Quick Reference

Updated on 10 Apr 2022

Enable and Disable

Enable UFW

To enable UFW. Before enabling it on a remote host, add an allow rule for SSH first (see below): UFW's default policy denies incoming connections, so enabling it over SSH without that rule locks you out of the machine.

sudo ufw enable

Disable UFW

To disable UFW.

sudo ufw disable

Status

Status (numbered)

To list the UFW rules in a numbered list. (You can use the numbers later to delete a rule. Deleting a rule renumbers the ones after it, so re-check the list between deletions, or delete from the highest number down.)

sudo ufw status numbered

Allow and Deny

Block an IP Address

sudo ufw deny from 10.0.2.11

In this example, from 10.0.2.11 specifies the IP address that will be blocked from accessing the server. UFW evaluates rules in order and stops at the first match, so a deny rule for a single address only takes effect if it is listed above any broader allow rule that would otherwise match the same traffic.

If you run sudo ufw status, you'll see the specified IP address listed as DENY IN from 10.0.2.11.

Block a subnet

Blocking a subnet is similar to blocking an individual IP address; the source is given in CIDR notation.

sudo ufw deny from 10.0.2.0/24

Allow SSH

SSH can be allowed either by port number or by service name (looked up in /etc/services).

sudo ufw allow 22

OR

sudo ufw allow ssh

Note the difference: allow 22 opens the port for both TCP and UDP, while allow ssh resolves the name via /etc/services, which maps ssh to 22/tcp, so that rule is limited to TCP. Running the status command shows the new rule.

sudo ufw status

Allow SSH from IP address

In this scenario we use the from and to options.

  • from -> the source IP address the connection comes from
  • to -> the destination address on the server, normally any (any address the server has)
sudo ufw allow from 10.0.2.5 to any port 22

If we run the status command, we'll see a rule allowing port 22 from 10.0.2.5. This rule does not by itself restrict SSH to that address: if the broader allow 22 rule from the previous step is still present and listed above it, UFW matches the broad rule first and every source is still allowed. To actually restrict access, delete the broad rule (using its number from sudo ufw status numbered) and keep only the source-specific one.
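The following script is an added example, not code from the original page, showing how to audit a ruleset for the ordering problem just described. It parses the output of sudo ufw status numbered (a constructed sample is embedded so it runs offline; nothing here touches the live firewall) and lists the rules that still allow a given port from Anywhere, highest number first, so that deleting them one by one does not renumber the ones you have not deleted yet. The function and variable names are this example's own.

```shell
#!/bin/sh
# Audit `sudo ufw status numbered` output for rules that ALLOW a port from
# Anywhere. UFW applies rules in order and stops at the first match, so a broad
# "22 ALLOW IN Anywhere" rule listed before "22 ALLOW IN 10.0.2.5" makes the
# narrower rule meaningless.

# Constructed sample of `sudo ufw status numbered` output (not captured from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22                         ALLOW IN    10.0.2.5
[ 3] 22/tcp                     ALLOW IN    10.0.2.5
[ 4] Anywhere                   DENY IN     10.0.2.11
[ 5] 22 (v6)                    ALLOW IN    Anywhere (v6)'

# broad_allow_rules PORT  (reads status output on stdin)
# Prints the numbers of rules that ALLOW PORT, PORT/tcp or PORT/udp from
# Anywhere (IPv4 or IPv6), highest number first: deleting a rule renumbers the
# ones after it, so delete from the bottom up.
broad_allow_rules() {
    awk -v port="$1" '
        match($0, /^\[ *[0-9]+\]/) {
            # "[ 1]" -> "1"
            n = substr($0, 2, RLENGTH - 2); gsub(/ /, "", n)
            rest = substr($0, RLENGTH + 1)
            sub(/^ +/, "", rest); sub(/ +$/, "", rest)
            # first column is the "To" value; "(v6)" may follow it
            to = rest; sub(/ .*/, "", to)
            if (rest ~ /ALLOW/ && rest ~ /Anywhere( [(]v6[)])?$/ &&
                (to == port || to == port "/tcp" || to == port "/udp"))
                print n
        }' | sort -rn
}

# delete_plan PORT: the ufw commands that would remove those rules, in safe order.
delete_plan() {
    broad_allow_rules "$1" | while read -r n; do
        printf 'sudo ufw delete %s\n' "$n"
    done
}

printf '%s\n' "$SAMPLE_STATUS" | delete_plan 22
```

On a real host, pipe sudo ufw status numbered into delete_plan 22 and review the printed commands before running them. If you would rather keep a broad rule but let a specific deny win over it, put the deny above it with sudo ufw insert 1 deny from ADDRESS, since first match wins.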

Allow SSH with TCP protocol from IP address

Here we use the proto keyword (short for protocol) to limit the rule to TCP, which is the only transport SSH uses.

sudo ufw allow from 10.0.2.5 to any proto tcp port 22

If we run the status command, we'll see the rule listed as 22/tcp from 10.0.2.5. This is a separate, narrower rule; it does not change the behaviour of any broader port 22 rule that is still listed above it.

Network Applications

Some applications rely on network communications and need their ports opened through the firewall. UFW ships application profiles (stored in /etc/ufw/applications.d) that map a name to the ports a package uses. To see the profiles registered with UFW, run the following command.

sudo ufw app list

On a host with Apache installed, notice that Apache is listed 3 times:

  • Apache -> port 80/tcp
  • Apache Full -> ports 80/tcp and 443/tcp
  • Apache Secure -> port 443/tcp

If we wanted to allow access to HTTPS, we could do it in one of three ways.

sudo ufw allow 443

OR (this also limits the rule to TCP, because /etc/services maps https to 443/tcp, whereas allow 443 opens both TCP and UDP)

sudo ufw allow https

OR (using the application name)

sudo ufw allow "Apache Secure"
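For a service that has no profile of its own, you can write one in the same format the packaged profiles use. The script below is an added example, not code from the original page: it validates a ports= specification the way a practitioner would before installing it (UFW accepts PORT or PORT/PROTO entries separated by "|", and a range LOW:HIGH only with a protocol), then writes a profile file. The profile directory is a variable so the example runs without root; the profile name, title and port are made up for illustration.

```shell
#!/bin/sh
# Write a custom UFW application profile and sanity-check its ports= line.
# Set APP_DIR=/etc/ufw/applications.d (as root) for real use; by default the
# example writes into a temporary directory so it can run unprivileged.
APP_DIR="${APP_DIR:-$(mktemp -d)}"

# valid_ports SPEC -> returns 0 if SPEC is an acceptable ufw ports= value.
# Entries are separated by "|"; each is PORT or PORT/PROTO; a range LOW:HIGH
# must carry a protocol (ufw rejects bare ranges).
valid_ports() {
    [ -n "$1" ] || return 1
    printf '%s' "$1" | tr '|' '\n' | awk '
        /^[0-9]+(\/(tcp|udp))?$/      { next }   # single port, optional proto
        /^[0-9]+:[0-9]+\/(tcp|udp)$/  { next }   # port range, proto required
        { bad = 1 }                              # anything else is rejected
        END { exit bad }'
}

# write_profile NAME TITLE DESCRIPTION PORTS
# Refuses to write a profile whose ports= value ufw would not accept.
write_profile() {
    name="$1" title="$2" desc="$3" ports="$4"
    valid_ports "$ports" || { echo "bad ports spec: $ports" >&2; return 1; }
    mkdir -p "$APP_DIR"
    cat > "$APP_DIR/$name" <<EOF
[$name]
title=$title
description=$desc
ports=$ports
EOF
}

# Hypothetical service listening on 8443/tcp (not a real package profile).
write_profile 'Example App' 'Example App' 'Example HTTPS service on 8443' '8443/tcp' &&
    cat "$APP_DIR/Example App"
```

After copying a profile into /etc/ufw/applications.d, run sudo ufw app update "Example App" so UFW reloads it, sudo ufw app info "Example App" to confirm which ports it opens, and then sudo ufw allow "Example App" exactly as with the Apache profiles above.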