{ "mode": "man", "parameter": "ufw", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/ufw/8/json", "generated": "2026-06-14T07:25:37Z", "sections": { "NAME": { "content": "ufw - program for managing a netfilter firewall\n", "subsections": [] }, "DESCRIPTION": { "content": "This program is for managing a Linux firewall and aims to provide an easy to use interface\nfor the user.\n\n", "subsections": [] }, "USAGE": { "content": "ufw [--dry-run] enable|disable|reload\n\nufw [--dry-run] default allow|deny|reject [incoming|outgoing|routed]\n\nufw [--dry-run] logging on|off|LEVEL\n\nufw [--dry-run] reset\n\nufw [--dry-run] status [verbose|numbered]\n\nufw [--dry-run] show REPORT\n\nufw [--dry-run] [delete] [insert NUM] [prepend] allow|deny|reject|limit [in|out]\n[log|log-all] [ PORT[/PROTOCOL] | APPNAME ] [comment COMMENT]\n\nufw [--dry-run] [rule] [delete] [insert NUM] [prepend] allow|deny|reject|limit [in|out [on\nINTERFACE]] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT | app APPNAME ]] [to AD‐\nDRESS [port PORT | app APPNAME ]] [comment COMMENT]\n\nufw [--dry-run] route [delete] [insert NUM] [prepend] allow|deny|reject|limit [in|out on IN‐\nTERFACE] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT | app APPNAME]] [to ADDRESS\n[port PORT | app APPNAME]] [comment COMMENT]\n\nufw [--dry-run] [--force] delete NUM\n\nufw [--dry-run] app list|info|default|update\n\n", "subsections": [] }, "OPTIONS": { "content": "", "subsections": [ { "name": "--version", "content": "show program's version number and exit\n", "long": "--version" }, { "name": "-h --help", "content": "show help message and exit\n", "flag": "-h", "long": "--help" }, { "name": "--dry-run", "content": "don't modify anything, just show the changes\n\nenable reloads firewall and enables firewall on boot.\n", "long": "--dry-run" }, { "name": "disable", "content": "unloads firewall and disables firewall on boot\n\nreload reloads firewall\n\ndefault allow|deny|reject DIRECTION\nchange the default policy for traffic going DIRECTION, where DIRECTION is one of in‐‐\ncoming, outgoing or routed. Note that existing rules will have to be migrated manually\nwhen changing the default policy. See RULE SYNTAX for more on deny and reject.\n\nlogging on|off|LEVEL\ntoggle logging. Logged packets use the LOGKERN syslog facility. Systems configured\nfor rsyslog support may also log to /var/log/ufw.log. Specifying a LEVEL turns logging\non for the specified LEVEL. The default log level is 'low'. See LOGGING for details.\n\nreset Disables and resets firewall to installation defaults. Can also give the --force op‐\ntion to perform the reset without confirmation.\n\nstatus show status of firewall and ufw managed rules. Use status verbose for extra informa‐\ntion. In the status output, 'Anywhere' is synonymous with 'any', 0.0.0.0/0 (IPv4) and\n::/0 (IPv6). Note that when using status, there is a subtle difference when reporting\ninterfaces. For example, if the following rules are added:\n\nufw allow in on eth0 from 192.168.0.0/16\nufw allow out on eth1 to 10.0.0.0/8\nufw route allow in on eth0 out on eth1 to 10.0.0.0/8 from 192.168.0.0/16\nufw limit 2222/tcp comment 'SSH port'\n\nufw status will output:\n\nTo Action From\n-- ------ ----\nAnywhere on eth0 ALLOW 192.168.0.0/16\n10.0.0.0/8 ALLOW OUT Anywhere on eth1\n10.0.0.0/8 on eth1 ALLOW FWD 192.168.0.0/16 on eth0\nAnywhere LIMIT Anywhere # SSH port\n\nFor the input and output rules, the interface is reported relative to the firewall\nsystem as an endpoint, whereas with route rules, the interface is reported relative to\nthe direction packets flow through the firewall.\n\n\nshow REPORT\ndisplay information about the running firewall. See REPORTS\n\nallow ARGS\nadd allow rule. See RULE SYNTAX\n\ndeny ARGS\nadd deny rule. See RULE SYNTAX\n\nreject ARGS\nadd reject rule. See RULE SYNTAX\n\nlimit ARGS\nadd limit rule. See RULE SYNTAX\n\ndelete RULE|NUM\ndeletes the corresponding RULE\n\ninsert NUM RULE\ninsert the corresponding RULE as rule number NUM\n\nprepend RULE\nprepend the corresponding RULE to the top of the ruleset\n\n" } ] }, "RULE SYNTAX": { "content": "Users can specify rules using either a simple syntax or a full syntax. The simple syntax only\nspecifies the port and optionally the protocol to be allowed or denied on the host.\n\nBoth syntaxes support specifying a comment for the rule. For existing rules, specifying a\ndifferent comment updates the comment and specifying '' removes the comment.