How to Block an IP Address with ufw on a Debian Linux Server

UFW (Uncomplicated Firewall) is a user-friendly front end for managing an iptables/nftables firewall. It can be used on any Debian-based Linux server, such as Ubuntu 12.04/14.04/16.04/18.04/20.04/22.04 LTS or Debian 8/9/10/11/12.

Tutorial details
Difficulty level: Easy
Root privileges: No
Requirements: Linux terminal
Category: Firewall
OS compatibility: AlmaLinux • Alpine • Arch • Debian • Fedora • Linux • Mint • openSUSE • Pop!_OS • RHEL • Rocky • Stream • SUSE • Ubuntu

Why Use ufw for Network Security?

ufw is designed to simplify firewall management on Debian-based systems. It offers an easy-to-use interface that allows you to create, enable, and disable rules quickly. Using ufw, you can block specific IP addresses that pose a threat or consume too many resources.

Blocking an IP Address

Step 1: Install and Enable ufw

Before blocking any IP address, make sure ufw is installed on your Debian Linux server. You can do this with the following commands:

sudo apt-get update
sudo apt-get install ufw

After the installation, enable UFW so it starts automatically:

sudo ufw enable

This ensures that UFW manages your incoming and outgoing traffic right away.

Before continuing, if you access your server over SSH, allow the SSH port in UFW with the following command:

sudo ufw allow ssh

Run this command before enabling UFW: the default policy denies incoming connections, so enabling the firewall without an SSH rule can lock you out of a remote server.

Step 2: Check the Current ufw Status

It is a good practice to review your firewall settings before making changes. Run this command to check if ufw is active and to see existing rules:

sudo ufw status verbose

You will see a list of current rules and whether the firewall actively blocks or allows specific ports and services.

Step 3: UFW Block an IP Address

Once you confirm UFW is active, you can block an IP address by using the “deny” command. Here is how you do it:

sudo ufw deny from 123.45.67.88 to any

In this example, replace 123.45.67.88 with the IP address you want to block. This command prevents all traffic from that IP address from reaching your server.

3.1 UFW Reject an IP Address

Instead of a deny rule, you can reject connections from an IP address as follows:

sudo ufw reject from 123.45.67.89 to any

As above, replace 123.45.67.89 with the IP address you want to block. The difference between the deny and reject rules is:

  1. deny:
    • Silently drops the incoming packets without sending any response to the source.
    • For the connecting host, it usually appears as though its traffic is simply being ignored or timing out.
  2. reject:
    • Actively rejects the incoming packets and sends back an error response to the source (for example, an ICMP “port unreachable” or “connection refused” message).
    • The connecting host immediately knows that its request was refused rather than waiting for a timeout.

In practice:

  • Use deny if you want to mask the existence of a service or system, as it makes it appear that no service is listening.
  • Use reject if you want the remote user or process to quickly know the connection is refused, which can help in debugging or reduce unnecessary connection attempts.

3.2 UFW Block specific IP to a particular port number

The syntax for blocking a specific IP to a particular port is:

sudo ufw deny from {ip-address-here} to any port {port-number-here}

For example, to deny the spammer IP address 123.45.67.87 access to port 80, enter:

sudo ufw deny from 123.45.67.87 to any port 80

3.2.1 UFW Block specific IP, port number, and protocol

To block a particular IP, port number, and protocol, use the following command:

sudo ufw deny proto tcp from 123.45.67.86 to any port 80

3.3 UFW Block Subnet (CIDR)

A subnet (short for sub-network) is a logically defined portion of a larger network. In the context of CIDR (Classless Inter-Domain Routing), a subnet is typically represented by an IP address and a “slash” notation (for example, 192.168.1.0/24). The number following the slash (/24) specifies how many bits of the IP address are used for the network portion (the “subnet mask”), and the remaining bits are available for host addresses within that subnet.

For example, to deny TCP traffic to port 80 from every address in the 123.45.67.0/24 subnet, run:

sudo ufw deny proto tcp from 123.45.67.0/24 to any port 80
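The deny and reject forms from sections 3 through 3.3 are easy to mistype, and a bad address or port is only noticed once ufw complains. As an added example (not code from the original tutorial), the following POSIX shell script wraps those forms in a function that validates the source address or CIDR block, the optional port and the optional protocol before building the command. It prints the ufw command instead of executing it, so it runs without root and the output can be reviewed first; the function names (ufw_block_cmd, valid_source, valid_port) are our own.

```sh
#!/bin/sh
# Added example, not code from the original tutorial: build a ufw deny/reject
# command from validated input. The command is printed, not executed, so
# review it and then run it with sudo. Function names here are our own.

# valid_ipv4 ADDRESS: succeed only for a dotted quad with each octet 0-255.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_source SOURCE: accept a.b.c.d or a.b.c.d/N with 0 <= N <= 32 (CIDR).
valid_source() {
    src=$1
    case "$src" in
        */*)
            addr=${src%%/*}
            bits=${src#*/}
            case "$bits" in ''|*[!0-9]*) return 1 ;; esac
            [ "$bits" -le 32 ] || return 1
            ;;
        *)
            addr=$src
            ;;
    esac
    valid_ipv4 "$addr"
}

# valid_port PORT: an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ufw_block_cmd ACTION SOURCE [PORT] [PROTO]
#   ACTION is deny (drop silently) or reject (answer with an error).
#   Prints e.g. "ufw deny proto tcp from 123.45.67.0/24 to any port 80".
ufw_block_cmd() {
    action=$1
    src=$2
    port=$3
    proto=$4
    case "$action" in
        deny|reject) ;;
        *) echo "ufw_block_cmd: action must be deny or reject" >&2; return 1 ;;
    esac
    valid_source "$src" || { echo "ufw_block_cmd: bad address or CIDR: $src" >&2; return 1; }
    cmd="ufw $action"
    if [ -n "$proto" ]; then
        case "$proto" in
            tcp|udp) cmd="$cmd proto $proto" ;;
            *) echo "ufw_block_cmd: proto must be tcp or udp" >&2; return 1 ;;
        esac
    fi
    cmd="$cmd from $src to any"
    if [ -n "$port" ]; then
        valid_port "$port" || { echo "ufw_block_cmd: bad port: $port" >&2; return 1; }
        cmd="$cmd port $port"
    fi
    printf '%s\n' "$cmd"
}

# Demo with the tutorial's example addresses (run the printed lines with sudo):
ufw_block_cmd deny 123.45.67.88
ufw_block_cmd reject 123.45.67.89
ufw_block_cmd deny 123.45.67.87 80
ufw_block_cmd deny 123.45.67.0/24 80 tcp
ufw_block_cmd deny 999.45.67.1 || echo "bad address rejected as expected" >&2
```

Source the file and call ufw_block_cmd with the address you want to block; prefix the printed line with sudo to apply it. Only IPv4 is validated here, since every address on this page is IPv4.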

Step 4: Verify the New Rule

After blocking the IP address, check if the new rule is listed in ufw’s status. Use the following command again:

sudo ufw status

Look for a line indicating the IP address is being denied. If it appears in the list, the block rule is working.

Step 5: UFW Unblock an IP Address (If Needed)

If you need to remove the block for any reason, you can delete the rule using:

sudo ufw delete deny from 123.45.67.89

This command frees up the IP, allowing traffic from that address again.

5.1 UFW Unblock an IP Address by number

An easier way to delete a rule in UFW is by running the following command to find the rule number:

sudo ufw status numbered
[Figure: UFW status numbered]

In our case the rule is number 3, so instead of running sudo ufw delete deny from 123.45.67.89 we delete it by number:

sudo ufw delete 3

Tips and tricks:

UFW rules are applied in the order shown by sudo ufw status numbered: the first rule that matches a packet wins.

For example, if you have two rules for port 22, the first being sudo ufw allow 22 and the second blocking an attacker on the same port (sudo ufw deny proto tcp from 123.45.67.89 to any port 22), the first rule sudo ufw allow 22 matches and is applied, and the second one with the attacker IP is never reached.

[Figure: UFW rule position]

As you can see in the above picture, the sudo ufw allow 22 rule is 1 and the sudo ufw deny proto tcp from 123.45.67.89 to any port 22 is 6. In this case, first, we should remove the rule number 6:

sudo ufw delete 6
[Figure: UFW rule number 6 deleted]

Note: replace 6 with your own rule number as shown by sudo ufw status numbered.

Next, re-add the rule at a specific position with the following command:

Syntax: sudo ufw insert 1 deny from {BADIPAddress-HERE}

sudo ufw insert 1 deny from 123.45.67.89 to any port 22 comment 'block spammer'

Now check if the rule has been added first in line:

sudo ufw status verbose
[Figure: UFW check rule position]

As you can see in the above picture, the rule has moved from position 6 to position 1 and carries the comment "block spammer", which makes it easier to spot when you have many rules.
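Section 5.1 and the tips above both delete rules by number, reading the number off a screenshot of sudo ufw status numbered. As an added example that is not part of the original tutorial, the following POSIX shell script parses that output and prints the numbers of the rules matching a given From address (and optionally a To column), highest number first, because ufw renumbers the remaining rules after every deletion and deleting from the bottom up keeps the other numbers valid. SAMPLE_STATUS is constructed for this example to resemble the real output format; the function names rule_numbers and delete_cmds are our own.

```sh
#!/bin/sh
# Added example, not code from the original tutorial: find ufw rule numbers
# in the output of `sudo ufw status numbered` so they can be deleted with
# `sudo ufw delete N`. SAMPLE_STATUS below is constructed to look like that
# output; function names are our own.

SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] Anywhere                   DENY IN     123.45.67.89
[ 4] 22                         ALLOW IN    Anywhere (v6)
[ 5] 80/tcp                     ALLOW IN    Anywhere (v6)
[ 6] 22/tcp                     DENY IN     123.45.67.89               # block spammer'

# rule_numbers STATUS FROM [TO]
#   Print the number of every rule whose From column equals FROM and, when
#   TO is given, whose To column equals TO. Highest number first, so the
#   printed numbers stay valid while rules are deleted one after another.
rule_numbers() {
    status=$1
    from=$2
    to=$3
    printf '%s\n' "$status" | awk -v from="$from" -v to="$to" '
        /^\[ *[0-9]+\]/ {
            line = $0
            sub(/^\[ */, "", line)       # "[ 3] ..." -> "3] ..."
            sub(/\] +/, " ", line)       # "3] Anywhere" -> "3 Anywhere"
            sub(/ *#.*$/, "", line)      # drop a trailing "# comment"
            sub(/ +$/, "", line)
            n = split(line, f, / +/)
            # f[1]=number f[2]=To f[3]=ALLOW|DENY|REJECT f[4]=IN|OUT|FWD f[5..n]=From
            src = f[5]
            for (i = 6; i <= n; i++) src = src " " f[i]
            if (src == from && (to == "" || f[2] == to)) print f[1]
        }' | sort -rn
}

# delete_cmds STATUS FROM [TO]: print the matching "ufw delete N" lines,
# highest number first, ready to review and run with sudo.
delete_cmds() {
    rule_numbers "$1" "$2" "$3" | while read -r num; do
        printf 'ufw delete %s\n' "$num"
    done
}

# Demo: the tutorial's spammer address appears in rules 3 and 6 of the sample.
delete_cmds "$SAMPLE_STATUS" 123.45.67.89
```

On a live server, pass the real output in with delete_cmds "$(sudo ufw status numbered)" 123.45.67.89 22/tcp, check the printed lines, run them with sudo, and then re-add the rule at the top with sudo ufw insert 1 as described above. Matching on the exact From and To columns, rather than grepping for the address, avoids deleting an unrelated rule whose text merely contains the same digits.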

Conclusion

In this tutorial, we learned how to deny and reject an IP address or network subnet (CIDR) and how to change a rule's position using the UFW firewall.
