UFW Rule Generator
Generate UFW firewall rules for Ubuntu and Debian systems.
About UFW (Uncomplicated Firewall)
UFW is a user-friendly frontend for iptables, designed to make firewall configuration simple. It's the default firewall configuration tool for Ubuntu and is available on other Debian-based distributions.
Basic Concepts
Allow: permits traffic on the specified port/protocol. Use it for services that must be reachable.
ufw allow 22/tcp
Deny: blocks traffic silently; the connection attempt times out rather than being refused.
ufw deny 23/tcp
Limit: rate-limits connections (max 6 attempts per 30 seconds from one address). Useful for SSH.
ufw limit 22/tcp
Common UFW Rules
| Service | Command | Description |
|---|---|---|
| SSH | ufw limit 22/tcp | Allow SSH with rate limiting |
| HTTP | ufw allow 80/tcp | Allow web traffic |
| HTTPS | ufw allow 443/tcp | Allow secure web traffic |
| MySQL | ufw allow 3306/tcp | Allow MySQL connections |
| PostgreSQL | ufw allow 5432/tcp | Allow PostgreSQL connections |
| DNS | ufw allow 53 | Allow DNS (TCP & UDP) |
Advanced Examples
Allow from Specific IP
Only allow SSH connections from a trusted IP address:
ufw allow from 192.168.1.100 to any port 22
Useful for restricting administrative access
Allow Subnet
Allow connections from an entire subnet:
ufw allow from 192.168.1.0/24 to any port 3306
Great for internal database access
Port Range
Allow a range of ports:
ufw allow 6000:6010/tcp
Useful for applications that use multiple ports
Application Profiles
Use predefined application profiles:
ufw allow 'Nginx Full'
ufw allow 'OpenSSH'
List available profiles:
ufw app list
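The rule forms shown above (plain port, port range with protocol, source IP or subnet) can be generated and validated with a small shell function. This is an added example, not the page's own generator: it prints the ufw command instead of running it, so the ruleset can be reviewed before it is applied with sudo. The spec format ACTION PORT[:PORT][/PROTO] [SOURCE] and the IPv4-only source check are assumptions of this example.

```shell
# Added example: build one ufw command from a rule spec and refuse anything
# malformed, so a typo cannot silently become an over-broad rule.
# Usage: ufw_rule ACTION PORT[:PORT][/PROTO] [SOURCE]   (prints, does not run)

valid_ipv4() {
  # Accept a.b.c.d or a.b.c.d/N (assumption: IPv4 only, prefix 0-32)
  case $1 in
    */*) case ${1#*/} in ''|*[!0-9]*) return 1 ;; esac
         [ "${1#*/}" -le 32 ] || return 1 ;;
  esac
  case ${1%%/*} in *.|.*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- ${1%%/*}; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

ufw_rule() {
  action=$1 spec=$2 src=${3:-}
  case $action in allow|deny|limit) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
  port=${spec%%/*}; proto=
  case $spec in */*) proto=${spec#*/} ;; esac
  case $proto in ''|tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
  # Single port or low:high range, digits only, within 1-65535
  case $port in ''|*[!0-9:]*|*:*:*|:*|*:) echo "bad port: $port" >&2; return 1 ;; esac
  low=${port%%:*}; high=${port##*:}
  if [ "$low" -lt 1 ] || [ "$high" -gt 65535 ] || [ "$low" -gt "$high" ]; then
    echo "port out of range: $port" >&2; return 1
  fi
  # ufw rejects a port range that has no protocol
  case $port in *:*) [ -n "$proto" ] || { echo "range needs /tcp or /udp" >&2; return 1; } ;; esac
  if [ -z "$src" ]; then
    echo "ufw $action $port${proto:+/$proto}"
  else
    valid_ipv4 "$src" || { echo "bad source: $src" >&2; return 1; }
    echo "ufw $action from $src to any port $port${proto:+ proto $proto}"
  fi
}
```

Pipe the output into a file, read it, and then run each line with sudo once it matches what you intended.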
Security Best Practices
- Default deny policy: Start with ufw default deny incoming
- Rate limit SSH: Use ufw limit 22/tcp to prevent brute force
- Be specific: Restrict by source IP when possible
- Minimize open ports: Only allow what's necessary
- Use application profiles: Easier to manage and more reliable
- Document rules: Comment your firewall configurations
- Regular audits: Periodically review and clean up rules
Initial Firewall Setup
Here's a recommended initial setup for a web server:
# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH with rate limiting
sudo ufw limit 22/tcp
# Allow web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Enable firewall
sudo ufw enable
# Check status
sudo ufw status verbose
Troubleshooting
Locked out of SSH?
If you have console access:
sudo ufw allow 22/tcp && sudo ufw reload
Can't enable UFW?
Check whether another firewall or existing iptables rules on the host conflict with UFW.
Quick Commands
Enable UFW:
sudo ufw enable
Disable UFW:
sudo ufw disable
Check status:
sudo ufw status verbose
List numbered rules:
sudo ufw status numbered
Delete rule by number:
sudo ufw delete 3
Reset all rules:
sudo ufw reset
Reload rules:
sudo ufw reload
Default Policies
Deny incoming:
sudo ufw default deny incoming
Allow outgoing:
sudo ufw default allow outgoing
Deny forwarding:
sudo ufw default deny forward
Common Ports
- 22 - SSH
- 80 - HTTP
- 443 - HTTPS
- 21 - FTP
- 25 - SMTP
- 53 - DNS
- 3306 - MySQL
- 5432 - PostgreSQL
- 6379 - Redis
- 27017 - MongoDB