\n\nExample rules using the simple syntax:\n\nufw allow 53\n\nThis rule will allow tcp and udp port 53 to any address on this host. To specify a protocol,\nappend '/protocol' to the port. For example:\n\nufw allow 25/tcp\n\nThis will allow tcp port 25 to any address on this host. ufw will also check /etc/services\nfor the port and protocol if specifying a service by name. Eg:\n\nufw allow smtp\n\nufw supports both ingress and egress filtering and users may optionally specify a direction\nof either in or out for either incoming or outgoing traffic. If no direction is supplied, the\nrule applies to incoming traffic. Eg:\n\nufw allow in http\nufw reject out smtp\nufw reject telnet comment 'telnet is unencrypted'\n\nUsers can also use a fuller syntax, specifying the source and destination addresses and\nports. This syntax is loosely based on OpenBSD's PF syntax. For example:\n\nufw deny proto tcp to any port 80\n\nThis will deny all traffic to tcp port 80 on this host. Another example:\n\nufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25\n\nThis will deny all traffic from the RFC1918 Class A network to tcp port 25 with the address\n192.168.0.1.\n\nufw deny proto tcp from 2001:db8::/32 to any port 25\n\nThis will deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on this host. IPv6 must\nbe enabled in /etc/default/ufw for IPv6 firewalling to work.\n\nufw deny in on eth0 to 224.0.0.1 proto igmp\n\nThis will deny all igmp traffic to 224.0.0.1 on the eth0 interface.\n\nufw allow in on eth0 to 192.168.0.1 proto gre\n\nThis will allow all gre traffic to 192.168.0.1 on the eth0 interface.\n\nufw allow proto tcp from any to any port 80,443,8080:8090 comment 'web app'\n\nThe above will allow all traffic to tcp ports 80, 443 and 8080-8090 inclusive and adds a com‐\nment for the rule. When specifying multiple ports, the ports list must be numeric, cannot\ncontain spaces and must be modified as a whole. Eg, in the above example you cannot later try\nto delete just the '443' port. You cannot specify more than 15 ports (ranges count as 2\nports, so the port count in the above example is 4).\n\nufw supports several different protocols. The following are valid in any rule and enabled\nwhen the protocol is not specified:\n\ntcp\nudp\n\nThe following have certain restrictions and are not enabled when the protocol is not speci‐\nfied:\n\nah valid without port number\nesp valid without port number\ngre valid without port number\nipv6 valid for IPv4 addresses and without port number\nigmp valid for IPv4 addresses and without port number\n\nRules for traffic not destined for the host itself but instead for traffic that should be\nrouted/forwarded through the firewall should specify the route keyword before the rule (rout‐\ning rules differ significantly from PF syntax and instead take into account netfilter FORWARD\nchain conventions). For example:\n\nufw route allow in on eth1 out on eth2\n\nThis will allow all traffic routed to eth2 and coming in on eth1 to traverse the firewall.\n\nufw route allow in on eth0 out on eth1 to 12.34.45.67 port 80 proto tcp\n\nThis rule allows any packets coming in on eth0 to traverse the firewall out on eth1 to tcp\nport 80 on 12.34.45.67.\n\nIn addition to routing rules and policy, you must also setup IP forwarding. This may be done\nby setting the following in /etc/ufw/sysctl.conf:\n\nnet/ipv4/ipforward=1\nnet/ipv6/conf/default/forwarding=1\nnet/ipv6/conf/all/forwarding=1\n\nthen restarting the firewall:\n\nufw disable\nufw enable\n\nBe aware that setting kernel tunables is operating system specific and ufw sysctl settings\nmay be overridden. See the sysctl manual page for details.\n\n\nufw supports connection rate limiting, which is useful for protecting against brute-force lo‐\ngin attacks. When a limit rule is used, ufw will normally allow the connection but will deny\nconnections if an IP address attempts to initiate 6 or more connections within 30 seconds.\nSee http://www.debian-administration.org/articles/187 for details. Typical usage is:\n\nufw limit ssh/tcp\n\n\nSometimes it is desirable to let the sender know when traffic is being denied, rather than\nsimply ignoring it. In these cases, use reject instead of deny. For example:\n\nufw reject auth\n\n\nBy default, ufw will apply rules to all available interfaces. To limit this, specify DIREC‐‐\nTION on INTERFACE, where DIRECTION is one of in or out (interface aliases are not supported).