
How to Use UFW Firewall on Linux

What is UFW Firewall
ufw stands for Uncomplicated Firewall. It’s a simple and user-friendly command-line tool used to manage firewall rules on Linux systems, especially Ubuntu and Debian-based distributions. This guide details the procedures for installing, configuring, and effectively managing UFW in a production or enterprise setting.
ufw is installed by default on most Ubuntu versions, especially on server editions. However, it is not enabled by default — you need to manually enable

Prerequisites

  • A Linux server (Ubuntu/Debian-based)
  • Root or sudo access
  • SSH access already configured (if managing remotely)

Step 1

First, check whether ufw is installed on your Ubuntu or Debian-based Linux distribution with the command below:

which ufw

If it is not installed, install ufw with the following command:

sudo apt install ufw -y

Step 2

Check the status of UFW

sudo ufw status 

Step 3

Default Firewall Policies
Note: It is recommended to define default policies before enabling UFW:

Block all incoming traffic:
sudo ufw default deny incoming

Allow all outgoing traffic:
sudo ufw default allow outgoing

This configuration blocks all incoming connections and allows all outgoing traffic.

Step 4

Allow essential services such as SSH, or specify a port (e.g., a custom SSH port):
Note: If your SSH service uses a custom port (example: 2222), allow it before enabling UFW.

To allow SSH:
sudo ufw allow ssh

To allow a custom port for SSH:
sudo ufw allow 2222/tcp

Allow HTTP and HTTPS:

sudo ufw allow 80/tcp 
sudo ufw allow 443/tcp

Allow Specific Ports or Applications in UFW

Allow MySQL port:
sudo ufw allow 3306/tcp

Allow traffic from a specific IP:
sudo ufw allow from 192.168.xx.xx

Step 5

Enable UFW after setting the rules:

Before running sudo ufw enable, confirm that SSH access is already allowed.

Check your current rules:

sudo ufw status

Make sure you can see a rule allowing:

  • OpenSSH
  • 22/tcp
  • or your custom SSH port (for example, 2222/tcp)

Important: If SSH is not allowed before enabling UFW, you may lock yourself out of your server.
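
While UFW is inactive, sudo ufw status prints only "Status: inactive", so the rules added so far are listed with sudo ufw show added instead. The script below is an added example, not part of the original article: it reads that listing on stdin and reports whether the SSH port is open to any source, reachable only from specific sources, or missing, and it also checks the IPV6 setting from /etc/default/ufw. The function names, the sample listing and the address 192.0.2.10 are constructed for illustration, and the "ufw allow ..." line format is assumed to match what ufw show added prints.

```shell
#!/bin/sh
# Added example: checks to run before "ufw enable" (hypothetical helper names).
# ssh_rule_state PORT   reads "ufw show added" text on stdin
# Prints one of: open | restricted | missing  ("limit" counts as a rate-limited allow)
ssh_rule_state() {
    awk -v port="$1" '
        $1 != "ufw" || ($2 != "allow" && $2 != "limit") { next }
        {
            src = ""; p = ""; proto = ""
            for (i = 3; i < NF; i++) {
                if ($i == "from")  src = $(i + 1)
                if ($i == "port")  p = $(i + 1)
                if ($i == "proto") proto = $(i + 1)
            }
            if (proto == "udp") next            # SSH is TCP only
            if (src == "") {                    # simple form: 22/tcp, 22, OpenSSH
                if ($3 == (port "/tcp") || $3 == port || ($3 == "OpenSSH" && port == 22)) open = 1
            } else if (src == "any") {
                if (p == port) open = 1
            } else if (p == "" || p == port) restricted = 1   # only from one source
        }
        END { print (open ? "open" : (restricted ? "restricted" : "missing")) }
    '
}

# ipv6_managed: reads /etc/default/ufw text on stdin; succeeds when IPV6=yes.
ipv6_managed() {
    grep -Eq '^IPV6=yes'
}

# Constructed sample of "ufw show added" output (not taken from a real host).
sample_rules() {
cat <<'EOF'
Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 3306/tcp
ufw allow from 192.0.2.10
ufw allow 2222/tcp
EOF
}

# Live use: sudo ufw show added | ssh_rule_state 2222
#           ipv6_managed < /etc/default/ufw && echo "IPv6 rules managed"
echo "port 2222: $(sample_rules | ssh_rule_state 2222)"
echo "port 22:   $(sample_rules | ssh_rule_state 22)"
```

A result of restricted or missing for the port sshd actually listens on means that enabling UFW can cut off a session coming from any other address.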

To activate the UFW firewall and start enforcing all the rules you have configured:

sudo ufw enable

Display detailed information about the current UFW (Uncomplicated Firewall) configuration:

sudo ufw status verbose

Enable UFW Logging

To enable logging for troubleshooting and monitoring:

sudo ufw logging on

Verify IPv6 Support

If your server has IPv6 enabled, make sure UFW is configured to manage IPv6 traffic.

Check the UFW configuration file:

sudo grep IPV6 /etc/default/ufw

If IPv6 is disabled in UFW, services may still remain reachable over IPv6 even if IPv4 access is restricted.

CloudPe Firewall vs UFW – Use Both for Better Security

CloudPe Security Groups work at the network level, while UFW works inside the server at the operating system level.

  • CloudPe Security Groups control whether traffic can reach the VM.
  • UFW controls whether traffic is allowed or denied inside the VM.

How they work together

  • If a port is blocked in CloudPe Security Groups, traffic will not reach the VM, even if UFW allows it.
  • If a port is allowed in CloudPe Security Groups, UFW can still block it inside the VM.

Best practice

Use both for layered security:

  • CloudPe Security Groups as the first layer
  • UFW as the second layer inside the server

List Rules with Numbers

To view UFW rules with line numbers for easier management, use:

sudo ufw status numbered

This is useful when you need to remove a specific rule.

Remove a Specific Rule

First, list the rules with numbers:

sudo ufw status numbered

Then remove the rule using its number:

sudo ufw delete <rule_number>

Example:

sudo ufw delete 3

