Basic ufw Firewall Management

This article provides some basic information about how to use the Uncomplicated Firewall (ufw) software firewall. This firewall is the default firewall solution for the Ubutu® operating system and Debian®-based distributions.


The steps in this article are not intended for use on RackConnect® servers. If you need to make changes to your firewall on a RackCconnect server, you need to use your Dedicated Firewall Manager.


You need to have the following prerequisites:

  • Basic understanding of SecureShell® (SSH)
  • Sudo or administrative access to your server
  • A non-RackConnect Cloud Server running a Debian-based system

What is "ufw"?

The Uncomplicated Firewall (ufw) is the default software firewall solution for Debian-based operating systems. It is essentially a wrapper on top of iptables that allows for a more streamlined approach to managing the access on your server.

Anatomy of a rule

The following example shows the format for rules within ufw:

   ufw [allow/deny] from [ip] to [dest/any] port [port]


You can also specify ranges of ports by separating the ports by a colon, such as 2222:3333. Additionally, you can specify a subnet mask for IP addresses, such as Furthermore, ufw allows for common service whitelisting by name. This means you can you specify ssh in the rule rather than specifying port 22.

Enabling and checking status of "ufw"

To check the status of ufw on your server, run the following command:

   systemctl status ufw

If it's active, you should get a message showing Status: active along with a listing of the rules on the server. If not, you can start the service by running the systemctl start ufw command.

After the service starts, list the rules that are active in ufw before you add new rules. Use the following command to list the rules:

   ufw status

This lists the active rules in ufw on the server. If you haven't added any rules yet, you should see output similar to the following:

# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere 


There might be additional rules in place for Managed Operations customers to allow Rackspace support access to the server from the Rackspace network.

"ufw" rule examples

The following examples show some basic rules and their function in ufw:

CommandWhat it does
ufw allow from to any port 22This command allows access from the specified IP address on port 22.
ufw allow from command allows access from the specified IP.
ufw deny from packet information is logged on the server and iptables continues processing rules.
ufw allow 3200:3205This command allows connection to ports 3200 through 3205.
ufw deny 22/tcpThis command denies connections via tcp on port 22.
ufw allow in on eth1This command allows all connections on the eth1 interface. This interface may also be called em1. You can verify the interface name by running ifconfig on your server.
ufw status numberedThis command displays the active rules with a number for each line.
ufw delete 2When used in conjunction with ufw status numbered, this command removes the second line in the ufw rules list.

Further reading

This article covers only the basics of ufw. There are several other tasks and rules that you can configure to limit access to your server. For more information on ufw, see ufw - Linux man page.