\nFor example, to allow all new incoming http connections on eth0, use:\n\nufw allow in on eth0 to any port 80 proto tcp\n\n\nTo delete a rule, simply prefix the original rule with delete with or without the rule com‐\nment. For example, if the original rule was:\n\nufw deny 80/tcp\n\nUse this to delete it:\n\nufw delete deny 80/tcp\n\nYou may also specify the rule by NUM, as seen in the status numbered output. For example, if\nyou want to delete rule number '3', use:\n\nufw delete 3\n\nIf you have IPv6 enabled and are deleting a generic rule that applies to both IPv4 and IPv6\n(eg 'ufw allow 22/tcp'), deleting by rule number will delete only the specified rule. To\ndelete both with one command, prefix the original rule with delete.\n\nTo insert a rule, specify the new rule as normal, but prefix the rule with the rule number to\ninsert. For example, if you have four rules, and you want to insert a new rule as rule number\nthree, use:\n\nufw insert 3 deny to any port 22 from 10.0.0.135 proto tcp\n\nSimilarly, to add a rule before all other rules matching the rule's IP type, use the prepend\nrule:\n\nufw prepend deny from 1.2.3.4\n\nThis is particularly useful for dynamic firewalls as found in an IPS. Importantly, if the\nspecified rule is an IPv4 rule, it will be prepended before all other IPv4 rules. If it is an\nIPv6 rule, it will be prepended before any IPv6 rules.\n\nTo see a list of numbered rules, use:\n\nufw status numbered\n\n\nufw supports per rule logging. By default, no logging is performed when a packet matches a\nrule. Specifying log will log all new connections matching the rule, and log-all will log all\npackets matching the rule. For example, to allow and log all new ssh connections, use:\n\nufw allow log 22/tcp\n\nSee LOGGING for more information on logging.\n\n", "subsections": [] }, "EXAMPLES": { "content": "Deny all access to port 53:\n\nufw deny 53\n\n\nAllow all access to tcp port 80:\n\nufw allow 80/tcp\n\n\nAllow all access from RFC1918 networks to this host:\n\nufw allow from 10.0.0.0/8\nufw allow from 172.16.0.0/12\nufw allow from 192.168.0.0/16\n\n\nDeny access to udp port 514 from host 1.2.3.4:\n\nufw deny proto udp from 1.2.3.4 to any port 514\n\n\nAllow access to udp 1.2.3.4 port 5469 from 1.2.3.5 port 5469:\n\nufw allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469\n\n", "subsections": [] }, "REMOTE MANAGEMENT": { "content": "When running ufw enable or starting ufw via its initscript, ufw will flush its chains. This\nis required so ufw can maintain a consistent state, but it may drop existing connections (eg\nssh). ufw does support adding rules before enabling the firewall, so administrators can do:\n\nufw allow proto tcp from any to any port 22\n\nbefore running 'ufw enable'. The rules will still be flushed, but the ssh port will be open\nafter enabling the firewall. Please note that once ufw is 'enabled', ufw will not flush the\nchains when adding or removing rules (but will when modifying a rule or changing the default\npolicy). By default, ufw will prompt when enabling the firewall while running under ssh. This\ncan be disabled by using 'ufw --force enable'.\n\n", "subsections": [] }, "APPLICATION INTEGRATION": { "content": "ufw supports application integration by reading profiles located in /etc/ufw/applications.d.\nTo list the names of application profiles known to ufw, use:\n\nufw app list\n\nUsers can specify an application name when adding a rule (quoting any profile names with spa‐\nces). For example, when using the simple syntax, users can use:\n\nufw allow \n\nOr for the extended syntax:\n\nufw allow from 192.168.0.0/16 to any app \n\nYou should not specify the protocol with either syntax, and with the extended syntax, use app\nin place of the port clause.\n\nDetails on the firewall profile for a given application can be seen with:\n\nufw app info \n\nwhere '' is one of the applications seen with the app list command. Users may also\nspecify all to see the profiles for all known applications.\n\nSyntax for the application profiles is a simple .INI format:\n\n[]\ntitle=\ndescription=<description>\nports=<ports>\n\nThe 'ports' field may specify a '|'-separated list of ports/protocols where the protocol is\noptional. A comma-separated list or a range (specified with 'start:end') may also be used to\nspecify multiple ports, in which case the protocol is required. For example:\n\n[SomeService]\ntitle=Some title\ndescription=Some description\nports=12/udp|34|56,78:90/tcp\n\nIn the above example, 'SomeService' may be used in app rules and it specifies UDP port 12,\nTCP and UDP on port 34 and TCP ports 56 and 78-90 inclusive.