Basics
5 MIN READ
Apr 10, 2026

UFW (Uncomplicated Firewall): Making Linux IP Rules Easy

UFW is a front end to iptables/nftables on Debian-based systems. Learn default-deny posture, IPv6 handling, logging, and how enterprises manage rules safely.

What UFW is

UFW (Uncomplicated Firewall) is a command-line wrapper that generates netfilter rules (traditionally iptables; on modern Ubuntu often nftables via the iptables-nft compatibility layer). It exists so operators can express policy as ufw allow 22/tcp instead of long rule chains, while still benefiting from stateful connection tracking.

Mechanics practitioners care about

UFW installs jump rules into filter tables, tracks NEW/ESTABLISHED/RELATED flows like other stateful firewalls, and supports application profiles under /etc/ufw/applications.d. Enabling UFW sets a default deny inbound policy with explicit allows. IPv6 is controlled separately via IPV6=yes in /etc/default/ufw; mismatched IPv4/IPv6 rules are a common source of “it works on v4 but not v6” incidents.

| Goal | Example | Notes |
| --- | --- | --- |
| Allow SSH | `ufw allow OpenSSH` | Prefer the named profile, or restrict to the admin prefix |
| Deny host | `ufw deny from 203.0.113.10` | Evaluated before broad allows if ordered correctly |
| Status | `ufw status verbose` | Shows numbered rules and logging flags |
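The "if ordered correctly" caveat in the table is easy to check mechanically. The script below is an added example, not code from the page or the ufw project: it parses a constructed `ufw status numbered` listing (the `shadowed_denies` function and `SAMPLE_STATUS` text are assumptions made here) and reports every DENY rule that sits below a broad ALLOW for the same target, which UFW will never reach.

```shell
# Constructed sample of `ufw status numbered` output (not captured from a
# real host); rule 2 is the problem case, rule 3 is the correct placement.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    Anywhere
[ 2] OpenSSH                    DENY IN     203.0.113.10
[ 3] 443/tcp                    DENY IN     198.51.100.0/24
[ 4] 443/tcp                    ALLOW IN    Anywhere
[ 5] OpenSSH (v6)               ALLOW IN    Anywhere (v6)'

# shadowed_denies STATUS_TEXT
# Prints the number of every DENY/REJECT rule that sits below a broad ALLOW
# (From "Anywhere") for the same To target. UFW evaluates rules top-down, so
# such a deny never matches. Prints nothing when ordering is sound.
shadowed_denies() {
    printf '%s\n' "$1" \
    | sed -nE 's/^\[ *([0-9]+)\] +(.*[^ ]) +(ALLOW|DENY|REJECT|LIMIT) (IN|OUT|FWD) +(.*)$/\1|\2|\3|\5/p' \
    | awk -F '|' '
        $3 == "ALLOW" && $4 ~ /^Anywhere/ { broad[$2] = $1 }
        ($3 == "DENY" || $3 == "REJECT") && ($2 in broad) { print $1 }'
}

# Report when run directly; the remedy is the insert-at-top form from the text.
hits=$(shadowed_denies "$SAMPLE_STATUS")
if [ -z "$hits" ]; then
    echo "rule order OK"
else
    echo "DENY rules shadowed by an earlier broad ALLOW: $hits"
    echo "fix: ufw delete <N>, then re-add with 'ufw insert 1 deny from <host>'"
fi
```

Run it against the real listing with `shadowed_denies "$(ufw status numbered)"` on the host being audited.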

Enterprise context

In production fleets, UFW is often avoided in favor of centralized policy (Ansible roles, cloud security groups, or distribution-specific network managers). Where UFW remains, changes should be tracked in version control, peer reviewed, and rolled out with health checks. CIS and STIG hardening baselines still expect an explicit default-deny inbound posture with documented exceptions.

Interpreting odd behavior

Containers published with -p may program DOCKER-USER chains that interact with UFW ordering; traffic can appear to “bypass” UFW if chains are not linked as expected. Always validate from an external host with a port scan (Nmap basics) rather than trusting local socket listings alone.

Rule placement, logging, and rate limits

UFW numbers rules in ufw status numbered; insert with ufw insert 1 deny from 198.51.100.0/24 when precedence matters. Raw hooks live in /etc/ufw/before.rules and after.rules for NAT or conntrack exceptions; keep these files in Git because package upgrades can prompt merges. Enable moderate logging with ufw logging medium and ship /var/log/ufw.log to your SIEM; when the log shows deny storms against SSH, use ufw limit 22/tcp to rate-limit repeated connection attempts, which mitigates password spraying without permanent blocks.
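Spotting a deny storm before it reaches the SIEM is a one-pass count over the log. This is an added example, not code from the page: the `blocked_talkers` function and the `SAMPLE_LOG` lines are constructed here, with the kernel MAC/ID fields omitted because only the `[UFW ... BLOCK]` prefix, `SRC=` and `DPT=` fields are used.

```shell
# Constructed /var/log/ufw.log excerpt (not from a real host). The fourth
# line carries the "[UFW LIMIT BLOCK]" prefix that an `ufw limit` rule logs.
SAMPLE_LOG='Apr 10 12:00:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN
Apr 10 12:00:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22 SYN
Apr 10 12:00:03 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=22 SYN
Apr 10 12:00:04 web1 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=22 SYN
Apr 10 12:00:05 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=40000 DPT=161
Apr 10 12:00:06 web1 kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=44000 DPT=443 SYN'

# blocked_talkers LOG_TEXT THRESHOLD
# Counts BLOCK and LIMIT BLOCK events per SRC/DPT pair (ALLOW lines are
# ignored) and prints "count SRC DPT" for every pair at or above THRESHOLD,
# busiest first. Prints nothing when no pair reaches the threshold.
blocked_talkers() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /\[UFW (LIMIT )?BLOCK\]/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") n[src " " dpt]++
        }
        END { for (k in n) if (n[k] >= min) print n[k], k }' | sort -rn
}

# Report sources with three or more blocked attempts on one port.
blocked_talkers "$SAMPLE_LOG" 3
```

On a live host, feed the real file with `blocked_talkers "$(cat /var/log/ufw.log)" 20` and tune the threshold to the log level in use.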

IPv6 and default policies

DEFAULT_INPUT_POLICY, DEFAULT_FORWARD_POLICY, and DEFAULT_OUTPUT_POLICY in /etc/default/ufw govern baseline drops. Remember forward rules if the box routes for containers or VMs: filtering only INPUT leaves forwarded traffic exposed unless ufw route rules or forward defaults are set.
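The two defaults that most often drift from the posture described above are IPV6 and DEFAULT_FORWARD_POLICY. The checker below is an added example, not code from the page or the ufw project: it reads a constructed weak /etc/default/ufw next to a corrected one (both contents, and the `ufw_default_findings` function, are assumptions made here) and reports any setting that is not default-deny or leaves IPv6 unprogrammed.

```shell
# Constructed /etc/default/ufw contents (not from a real host): a weak
# variant and the hardened variant the checker should pass.
WEAK_DEFAULTS='IPV6=no
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="ACCEPT"
DEFAULT_APPLICATION_POLICY="SKIP"'

HARDENED_DEFAULTS='IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"'

# ufw_default_findings CONFIG_TEXT
# Parses KEY=VALUE lines (quotes and whitespace stripped, comments skipped)
# and prints one finding per line when IPv6 is not enabled or when the
# INPUT/FORWARD defaults are not DROP or REJECT. Prints nothing when sound.
ufw_default_findings() {
    printf '%s\n' "$1" | awk -F= '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            key = $1; val = $2
            gsub(/[[:space:]"]/, "", key); gsub(/[[:space:]"]/, "", val)
            cfg[key] = val
        }
        END {
            if (cfg["IPV6"] != "yes")
                print "IPV6=" cfg["IPV6"] ": IPv6 rules are not programmed; v6 may stay open"
            for (k = 1; k <= 2; k++) {
                name = (k == 1) ? "DEFAULT_INPUT_POLICY" : "DEFAULT_FORWARD_POLICY"
                if (cfg[name] != "DROP" && cfg[name] != "REJECT")
                    print name "=" cfg[name] ": not default-deny"
            }
        }'
}

echo "== weak =="; ufw_default_findings "$WEAK_DEFAULTS"
echo "== hardened =="; ufw_default_findings "$HARDENED_DEFAULTS"
```

Against a real host, run `ufw_default_findings "$(cat /etc/default/ufw)"` and remember that a FORWARD default of DROP still needs explicit ufw route rules for the container or VM traffic you do want.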

Related reading

For raw rule semantics, see iptables on Linux and firewall rule design.

Confirm your public egress address when testing allow rules from outside your LAN.

Frequently Asked Questions

Q. Does UFW replace iptables?

UFW generates netfilter rules. On many systems nftables is the backend; iptables commands may be translated. You still need to understand ordering and default policies.

Q. Will UFW block Docker ports?

Docker publishes its own NAT rules. Traffic may match Docker chains before or after UFW depending on hook order; validate with external tests and adjust DOCKER-USER if required.

Q. How do I avoid locking myself out?

Allow management SSH before enabling (`ufw allow OpenSSH`), keep a second session open, or use a serial/out-of-band console when changing remote firewalls.

Q. Does UFW cover IPv6 automatically?

Only if IPV6 is enabled in `/etc/default/ufw`. Otherwise only IPv4 rules are programmed, which can leave IPv6 unexpectedly open or inconsistent with IPv4 policy.

Q. How do I control rule order in UFW?

Use `ufw status numbered` and `ufw insert N ...` to place denies before broad allows. Raw ordering hooks live in `/etc/ufw/before.rules` and `after.rules` for advanced cases.

Q. Does UFW filter forwarded traffic for VMs?

Default policies target INPUT; forwarded traffic needs explicit route rules or DEFAULT_FORWARD_POLICY changes. Docker and LXC often add their own chains; validate with external tests.