UFW:(8)                         February 2016                         UFW:(8)


       ufw - program for managing a netfilter firewall

       This program is for managing a Linux firewall and aims to provide an
       easy to use interface for the user.


       ufw [--dry-run] enable|disable|reload

       ufw [--dry-run] default allow|deny|reject [incoming|outgoing|routed]

       ufw [--dry-run] logging on|off|LEVEL

       ufw [--dry-run] reset

       ufw [--dry-run] status [verbose|numbered]

       ufw [--dry-run] show REPORT

       ufw [--dry-run] [delete] [insert NUM] allow|deny|reject|limit [in|out]
           [log|log-all] [ PORT[/PROTOCOL] | APPNAME ] [comment COMMENT]

       ufw [--dry-run] [rule] [delete] [insert NUM] allow|deny|reject|limit
           [in|out [on INTERFACE]] [log|log-all] [proto PROTOCOL] [from ADDRESS
           [port PORT | app APPNAME ]] [to ADDRESS [port PORT | app APPNAME ]]
           [comment COMMENT]

       ufw [--dry-run] route [delete] [insert NUM] allow|deny|reject|limit
           [in|out on INTERFACE] [log|log-all] [proto PROTOCOL] [from ADDRESS
           [port PORT | app APPNAME]] [to ADDRESS [port PORT | app APPNAME]]
           [comment COMMENT]

       ufw [--dry-run] delete NUM

       ufw [--dry-run] app list|info|default|update


       --version
              show program's version number and exit

       -h, --help
              show help message and exit

       --dry-run
              don't modify anything, just show the changes

       enable reloads firewall and enables firewall on boot.

       disable
              unloads firewall and disables firewall on boot

       reload reloads firewall

       default allow|deny|reject DIRECTION
              change the default policy for traffic going DIRECTION, where
              DIRECTION is one of incoming, outgoing or routed. Note that
              existing rules will have to be migrated manually when changing
              the default policy. See RULE SYNTAX for more on deny and reject.

       logging on|off|LEVEL
              toggle logging. Logged packets use the LOG_KERN syslog facility.
              Systems configured for rsyslog support may also log to
              /var/log/ufw.log. Specifying a LEVEL turns logging on for the
              specified LEVEL. The default log level is 'low'. See LOGGING
              for details.

       reset  Disables and resets firewall to installation defaults. Can also
              give the --force option to perform the reset without
              confirmation.

       status show status of firewall and ufw managed rules. Use status
              verbose for extra information. In the status output, 'Anywhere'
              is synonymous with 'any' and '0.0.0.0/0'. Note that when using
              status, there is a subtle difference when reporting interfaces.
              For example, if the following rules are added:

                ufw allow in on eth0 from 192.168.0.0/16
                ufw allow out on eth1 to 10.0.0.0/8
                ufw route allow in on eth0 out on eth1 to 10.0.0.0/8 from 192.168.0.0/16
                ufw limit 2222/tcp comment 'SSH port'

              ufw status will output:

                To                         Action      From
                --                         ------      ----
                Anywhere on eth0           ALLOW       192.168.0.0/16
                10.0.0.0/8                 ALLOW OUT   Anywhere on eth1
                10.0.0.0/8 on eth1         ALLOW FWD   192.168.0.0/16 on eth0
                Anywhere                   LIMIT       Anywhere
                                                       # SSH port

              For the input and output rules, the interface is reported
              relative to the firewall system as an endpoint, whereas with
              route rules, the interface is reported relative to the direction
              packets flow through the firewall.


       show REPORT
              display information about the running firewall. See REPORTS

       allow ARGS
              add allow rule. See RULE SYNTAX

       deny ARGS
              add deny rule. See RULE SYNTAX

       reject ARGS
              add reject rule. See RULE SYNTAX

       limit ARGS
              add limit rule. Currently only IPv4 is supported. See RULE
              SYNTAX

       delete RULE|NUM
              deletes the corresponding RULE

       insert NUM RULE
              insert the corresponding RULE as rule number NUM

       Users can specify rules using either a simple syntax or a full syntax.
       The simple syntax only specifies the port and optionally the protocol
       to be allowed or denied on the host.

       Both syntaxes support specifying a comment for the rule. For existing
       rules, specifying a different comment updates the comment and
       specifying '' removes the comment.

       Example rules using the simple syntax:

           ufw allow 53

       This rule will allow tcp and udp port 53 to any address on this host.
       To specify a protocol, append '/protocol' to the port. For example:

           ufw allow 25/tcp

       This will allow tcp port 25 to any address on this host. ufw will also
       check /etc/services for the port and protocol if specifying a service
       by name. Eg:

           ufw allow smtp

       ufw supports both ingress and egress filtering and users may optionally
       specify a direction of either in or out for either incoming or outgoing
       traffic. If no direction is supplied, the rule applies to incoming
       traffic. Eg:

           ufw allow in http
           ufw reject out smtp
           ufw reject telnet comment 'telnet is unencrypted'

       Users can also use a fuller syntax, specifying the source and
       destination addresses and ports. This syntax is loosely based on
       OpenBSD's PF syntax. For example:

           ufw deny proto tcp to any port 80

       This will deny all traffic to tcp port 80 on this host. Another
       example:

           ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25

       This will deny all traffic from the RFC1918 Class A network to tcp port
       25 with the address 192.168.0.1.

           ufw deny proto tcp from 2001:db8::/32 to any port 25

       This will deny all traffic from the IPv6 2001:db8::/32 to tcp port 25
       on this host. IPv6 must be enabled in /etc/default/ufw for IPv6
       firewalling to work.

           ufw deny in on eth0 to 224.0.0.1 proto igmp

       This will deny all igmp traffic to 224.0.0.1 on the eth0 interface.

           ufw allow in on eth0 to 192.168.0.1 proto gre

       This will allow all gre traffic to 192.168.0.1 on the eth0 interface.

           ufw allow proto tcp from any to any port 80,443,8080:8090 comment 'web app'

       The above will allow all traffic to tcp ports 80, 443 and 8080-8090
       inclusive and adds a comment for the rule. When specifying multiple
       ports, the ports list must be numeric, cannot contain spaces and must
       be modified as a whole. Eg, in the above example you cannot later try
       to delete just the '443' port. You cannot specify more than 15 ports
       (ranges count as 2 ports, so the port count in the above example is 4).

       ufw supports several different protocols. The following are valid in
       any rule and enabled when the protocol is not specified:

           tcp
           udp

       The following have certain restrictions and are not enabled when the
       protocol is not specified:

           ah     valid without port number
           esp    valid without port number
           gre    valid without port number
           ipv6   valid for IPv4 addresses and without port number
           igmp   valid for IPv4 addresses and without port number

       Rules for traffic not destined for the host itself but instead for
       traffic that should be routed/forwarded through the firewall should
       specify the route keyword before the rule (routing rules differ
       significantly from PF syntax and instead take into account netfilter
       FORWARD chain conventions). For example:

           ufw route allow in on eth1 out on eth2

       This will allow all traffic routed to eth2 and coming in on eth1 to
       traverse the firewall.

           ufw route allow in on eth0 out on eth1 to 12.34.45.67 port 80 proto tcp

       This rule allows any packets coming in on eth0 to traverse the firewall
       out on eth1 to tcp port 80 on 12.34.45.67.

       In addition to routing rules and policy, you must also set up IP
       forwarding. This may be done by setting the following in
       /etc/ufw/sysctl.conf:

           net/ipv4/ip_forward=1
           net/ipv6/conf/default/forwarding=1
           net/ipv6/conf/all/forwarding=1

       then restarting the firewall:

           ufw disable
           ufw enable

       Be aware that setting kernel tunables is operating system specific and
       ufw sysctl settings may be overridden. See the sysctl manual page for
       details.


       ufw supports connection rate limiting, which is useful for protecting
       against brute-force login attacks. When a limit rule is used, ufw will
       normally allow the connection but will deny connections if an IP
       address attempts to initiate 6 or more connections within 30 seconds.
       See http://www.debian-administration.org/articles/187 for details.
       Typical usage is:

           ufw limit ssh/tcp
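       The following is an added example, not code from ufw or this manual
       page: a small Python model of the limit rule semantics described above
       (a source address that makes 6 or more new connections within 30
       seconds is denied), run over a constructed list of connection attempts.
       Real ufw implements this with the netfilter 'recent' match, whose
       bookkeeping differs in minor details.

```python
# Added example (not ufw's own code): a simplified model of the limit rule
# semantics the manual describes. Each new connection attempt from a source
# address is timestamped; if that address has made 6 or more attempts within
# the last 30 seconds, the attempt is denied. Real ufw uses the netfilter
# 'recent' match, whose bookkeeping differs in small details.
from collections import defaultdict, deque

WINDOW_SECONDS = 30
HITCOUNT = 6


class LimitRule:
    def __init__(self, window=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.window = window
        self.hitcount = hitcount
        self.hits = defaultdict(deque)  # source address -> attempt times

    def check(self, src, now):
        """Record a new connection attempt from src at time now (seconds)
        and return 'ALLOW' or 'DENY'. Denied attempts still count."""
        times = self.hits[src]
        times.append(now)
        while now - times[0] > self.window:  # forget attempts outside window
            times.popleft()
        return "DENY" if len(times) >= self.hitcount else "ALLOW"


def evaluate(attempts, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Run (time, src) attempts through one limit rule; return decisions."""
    rule = LimitRule(window, hitcount)
    return [(t, src, rule.check(src, t)) for t, src in attempts]


# Constructed sample: one host retrying every 2 seconds, another host making
# a single attempt in between, then the first host returning after a pause.
SAMPLE_ATTEMPTS = [
    (0, "192.0.2.10"), (2, "192.0.2.10"), (4, "192.0.2.10"),
    (6, "192.0.2.10"), (8, "192.0.2.10"), (9, "192.0.2.20"),
    (10, "192.0.2.10"), (12, "192.0.2.10"), (45, "192.0.2.10"),
]

if __name__ == "__main__":
    for t, src, decision in evaluate(SAMPLE_ATTEMPTS):
        print("t=%2ds %s %s" % (t, src, decision))
```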


       Sometimes it is desirable to let the sender know when traffic is being
       denied, rather than simply ignoring it. In these cases, use reject
       instead of deny. For example:

           ufw reject auth


       By default, ufw will apply rules to all available interfaces. To limit
       this, specify DIRECTION on INTERFACE, where DIRECTION is one of in or
       out (interface aliases are not supported). For example, to allow all
       new incoming http connections on eth0, use:

           ufw allow in on eth0 to any port 80 proto tcp


       To delete a rule, simply prefix the original rule with delete with or
       without the rule comment. For example, if the original rule was:

           ufw deny 80/tcp

       Use this to delete it:

           ufw delete deny 80/tcp

       You may also specify the rule by NUM, as seen in the status numbered
       output. For example, if you want to delete rule number '3', use:

           ufw delete 3

       If you have IPv6 enabled and are deleting a generic rule that applies
       to both IPv4 and IPv6 (eg 'ufw allow 22/tcp'), deleting by rule number
       will delete only the specified rule. To delete both with one command,
       prefix the original rule with delete.

       To insert a rule, specify the new rule as normal, but prefix the rule
       with the rule number to insert. For example, if you have four rules,
       and you want to insert a new rule as rule number three, use:

           ufw insert 3 deny to any port 22 from 10.0.0.135 proto tcp

       To see a list of numbered rules, use:

           ufw status numbered


       ufw supports per rule logging. By default, no logging is performed when
       a packet matches a rule. Specifying log will log all new connections
       matching the rule, and log-all will log all packets matching the rule.
       For example, to allow and log all new ssh connections, use:

           ufw allow log 22/tcp

       See LOGGING for more information on logging.


       Deny all access to port 53:

           ufw deny 53

       Allow all access to tcp port 80:

           ufw allow 80/tcp

       Allow all access from RFC1918 networks to this host:

           ufw allow from 10.0.0.0/8
           ufw allow from 172.16.0.0/12
           ufw allow from 192.168.0.0/16

       Deny access to udp port 514 from host 1.2.3.4:

           ufw deny proto udp from 1.2.3.4 to any port 514

       Allow access to udp 1.2.3.4 port 5469 from 1.2.3.5 port 5469:

           ufw allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469


       When running ufw enable or starting ufw via its initscript, ufw will
       flush its chains. This is required so ufw can maintain a consistent
       state, but it may drop existing connections (eg ssh). ufw does support
       adding rules before enabling the firewall, so administrators can do:

           ufw allow proto tcp from any to any port 22

       before running 'ufw enable'. The rules will still be flushed, but the
       ssh port will be open after enabling the firewall. Please note that
       once ufw is 'enabled', ufw will not flush the chains when adding or
       removing rules (but will when modifying a rule or changing the default
       policy). By default, ufw will prompt when enabling the firewall while
       running under ssh. This can be disabled by using 'ufw --force enable'.


       ufw supports application integration by reading profiles located in
       /etc/ufw/applications.d. To list the names of application profiles
       known to ufw, use:

           ufw app list

       Users can specify an application name when adding a rule (quoting any
       profile names with spaces). For example, when using the simple syntax,
       users can use:

           ufw allow <name>

       Or for the extended syntax:

           ufw allow from 192.168.0.0/16 to any app <name>

       You should not specify the protocol with either syntax, and with the
       extended syntax, use app in place of the port clause.

       Details on the firewall profile for a given application can be seen
       with:

           ufw app info <name>

       where '<name>' is one of the applications seen with the app list
       command. Users may also specify all to see the profiles for all known
       applications.

       Syntax for the application profiles is a simple .INI format:

           [<name>]
           title=<title>
           description=<description>
           ports=<ports>

       The 'ports' field may specify a '|'-separated list of ports/protocols
       where the protocol is optional. A comma-separated list or a range
       (specified with 'start:end') may also be used to specify multiple
       ports, in which case the protocol is required. For example:

           [SomeService]
           title=Some title
           description=Some description
           ports=12/udp|34|56,78:90/tcp

       In the above example, 'SomeService' may be used in app rules and it
       specifies UDP port 12, TCP and UDP on port 34 and TCP ports 56 and
       78-90 inclusive.
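       The following is an added example, not part of ufw or this manual
       page: a Python parser for the profile 'ports' field described above,
       together with a checker for the multi-port rule limit from RULE SYNTAX
       (at most 15 ports, a range counting as 2), run against the SomeService
       profile shown above. The function names and the port-range sanity
       checks are this example's own, not ufw's.

```python
# Added example (not ufw's own code): parse the 'ports=' field of a ufw
# application profile and check a rule's comma-separated port list, following
# the rules stated in this manual page.
from configparser import ConfigParser

PROTOCOLS = ("tcp", "udp")  # protocols implied when none is given
MAX_PORTS = 15              # rule limit; a start:end range counts as 2 ports


def validate_port_spec(spec):
    """Accept a single port 'N' or a range 'start:end' with numeric bounds."""
    parts = spec.split(":")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError("bad port specification %r" % spec)
    nums = [int(p) for p in parts]
    if any(n < 1 or n > 65535 for n in nums) or nums != sorted(nums):
        raise ValueError("port out of range or reversed range: %r" % spec)


def parse_ports_field(field):
    """Expand a '|'-separated ports field into (port_spec, protocol) tuples;
    a bare item means tcp and udp, a comma list or range requires '/proto'."""
    result = []
    for item in field.split("|"):
        if "/" in item:
            spec, proto = item.rsplit("/", 1)
            if proto not in PROTOCOLS:
                raise ValueError("unknown protocol in %r" % item)
            protos = (proto,)
        else:
            spec, protos = item, PROTOCOLS
            if "," in spec or ":" in spec:
                raise ValueError("protocol required for list/range %r" % item)
        for part in spec.split(","):
            validate_port_spec(part)
            result.extend((part, p) for p in protos)
    return result


def count_rule_ports(port_list):
    """Count the ports in a rule's 'port A,B,C:D' list the way the manual
    does and reject lists with spaces or more than MAX_PORTS ports."""
    if " " in port_list:
        raise ValueError("port list must not contain spaces")
    count = 0
    for part in port_list.split(","):
        validate_port_spec(part)
        count += 2 if ":" in part else 1
    if count > MAX_PORTS:
        raise ValueError("%d ports exceeds the limit of %d" % (count, MAX_PORTS))
    return count


def load_profiles(ini_text):
    """Read profiles in the .INI layout shown above into name -> tuples."""
    cp = ConfigParser()
    cp.read_string(ini_text)
    return {name: parse_ports_field(cp[name]["ports"]) for name in cp.sections()}


# Constructed sample profile, matching the SomeService example in the text.
SAMPLE_PROFILE = """[SomeService]
title=Some title
description=Some description
ports=12/udp|34|56,78:90/tcp
"""
```

       Calling load_profiles(SAMPLE_PROFILE) yields UDP port 12, TCP and UDP
       on port 34 and TCP on 56 and 78:90, the expansion the text describes,
       and count_rule_ports("80,443,8080:8090") returns 4.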

       After creating or editing an application profile, users can run:

           ufw app update <name>

       This command will automatically update the firewall with updated
       profile information. If 'all' is specified for name, then all the
       profiles will be updated. To update a profile and add a new rule to the
       firewall automatically, users can run:

           ufw app update --add-new <name>

       The behavior of the update --add-new command can be configured using:

           ufw app default <policy>

       The default application policy is skip, which means that the update
       --add-new command will do nothing. Users may also specify a policy of
       allow or deny so the update --add-new command may automatically update
       the firewall. WARNING: it may be a security risk to use a default
       allow policy for application profiles. Carefully consider the security
       ramifications before using a default allow policy.


       Disallow incoming SSH (allowed by default):

           ufw delete allow to any app SSH

       Allow incoming UPnP (Universal Plug and Play) where the destination
       address is one of the standard multicast destination addresses for
       UPnP:

           ufw allow to 239.255.255.250 app UPnP
           ufw allow to ff02::f app UPnP

       Disallow incoming mDNS (Multicast DNS) where the destination address is
       one of the standard multicast destination addresses for mDNS (allowed
       by default):

           ufw delete allow to 224.0.0.251 app mDNS
           ufw delete allow to ff02::fb app mDNS

       (Unfortunately, it is not currently possible to store the destination
       addresses as part of the application definition.)


       ufw supports multiple logging levels. ufw defaults to a loglevel of
       'low' when a loglevel is not specified. Users may specify a loglevel
       with:

           ufw logging LEVEL

       LEVEL may be 'off', 'low', 'medium', 'high' or 'full'. Log levels are
       defined as:

       off    disables ufw managed logging

       low    logs all blocked packets not matching the defined policy (with
              rate limiting), as well as packets matching logged rules

       medium log level low, plus all allowed packets not matching the defined
              policy, all INVALID packets, and all new connections. All
              logging is done with rate limiting.

       high   log level medium (without rate limiting), plus all packets with
              rate limiting

       full   log level high without rate limiting

       Loglevels above medium generate a lot of logging output, and may
       quickly fill up your disk. Loglevel medium may generate a lot of
       logging output on a busy system.

       Specifying 'on' simply enables logging at log level 'low' if logging is
       currently not enabled.


       The following reports are supported. Each is based on the live system
       and, with the exception of the listening report, is in raw iptables
       format:

           raw
           builtins
           before-rules
           user-rules
           after-rules
           logging-rules
           listening
           added

       The raw report shows the complete firewall, while the others show a
       subset of what is in the raw report.

       The listening report will display the ports on the live system in the
       listening state for tcp and the open state for udp, along with the
       address of the interface and the executable listening on the port. An
       '*' is used in place of the address of the interface when the
       executable is bound to all interfaces on that port. Following this
       information is a list of rules which may affect connections on this
       port. The rules are listed in the order they are evaluated by the
       kernel, and the first match wins. Please note that the default policy
       is not listed and tcp6 and udp6 are shown only if IPV6 is enabled.

       The added report displays the list of rules as they were added on the
       command-line. This report does not show the status of the running
       firewall (use 'ufw status' instead). Because rules are normalized by
       ufw, rules may look different than the originally added rule. Also,
       ufw does not record command ordering, so an equivalent ordering is used
       which lists IPv6-only rules after other rules.


       On installation, ufw is 'enabled' (but only actually enabled on bootup
       if ufw.service is enabled in systemd) with a default incoming policy of
       deny, a default forward policy of deny, and a default outgoing policy
       of allow, with stateful tracking for NEW connections for incoming and
       forwarded connections. As exceptions to the default deny policy, INPUT
       on the following application ports is allowed by default:

       - SSH (port 22/tcp)

       - mDNS (port 5353/udp with the multicast destination addresses
         224.0.0.251 for IPv4 and ff02::fb for IPv6)

       These rules can easily be removed through the ufw command line or its
       graphical frontends. In addition to the above, a default ruleset is put
       in place that does the following:

       - DROP packets with RH0 headers

       - DROP INVALID packets

       - ACCEPT certain icmp packets (INPUT and FORWARD):
         destination-unreachable, source-quench, time-exceeded,
         parameter-problem, and echo-request for IPv4.
         destination-unreachable, packet-too-big, time-exceeded,
         parameter-problem, and echo-request for IPv6.

       - ACCEPT icmpv6 packets for stateless autoconfiguration (INPUT)

       - ACCEPT ping replies from IPv6 link-local (ffe8::/10) addresses
         (INPUT)

       - ACCEPT DHCP client traffic (INPUT)

       - DROP non-local traffic (INPUT)


       Rule ordering is important and the first match wins. Therefore when
       adding rules, add the more specific rules first with more general rules
       later.

       ufw is not intended to provide complete firewall functionality via its
       command interface, but instead provides an easy way to add or remove
       simple rules.

       The status command shows basic information about the state of the
       firewall, as well as rules managed via the ufw command. It does not
       show rules from the rules files in /etc/ufw. To see the complete state
       of the firewall, users can run ufw show raw. This displays the filter,
       nat, mangle and raw tables using:

           iptables -n -L -v -x -t <table>
           ip6tables -n -L -v -x -t <table>

       See the iptables and ip6tables documentation for more details.

       If the default policy is set to REJECT, ufw may interfere with rules
       added outside of the ufw framework. See README for details.

       IPV6 is allowed by default. To change this behavior to only accept IPv6
       traffic on the loopback interface, set IPV6 to 'no' in /etc/default/ufw
       and reload ufw. When IPv6 is enabled, you may specify rules in the same
       way as for IPv4 rules, and they will be displayed with ufw status.
       Rules that match both IPv4 and IPv6 addresses apply to both IP
       versions. For example, when IPv6 is enabled, the following rule will
       allow access to port 22 for both IPv4 and IPv6 traffic:

           ufw allow 22

       IPv6 over IPv4 tunnels and 6to4 are supported by using the 'ipv6'
       protocol ('41'). This protocol can only be used with the full syntax.
       For example:

           ufw allow to 10.0.0.1 proto ipv6
           ufw allow to 10.0.0.1 from 10.4.0.0/16 proto ipv6

       IPSec is supported by using the 'esp' ('50') and 'ah' ('51') protocols.
       These protocols can only be used with the full syntax. For example:

           ufw allow to 10.0.0.1 proto esp
           ufw allow to 10.0.0.1 from 10.4.0.0/16 proto esp
           ufw allow to 10.0.0.1 proto ah
           ufw allow to 10.0.0.1 from 10.4.0.0/16 proto ah

       In addition to the command-line interface, ufw also provides a
       framework which allows administrators to modify default behavior as
       well as take full advantage of netfilter. See the ufw-framework manual
       page for more information.


       ufw-framework(8), iptables(8), ip6tables(8), iptables-restore(8),
       ip6tables-restore(8), sysctl(8), sysctl.conf(5)


       ufw is Copyright 2008-2014, Canonical Ltd.


       ufw and this manual page were originally written by Jamie Strandboge
       <jamie@canonical.com>