so run ufw status numbered again before deleting another rule by number.

Allowing an entire subnet

To grant access to an entire subnet of IP addresses, type the following command. Replace 192.168.1.0/24 with the IP address and network mask you want to allow:

ufw allow from 192.168.1.0/24

Granting access to services

In addition to granting access to IP addresses, you can permit access to specific services on the server, such as SSH and HTTP. To see a list of available application services, type the following command:

ufw app list

To allow access to one of those services, type the following command. Replace application with the application name (for example, OpenSSH):

ufw allow "application"

Make sure you include the quotation marks around the application name; they keep a name that contains a space, such as Apache Full, together as a single argument.

For example, the following command enables access for secure (HTTPS) and non-secure (HTTP) connections on Apache:

ufw allow "Apache Full"

Remember that SSH connections on A2 Hosting servers use port 7822 by default. To allow access to port 7822, type the following command:

ufw allow 7822

Denying access

With just a few commands you can set up rules to deny access to your server.

Blocking access by IP address

To deny all access from a specific IP address, type the following command. Replace 192.168.1.1 with the IP address you want to block:

ufw deny from 192.168.1.1

If you later decide you want to remove this rule, type the following command:

ufw delete deny from 192.168.1.1

Blocking an entire subnet

To deny access from an entire subnet of IP addresses, type the following command. Replace 192.168.1.0/24 with the IP address and network mask you want to block:

ufw deny from 192.168.1.0/24
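The following script is an added example, not from the original article, covering both the allow rules in the previous section and the deny rules in this one. It validates the IPv4 address or subnet before building the ufw allow from / ufw deny from command, so a mistyped or malformed value is reported instead of being passed to ufw. The UFW variable, valid_ipv4_or_cidr and rule_from are names chosen for this example; set UFW="echo ufw" to print the rule instead of applying it.

```shell
#!/bin/sh
# Added example, not from the original article: validate an IPv4 address or
# subnet before it is handed to "ufw allow from" / "ufw deny from", so a typo
# or a stray shell metacharacter never reaches the firewall command. The UFW
# variable is an assumption of this script: set UFW="echo ufw" to print the
# rule instead of applying it.
UFW="${UFW:-ufw}"

# Succeed when $1 is a dotted-quad IPv4 address with an optional /0-/32 prefix.
valid_ipv4_or_cidr() {
    addr="$1"
    case "$addr" in
        */)  return 1 ;;                                   # trailing slash, no prefix
        */*) ip="${addr%%/*}"; prefix="${addr#*/}" ;;
        *)   ip="$addr";       prefix="" ;;
    esac
    # Shape: exactly four numeric octets, nothing else.
    printf '%s' "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    # Range: every octet 0-255.
    old_ifs="$IFS"; IFS=.
    set -- $ip
    IFS="$old_ifs"
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    # Prefix length, when given: 0-32.
    if [ -n "$prefix" ]; then
        printf '%s' "$prefix" | grep -Eq '^[0-9]{1,2}$' || return 1
        [ "$prefix" -le 32 ] || return 1
    fi
    return 0
}

# Build and run "ufw allow|deny from ADDRESS" after validating ADDRESS.
rule_from() {
    action="$1"; addr="$2"
    case "$action" in
        allow|deny) ;;
        *) echo "action must be allow or deny, got: $action" >&2; return 2 ;;
    esac
    if ! valid_ipv4_or_cidr "$addr"; then
        echo "rejected address: $addr" >&2
        return 1
    fi
    $UFW "$action" from "$addr"
}

# Usage: sh rules.sh allow 192.168.1.0/24   or   sh rules.sh deny 192.168.1.1
if [ $# -eq 2 ]; then rule_from "$1" "$2"; fi
```

One ordering caveat applies to the deny rules: UFW evaluates rules in order and stops at the first match, so a deny for one address inside a subnet that an earlier rule already allows has no effect when it is simply appended. Place it ahead of the allow with ufw insert 1 deny from 192.168.1.1, then confirm the order with ufw status numbered.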

Disabling ping (ICMP) responses

To disable sending ping (ICMP) responses from the server, follow these steps:

  1. Open the /etc/ufw/before.rules file in your preferred text editor.
  2. Comment out the ICMP configuration lines by typing a # character at the start of each line as follows:
    # ok icmp codes for INPUT
    #-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    #-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    #-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    #-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
    
    # ok icmp code for FORWARD
    #-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
    #-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
    #-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
    #-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
    
  3. Save your changes to the /etc/ufw/before.rules file, and then exit the text editor.
  4. Type the following command to load the new configuration:

    ufw reload

    The server now ignores ping requests.
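The following script is an added example, not from the original article, for verifying the edit above and for a narrower variant of it. echo_request_accepted reports whether a before.rules file still carries an active echo-request ACCEPT rule, and disable_echo_request comments out only the echo-request lines, leaving destination-unreachable, time-exceeded and parameter-problem active, because blocking destination-unreachable breaks path-MTU discovery for the server's own connections. The function names and the sample file are chosen for this example; GNU sed (the Debian and Ubuntu default) is assumed for sed -i.

```shell
#!/bin/sh
# Added example, not from the original article: check whether a before.rules
# file still accepts ICMP echo-request, and comment out only those lines.
# It assumes the stock Ubuntu /etc/ufw/before.rules layout quoted above; the
# sample written by write_sample is constructed for the demo, and GNU sed is
# assumed for "sed -i".
RULES="${RULES:-/etc/ufw/before.rules}"

# Succeed when an active (uncommented) rule in $1 accepts echo-request.
echo_request_accepted() {
    grep -Eq '^[[:space:]]*-A ufw-before-(input|forward) -p icmp --icmp-type echo-request -j ACCEPT' "$1"
}

# Count the active ICMP ACCEPT rules of any type in $1.
active_icmp_rules() {
    grep -Ec '^[[:space:]]*-A ufw-before-(input|forward) -p icmp --icmp-type [a-z-]+ -j ACCEPT' "$1"
}

# Comment out only the echo-request ACCEPT lines in $1. The other ICMP types
# (destination-unreachable, time-exceeded, parameter-problem) stay active:
# dropping destination-unreachable breaks path-MTU discovery for the server's
# own connections, a common side effect of the blanket edit.
disable_echo_request() {
    sed -i -E 's/^([[:space:]]*)(-A ufw-before-(input|forward) -p icmp --icmp-type echo-request -j ACCEPT)/\1#\2/' "$1"
}

# Constructed sample mirroring the ICMP section of before.rules.
write_sample() {
    cat > "$1" <<'EOF'
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

# Usage: sh icmp-check.sh --demo   -> run against a constructed copy
#        sh icmp-check.sh          -> report on $RULES if it is readable
if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp)"
    write_sample "$tmp"
    echo "before: $(active_icmp_rules "$tmp") active ICMP rules"
    disable_echo_request "$tmp"
    echo "after:  $(active_icmp_rules "$tmp") active ICMP rules"
    echo_request_accepted "$tmp" || echo "echo-request no longer accepted"
    rm -f "$tmp"
elif [ -r "$RULES" ]; then
    if echo_request_accepted "$RULES"; then
        echo "$RULES still accepts echo-request"
    else
        echo "$RULES does not accept echo-request"
    fi
fi
```

After changing the real file, ufw reload is still needed for the new rules to take effect, exactly as in step 4.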

More Information

To view the documentation for UFW, please visit https://help.ubuntu.com/community/UFW.
