## page was renamed from UbuntuFirewall

== Introduction ==

The Linux kernel in Ubuntu provides a packet filtering system called `netfilter`, and the traditional interface for manipulating `netfilter` is the `iptables` suite of commands. `iptables` provides a complete firewall solution that is both highly configurable and highly flexible.

Becoming proficient in `iptables` takes time, and getting started with `netfilter` firewalling using only `iptables` can be a daunting task. As a result, many frontends for `iptables` have been created over the years, each trying to achieve a different result and targeting a different audience.

The Uncomplicated Firewall (`ufw`) is a frontend for `iptables` and is particularly well-suited for host-based firewalls. `ufw` provides a framework for managing `netfilter`, as well as a command-line interface for manipulating the firewall. `ufw` aims to provide an easy-to-use interface for people unfamiliar with firewall concepts, while at the same time simplifying complicated `iptables` commands to help an administrator who knows what he or she is doing. `ufw` is an upstream for other distributions and graphical frontends.

== UFW in Ubuntu ==

Ubuntu 8.04 LTS introduced `ufw`, and it is available by default in all Ubuntu installations after 8.04 LTS.

=== Available Versions in supported versions of Ubuntu ===

 * '''Ubuntu 14.04 LTS''': 0.34~rc-0ubuntu2
 * '''Ubuntu 16.04 LTS''': 0.35-0ubuntu2
 * '''Ubuntu 18.04 LTS''': 0.36-0ubuntu0.18.04.1
 * '''Ubuntu 20.04''': 0.36-6
 * '''Ubuntu 22.04''': 0.36.1-4
 * '''Ubuntu 23.04''': 0.36.1-4.1
 * '''Ubuntu 23.10''': 0.36.2-1
 * '''Ubuntu Core''': 0.36pre

=== Features ===

`ufw` has the following features:

|| '''Feature''' || '''0.31.1-1''' || '''0.34~rc-0ubuntu2''' || '''0.34-2''' || '''0.35''' ||
|| default incoming policy (allow/deny) || yes || yes || yes || yes ||
|| allow/deny incoming rules || yes || yes || yes || yes ||
|| IPv6 (by default) || yes || yes || yes || yes ||
|| status || yes || yes || yes || yes ||
|| logging (on/off) || yes || yes || yes || yes ||
|| extensible framework || yes || yes || yes || yes ||
|| python 2.5 support || yes || no || no || no ||
|| application integration || yes || yes || yes || yes* ||
|| IPv4 rate limiting via 'limit' command || yes || yes || yes || yes ||
|| internationalization || yes || yes || yes || yes ||
|| multiport incoming rules || yes || yes || yes || yes ||
|| debconf/preseeding || yes || yes || yes || yes ||
|| default incoming policy (reject) || yes || yes || yes || yes ||
|| reject incoming rules || yes || yes || yes || yes ||
|| rule insertion || yes || yes || yes || yes ||
|| log levels || yes || yes || yes || yes ||
|| per rule logging || yes || yes || yes || yes ||
|| outgoing filtering (on par with incoming) || yes || yes || yes || yes ||
|| filtering by interface || yes || yes || yes || yes ||
|| bash completion || yes || yes || yes || yes ||
|| upstart support || yes || yes || yes || yes ||
|| improved reporting || yes || yes || yes || yes ||
|| reset command || yes || yes || yes || yes ||
|| rsyslog support || yes || yes || yes || yes ||
|| delete by rule number || yes || yes || yes || yes ||
|| python 2.6 support || yes || yes || yes || yes ||
|| 'show listening' report || yes || yes || yes || yes ||
|| python 2.7 support || yes || yes || yes || yes ||
|| increased protocol support (ah, esp) || yes || yes || yes || yes ||
|| IPv6 rate limiting via 'limit' command || -- || yes || yes || yes ||
|| python 3.2 support || -- || yes || yes || no ||
|| python 3.3 support || -- || yes || yes || yes ||
|| 'show added' report || -- || yes || yes || yes ||
|| python 3.4 support || -- || yes || yes || yes ||
|| before/after extensibility hooks || -- || yes || yes || yes ||
|| routed packet filtering (FORWARD) || -- || yes || yes || yes ||
|| systemd support || -- || -- || yes || yes ||
|| increased protocol support (igmp, gre) || -- || -- || yes || yes ||
|| python 3.5 support || -- || -- || yes || yes ||
|| Snappy for Ubuntu Core support || -- || -- || -- || yes ||
|| per rule comments || -- || -- || -- || yes ||

* support for application integration is limited on Ubuntu Core at this time

== Basic Usage ==

Getting started with `ufw` is easy. For example, to enable the firewall, allow ssh access, enable logging, and check the status of the firewall, perform:{{{
$ sudo ufw allow ssh/tcp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere
}}}

This sets up a default deny (DROP) firewall for incoming connections, with all outbound connections allowed with state tracking.

On Ubuntu Core, simply replace '`ufw`' with '`ufw.cmd`'. E.g.: {{{
$ sudo ufw.cmd enable
}}}

=== Advanced Functionality ===

As mentioned, the `ufw` application is capable of doing anything that `iptables` can do. This is achieved by using several sets of rules files, which are nothing more than `iptables-restore` compatible text files.
Fine-tuning `ufw` and/or adding additional `iptables` commands not offered via the `ufw` command is a matter of editing various text files^1^:

 * '''/etc/default/ufw''': high level configuration, such as default policies, IPv6 support and kernel modules to use
 * '''/etc/ufw/before[6].rules''': rules in these files are evaluated before any rules added via the `ufw` command
 * '''/etc/ufw/after[6].rules''': rules in these files are evaluated after any rules added via the `ufw` command
 * '''/etc/ufw/sysctl.conf''': kernel network tunables
 * '''/var/lib/ufw/user[6].rules''' or '''/lib/ufw/user[6].rules''' (0.28 and later): rules added via the `ufw` command (should not normally be edited by hand)
 * '''/etc/ufw/ufw.conf''': sets whether or not `ufw` is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL
 * '''/etc/ufw/after.init''': initialization customization script run after ufw is initialized (ufw 0.34 and later)
 * '''/etc/ufw/before.init''': initialization customization script run before ufw is initialized (ufw 0.34 and later)

After modifying any of the above files, activate the new settings with:{{{
$ sudo ufw disable
$ sudo ufw enable
}}}

^1^ On Ubuntu Core, these files are located under `/var/lib/apps/ufw*/current`. See '`ufw.doc ufw-on-snappy`' on an Ubuntu Core system for details.

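Because the rules files are plain `iptables-restore` input, a structural slip made while editing one by hand (a lost `COMMIT`, a mistyped chain name) is worth catching before the `ufw disable` / `ufw enable` cycle. The script below is an added example, not part of `ufw` or of the original page: it checks that every `*table` block is closed by `COMMIT` and that every `-A`/`-I` rule names a chain declared in that block or a built-in chain. The function name `check_rules` and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of ufw): structural pre-check for a hand-edited
# iptables-restore format file such as /etc/ufw/before.rules.

# check_rules FILE: print each problem found; return 0 only if there are none.
check_rules() {
    awk '
    BEGIN { n = split("INPUT OUTPUT FORWARD PREROUTING POSTROUTING", b, " ")
            for (i = 1; i <= n; i++) core[b[i]] = 1 }   # built-in chains
    function err(msg) { print FILENAME ":" NR ": " msg; bad = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    $1 ~ /^\*/ {                                 # "*filter" opens a table
        if (table != "") err("table " table " not closed by COMMIT")
        table = substr($1, 2); split("", declared); next
    }
    $1 == "COMMIT" {                             # COMMIT closes the table
        if (table == "") err("COMMIT outside a table")
        table = ""; next
    }
    table == "" { err("line outside any *table block"); next }
    $1 ~ /^:/ { declared[substr($1, 2)] = 1; next }  # ":chain policy [counters]"
    $1 == "-A" || $1 == "-I" {                   # rule must name a known chain
        if (!($2 in declared) && !($2 in core)) err("rule for undeclared chain " $2)
        next
    }
    END { if (table != "") err("table " table " not closed by COMMIT"); exit bad + 0 }
    ' "$1"
}

# Constructed samples: good.rules is well formed; bad.rules mistypes a chain
# name and has lost its COMMIT line.
samples=$(mktemp -d)
cat > "$samples/good.rules" <<'EOF'
*filter
:ufw-before-input - [0:0]
# constructed rule: accept ICMP echo requests
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
cat > "$samples/bad.rules" <<'EOF'
*filter
:ufw-before-input - [0:0]
-A ufw-before-inptu -p tcp --dport 8080 -j ACCEPT
EOF

for f in "$samples/good.rules" "$samples/bad.rules"; do
    if check_rules "$f"; then echo "$f: OK"; else echo "$f: fix before reloading ufw"; fi
done
```

This is a structural check only: match and target syntax inside each rule is not examined.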
== More Information ==

 * Ubuntu 16.04 LTS (Xenial Xerus)
   * [[https://help.ubuntu.com/16.04/serverguide/firewall.html|Server Guide - Firewall]]
   * [[http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html|ufw manual]]
   * [[http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw-framework.8.html|ufw framework manual]]
 * Ubuntu 18.04 LTS (Bionic Beaver)
   * [[https://help.ubuntu.com/18.04/serverguide/firewall.html|Server Guide - Firewall]]
   * [[http://manpages.ubuntu.com/manpages/bionic/en/man8/ufw.8.html|ufw manual]]
   * [[http://manpages.ubuntu.com/manpages/bionic/en/man8/ufw-framework.8.html|ufw framework manual]]
 * Ubuntu 20.04 (Focal Fossa)
   * [[https://ubuntu.com/server/docs/security-firewall|Ubuntu Server Guide - Firewall]]
   * [[http://manpages.ubuntu.com/manpages/focal/en/man8/ufw.8.html|ufw manual]]
   * [[http://manpages.ubuntu.com/manpages/focal/en/man8/ufw-framework.8.html|ufw framework manual]]
 * Ubuntu 21.04 (Hirsute Hippo)
   * [[http://manpages.ubuntu.com/manpages/hirsute/en/man8/ufw.8.html|ufw manual]]
   * [[http://manpages.ubuntu.com/manpages/hirsute/en/man8/ufw-framework.8.html|ufw framework manual]]
 * Ubuntu 21.10 (Impish Indri)
   * [[http://manpages.ubuntu.com/manpages/impish/en/man8/ufw.8.html|ufw manual]]
   * [[http://manpages.ubuntu.com/manpages/impish/en/man8/ufw-framework.8.html|ufw framework manual]]
 * Ubuntu 22.04 (Jammy Jellyfish)
   * [[http://manpages.ubuntu.com/manpages/jammy/en/man8/ufw.8.html|ufw manual]]
   * [[http://manpages.ubuntu.com/manpages/jammy/en/man8/ufw-framework.8.html|ufw framework manual]]
 * Ubuntu Core
   * See '`ufw.doc`' on your Ubuntu Core system, specifically '`ufw.doc ufw-on-snappy | less`' to see how ufw differs on Ubuntu Core.
 * [[https://help.ubuntu.com/community/UFW|Ubuntu Community Documentation on UFW]]
 * '''Specification''': UbuntuFirewallSpec
 * '''Code''': [[https://launchpad.net/ufw|https://launchpad.net/ufw]]
 * Graphical User Interface for UFW: [[https://help.ubuntu.com/community/Gufw|Gufw]].