
UFW Essentials: Common Firewall Rules and Commands

Updated on October 24, 2024

Introduction

UFW (uncomplicated firewall) is a firewall configuration tool that runs on top of iptables, included by default within Ubuntu distributions. It provides a streamlined interface for configuring common firewall use cases via the command line.

This cheat sheet-style guide provides a quick reference to common UFW use cases and commands, including examples of how to allow and block services by port, network interface, and source IP address.

How To Use This Guide

  • This guide is in cheat sheet format with self-contained command-line snippets.
  • Jump to any section that is relevant to the task you are trying to complete.
  • The example addresses in this guide’s commands (203.0.113.x, taken from a reserved documentation range) stand in for IP addresses and subnets from your own network; replace them accordingly.

Remember that you can check your current UFW ruleset with sudo ufw status or sudo ufw status verbose.


Verify UFW Status

To check if ufw is enabled, run:

sudo ufw status
Output
Status: inactive

The output will indicate if your firewall is active or not.

Enable UFW

If you got a Status: inactive message when running ufw status, it means the firewall is not yet enabled on the system. You’ll need to run a command to enable it.

By default, once enabled, UFW denies all incoming connections and allows all outgoing ones. In practice, that means if you are connected to a server via SSH and enable ufw before allowing the SSH port, you will be locked out (ufw enable warns about this before proceeding). Make sure you follow the section on how to allow SSH access in this guide before enabling the firewall if that is your case.

To enable UFW on your system, run:

sudo ufw enable

You’ll see output like this:

Output
Firewall is active and enabled on system startup

To see the default policies together with what is currently blocked or allowed, add the verbose parameter when running ufw status, as follows:

sudo ufw status verbose
Output
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

Disable UFW

If for some reason you need to disable UFW, you can do so with the following command:

sudo ufw disable

Be aware that this command fully disables the firewall on your system: no filtering is applied until you run sudo ufw enable again. Your rules are kept in UFW’s configuration and are restored when you re-enable it.

Block an IP Address

To block incoming connections that originate from a specific IP address, run the following command, replacing the example address with the one you want to block:

sudo ufw deny from 203.0.113.100
Output
Rule added

In this example, from 203.0.113.100 specifies a source IP address of 203.0.113.100. No direction is given, so the rule applies to incoming traffic (in is the default direction for UFW rules).

If you run sudo ufw status now, you’ll see the specified IP address listed as denied:

Output
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   DENY        203.0.113.100

Incoming connections from the specified address are now blocked on every port. Outgoing connections from your server to that address are not affected; they still follow the default outgoing policy, which is allow. Keep in mind that UFW evaluates rules in order and applies the first one that matches: if an allow rule open to Anywhere (for example for port 22 or 80) already sits above this deny rule, traffic from the blocked address to that port is still accepted. To make a block take precedence over existing allow rules, add it at the top of the list with sudo ufw insert 1 deny from 203.0.113.100 instead.

Block a Subnet

If you need to block a full subnet, pass the subnet in CIDR notation as the from parameter of ufw deny. This blocks incoming connections from every address in the example subnet 203.0.113.0/24:

sudo ufw deny from 203.0.113.0/24
Output
Rule added

Block Incoming Connections to a Network Interface

To block incoming connections from a specific IP address to a specific network interface, run the following command, replacing the highlighted IP address with the IP address you want to block:

sudo ufw deny in on eth0 from 203.0.113.100
Output
Rule added

The in parameter tells ufw to apply the rule only for incoming connections, and the on eth0 parameter specifies that the rule applies only for the eth0 interface. This might be useful if you have a system with several network interfaces (including virtual ones) and you need to block external access to some of these interfaces, but not all.

Allow an IP Address

To allow all incoming connections that originate from a specific IP address, on every port, run the following command, replacing the example address with the one you want to allow:

sudo ufw allow from 203.0.113.101
Output
Rule added

If you run sudo ufw status now, you’ll see output similar to this, showing the word ALLOW next to the IP address you just added.

Output
Status: active

To                         Action      From
--                         ------      ----
...
Anywhere                   ALLOW       203.0.113.101

You can also allow connections from a whole subnet by providing a network in CIDR notation instead of a single host, such as 203.0.113.0/24. Because such a rule opens every port to the source, prefer limiting it to the ports a host actually needs (see the SSH, MySQL and PostgreSQL sections below) unless the source is fully trusted.

Allow Incoming Connections to a Network Interface

To allow incoming connections from a specific IP address to a specific network interface, run the following command, replacing the highlighted IP address with the IP address you want to allow:

sudo ufw allow in on eth0 from 203.0.113.102
Output
Rule added

The in parameter tells ufw to apply the rule only for incoming connections, and the on eth0 parameter specifies that the rule applies only for the eth0 interface.

If you run sudo ufw status now, you’ll see output similar to this:

Output
Status: active

To                         Action      From
--                         ------      ----
...
Anywhere on eth0           ALLOW       203.0.113.102

Delete UFW Rule

To delete a rule that you previously set up within UFW, use ufw delete followed by the rule (allow or deny) and the target specification. The following example would delete a rule previously set to allow all connections from an IP address of 203.0.113.101:

sudo ufw delete allow from 203.0.113.101
Output
Rule deleted

Another way to specify which rule you want to delete is by its rule number. You can obtain the numbers with the following command:

sudo ufw status numbered
Output
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     203.0.113.100
[ 2] Anywhere on eth0           ALLOW IN    203.0.113.102

From the output, you can see that there are two active rules. The first rule denies all incoming connections from the IP address 203.0.113.100. The second rule allows connections on the eth0 interface coming in from the IP address 203.0.113.102.

In this particular ruleset the first rule is redundant: UFW already blocks all incoming traffic that no rule explicitly allows, and nothing here allows traffic from 203.0.113.100. (It would not be redundant in a ruleset with allow rules open to Anywhere, where an explicit deny placed above them is what keeps the address out.) To delete a rule by its number, run:

sudo ufw delete 1

You will be prompted to confirm the operation and to make sure the ID you’re providing refers to the correct rule you want to delete.

Output
Deleting:
 deny from 203.0.113.100
Proceed with operation (y|n)? y
Rule deleted

If you list your rules again with sudo ufw status, you’ll see that the rule was removed. Note that the remaining rules are renumbered after a deletion, so always run sudo ufw status numbered again before deleting another rule by number.
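Because UFW applies the first rule that matches a packet, a deny rule that was added after allow rules open to Anywhere is never reached for the ports those rules cover. The following Python script is an added example, not part of the original tutorial or of UFW itself: it parses a saved copy of sudo ufw status numbered output (the listing embedded in it is constructed, using documentation IP ranges, in the layout ufw prints), reports every DENY or REJECT rule that an earlier ALLOW or LIMIT rule shadows, and prints the ufw insert 1 command that moves the block to the top. The shadowing heuristic (same direction and address family, source covered, destination Anywhere or the same port) is the example's own.

```python
"""Find DENY rules in `ufw status numbered` output that an earlier ALLOW shadows.

UFW applies the first rule that matches a packet, so `deny from <ip>` placed
below `allow <port>` rules that are open to Anywhere never sees traffic to
those ports. Added example, not part of ufw: parse the listing, report the
shadowed rules and print the `ufw insert 1` command that fixes the order.
"""
import ipaddress
import re
import sys
from dataclasses import dataclass

# One rule line, e.g. "[ 4] Anywhere                   DENY IN     203.0.113.100"
RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>.+?)\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?P<direction>IN|OUT|FWD))?"
    r"\s+(?P<frm>.+?)\s*$"
)

# Constructed sample (documentation IP ranges) in the layout ufw prints;
# the deny rules were added after the allows and therefore sit below them.
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp (OpenSSH)           ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] Anywhere                   DENY IN     203.0.113.100
[ 5] Anywhere                   DENY IN     203.0.113.0/24
[ 6] 22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)
[ 7] 80 (v6)                    ALLOW IN    Anywhere (v6)
[ 8] 443 (v6)                   ALLOW IN    Anywhere (v6)
"""


@dataclass
class Rule:
    num: int
    to: str         # destination column, "(v6)" and app name stripped
    action: str     # ALLOW, DENY, REJECT or LIMIT
    direction: str  # IN, OUT or FWD (ufw shows IN for rules added without one)
    frm: str        # source column, e.g. "Anywhere" or "203.0.113.0/24"
    v6: bool        # the IPv6 twin ufw adds for port rules


def parse_status(text: str) -> list[Rule]:
    """Parse `ufw status numbered` output; header and status lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        to, frm = m["to"], m["frm"]
        v6 = "(v6)" in to or "(v6)" in frm
        to = re.sub(r"\s*\([^()]*\)$", "", to.replace(" (v6)", ""))
        rules.append(Rule(int(m["num"]), to, m["action"], m["direction"] or "IN",
                          frm.replace(" (v6)", ""), v6))
    return rules


def source_covers(broad: str, narrow: str) -> bool:
    """True if every address matched by `narrow` is also matched by `broad`."""
    if broad == "Anywhere":
        return True
    if narrow == "Anywhere":
        return False
    try:
        b = ipaddress.ip_network(broad, strict=False)
        n = ipaddress.ip_network(narrow, strict=False)
    except ValueError:  # not an address (e.g. "Anywhere on eth0")
        return False
    return b.version == n.version and n.subnet_of(b)


def find_shadowed(rules: list[Rule]) -> list[tuple[int, list[int]]]:
    """(deny rule number, [earlier allow/limit rule numbers that shadow it])."""
    findings = []
    for i, deny in enumerate(rules):
        if deny.action not in ("DENY", "REJECT"):
            continue
        shadows = [a.num for a in rules[:i]
                   if a.action in ("ALLOW", "LIMIT") and a.v6 == deny.v6
                   and a.direction == deny.direction
                   and source_covers(a.frm, deny.frm)
                   # destinations overlap if either is Anywhere or both are the same port
                   and (a.to.startswith("Anywhere") or deny.to.startswith("Anywhere")
                        or a.to == deny.to)]
        if shadows:
            findings.append((deny.num, shadows))
    return findings


def suggest_fix(rule: Rule) -> str:
    """Command that re-adds `rule` at position 1 so it is evaluated first."""
    verb = rule.action.lower()
    if rule.to.startswith("Anywhere"):
        return f"sudo ufw insert 1 {verb} from {rule.frm}"
    port, _, proto = rule.to.partition("/")
    proto_part = f" proto {proto}" if proto else ""
    return f"sudo ufw insert 1 {verb}{proto_part} from {rule.frm} to any port {port}"


if __name__ == "__main__":
    # Usage: sudo ufw status numbered | python3 ufw_shadow_audit.py
    rules = parse_status(SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read())
    for deny_num, shadows in find_shadowed(rules):
        rule = next(r for r in rules if r.num == deny_num)
        print(f"rule {deny_num} ({rule.action} from {rule.frm}) is shadowed by "
              f"{shadows}; fix: {suggest_fix(rule)}")
```

Run without input to see the constructed sample analysed, or pipe the real listing in with sudo ufw status numbered | python3 ufw_shadow_audit.py. On the sample, rules 4 and 5 are each reported as shadowed by rules 1 to 3, and after applying the suggested insert commands (and deleting the old copies) a second run reports nothing.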

List Available Application Profiles

Upon installation, packages that provide network services will typically ship a UFW application profile that you can use to allow connections from external addresses. Allowing a profile is equivalent to running ufw allow with the port numbers and protocol the service uses, with the advantage of a shortcut that hides those details behind a user-friendly service name. The profiles live in /etc/ufw/applications.d, and sudo ufw app info followed by a profile name shows which ports one covers.

To list which profiles are currently available, run the following:

sudo ufw app list

If you installed a service such as a web server or other network-dependent software and no profile shows up in UFW, first make sure the package was installed through the distribution’s package manager, since that is what places the profile file under /etc/ufw/applications.d; software installed from source does not register one. For remote servers, you’ll typically have OpenSSH readily available:

Output
Available applications:
  OpenSSH

Enable Application Profile

To enable a UFW application profile, run ufw allow followed by the name of the application profile you want to enable, which you can obtain with a sudo ufw app list command. In the following example, we’re enabling the OpenSSH profile, which will allow all incoming SSH connections on the default SSH port.

sudo ufw allow "OpenSSH"
Output
Rule added
Rule added (v6)

Remember to quote profile names that consist of multiple words, such as Nginx HTTPS.
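To make concrete what a profile abstracts, the following Python script is an added example, not code from the tutorial or from UFW. Profiles are INI-style files under /etc/ufw/applications.d whose ports= line lists comma-separated ports followed by /proto, with groups of different protocols joined by a vertical bar (the same line sudo ufw app info "Nginx Full" prints). The script parses such files, expands each profile into its port entries, answers which profiles would open a given port, and prints the plain ufw allow command each profile stands for. The profile texts embedded in it are constructed to mirror the shipped format; the Example Range profile is hypothetical and only shows the range syntax.

```python
"""Expand UFW application profiles into the ports they open.

Application profiles are INI-style files under /etc/ufw/applications.d,
shipped by packages such as openssh-server or nginx. The `ports=` line
lists ports, comma-separated, followed by `/proto`; groups with different
protocols are joined with `|`. `ufw allow "<Profile>"` is shorthand for
allowing every entry in that line. Added example, not code from ufw.
"""
import configparser
from dataclasses import dataclass

# Constructed sample mirroring the format of the shipped profiles. The
# "Example Range" profile is hypothetical and only shows the range syntax.
SAMPLE_PROFILES = """\
[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp

[Nginx Full]
title=Web Server (Nginx, HTTP + HTTPS)
description=Small, but very powerful and efficient web server
ports=80,443/tcp

[Nginx HTTPS]
title=Web Server (Nginx, HTTPS)
description=Small, but very powerful and efficient web server
ports=443/tcp

[Samba]
title=LanManager-like file and printer server for Unix
description=SMB/CIFS file and print services
ports=137,138/udp|139,445/tcp

[Example Range]
title=Hypothetical service (not a real profile)
description=Shows how a port range is written
ports=5000:5010/tcp
"""


@dataclass(frozen=True)
class PortEntry:
    spec: str   # a single port "22" or a range "5000:5010"
    proto: str  # "tcp" or "udp"

    def matches(self, port: int) -> bool:
        if ":" in self.spec:
            lo, hi = (int(x) for x in self.spec.split(":"))
            return lo <= port <= hi
        return int(self.spec) == port


def parse_ports(spec: str) -> frozenset[PortEntry]:
    """'137,138/udp|139,445/tcp' -> {137/udp, 138/udp, 139/tcp, 445/tcp}."""
    entries = set()
    for group in spec.split("|"):
        ports, _, proto = group.partition("/")
        if not proto:
            raise ValueError(f"profile port group lacks a protocol: {group!r}")
        for p in ports.split(","):
            entries.add(PortEntry(p.strip(), proto.strip().lower()))
    return frozenset(entries)


def load_profiles(text: str) -> dict[str, frozenset[PortEntry]]:
    """Map profile name -> port entries for every [section] in `text`."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: parse_ports(cp[name]["ports"]) for name in cp.sections()}


def profiles_exposing(profiles, port: int, proto: str) -> list[str]:
    """Names of the profiles that would open port/proto if allowed, sorted."""
    return sorted(name for name, entries in profiles.items()
                  if any(e.proto == proto and e.matches(port) for e in entries))


def as_ufw_commands(entries) -> list[str]:
    """The plain `ufw allow` commands a profile stands for, one per protocol."""
    by_proto: dict[str, list[str]] = {}
    for e in entries:
        by_proto.setdefault(e.proto, []).append(e.spec)
    cmds = []
    for proto, specs in sorted(by_proto.items()):
        specs = sorted(specs, key=lambda s: int(s.split(":")[0]))
        cmds.append(f"sudo ufw allow {','.join(specs)}/{proto}")
    return cmds


if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_PROFILES)
    for name, entries in profiles.items():
        print(f"{name}: {' && '.join(as_ufw_commands(entries))}")
    print("profiles opening 443/tcp:", profiles_exposing(profiles, 443, "tcp"))
```

To run it against the profiles actually installed on a host, read the files in /etc/ufw/applications.d and pass their concatenated text to load_profiles. The profiles_exposing check is the quick way to answer "which of the enabled profiles is what opens this port" when a status listing shows more than one.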

Disable Application Profile

To disable an application profile that you had previously set up within UFW, you’ll need to remove its corresponding rule. For example, consider the following output from sudo ufw status:

sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

This output indicates that the Nginx Full application profile is currently enabled, allowing any connection to the web server via both HTTP (port 80) and HTTPS (port 443). If you want to accept only HTTPS requests to your web server, first enable the more restrictive profile, in this case Nginx HTTPS, and then remove the currently active Nginx Full rule, so that HTTPS access is never interrupted:

sudo ufw allow "Nginx HTTPS"
sudo ufw delete allow "Nginx Full"

Remember you can list all available application profiles with sudo ufw app list.

Allow SSH

When working with remote servers, you’ll want to make sure that the SSH port is open to connections so that you are able to log in to your server remotely.

The following command will enable the OpenSSH UFW application profile and allow all connections to the default SSH port on the server:

sudo ufw allow OpenSSH
Output
Rule added
Rule added (v6)

Although less user-friendly, an alternative syntax is to specify the exact port number of the SSH service, which is typically set to 22 by default:

sudo ufw allow 22
Output
Rule added
Rule added (v6)

Note that a bare port number opens that port for both TCP and UDP. SSH uses only TCP, so 22/tcp is the tighter equivalent, and the OpenSSH profile already restricts itself to TCP. If you moved sshd to a different port in sshd_config, allow that port instead: the OpenSSH profile only covers port 22.

Allow Incoming SSH from Specific IP Address or Subnet

To allow incoming connections from a specific IP address or subnet, include a from directive that defines the source of the connection. With this extended syntax you also spell out the destination with to any (any address on this server) and the destination port with port 22, SSH’s default port; proto tcp limits the rule to TCP so that only SSH traffic is matched.

The following command will allow only SSH connections coming from the IP address 203.0.113.103:

sudo ufw allow from 203.0.113.103 proto tcp to any port 22
Output
Rule added

You can also use a subnet address as from parameter to allow incoming SSH connections from an entire network:

sudo ufw allow from 203.0.113.0/24 proto tcp to any port 22
Output
Rule added

Allow Incoming Rsync from Specific IP Address or Subnet

The rsync daemon (rsyncd), which listens on TCP port 873, can be used to transfer files from one computer to another. Note that rsync run over SSH does not use this port; it goes through the SSH port allowed above.

To allow incoming rsync connections from a specific IP address or subnet, use the from parameter to specify the source and the port parameter to set the destination port 873. The following command will allow only rsync connections coming from the IP address 203.0.113.103:

sudo ufw allow from 203.0.113.103 to any port 873
Output
Rule added

To allow the entire 203.0.113.0/24 subnet to be able to rsync to your server, run:

sudo ufw allow from 203.0.113.0/24 to any port 873
Output
Rule added

Allow Nginx HTTP / HTTPS

Upon installation, the Nginx web server sets up a few different UFW profiles within the server. Once you have Nginx installed and enabled as a service, run the following command to identify which profiles are available:

sudo ufw app list | grep Nginx
Output
  Nginx Full
  Nginx HTTP
  Nginx HTTPS

To enable both HTTP and HTTPS traffic, choose Nginx Full. Otherwise, choose either Nginx HTTP to allow only HTTP or Nginx HTTPS to allow only HTTPS.

The following command will allow both HTTP and HTTPS traffic on the server (ports 80 and 443):

sudo ufw allow "Nginx Full"
Output
Rule added
Rule added (v6)

Allow Apache HTTP / HTTPS

Upon installation, the Apache web server sets up a few different UFW profiles within the server. Once you have Apache installed and enabled as a service, run the following command to identify which profiles are available:

sudo ufw app list | grep Apache
Output
  Apache
  Apache Full
  Apache Secure

To enable both HTTP and HTTPS traffic, choose Apache Full. Otherwise, choose either Apache for HTTP or Apache Secure for HTTPS.

The following command will allow both HTTP and HTTPS traffic on the server (ports 80 and 443):

sudo ufw allow "Apache Full"
Output
Rule added
Rule added (v6)

Allow All Incoming HTTP (port 80)

Web servers, such as Apache and Nginx, typically listen for HTTP requests on port 80. If your default policy for incoming traffic is set to drop or deny, you’ll need to create a UFW rule to allow external access on port 80. You can use either the port number or the service name (http) as a parameter to this command.

To allow all incoming HTTP (port 80) connections, run:

sudo ufw allow http
Output
Rule added
Rule added (v6)

An alternative syntax is to specify the port number of the HTTP service:

sudo ufw allow 80
Output
Rule added
Rule added (v6)

Allow All Incoming HTTPS (port 443)

HTTPS typically runs on port 443. If your default policy for incoming traffic is set to drop or deny, you’ll need to create a UFW rule to allow external access on port 443. You can use either the port number or the service name (https) as a parameter to this command.

To allow all incoming HTTPS (port 443) connections, run:

sudo ufw allow https
Output
Rule added
Rule added (v6)

An alternative syntax is to specify the port number of the HTTPS service:

sudo ufw allow 443
Output
Rule added
Rule added (v6)

Allow All Incoming HTTP and HTTPS

If you want to allow both HTTP and HTTPS traffic, you can create a single rule that allows both ports. This usage requires that you also define the protocol with the proto parameter, which in this case should be set to tcp.

To allow all incoming HTTP and HTTPS (ports 80 and 443) connections, run:

sudo ufw allow proto tcp from any to any port 80,443
Output
Rule added
Rule added (v6)

Allow MySQL Connection from Specific IP Address or Subnet

MySQL listens for client connections on TCP port 3306. If your MySQL database server is used by a client on a remote server, you’ll need to create a UFW rule to allow that access. Restrict the rule to the client’s address or subnet as shown below rather than opening the port to Anywhere: a database port reachable from the whole internet invites brute-force and exploitation attempts.

To allow incoming MySQL connections from a specific IP address or subnet, use the from parameter to specify the source IP address and the port parameter to set the destination port 3306.

The following command will allow the IP address 203.0.113.103 to connect to the server’s MySQL port:

sudo ufw allow from 203.0.113.103 to any port 3306
Output
Rule added

To allow the entire 203.0.113.0/24 subnet to be able to connect to your MySQL server, run:

sudo ufw allow from 203.0.113.0/24 to any port 3306
Output
Rule added

Allow PostgreSQL Connection from Specific IP Address or Subnet

PostgreSQL listens for client connections on TCP port 5432. If your PostgreSQL database server is used by a client on a remote server, you need to allow that traffic, again restricted to the client’s address or subnet rather than to Anywhere.

To allow incoming PostgreSQL connections from a specific IP address or subnet, specify the source with the from parameter, and set the port to 5432:

sudo ufw allow from 203.0.113.103 to any port 5432
Output
Rule added

To allow the entire 203.0.113.0/24 subnet to be able to connect to your PostgreSQL server, run:

sudo ufw allow from 203.0.113.0/24 to any port 5432
Output
Rule added

Block Outgoing SMTP Mail

Mail servers, such as Sendmail and Postfix, typically use port 25 for SMTP traffic. If your server shouldn’t be sending outgoing mail, you may want to block that kind of traffic. To block outgoing SMTP connections, run:

sudo ufw deny out 25
Output
Rule added
Rule added (v6)

This configures your firewall to silently drop all outgoing traffic on port 25 (use reject instead of deny if you prefer the sending process to get an immediate error rather than a timeout). It affects only the SMTP relay port; authenticated mail submission on ports 465 and 587 is still allowed by the default outgoing policy. If you need to block outgoing connections on a different port number, you can repeat this command and replace 25 with the port you want to block.

Conclusion

UFW is a powerful tool that can greatly improve the security of your servers when properly configured. This reference guide covers some common UFW rules that are often used to configure a firewall on Ubuntu.

Most of the commands in this guide can be adapted to fit different use cases and scenarios, by changing parameters such as the source IP address and/or destination port. For more detailed information about each command parameter and available modifiers, you can use the man utility to check UFW’s manual:

man ufw

The official UFW page on Ubuntu’s documentation is another resource you can use as reference for more advanced use cases and examples.


About the authors


Developer Advocate

Dev/Ops passionate about open source, PHP, and Linux.


10 Comments
sudo ufw deny in on eth0 from 15.15.15.51

Cool! But how to do it in CentOS?

I found this

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="15.15.0.0/17" port port=22 protocol="tcp" drop'
alexdo (Site Moderator), October 30, 2024

This should work just fine!

alexdo (Site Moderator), October 30, 2024

You can use firewalld :

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="15.15.15.51" reject'

or iptables:

sudo iptables -A INPUT -s 15.15.15.51 -j DROP

Regards

Should the following command block web traffic as well? Meaning, prevent anyone accessing from this IP address from accessing any websites on the server?

sudo ufw deny from 15.15.15.51
Mitchell Anicas (DigitalOcean Employee), January 29, 2016

Yes. That blocks all the network communication from that IP address. Web traffic is usually served on port 80 (HTTP) or 443 (HTTPS), if you want just block those ports specifically…

Do I need to restart ufw after putting a rule in place? It doesn’t seem like the rules I am adding are working. I just blocked my own IP address to test and I can still get on the site.

Mitchell Anicas (DigitalOcean Employee), February 1, 2016

No, you just have to make sure they’re in the correct order.

These are my rules. Maybe 8, 9 and 10 are overriding 4, 5, 6 and 7?

[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] Anywhere                   DENY IN     185.130.5.209
[ 5] Anywhere                   DENY IN     185.109.161.89
[ 6] Anywhere                   DENY IN     89.46.100.200
[ 7] Anywhere                   DENY IN     76.124.222.11
[ 8] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 9] 80 (v6)                    ALLOW IN    Anywhere (v6)
[10] 443 (v6)                   ALLOW IN    Anywhere (v6)
Mitchell Anicas (DigitalOcean Employee), February 1, 2016

The first rule that matches a given packet will be applied to it. So you need to move the first 3 rules to after the deny rules.

How do I do that? When I added the deny rules, they just appeared right there automatically.

Mitchell Anicas (DigitalOcean Employee), February 1, 2016

Show rules with numbers:

sudo ufw status numbered

You can use this command to delete a rule:

sudo ufw delete rule_number

And this command to insert a rule in a particular place (1 for top of list):

sudo ufw insert 1 your_rule

“If your server shouldn’t be sending outgoing mail, you may want to block that kind of traffic. To block outgoing SMTP mail, which uses port 25, run this command:”

    sudo ufw deny 25

This actually will block incoming SMTP traffic, not outgoing! Please fix this. The correct command is

 sudo ufw deny out 25
alexdo (Site Moderator), October 30, 2024

Heya,

Yes, that is correct. When it comes to port 25 it will be closed for any account and generally SMTP should be disabled by default as well.

Regards

I’m wondering if you can tell me what the following UFW log entries mean? (I replaced my server IP with xxx.xxx.xxx.xxx):

Feb  3 14:40:48 www kernel: [149871.434419] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:4b:83:f5:01:84:b5:9c:f9:18:30:08:00 SRC=205.204.2.28 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=33554 PROTO=TCP SPT=1702 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0 
Feb  3 14:41:08 www kernel: [149891.197907] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:4b:83:f5:01:84:b5:9c:f9:18:30:08:00 SRC=149.101.37.2 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=23953 PROTO=TCP SPT=44916 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0 
Feb  3 14:41:28 www kernel: [149911.255322] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:4b:83:f5:01:84:b5:9c:f9:18:30:08:00 SRC=198.103.184.76 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=20968 PROTO=TCP SPT=29630 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0

I have my UFW rules setup as follows:

To                         Action      From
--                         ------      ----
Anywhere                   DENY        89.248.171.5
22                         ALLOW       Anywhere
443                        ALLOW       Anywhere
80                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
Mitchell Anicas (DigitalOcean Employee), February 3, 2016

I’ve read that those kinds of log entries have to do with handling connection termination between the server and the client. Should be safe to ignore.
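The ACK FIN entries quoted in the question above are the pattern described in the reply: segments of a connection the server has already closed, arriving after the firewall's connection-tracking entry is gone. The Python script below is an added example, not part of the tutorial or of this comment thread. It parses [UFW BLOCK] lines in the kernel log format (the lines embedded in it are constructed, using documentation IP ranges and a fake MAC) and separates fresh connection attempts (TCP SYN without ACK) from such stray teardown packets and from non-TCP drops, so the log can be triaged by source and destination port. The three category names and the grouping are the example's own choices.

```python
"""Triage [UFW BLOCK] lines from the kernel log (/var/log/ufw.log or syslog).

With logging on, UFW records each dropped packet as KEY=VALUE fields
followed by the TCP flags that were set. A SYN without ACK is a fresh
connection attempt that reached a port with no allow rule (or came from a
denied source); ACK/FIN/RST without SYN are usually late segments of a
connection the server already considers closed. This added example sorts
the lines into those buckets so a reviewer sees who probes which ports.
"""
import re
from collections import Counter

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")               # IN=eth0 SRC=... DPT=80
TCP_FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")

# Constructed log lines: documentation address ranges and a fake MAC field.
MAC = "MAC=02:00:00:aa:bb:cc:02:00:00:dd:ee:ff:08:00"
SAMPLE_LOG = f"""\
Feb  3 14:40:48 www kernel: [149871.434419] [UFW BLOCK] IN=eth0 OUT= {MAC} SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=33554 PROTO=TCP SPT=1702 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Feb  3 14:41:02 www kernel: [149885.113000] [UFW BLOCK] IN=eth0 OUT= {MAC} SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Feb  3 14:41:03 www kernel: [149886.118000] [UFW BLOCK] IN=eth0 OUT= {MAC} SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51003 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Feb  3 14:41:04 www kernel: [149887.120000] [UFW BLOCK] IN=eth0 OUT= {MAC} SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=51004 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Feb  3 14:41:10 www kernel: [149893.000000] [UFW BLOCK] IN=eth0 OUT= {MAC} SRC=203.0.113.44 DST=198.51.100.10 LEN=58 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=UDP SPT=40000 DPT=53 LEN=38
Feb  3 14:41:11 www kernel: [149894.000000] [UFW BLOCK] IN=eth0 OUT= {MAC} SRC=203.0.113.88 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Feb  3 14:41:12 www kernel: [149895.000000] [UFW BLOCK] IN=eth0 OUT= {MAC} SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=33555 PROTO=TCP SPT=1702 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Feb  3 14:41:13 www sshd[2301]: Accepted publickey for deploy from 198.51.100.25 port 50122 ssh2
"""


def parse_block_line(line: str):
    """Fields of one [UFW BLOCK] line, or None for lines that are not blocks."""
    marker = "[UFW BLOCK]"
    if marker not in line:
        return None
    payload = line.split(marker, 1)[1]
    fields = dict(KV_RE.findall(payload))
    flags = frozenset(TCP_FLAG_RE.findall(payload))
    proto = fields.get("PROTO", "")
    if proto != "TCP":
        category = "other"      # UDP/ICMP: no handshake state to reason about
    elif "SYN" in flags and "ACK" not in flags:
        category = "attempt"    # new connection to a port nothing allows
    else:
        category = "stray"      # teardown or out-of-state segment; usually noise
    return {"src": fields.get("SRC", ""), "dst": fields.get("DST", ""),
            "iface": fields.get("IN", ""), "proto": proto,
            "dpt": fields.get("DPT", ""), "flags": flags, "category": category}


def summarize(log_text: str) -> dict[str, Counter]:
    """Per category, count blocked packets by (source, proto, destination port)."""
    summary = {"attempt": Counter(), "stray": Counter(), "other": Counter()}
    for line in log_text.splitlines():
        rec = parse_block_line(line)
        if rec:
            summary[rec["category"]][(rec["src"], rec["proto"], rec["dpt"])] += 1
    return summary


def top_attempts(summary, n: int = 5):
    """Most frequent (source, proto, port) connection attempts: the ones to review."""
    return summary["attempt"].most_common(n)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("connection attempts (review these):")
    for (src, proto, dpt), count in top_attempts(s):
        print(f"  {src:<16} -> {proto}/{dpt:<5} x{count}")
    print(f"stray teardown packets ignored: {sum(s['stray'].values())}")
```

On the constructed sample the two stray ACK FIN / RST packets to port 80 are set aside, while the SYNs from 203.0.113.9 to ports 22 and 3306 surface as the attempts worth reviewing. To use it on a host, pass the contents of /var/log/ufw.log (or the kernel messages from journalctl -k) to summarize.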

Thanks Mitchell Anicas for the article. It’s helpful very much; I have a question, Can I make rules to deny or allow MAC addresses ?

alexdo (Site Moderator), October 30, 2024

Yes, you can create rules to allow or deny specific MAC addresses, but UFW (Uncomplicated Firewall) does not support filtering by MAC address directly. However, you can achieve this by using iptables, which is a more advanced tool that UFW is built upon.

Here’s how you can allow or deny a specific MAC address using iptables:

  1. Allow a Specific MAC Address: To allow traffic from a specific MAC address (for example, 00:11:22:33:44:55), you can use the following command:
     sudo iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
  2. Deny a Specific MAC Address: To deny traffic from a specific MAC address, use:
     sudo iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j DROP
  3. Save the Rules: After setting the rules, make sure to save your iptables configuration so that it persists after a reboot. The method for saving rules can vary by distribution. On many systems, you can use:
     sudo iptables-save | sudo tee /etc/iptables/rules.v4

Or on systems with netfilter-persistent:

sudo netfilter-persistent save

Regards

after i enable ufw , i cannot get sudo apt-get update to work ,it keep say could not resolve mirror digitalocean

Here is my ufw status. Incoming deny all, outgoing allow all:

To                         Action      From
--                         ------      ----
3690                       ALLOW       Anywhere
9418/tcp                   ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
80                         ALLOW OUT   Anywhere
443                        ALLOW OUT   Anywhere
53                         ALLOW OUT   Anywhere

alexdo (Site Moderator), October 30, 2024

Heya,

DNS queries typically use port 53, and while it looks like you have allowed some outgoing traffic, you might need to explicitly allow DNS traffic.

  1. Allow DNS Queries: You need to allow outgoing connections on port 53 (both TCP and UDP) to enable DNS resolution. Run the following commands:
     sudo ufw allow out 53
     sudo ufw allow out 53/udp
  2. Check UFW Rules: After adding the rules, check your UFW status to ensure the rules are applied:
     sudo ufw status

     You should see entries like the following:

     53                         ALLOW OUT   Anywhere
     53/udp                     ALLOW OUT   Anywhere
  3. Try Updating Again: Now, try running sudo apt-get update again to see if the issue is resolved:
     sudo apt-get update

Ensure that your default policy allows outgoing connections:

sudo ufw default allow outgoing

If you continue to face issues, consider resetting UFW to its default settings, but be careful as this will remove all existing rules:

sudo ufw reset

After resetting, re-add any necessary rules (like allowing SSH).

DNS Settings: If the issue persists, check your DNS settings in /etc/resolv.conf to ensure that they point to a valid DNS server (like Google’s 8.8.8.8 or 1.1.1.1 from Cloudflare):

sudo nano /etc/resolv.conf

You can add the following lines if they are not present:

nameserver 8.8.8.8 
nameserver 8.8.4.4

After making changes, save the file and try running sudo apt-get update again.

Regards

I have installed Wowza on my server and one of the steps asked me to open port 1935. I executed the command “sudo ufw enable” and as a result I have no access to my SSH! How can I get back to my SSH? I need your help please.

Appreciate not relevant for @Joswellve11a9f3 anymore, just for future reference: if you have blocked yourself from accessing the server with UFW (which it warns you about this possibility when you enable it), you can access console from the DigitalOcean’s account, which emulates direct terminal access and thus is not affected by firewalls. You can disable from there and login using SSH again to investigate what you have done wrong.

alexdo (Site Moderator), October 30, 2024

Yes, the DigitalOcean account will grant you access to the droplet from where you can troubleshoot and re-gain access to your machine.

https://docs.digitalocean.com/products/droplets/how-to/recovery/recovery-console/

Another option will be to boot into recovery ISO.

Regards

alexdo (Site Moderator), October 30, 2024

Heya,

You can use the DigitalOcean recovery console to enable ssh and inspect if port 22 or any ssh-related port is open.

Once you have console access, check your current UFW rules:

sudo ufw status

If SSH is not allowed, run the following command to allow SSH:

sudo ufw allow ssh

Or explicitly allow port 22:

sudo ufw allow 22

If necessary, reload UFW to apply the changes:

sudo ufw reload

Once you’ve adjusted the rules, you can exit the console and try reconnecting via SSH.

https://docs.digitalocean.com/products/droplets/how-to/recovery/recovery-console/

Regards

What do I need to configure with wordpress installed?

I have followed the initial server setup for ubuntu 16.04, installed LEMP, set-up virtual hosts and installed wordpress all from digital ocean tutorials.

alexdo (Site Moderator), October 30, 2024

Heya,

You can check our WordPress tutorial and also in the prerequisites part check the initial server setup tutorial as well

https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-lemp-on-ubuntu-22-04

Regards

can you also add on how to save those rules , that is to make them persistent because I cant find it nowhere.

alexdo (Site Moderator), October 30, 2024

To make your UFW rules persistent across reboots, you don’t need to do anything special—UFW automatically saves the rules when you modify them. However, to ensure everything is set correctly, you can follow these steps:

  1. Enable UFW: If you haven’t already, enable UFW with:
     sudo ufw enable
  2. Check Status: After adding your rules, you can check the status to ensure they are saved:
     sudo ufw status verbose
  3. Restart UFW: If you want to apply changes immediately and ensure they are active:
     sudo ufw reload
  4. Check Rules: After reloading, verify your rules again with:
     sudo ufw status

These steps confirm that your UFW rules are saved and will remain active after a reboot. If you ever need to reset or delete rules, you can use sudo ufw delete <rule> for specific entries or sudo ufw reset to clear all rules (but use this with caution).

This process ensures that your firewall settings remain intact and your server stays secure after restarts.

Regards

A useful tip:

Usually a UFW profile such as OpenSSH is created when you install the openssh-server package. Using the already provided profile, you can restrict access to a specific subnet such as your home network’s subnet. The command is: sudo ufw allow from 192.168.0.0/24 to any app OpenSSH. Obviously you change the subnet accordingly.

This is what it looks like in practice using only profiles:

To                         Action      From
--                         ------      ----
137,138/udp (Samba)        ALLOW IN    Anywhere
139,445/tcp (Samba)        ALLOW IN    Anywhere
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere
3389/tcp (MySQL)           ALLOW IN    Anywhere
3389/udp (MySQL)           ALLOW IN    Anywhere
22/tcp (OpenSSH)           ALLOW IN    192.168.0.0/24
137,138/udp (Samba (v6))   ALLOW IN    Anywhere (v6)
139,445/tcp (Samba (v6))   ALLOW IN    Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN    Anywhere (v6)
3389/tcp (MySQL (v6))      ALLOW IN    Anywhere (v6)
3389/udp (MySQL (v6))      ALLOW IN    Anywhere (v6)
alexdo (Site Moderator), October 30, 2024

Utilizing UFW profiles like OpenSSH to restrict access to a specific subnet is a smart way to enhance security. It allows you to control who can access your server while keeping your local network secure.

Your example effectively illustrates how to implement this approach, showing a clear overview of allowed traffic. By allowing only your home network’s subnet, you can significantly reduce the risk of unauthorized access.

Thanks for sharing this practical advice! It will certainly help others tighten their security configurations!

Regards
