Making a ufw cheatsheet since I’m always searching how to do this everytime I need to setup the firewall.
Basics#
| Command |
Description |
sudo ufw enable |
Enable UFW firewall |
sudo ufw disable |
Disable UFW firewall |
sudo ufw status |
Show current rules (simple) |
sudo ufw status verbose |
Show detailed rule info |
sudo ufw reload |
Reload UFW rules |
sudo ufw reset |
Reset all UFW rules (starts fresh) |
Default Policies#
| Command |
Description |
sudo ufw default deny incoming |
Block all incoming connections |
sudo ufw default allow outgoing |
Allow all outgoing connections |
sudo ufw default deny outgoing |
Block all outgoing connections |
Allow Rules#
| Command Example |
Description |
sudo ufw allow 22 |
Allow SSH on all interfaces |
sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp |
Allow SSH from LAN only |
sudo ufw allow in on eth0 to any port 80 proto tcp |
Allow HTTP on interface eth0 |
sudo ufw allow out to any port 443 proto tcp |
Allow HTTPS outbound |
Deny Rules#
| Command Example |
Description |
sudo ufw deny 22 |
Block SSH |
sudo ufw deny out to any port 80 proto tcp |
Block HTTP outbound |
Delete Rules#
| Command Example |
Description |
sudo ufw status numbered |
View rule numbers |
sudo ufw delete [number] |
Delete rule by number |
sudo ufw delete allow 22 |
Delete rule by definition |
Common Ports#
| Service |
Port(s) |
| SSH |
22 |
| HTTP |
80 |
| HTTPS |
443 |
| Cockpit |
9090 |
| Portainer |
9443, 8000 |
| Docker Registry |
5000 |
| Samba (SMB) |
139, 445 |
| DNS |
53 |
| NTP |
123 |
| ICMP (ping) |
(not a port, use proto) |
Advanced#
| Command Example |
Description |
sudo ufw allow proto icmp |
Allow ping (ICMP) |
sudo ufw limit 22/tcp |
Rate-limit SSH (prevent brute-force) |
sudo ufw allow from 192.168.1.100 |
Allow all ports from one IP |
sudo ufw allow out to 8.8.8.8 port 53 proto udp |
Allow DNS to Google only |
UFW Command Keywords#
| Keyword |
Description |
enable |
Turns on the firewall, applying the current rules. |
disable |
Turns off the firewall (all rules stop being enforced). |
allow |
Allows specific traffic based on your criteria. |
deny |
Denies or blocks specific traffic. |
delete |
Removes a rule. Often used with rule numbers (ufw status numbered shows these). |
from [IP/subnet] |
Specifies the source IP address or subnet the rule applies to. |
to any port [PORT] |
Specifies the destination port on your server that the rule targets. |
proto |
specifies the protocol |
in |
The rule applies to incoming traffic. |
out |
The rule applies to outgoing traffic. |
on [interface] |
Applies the rule only on a specific network interface. |
limit |
Enables rate limiting on a port to reduce brute-force attacks. |