UFW Complete Guide

UFW (Uncomplicated Firewall) is Ubuntu's front-end for iptables. It provides a simple syntax for defining firewall rules that is far easier to read and manage than raw iptables commands. UFW is appropriate for most server firewall needs. Understanding its defaults, how to add and manage rules, and its limitations (particularly the Docker interaction problem) is essential for anyone administering Ubuntu servers.

What is UFW and how does it work?

UFW is a frontend for netfilter (kernel firewall):

  Your rules (ufw allow 80)
         ↓ translated to
  iptables/nftables rules
         ↓ evaluated for
  Each incoming/outgoing packet

  Rule evaluation order: rules are evaluated top to bottom,
  first match wins. Default policy applies if no rule matches.

Enabling UFW and default policies

# IMPORTANT: Allow SSH BEFORE enabling UFW or you will lock yourself out
sudo ufw allow ssh     # Allow SSH (port 22)

# Set default policies
sudo ufw default deny incoming    # Block all inbound traffic by default
sudo ufw default allow outgoing   # Allow all outbound traffic

# Enable UFW
sudo ufw enable

# Check status
sudo ufw status verbose

ufw status verbose output

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)

⚠️ WARNING: Always run sudo ufw allow ssh BEFORE sudo ufw enable. If you enable UFW without allowing SSH first, you will be locked out of your server immediately. If this happens, you need console access to run ufw allow ssh or ufw disable.
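A small guard against exactly this lock-out, written here as an added example (it is not from the original article): it inspects the pending rule set with `ufw show added` and only runs `ufw enable` when a rule admitting the SSH port is present. The `ufw show added` subcommand is real; the assumption is that it lists rules one per line in the form `ufw allow 22/tcp`, `ufw limit 22/tcp` or `ufw allow from <src> to any port 22`, which is how current Ubuntu releases print them. The `SSH_PORT`, `has_ssh_rule` and `safe_enable` names and the sample outputs are this example's own.

```shell
#!/bin/sh
# Added example: refuse to run "ufw enable" unless the rule set already admits SSH.
# Assumes "ufw show added" prints one rule per line as "ufw allow 22/tcp",
# "ufw limit 22/tcp" or "ufw allow from <src> to any port 22 [proto tcp]".

SSH_PORT="${SSH_PORT:-22}"   # change this if sshd listens on another port

# has_ssh_rule RULES_TEXT
# Exit 0 when RULES_TEXT contains an allow/limit rule covering SSH_PORT, whether open
# to anyone or restricted to a source; also accepts the "ssh" service name and the
# OpenSSH application profile. A rule for a different port (2222) does not count.
has_ssh_rule() {
    re="^ufw (allow|limit) ((in )?(${SSH_PORT}(/tcp)?|ssh|OpenSSH)|from [^ ]+ to any port ${SSH_PORT}( proto tcp)?)\$"
    printf '%s\n' "$1" | grep -Eq "$re"
}

# safe_enable: read the pending rules and enable the firewall only if the check passes.
safe_enable() {
    added=$(sudo ufw show added) || return 1
    if has_ssh_rule "$added"; then
        sudo ufw enable
    else
        echo "refusing to enable: no rule admits port ${SSH_PORT}; run 'sudo ufw allow ssh' first" >&2
        return 1
    fi
}

# Constructed samples of "ufw show added" output, so the check can be exercised without root.
SAMPLE_OK="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 80/tcp"

SAMPLE_LOCKOUT="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow 443/tcp"

if has_ssh_rule "$SAMPLE_OK"; then echo "sample 1: safe to enable"; fi
if has_ssh_rule "$SAMPLE_LOCKOUT"; then :; else echo "sample 2: enabling now would lock you out"; fi
```

On a real host, run `safe_enable` in place of `sudo ufw enable`. The check is deliberately strict about the port: if sshd listens somewhere other than 22, set `SSH_PORT` first, because a rule for port 22 will not save a session on port 2222.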

Managing rules

# Allow by port number
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 8080

# Allow by service name (defined in /etc/services)
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

# Allow from specific IP or subnet
sudo ufw allow from 192.168.1.0/24 to any port 22    # SSH only from LAN
sudo ufw allow from 10.0.0.5 to any port 3306        # MySQL from specific host

# Deny specific traffic
sudo ufw deny from 203.0.113.100    # Block a specific IP

# Delete rules
sudo ufw status numbered             # Show rules with numbers
sudo ufw delete 3                    # Delete rule #3
sudo ufw delete allow 8080           # Delete by rule content

# Application profiles (pre-defined rule sets)
sudo ufw app list                    # Show available app profiles
sudo ufw allow 'Nginx Full'          # Allow HTTP + HTTPS for Nginx
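The commands above are usually typed one at a time, which makes the resulting policy hard to review or rebuild. As an added example (not from the original article), the script below keeps the rules in a small declarative list, validates each entry, translates it into the exact `ufw allow|deny|limit ...` forms shown above, and applies them in order, so that the order on the host matches the order in the file (first match wins). `POLICY`, `rule_cmd`, `apply_policy` and the `DRY_RUN` switch are this example's own conventions.

```shell
#!/bin/sh
# Added example: a reviewable firewall policy translated into ufw commands.
# One rule per line: ACTION PORT PROTO SOURCE
#   ACTION  allow | deny | limit
#   PORT    1-65535
#   PROTO   tcp | udp
#   SOURCE  "any", an IPv4 address, or an IPv4 CIDR
# Rules are applied top to bottom; ufw keeps that order and the first match wins,
# so narrower rules belong above broader ones.
POLICY='
# action   port   proto  source
limit      22     tcp    192.168.1.0/24
allow      80     tcp    any
allow      443    tcp    any
allow      3306   tcp    10.0.0.5
'

# rule_cmd ACTION PORT PROTO SOURCE: print the ufw command, or fail on bad input.
rule_cmd() {
    action=$1 port=$2 proto=$3 src=$4
    case $action in allow|deny|limit) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
    case $proto in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    if [ "$src" = any ]; then
        echo "ufw $action $port/$proto"
    elif printf '%s\n' "$src" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'; then
        echo "ufw $action from $src to any port $port proto $proto"
    else
        echo "bad source: $src" >&2; return 1
    fi
}

# apply_policy: build every command first, so one bad line aborts before any change
# is made, then run them. DRY_RUN=1 prints the commands instead of running them.
apply_policy() {
    cmds=$(printf '%s\n' "$POLICY" | grep -Ev '^[[:space:]]*(#|$)' | while read -r a p pr s; do
        rule_cmd "$a" "$p" "$pr" "$s" || exit 1
    done) || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | while read -r c; do sudo $c; done
    fi
}

# Show what would be applied without touching the firewall.
DRY_RUN=1 apply_policy
```

Run it once with `DRY_RUN=1` and compare the printed commands against `sudo ufw status numbered` before applying for real; ufw reports "Skipping adding existing rule" for entries already present, so re-running the script is safe.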

Rate limiting with ufw limit

# Rate limit SSH connections to prevent brute-force attacks
# UFW blocks connections if 6+ attempts from same IP in 30 seconds
sudo ufw limit ssh

# This adds a rate-limit rule — more specific than simple allow
# Replace existing "allow ssh" with "limit ssh":
sudo ufw delete allow ssh
sudo ufw limit ssh
sudo ufw status | grep ssh
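To see whether the limit rule is actually doing work, look at the log: ufw writes each drop by the limit rule as a kernel log line carrying the `[UFW LIMIT BLOCK]` prefix (ordinary default-deny drops carry `[UFW BLOCK]`), and on Ubuntu those lines land in `/var/log/ufw.log` and in `journalctl -k`. The function below, an added example rather than code from the original article, counts limit-rule drops per source address for a given port. The log lines embedded in it are constructed samples in the usual netfilter `SRC=... DPT=...` layout, not captured output.

```shell
#!/bin/sh
# Added example: count "[UFW LIMIT BLOCK]" drops per source for one destination port.
# Input: log lines on stdin (e.g. from /var/log/ufw.log or "journalctl -k").
# Output: "count source" lines, busiest source first.

# limit_block_counts [PORT]   (PORT defaults to 22, matching "ufw limit ssh")
limit_block_counts() {
    grep '\[UFW LIMIT BLOCK\]' | awk -v port="${1:-22}" '
        {
            src = ""; dpt = ""
            # netfilter log lines are KEY=VALUE tokens; pick out source and destination port
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt == port) count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -rn
}

# Constructed sample log lines (not captured from a real host).
SAMPLE_LOG='Jan 10 12:00:01 srv kernel: [ 1234.567890] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:03 srv kernel: [ 1236.112233] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:09 srv kernel: [ 1242.445566] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40011 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:12 srv kernel: [ 1245.778899] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40012 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:15 srv kernel: [ 1248.001122] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51250 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:20 srv kernel: [ 1253.334455] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.99 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=33333 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0'

printf '%s\n' "$SAMPLE_LOG" | limit_block_counts 22
```

On a live host, `sudo limit_block_counts 22 < /var/log/ufw.log` (after sourcing the function) gives the same table for real traffic. A source that keeps appearing across many 30-second windows has already been rate-limited; whether it also deserves an explicit `ufw deny from <address>` rule is a judgement call the counts make easier.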

The UFW and Docker bypass problem

⚠️ WARNING: Docker manipulates iptables directly, bypassing UFW rules. If you run docker run -p 8080:80 myapp, port 8080 becomes accessible from the internet EVEN IF you have ufw deny 8080. Docker adds ACCEPT rules to iptables PREROUTING that execute before UFW's rules. This is a well-known issue. Fix: either use Docker's firewall integration settings, or bind Docker ports to localhost only (-p 127.0.0.1:8080:80) for services that should not be internet-accessible.

# Fix: bind Docker ports to localhost when external access is not needed
docker run -p 127.0.0.1:8080:80 myapp    # Only accessible locally, not from internet

# For Docker Compose:
ports:
  - "127.0.0.1:8080:80"    # Bind to localhost only
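Because UFW cannot be trusted to hide Docker-published ports, the useful check is on the Docker side: which published ports are bound to every interface rather than to 127.0.0.1. The script below is an added example (not from the original article) that audits the `Ports` column of `docker ps --format '{{.Names}}\t{{.Ports}}'`. The mapping syntax it parses (`0.0.0.0:8080->80/tcp, :::8080->80/tcp`) is what `docker ps` prints; the input embedded here is a constructed sample, and `exposed_ports` is this example's own function name.

```shell
#!/bin/sh
# Added example: report container ports published on a wildcard address (0.0.0.0 or ::),
# which are reachable from outside regardless of any "ufw deny" rule.
# Usage on a live host:  docker ps --format '{{.Names}}\t{{.Ports}}' | exposed_ports

# exposed_ports: stdin = "<name> <ports column>" lines, stdout = "<name> <mapping>"
# for each mapping whose host side is a wildcard address.
exposed_ports() {
    awk '
        NF >= 2 {
            name = $1
            line = $0
            sub(/^[^ \t]+[ \t]+/, "", line)          # drop the name column, keep the rest
            n = split(line, maps, ", ")               # one entry per published/exposed port
            for (i = 1; i <= n; i++) {
                m = maps[i]
                if (m !~ /->/) continue               # "6379/tcp": exposed only, never published
                split(m, side, "->")                  # side[1] = host address:port
                if (side[1] ~ /^(0\.0\.0\.0|::|\[::\]):/) print name, m
            }
        }'
}

# Constructed sample of "docker ps --format" output (not captured from a real host):
#   web    published on all interfaces (IPv4 and IPv6)  -> reported
#   db     published on loopback only                    -> fine
#   cache  port exposed by the image but not published   -> fine
#   worker nothing exposed                               -> fine
SAMPLE_PS='web 0.0.0.0:8080->80/tcp, :::8080->80/tcp
db 127.0.0.1:3306->3306/tcp
cache 6379/tcp
worker'

printf '%s\n' "$SAMPLE_PS" | exposed_ports
```

Every line the script prints is a port to re-publish as `-p 127.0.0.1:HOST:CONTAINER` (or the Compose `"127.0.0.1:HOST:CONTAINER"` form above) unless it genuinely needs to be reachable from the network. The IPv6 wildcard is checked separately because a `-p 8080:80` publish creates both the `0.0.0.0` and the `::` binding.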

Conclusion

UFW basics: allow SSH before enabling, set default deny incoming, then explicitly allow each required service. Use ufw limit ssh instead of ufw allow ssh to add rate limiting. Check status with ufw status verbose and review numbered rules with ufw status numbered. The critical caveat: Docker bypasses UFW — bind Docker ports to 127.0.0.1 for services that should not be internet-accessible, rather than relying on UFW to block them.

FAQ

Is UFW Complete Guide important for Ubuntu administrators?

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.

Need help with Ubuntu administration?

Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.
