{"id":46964,"date":"2024-07-29T18:00:43","date_gmt":"2024-07-29T18:00:43","guid":{"rendered":"https:\/\/ubuntuhandbook.org\/?p=46964"},"modified":"2025-09-25T10:32:34","modified_gmt":"2025-09-25T10:32:34","slug":"enable-disable-configure-firewall-ubuntu","status":"publish","type":"post","link":"https:\/\/ubuntuhandbook.org\/index.php\/2024\/07\/enable-disable-configure-firewall-ubuntu\/","title":{"rendered":"Enable, Disable, Configure Firewall in Ubuntu 24.04 [Beginner’s Guide]"},"content":{"rendered":"

\"\"<\/a><\/p>\n

This is a beginner’s guide shows you how to enable, disable, and configure firewall in Ubuntu using UFW.<\/p>\n

Firewall is a network security system that monitors incoming and outgoing network traffic, and decides whether to allow or block specific traffic based on pre-defined security rules.<\/p>\n

Linux Kernel has the Netfilter subsystem<\/b>, which is implemented as a packet filter and firewall. Iptables<\/b> (and nftables<\/b>, the successor of iptables) is the user-level command line tool to configure the firewall by adding\/removing netfilter rules.<\/p>\n

Iptables (and nftables) is much more flexible but really hard for beginners. UFW<\/b> (Uncomplicated Firewall), the user-friendly front-end for iptables, is which I’m going to talk about below.<\/p>\n

\"\"<\/a>

Image by Pete Linforth from Pixabay<\/p><\/div>\n

<\/p>\n

Enable Firewall in Ubuntu<\/h3>\n

UFW is usually pre-installed in both Ubuntu Desktop and Server, though NOT enabled by default.<\/p>\n

Just in case, you may open terminal (Ctrl+Alt+T) and run command to install it:<\/p>\n

sudo apt install ufw<\/pre>\n
As mentioned, the firewall is usually not enabled by default. To check its status<\/b>, use command:<\/p>\n
sudo ufw status<\/pre>\n
It will show you either “Status: in active<\/em>” or “Status: active” along with user added rule<\/em>s.<\/p>\n
NOTE: It supports adding rules before ufw enabled. For remote server, run sudo ufw allow ssh<\/code> to whitelist ssh first, or you’ll lost SSH connection. If non-default SSH port is in use, for example port 1234, then use sudo ufw allow 1234\/tcp<\/code> command instead.<\/b><\/p>\n
To enable the firewall<\/b>, just run command:<\/p>\n
sudo ufw enable<\/pre>\n
It should output “Firewall is active and enabled on system startup<\/i>” if command’s done successfully.<\/p>\n
\"\"<\/a><\/p>\n
Configure Firewall using UFW<\/h3>\n
1. Check status & added rules<\/h4>\n
As mentioned above, you may check the firewall status by running the command below:<\/p>\n
sudo ufw status<\/pre>\n
It will show you if the firewall is activated or not. If yes, it also shows all the user added rules.<\/p>\n
However, to check user added rules even when firewall is in-activated<\/b>, this command may be helpful:<\/p>\n
sudo ufw show added<\/pre>\n
\"\"<\/a><\/p>\n
2. Configure UFW default policy<\/h4>\n
The default firewall policy allows any outgoing traffic<\/b>, meaning from the Ubuntu PC\/Server you can access any website, use apt<\/code>, wget<\/code>, etc commands to install\/download something in your system.<\/p>\n
However, incoming<\/b> by default is disabled. You need to add your own rules to allow outside systems to connect to your machine. All routing and forwarding are also disabled, which is good default if you are not using your machine as a router.<\/p>\n
To check default policy<\/b>, use command:<\/p>\n
sudo ufw status verbose<\/pre>\n
\"\"<\/a><\/p>\n
If you want to change the default policy, for example deny outgoing, use command:<\/p>\n
sudo ufw default deny outgoing<\/pre>\n
After that, if you want to access outside systems, then you can either re-allow all outgoing traffic via:<\/p>\n
sudo ufw default allow outgoing<\/pre>\n
Or, manually add outgoing rules for certain ports. For example, add firewall rules below to allow using apt command to install something:<\/b><\/p>\n
sudo ufw allow out 53\/udp<\/pre>\n
sudo ufw allow out 80\/tcp<\/pre>\n
When done, you may delete the rules<\/b>, so all outgoing denied again:<\/p>\n
sudo ufw delete allow out 53\/udp<\/pre>\n
sudo ufw delete allow out 80\/tcp<\/pre>\n
3. Add UFW Rules<\/h4>\n
As commands above mentioned, you may use ufw allow<\/code> command to allow incoming (and\/or outgoing) traffic to specific port, and use ufw deny<\/code> command to deny traffics.<\/p>\n
For example, allow incoming to port 80<\/b> (both tcp & udp) from any where, use command:<\/p>\n
sudo ufw allow 80<\/pre>\n
Or, allow incoming to port 53 only for udp, use command:<\/p>\n
sudo ufw allow 53\/udp<\/pre>\n
To be more specific, you can tell from where the traffic is allowed to certain port on current machine. For example, the command below set the firewall to allow remote IP ranging from 192.168.0.0 to 192.168.0.255 to tcp port 22 in this host.<\/p>\n
sudo ufw allow from 192.168.0.0\/24 to any port 22 proto tcp<\/pre>\n
The “any<\/b>” in last command means any network interfaces in local host. To specify certain IP in this host, 192.168.0.100 for example, then the last command can be:<\/p>\n
sudo ufw allow from 192.168.0.0\/24 to 192.168.0.100 port 22 proto tcp<\/pre>\n
As mentioned above, you can also use service name in UFW command<\/b> to allow (or deny) certain traffics. For example:<\/p>\n
sudo ufw allow smtp<\/pre>\n
This command will allow the SMTP port 25<\/b>, even when the service is not installed. However, it only and will always sets the service’s default port (e.g, 22 for ssh)<\/b> even when a custom one is in use.<\/p>\n
4. Remove UFW filewall rules<\/h4>\n
To delete ufw rules<\/b>, just add delete<\/code> operation between ufw<\/code> and allow<\/code> (or deny<\/code>) in the last commands you run.<\/p>\n