Skip to content
Learni
View all tutorials
Linux Sécurité

How to Master UFW Firewall in 2026

18 minEXPERT
SécuritéLinuxUFWFirewallIPv6
Lire en français

Introduction

UFW (Uncomplicated Firewall) is the most popular front-end for iptables on Ubuntu and Debian distributions in 2026. Unlike raw iptables with its complex syntax, UFW simplifies rule management with intuitive commands while delivering expert-level power for production environments.

Why master UFW today? DDoS attacks, port scans, and zero-day exploits are skyrocketing: 70% of server breaches stem from exposed ports (source: Verizon DBIR 2025). This expert tutorial takes you from installation to advanced setups like custom chains, structured logging, and IPv6 integration. Think of your server as a fortress: UFW is the locked gates with traps for intruders.

By the end, you'll deploy zero-trust policies, audit logs in real-time, and restore atomic backups. Ready for 1500+ words of pure action? (128 words)

Prerequisites

  • Ubuntu 24.04 LTS or Debian 13+ server (root or sudo access)
  • Stable SSH access (port 22 temporarily open)
  • Advanced knowledge of TCP/UDP/ICMP networking
  • Tools: netstat, tcpdump for verification
  • Backup of /etc/ufw/ before any changes

Installing and Enabling UFW

install-ufw.sh
#!/bin/bash

# Mise à jour des paquets
apt update && apt upgrade -y

# Installation d'UFW
apt install ufw -y

# Activer IPv6 (essentiel pour 2026)
sed -i 's/IPV6=no/IPV6=yes/' /etc/default/ufw

# Politique par défaut : refuser incoming, autoriser outgoing
ufw default deny incoming
ufw default allow outgoing

# Autoriser SSH pour éviter le lockout
ufw allow OpenSSH

# Activer UFW (répond 'y')
ufw --force enable

# Vérifier statut
ufw status verbose

This script installs UFW, enables IPv6 via sed for modern compatibility, sets secure default policies (deny incoming / allow outgoing), and opens SSH to prevent lockouts. The --force option enables without prompting. Always verify with ufw status verbose: To=Action from chain confirms proper startup. Pitfall: Without allow OpenSSH, you'll lose SSH access.

Verifying the Basics and Initial Tests

After running the script, ufw status verbose shows active rules, logging, and limits. Test from an external machine with nmap -p 1-1000 your-ip: only authorized ports (22/SSH) respond. Analogy: UFW is like a bouncer filtering out unwanted guests by default.

Basic Rules for Web Services

regles-web.sh
#!/bin/bash

# Autoriser HTTP/HTTPS (ports 80/443)
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 'Nginx Full'  # Si Nginx installé

# Autoriser un range de ports pour un cluster (ex: 3000-3010)
ufw allow 3000:3010/tcp

# Refuser explicitement un port sensible (ex: RDP 3389)
ufw deny 3389/tcp

# Supprimer une règle par numéro (vérifiez avec ufw status numbered)
# ufw delete 3

# Recharger pour appliquer
ufw reload

# Statut numéroté pour gestion
ufw status numbered

These rules open standard web ports and a range for microservices, while explicitly blocking risks like RDP. Nginx Full is a predefined alias combining 80/443. Use status numbered to delete precisely (e.g., ufw delete 3). reload applies changes without downtime. Pitfall: Forgetting tcp exposes UDP unnecessarily.

Managing Rules by Interface and IP

Conditional rules: Limit to eth0 or a specific IP. Example: ufw allow from 192.168.1.100 to any port 22 allows SSH only from a bastion host. For multi-interface setups (cloud), specify in on eth0. Test with filtered ufw status.

