top of page
  • Writer's pictureotw

Linux Firewalls: Uncomplicated Firewall (ufw)

Updated: Dec 28, 2022

Welcome back, my aspiring security engineers!

There are a multitude of reasons for using Linux but one of the most overlooked is its capabilities and versatility as a firewall. While many firms spend thousands or tens of thousands of dollars on state-of-the art firewalls, you can build your own with just few hours of your time. If that doesn't make you the hero in your workplace, nothing will!

In a previous post here, I showed you how to use iptables to develop a firewall for your Linux system or network. In this tutorial, I'll demonstrate the uncomplicated firewall or ufw that utilizes iptables to configure your firewall. ufw does just what its name implies, it makes creating a firewall simple and uncomplicated.

Step #1: Download and Install ufw

First, download and install ufw. ufw is in nearly every Linux distribution repository including Kali and is pre-installed in Ubuntu.

kali > sudo apt install ufw

Step #2: ufw help

Next, let's take a look at the help screen for ufw to get some idea of how it works.

kali > sudo ufw --help

Step #3: Check the status of ufw

Now, before we begin to configure our firewall, let's check its status.

kali> sudo ufw status

When it is first installed it is disabled by default. Let's enable it.

kali > sudo ufw enable

If we want to disable it later, we can simply execute the following command.

kali > sudo ufw disable

Step #4: Default Policy

Generally, the safest firewall is one that has a default policy to block everything unless it has been explicitly allowed. We can choose this before proceeding by setting the default policy to deny. Then we can allow only traffic that is necessary making certain to block everything else. This is the safest and most secure approach.

Step #5: Block an IP address

To illustrate the commands and capabilities of ufw, we will set the default policy to allow simply for the purposes of illustrating both allow and deny traffic.

For instance, if we want to write rule to deny traffic from IP address, we can write the following rule

kali > sudo ufw deny from

If we want to block all IP addresses on a subnet, we can use CIDER notation to block all 255 Ip addresses on the subnet such as;

kali > sudo ufw deny from

In addition, we can specify which network interface to block the traffic on by specifying "in on <interface>" such as;

kali > sudo deny in on eth0 from

Now, we can check the status of our firewall to review our rules

kali > sudo ufw status

Step #6: Allowing Traffic

If you chose a default policy of deny all, it critical to define what traffic will be allowed, otherwise you have bricked your entire network (not a good thing). Let's write rules to allow some traffic. For instance, as the administrator of this firewall, you will need access to configure and maintain the firewall. Make certain you give yourself access from your IP.

kali > sudo ufw allow from

If later you need to delete a rule, you can simply use the keyword delete before the rule such as;

kali > sudo ufw delete allow from

Maybe easier, you can get the rule numbers by entering...

kali > sudo ufw status numbered

and then delete the rule by its number such as;

kali > sudo ufw delete 1

Step #7: Application List

Generally, new applications that rely on network communications will open a port on the firewall automatically if the application is on the same system as the firewall such as your host system. If the application is on another system on the network, you will need to manually open a port to allow communication. UFW has a list of applications that enable you to just specify the application and ufw will automatically open the appropriate ports.

To see the list of applications, enter;

kali> sudo ufw app list

So, for instance, if you had a nginx web server on your network that needed access to web traffic, ufw allows the simplified syntax of;

kali > sudo ufw allow "Nginx Full"

This allows nginx traffic on both port 80 and 443 using both IPv4 and IPv6 addresses. Note that it creates 2 rules.

If you just wanted to enable https traffic, you can enter a rule such as;

kali > sudo ufw allow https

When you check the status, you can view all the rules created up to this point in time.

kali > sudo ufw status

Instead of using the name of the application, you can specify the port to open such as;

kali > sudo ufw allow 80

If you want to open both port 80 and 443;

kali > sudo ufw allow 80, 443

Note that this syntax throws an error. To enable multiple ports, you must specific the protocol with the keyword "proto" (TCP, in this case) and the clause "from any to any" preceding the ports

kali> sudo ufw allow proto tcp from any to any 80,443

Now, we have successfully enabled traffic on both port 80 and port 443.

You can be even more specific and limit this traffic to just one interface such as eth0;

kali > sudo ufw allow in on eth0 proto tcp from any to any 80,443

Step #8: Enabling Access to a MySQL Database

Imagine a case where you have a MySQL (or any other) database on a system in your network. You will likely need to give the administrator access to the database as well as any applications (website, snort, etc.) that use the database. Of course, no one else should have access to the database as it's the target of nearly every hacker group. We can limit access to just the admin by allowing traffic from the admin's IP address and only on MySQL's default port, 3306.

kali > sudo ufw allow from to any port 3306


iptables can be powerful tool to create a secure and professional firewall without the expense of commercial firewalls. ufw or uncomplicated firewall utilizes the power of iptables to create secure firewalls with a very simple syntax. ufw is especially useful for creating a simple but powerful firewall to protect a simple network or your host system. For larger and complex networks, nftables is the firewall of choice.

7,031 views2 comments

Recent Posts

See All


Jan 03, 2023

I’m excited to write about Henry Hacker, he is a great and brilliant hacker who penetrated my spouse’s phone without a physical installation app. And I was able to access my spouse’s phone, SMS, Whatsapp, Instagram, Facebook, Wechat, Snapchat, Call Logs, Kik, Twitter and all social media. The most amazing thing there is that he restores all phone deleted text messages. And I also have access to everything including the phone gallery without touching the phone.I can see the whole secret of my spouse. Contact him for any hacking service. He is also a genius in repairing Credit Score, increasing school grade, Clear Criminal Record etc. His service is fast. Contact:, and you can text, call him on whatsapp…


You can hire Henryclarkethicalhacker for all your hacking needs which include clearing of criminal and driving records, credit hack fix, college grade changes, cloning phones, spying on anyone, hacking all social media accounts, etc,. Reach him via Henryclarkethicalhacker @ gmail com,

Text him,, Whatsapp,,+1 8 1 3 4 2 1 1 3 2 6.

bottom of page