How UFW works (conceptual)

Topic: Networking basics

Summary

UFW (Uncomplicated Firewall) is a front end that turns short allow/deny rules plus a default policy into iptables rules; on current distributions iptables is usually the iptables-nft backend, so the same rules also appear in the nftables ruleset. Learn how rules are ordered (first match wins), how default deny works, and how to allow a port or subnet so you can use UFW correctly and avoid locking yourself out. Read this before enabling UFW on a server.

Intent: How-to

Quick answer

  • UFW translates high-level rules (ufw allow 22/tcp, ufw deny from 1.2.3.4) into iptables/nftables rules. User rules are matched in the order you added them (first match wins; ufw insert N places a rule earlier in the list); the default policy (deny incoming, allow outgoing) applies only when no rule matches.
  • Allow SSH (or your admin port) before running ufw enable, which turns the firewall on and keeps it enabled across reboots; ufw status (or ufw status numbered) shows the active rules. The SSH session you are working from survives because UFW accepts ESTABLISHED,RELATED traffic before it evaluates user rules, but a new session needs the allow rule.
  • While UFW is enabled, changes take effect immediately: ufw allow/deny apply at once, and ufw delete or ufw disable removes protection at once. Have console (out-of-band) access when enabling or changing rules for the first time.

Prerequisites

Steps

  1. Understand default policy

    Default is deny incoming, allow outgoing (and deny routed/forwarded traffic). All new inbound connections are dropped until you add allow rules; outbound traffic and the return packets of established connections are accepted by UFW's built-in rules. This is a safe starting point for a server: only what you list is reachable.

  2. Understand rule syntax

    ufw allow 22/tcp (allow inbound TCP 22 from anywhere); ufw allow from 10.0.0.0/8 (allow every port and protocol from that subnet; ufw allow from 10.0.0.0/8 to any port 22 proto tcp is the narrower form); ufw deny 80/tcp (deny inbound TCP 80; redundant under default deny, useful to carve an exception out of a broader allow). Rules are matched first-match in the order added: a new rule is appended after the existing user rules, and ufw insert N <rule> places it at position N as shown by ufw status numbered. ufw reject returns an error to the sender instead of silently dropping.

  3. Enable safely

    Add allow 22/tcp (or your SSH port) first, then run ufw enable; it warns that the command may disrupt existing SSH connections, but with the allow rule in place the session keeps working. Open a second SSH session to confirm you can still log in before closing the first. If sshd listens on a non-default port (the Port directive in /etc/ssh/sshd_config), allow that port instead of 22; if you have a known admin subnet, restrict the rule to it (ufw allow from <admin-net> to any port 22 proto tcp).

  4. Relate to iptables/nftables

    UFW is a front end; it writes its rules into iptables chains of its own (ufw-user-input and related ufw-* chains) hooked from INPUT, OUTPUT and FORWARD. ufw status verbose shows the effective rules and default policies, ufw show raw dumps the loaded ruleset, and for the underlying tables use iptables -L -n -v or nft list ruleset on iptables-nft systems. Do not mix UFW with hand-written iptables/nft rules unless you know how the chains are ordered: a rule added directly to INPUT may be evaluated before or after UFW's chains depending on where it was inserted, and it can be removed when UFW rebuilds its chains on disable/reload. The supported place for custom rules is /etc/ufw/before.rules and after.rules.
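
The four steps above as one script, added here as an example and not code from the original page or from the UFW project. It assumes the sshd configuration is at the path you pass in (normally /etc/ssh/sshd_config), an optional admin subnet as the second argument, and sudo for a real run; the function and variable names (ssh_ports_from_config, plan_enable, apply_plan, UFW_DRY_RUN) are the example's own. It reads the SSH port(s) from sshd_config so the allow rule matches what sshd actually listens on, orders the allow before enable, and prints the plan by default instead of running it.

```shell
#!/bin/sh
# Added example, not from the original page or the UFW project.
# Plan (and optionally apply) a lock-out-safe "ufw enable":
#   1. read the port(s) sshd listens on, so the allow rule matches reality
#   2. set the defaults (deny incoming, allow outgoing)
#   3. allow the admin port, narrowed to an admin subnet if one is given
#   4. only then enable the firewall
# UFW_DRY_RUN=1 (the default) prints the commands; UFW_DRY_RUN=0 runs them via sudo.

# Print the port(s) from "Port N" directives in an sshd_config (22 if none set).
# Commented lines (#Port 22) are ignored; keyword match is case-insensitive like sshd.
ssh_ports_from_config() {
    conf="$1"
    ports=$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$conf" 2>/dev/null | sort -u)
    if [ -n "$ports" ]; then
        printf '%s\n' "$ports"
    else
        echo 22
    fi
}

# Emit the ordered command list. The allow for the admin port precedes
# "ufw enable" because UFW matches user rules first-match and the default
# policy (deny incoming) applies to everything else the moment it is enabled.
plan_enable() {
    conf="$1"
    admin_net="${2:-}"
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for p in $(ssh_ports_from_config "$conf"); do
        if [ -n "$admin_net" ]; then
            echo "ufw allow from $admin_net to any port $p proto tcp"
        else
            echo "ufw allow $p/tcp"
        fi
    done
    # --force skips the "may disrupt existing ssh connections" prompt;
    # the allow rule above is what keeps the current session usable.
    echo "ufw --force enable"
}

# Run the plan. Dry-run by default so a typo cannot lock you out.
apply_plan() {
    plan_enable "$@" | while read -r cmd; do
        if [ "${UFW_DRY_RUN:-1}" = 1 ]; then
            echo "DRY: $cmd"
        else
            # word splitting of $cmd into the ufw arguments is intended
            sudo $cmd
        fi
    done
}

# Usage (dry run):  apply_plan /etc/ssh/sshd_config 10.0.0.0/8
# After a real run, open a second SSH session before closing this one and
# check that "ufw status numbered" lists the allow rule.
```

Run it first with the default dry run and read the printed plan; the only line that should precede the allow rule is the two default-policy settings, and ufw --force enable must be last. Passing an admin subnet turns the rule into the narrower from/to form shown in step 2.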

Verification

  • You can state UFW's default policy and add an allow rule, and you know to allow SSH (or your admin port) before enabling. On the server, ufw status verbose reports Status: active with Default: deny (incoming), allow (outgoing) and lists your SSH allow rule, and a second SSH session connects while the first is still open.

Troubleshooting

Locked out after enable — Use console access (physical, IPMI/serial or your cloud provider's console). Run ufw allow 22/tcp (or your admin port); it takes effect immediately, no reload needed. If you need the firewall out of the way entirely, ufw disable drops all protection. Then fix the rules and re-enable.

Rule not taking effect — Check ufw status numbered to confirm the rule exists and matches the traffic's direction, protocol and port (22 is not the same rule as 22/tcp). Because rules are first-match, an earlier deny wins over a later allow; move the allow above it with ufw insert 1 <rule>. Confirm ufw status reports active. Turn on logging (ufw logging on) and look for [UFW BLOCK] lines in /var/log/ufw.log or journalctl -k to see the SRC, PROTO and DPT of what is being dropped. ufw reload is only needed after editing the rule files under /etc/ufw by hand.
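
A helper for the "rule not taking effect" case, added here as an example and not code from the original page or from the UFW project. UFW logs dropped packets through the kernel LOG target with the prefix [UFW BLOCK] (and allowed ones as [UFW ALLOW] at higher log levels); the script summarises which protocol/port pairs are being dropped and which sources hit a given port, so you can decide between a broad allow and a from/to rule. The log lines below are constructed for the example, not captured from a real host, and the function names (write_sample_log, blocked_by_port, blocked_sources_for_port) are the example's own.

```shell
#!/bin/sh
# Added example, not from the original page or the UFW project.
# Summarise what UFW is dropping from its kernel log lines.
# Real input: /var/log/ufw.log or "journalctl -k --no-pager".

# Constructed sample log for the example (not real traffic).
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:15:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:07 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:09 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=10.0.0.2 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=514 DPT=514 LEN=56
Mar  3 10:15:10 web1 kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
}

# Count dropped packets per protocol/destination port, most-hit first.
# Output lines: "<count> <proto> <dport>". Allowed ([UFW ALLOW]) lines are skipped.
blocked_by_port() {
    awk '
        /\[UFW BLOCK\]/ {
            proto = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dport = substr($i, 5)
            }
            if (proto != "" && dport != "") hits[proto " " dport]++
        }
        END { for (k in hits) print hits[k], k }
    ' "$1" | sort -rn
}

# Distinct source addresses whose packets to <dport> were dropped.
# One internal /24 suggests "allow from <net> to any port <dport> proto tcp";
# scattered Internet sources suggest the port should stay closed.
blocked_sources_for_port() {
    awk -v want="DPT=$2" '
        /\[UFW BLOCK\]/ {
            hit = 0
            for (i = 1; i <= NF; i++) if ($i == want) hit = 1
            if (hit) for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5)
        }
    ' "$1" | sort -u
}

# Usage on a real host:
#   blocked_by_port /var/log/ufw.log
#   blocked_sources_for_port /var/log/ufw.log 8080
```

For the sample above blocked_by_port reports 2 drops of TCP/8080 from a single source and single drops of TCP/23 and UDP/514; a missing rule shows up as a steady count on a port you expected to be open, whereas an earlier deny or a port/protocol mismatch shows up as drops despite the rule being listed in ufw status numbered.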

Next steps

Continue to