Console9

UFW (Uncomplicated Firewall)

Manage firewall rules on Ubuntu with UFW to control network access, allow SSH and HTTP ports, and block unwanted traffic.

UFW (Uncomplicated Firewall) is a command-line firewall management tool for Ubuntu and Debian that simplifies iptables rule configuration for allowing, denying, and rate-limiting network traffic.

What UFW Does and When to Use It

UFW provides a simplified interface for managing Linux netfilter firewall rules. Instead of writing complex iptables commands, administrators use UFW commands like ufw allow 22 and ufw deny 3306 to control inbound and outbound traffic by port, protocol, and IP address.

UFW is the default firewall tool on Ubuntu. Use it to secure new server deployments by allowing only SSH (port 22), HTTP (port 80), and HTTPS (port 443) while blocking all other inbound traffic. UFW integrates with application profiles — ufw allow 'Nginx Full' opens both HTTP and HTTPS with a single command.

UFW is a frontend for iptables/nftables — it does not replace them. For complex routing rules, NAT configuration, or per-packet inspection, use iptables or nftables directly. See UFW vs iptables vs nftables for a comparison.

How to Install and Enable UFW

=== "Ubuntu / Debian"

UFW is preinstalled on Ubuntu. Enable it with:

```bash
sudo ufw allow ssh
sudo ufw enable
```

**Always allow SSH before enabling UFW.** Enabling UFW without an SSH rule locks you out of a remote server. See [How to recover from UFW SSH lockout](./how-to/recover-ssh-lockout/).
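The lockout warning above can be turned into a pre-flight check. This added example (not part of the original page) parses the rule listing from `ufw show added` and refuses to enable the firewall when no rule admits the SSH port; the function names and sample listings are constructed for illustration, and the `ufw show added` line format is an assumption.

```bash
#!/bin/sh
# Added example (not from the original page): pre-flight check for `ufw enable`.
# Assumption: `ufw show added` prints one "ufw <action> ..." line per user rule.

# Constructed sample listings, used only to exercise the parser offline.
SAMPLE_SAFE="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw limit 22/tcp"
SAMPLE_LOCKOUT="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw deny 22/tcp
ufw allow 2222/tcp"

# Read a rule listing on stdin; succeed only if an allow or limit rule admits
# the SSH port ($1, default 22). The ssh/OpenSSH names count only for port 22.
# Source-restricted rules ("from ... port N") count as present; whether they
# cover your own client address is not checked.
ssh_rule_present() {
    _port="${1:-22}"
    _names=""
    if [ "$_port" = "22" ]; then _names="|ssh|OpenSSH"; fi
    grep -Eq \
        -e "^ufw (allow|limit) (in )?(${_port}(/tcp)?${_names})\$" \
        -e "^ufw (allow|limit) .* port ${_port}( proto tcp)?\$"
}

# Enable UFW only when the check passes. Needs root; defined here, not invoked.
enable_ufw_safely() {
    _sshport="${1:-22}"
    if ufw show added | ssh_rule_present "$_sshport"; then
        ufw --force enable   # --force skips the interactive confirmation prompt
    else
        echo "refusing to enable UFW: no allow/limit rule for SSH port ${_sshport}" >&2
        return 1
    fi
}
```

If sshd listens on a non-default port, pass it as the first argument, for example `enable_ufw_safely 2222`.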

Common Tasks with UFW

How to Check UFW Status and Rules

```bash
sudo ufw status verbose
```

How to Allow a Port Through UFW

```bash
sudo ufw allow 80/tcp
```

How to Deny Traffic from a Specific IP with UFW

```bash
sudo ufw deny from 203.0.113.50
```

For detailed instructions, see How to allow a specific port through UFW.

UFW Troubleshooting

| Error | Cause | Fix |
| --- | --- | --- |
| Connection refused after enabling UFW | SSH rule not added before enabling, server locked out | → Full article |
| UFW rules not taking effect | iptables conflict or Docker bypassing UFW | → Full article |
| Docker bypasses UFW rules | Docker modifies iptables directly, ignoring UFW | → Full article |

SSH requires port 22 open in UFW for remote server access. Certbot requires port 80 open for HTTP-01 ACME challenges. Docker manipulates iptables directly and can bypass UFW rules — see the dedicated Docker bypasses UFW troubleshooting article.