UFW, or Uncomplicated Firewall, is a simple front end for managing iptables firewall rules. It is available in the default Debian repositories. This article shows you how to set up a firewall with UFW on Debian 10 Buster.
Before you start, make sure you are logged in as root or as a user with sudo privileges.
Run the following commands to update the package index and install UFW:
sudo apt update
sudo apt install ufw
Unlike most Debian services, UFW is installed disabled and does not start on its own, so installing it cannot lock you out. You can check its status by typing:
sudo ufw status verbose
Right after installation it reports that the firewall is not running:
Status: inactive
Set Up Default Policies
First, define your default policies. By default, UFW denies all incoming connections and allows all outgoing connections. That means nobody can reach your server from the outside unless you add an allow rule, while any application on the server can reach the outside world.
The default policies are stored in /etc/default/ufw and can be changed with the following command, where <policy> is allow, deny or reject and <chain> is incoming, outgoing or routed:
sudo ufw default <policy> <chain>
Allow SSH Connections
If you enabled UFW right now, it would deny all incoming connections, including SSH. Before enabling the firewall, make sure incoming SSH connections are allowed; otherwise you will lock yourself out of your Debian server.
To accept SSH connections, add the OpenSSH application profile (shipped by the openssh-server package) to your UFW rules:
sudo ufw allow OpenSSH
Rules updated
Rules updated (v6)
If your SSH server listens on a port other than the default 22, you need to open that port instead. For instance, if sshd listens on port 3456, run:
sudo ufw allow 3456/tcp
At this point your firewall allows incoming SSH connections, so you can enable it:
sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
UFW warns that the command may disrupt existing SSH connections. Since a rule allowing SSH is already in place, it is safe to continue: type y and press Enter.
Depending on the applications installed on your server, you will need to allow other ports as well. Below are some commonly used examples.
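The steps above (set the default policies, allow SSH on the port sshd actually listens on, then enable) are exactly where people lock themselves out. The script below is an added example, not code from the original article: it reads the Port directives from sshd_config instead of assuming 22, uses ufw limit rather than ufw allow for SSH so that a source making too many connection attempts in a short time is temporarily blocked, and lists the queued rules with ufw show added (rules added while the firewall is inactive do not appear in ufw status) before enabling. The UFW variable, the sshd_config path and the apply argument are conventions of this example only.

```shell
#!/bin/bash
# Added example: bootstrap UFW without locking yourself out of SSH.
# Assumptions: Debian 10 with ufw installed; run as root (or via sudo).
# Set UFW=echo to preview the commands instead of applying them.
set -eu

UFW="${UFW:-ufw}"

# Print the TCP ports sshd listens on, taken from the uncommented "Port"
# directives in sshd_config ($1). Falls back to 22 when none is set.
ssh_ports() {
    local cfg="${1:-/etc/ssh/sshd_config}" ports
    ports=$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$cfg" 2>/dev/null \
            | sort -un | xargs)
    printf '%s\n' "${ports:-22}"
}

# Apply the default policies, allow (rate-limited) SSH, show what is queued,
# then enable. $1 optionally overrides the sshd_config path.
bootstrap() {
    local cfg="${1:-/etc/ssh/sshd_config}" port
    $UFW default deny incoming
    $UFW default allow outgoing
    # "limit" behaves like "allow" but denies a source that opens 6 or more
    # connections within 30 seconds, which blunts SSH brute forcing.
    for port in $(ssh_ports "$cfg"); do
        $UFW limit "${port}/tcp" comment 'ssh'
    done
    # Rules added while the firewall is inactive are not shown by "ufw status";
    # "ufw show added" lists them so you can confirm SSH is covered before enabling.
    $UFW show added
    $UFW --force enable
    $UFW status verbose
}

# Only apply when explicitly asked, so the file can also be sourced.
case "${1:-}" in
    apply) bootstrap "${2:-}" ;;
esac
```

Run it as sudo bash ufw-bootstrap.sh apply; to see the commands it would issue without touching the firewall, run UFW=echo bash ufw-bootstrap.sh apply. If sshd has several Port lines, every one of them is opened.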
Open port 80 – HTTP
To allow HTTP connections to the server, run:
sudo ufw allow http
The name http is resolved through /etc/services to port 80/tcp, so you can specify the port directly instead:
sudo ufw allow 80/tcp
Open port 443 – HTTPS
Allow HTTPS connections by typing:
sudo ufw allow https
Likewise, https resolves to port 443/tcp, so you can use the port number instead:
sudo ufw allow 443/tcp
Specific Port Ranges
UFW can also allow a range of ports, which some applications need instead of a single port. To allow ports 5000 through 5300, run:
sudo ufw allow 5000:5300/tcp
sudo ufw allow 5000:5300/udp
For a port range you must specify the protocol (tcp or udp); UFW rejects a range without one. If the application uses both protocols, add a rule for each, as shown above.
Allow Specific IP Addresses
UFW can allow access from a specific IP address to every port on the server. Use ufw allow from followed by the address:
sudo ufw allow from 220.127.116.11
Allowing Specific IP Addresses on Specific port
To allow access only on a specific port, for instance port 22 from your workstation at 18.104.22.168, use:
sudo ufw allow from 18.104.22.168 to any port 22
You can also allow a whole subnet written in CIDR notation. For example, to let every address in 188.8.131.52/24 reach port 3306 (MariaDB), run:
sudo ufw allow from 188.8.131.52/24 to any port 3306
Connections to a Specific Network Interface
To create a rule that applies only to a specific network interface, add in on followed by the interface name. For example, to allow port 3306 only on eth1:
sudo ufw allow in on eth1 to any port 3306
Deny Connections
The default policy for incoming connections is deny, so UFW blocks every incoming connection unless you have allowed it for a specific port.
Sometimes you need to block requests from a specific IP address or subnet, for instance because it is attacking your server. If the attack comes from the 184.108.40.206/24 network, deny all connections from it with:
sudo ufw deny from 184.108.40.206/24
Keep in mind that UFW evaluates rules in order and uses the first one that matches, so a deny rule added after a broad allow rule (such as allow http) never sees that port's traffic. In that case the deny rule must be inserted ahead of the allow rules; UFW lets you insert a rule at a given position.
To deny a single IP address, type:
sudo ufw deny from 22.214.171.124
Delete UFW Rules
You can delete rules by rule number or by specifying the actual rule.
To delete a rule by number, first find the number of the rule you want to delete:
sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    126.96.36.199/24
[ 2] 80                         ALLOW IN    Anywhere
Use the below command to delete rule number 1:
sudo ufw delete 1
The second method is to delete the rule by specifying it. For example, to remove the allow http rule:
sudo ufw delete allow http
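Rule order matters both for the deny rules above and for deleting by number: UFW stops at the first matching rule, and deleting rule N renumbers every rule after it, so a loop that deletes rules 2, 3 and 4 in that order actually removes the wrong ones. The script below is an added example, not code from the article: it parses the output of ufw status numbered to find every rule matching a pattern, deletes them from the highest number down so the remaining numbers stay valid, and places a deny rule at position 1 so it is evaluated before any allow rule. The UFW variable and the sample status output in the comment are assumptions of this example.

```shell
#!/bin/bash
# Added example: manage UFW rules by number safely.
# Assumes ufw is installed and the script runs as root; set UFW=echo to preview.
set -eu

UFW="${UFW:-ufw}"

# Given the text of "ufw status numbered" ($1) and an extended regex ($2),
# print the numbers of the matching rules, highest first.
# Status lines look like:  [ 3] 80/tcp    ALLOW IN    Anywhere
rule_numbers() {
    printf '%s\n' "$1" \
        | grep -E -- "$2" \
        | sed -n 's/^\[ *\([0-9][0-9]*\)\].*/\1/p' \
        | sort -rn | xargs
}

# Delete every rule whose status line matches the regex in $1.
# Deleting from the highest number down keeps the lower numbers stable;
# a loop over ascending numbers would silently delete the wrong rules.
delete_rules_matching() {
    local status n
    status=$($UFW status numbered)
    for n in $(rule_numbers "$status" "$1"); do
        $UFW --force delete "$n"
    done
}

# Put a deny rule for an address or CIDR ($1) at position 1, ahead of any
# allow rule, because UFW applies the first rule that matches a packet.
block_source_first() {
    $UFW insert 1 deny from "$1"
}
```

Source the file and call, for example, delete_rules_matching 'ALLOW IN +Anywhere' to drop every rule open to the world, or block_source_first 184.108.40.206/24 to block a subnet even though broader allow rules exist. Check the pattern against ufw status numbered first; the regex is matched against the whole line, so '80/tcp' also matches the IPv6 twin of the rule.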
Disable & Reset UFW
If you no longer want UFW active, disable it with:
sudo ufw disable
To re-enable UFW and reactivate all of its rules, type:
sudo ufw enable
Resetting UFW disables it and deletes all active rules (the previous rule files are kept as timestamped backups under /etc/ufw). This is helpful when you want to revert all of your changes and start fresh.
To reset UFW, type:
sudo ufw reset
You have now learned how to set up and configure the UFW firewall on your Debian 10 system. For server security, allow only the ports you actually need and deny everything else.
If you have questions, feel free to leave a comment below.