Advanced Rules: IPs, Interfaces, and Rate Limiting

regles-avancees.sh
#!/bin/bash

# Autoriser depuis IP spécifique (bastion SSH)
ufw allow from 192.168.1.100 to any port 22 proto tcp

# Limiter connexions SSH (3/minute)
ufw limit OpenSSH

# Règle sur interface (ex: lo pour loopback, eth0 pour public)
ufw allow in on lo
ufw deny in on eth1  # Bloquer interface privée

# Chaîne personnalisée pour DMZ
ufw route allow in on eth0 out on eth1

# Appliquer et vérifier logging
ufw reload
echo "[*] Test rate limit: ssh depuis autre IP >3x/min devrait fail"
ufw status numbered

Here, from IP restricts SSH to a safe subnet, limit enables rate-limiting against brute-force (default 6/30s, editable in /etc/ufw/user.limit). in on targets NIC interfaces. Inter-chain routes isolate DMZ. Always reload. Pitfall: Rate-limiting doesn't apply without explicit limit on SSH.

Logging and Real-Time Monitoring

Enable logs with ufw logging high (levels: low/off/high/full). Events land in /var/log/ufw.log. Monitor with tail -f /var/log/ufw.log | grep BLOCK. Integrate with ELK or Fail2Ban for automated alerts.

Enabling Logging and IPv6

logging-ipv6.sh
#!/bin/bash

# Logging avancé (high = DROP+REJECT)
ufw logging high

# Règles IPv6 exemples
ufw allow 80/tcp  # Applique aussi IPv6
ufw v6 allow from 2001:db8::/32 to any port 443

# Bloquer IPv6 global sauf loopback
ip6tables -P INPUT DROP
ip6tables -A INPUT -i lo -j ACCEPT
ufw reload

# Vérifier logs et statut IPv6
ufw status logged
journalctl -u ufw -f  # Alternative systemd

tail -f /var/log/ufw.log

Logging 'high' captures all drops/rejects with details (IP, port, proto). IPv6 rules are auto-enabled; use v6 for granularity. journalctl is modern for systemd. Run tail in the background for live monitoring. Pitfall: Without IPv6=yes, v6 rules are ignored, exposing you to IPv6 scans.

Backups and Resets for Production

Backup: ufw show raw > backup.rules exports everything. Restore: ufw reset && ufw --force enable then reimport. In production, automate via cron.

Full Backup, Restore, and Reset

backup-reset.sh
#!/bin/bash

# Backup complet (rules + raw + defaults)
ufw show raw > /root/ufw-backup-$(date +%Y%m%d).rules
cp /etc/default/ufw /root/
cp /etc/ufw/* /root/ufw-backup/ -r

tar czf ufw-backup-$(date +%Y%m%d).tar.gz /root/ufw-backup/

# Reset total (désactive et purge)
ufw --force reset

# Restore exemple
dpkg-reconfigure ufw  # Interactive
# Ou manual: ufw deny incoming && ufw allow OpenSSH && ufw enable

# Vérif
ufw show added
ls -la /root/ufw-backup*

This script backs up everything (raw rules for underlying iptables), creates a versioned tar.gz. reset purges without mercy (reallow SSH!). Restore via dpkg-reconfigure or manually. show added lists your additions. Pitfall: Reset without backup leaves a blank firewall, temporarily opening all incoming traffic.

Best Practices

  • Default deny/allow policy: Block all incoming unless explicitly allowed.
  • Rate-limit SSH + Fail2Ban: ufw limit SSH + install fail2ban.
  • Logging + rotation: Use logrotate on /var/log/ufw.log, alerts via Prometheus.
  • Test in staging: ufw simulate ADD RULE before applying.
  • Monthly audits: ufw show raw | grep -v ACCEPT for orphaned rules.

Common Errors to Avoid

  • SSH lockout: Always allow OpenSSH before enable.
  • IPv6 oversight: Check IPV6=yes; test with nmap -6.
  • Missing reload: In-memory rules aren't persisted without ufw reload.
  • Logging off: Default is low; bump to high for post-breach forensics.

Next Steps

Dive into native iptables with iptables -L -nv -x. Integrate UFW with Ansible for IaC: community.general.ufw role.

Check out our advanced Linux security training or Docker + UFW guide.

Resources: Official UFW docs, nftables migration for post-2026.