\n\nAfter creating or editing an application profile, users can run:\n\nufw app update <name>\n\nThis command will automatically update the firewall with updated profile information. If\nspecify 'all' for name, then all the profiles will be updated. To update a profile and add a\nnew rule to the firewall automatically, users can run:\n\nufw app update --add-new <name>\n\nThe behavior of the update --add-new command can be configured using:\n\nufw app default <policy>\n\nThe default application policy is skip, which means that the update --add-new command will do\nnothing. Users may also specify a policy of allow or deny so the update --add-new command may\nautomatically update the firewall. WARNING: it may be a security to risk to use a default\nallow policy for application profiles. Carefully consider the security ramifications before\nusing a default allow policy.\n\n", "subsections": [] }, "LOGGING": { "content": "ufw supports multiple logging levels. ufw defaults to a loglevel of 'low' when a loglevel is\nnot specified. Users may specify a loglevel with:\n\nufw logging LEVEL\n\nLEVEL may be 'off', 'low', 'medium', 'high' and 'full'. Log levels are defined as:\n\noff disables ufw managed logging\n\nlow logs all blocked packets not matching the defined policy (with rate limiting), as well\nas packets matching logged rules\n\nmedium log level low, plus all allowed packets not matching the defined policy, all INVALID\npackets, and all new connections. All logging is done with rate limiting.\n\nhigh log level medium (without rate limiting), plus all packets with rate limiting\n\nfull log level high without rate limiting\n\n\nLoglevels above medium generate a lot of logging output, and may quickly fill up your disk.\nLoglevel medium may generate a lot of logging output on a busy system.\n\nSpecifying 'on' simply enables logging at log level 'low' if logging is currently not en‐\nabled.\n\n", "subsections": [] }, "REPORTS": { "content": "The following reports are supported. Each is based on the live system and with the exception\nof the listening report, is in raw iptables format:\n\nraw\nbuiltins\nbefore-rules\nuser-rules\nafter-rules\nlogging-rules\nlistening\nadded\n\nThe raw report shows the complete firewall, while the others show a subset of what is in the\nraw report.\n\nThe listening report will display the ports on the live system in the listening state for tcp\nand the open state for udp, along with the address of the interface and the executable lis‐\ntening on the port. An '*' is used in place of the address of the interface when the exe‐\ncutable is bound to all interfaces on that port. Following this information is a list of\nrules which may affect connections on this port. The rules are listed in the order they are\nevaluated by the kernel, and the first match wins. Please note that the default policy is not\nlisted and tcp6 and udp6 are shown only if IPV6 is enabled.\n\nThe added report displays the list of rules as they were added on the command-line. This re‐\nport does not show the status of the running firewall (use 'ufw status' instead). Because\nrules are normalized by ufw, rules may look different than the originally added rule. Also,\nufw does not record command ordering, so an equivalent ordering is used which lists IPv6-only\nrules after other rules.\n\n", "subsections": [] }, "NOTES": { "content": "On installation, ufw is disabled with a default incoming policy of deny, a default forward\npolicy of deny, and a default outgoing policy of allow, with stateful tracking for NEW con‐\nnections for incoming and forwarded connections. In addition to the above, a default ruleset\nis put in place that does the following:\n\n- DROP packets with RH0 headers\n\n- DROP INVALID packets\n\n- ACCEPT certain icmp packets (INPUT and FORWARD): destination-unreachable, source-quench,\ntime-exceeded, parameter-problem, and echo-request for IPv4. destination-unreachable, packet-\ntoo-big, time-exceeded, parameter-problem, and echo-request for IPv6.\n\n- ACCEPT icmpv6 packets for stateless autoconfiguration (INPUT)\n\n- ACCEPT ping replies from IPv6 link-local (ffe8::/10) addresses (INPUT)\n\n- ACCEPT DHCP client traffic (INPUT)\n\n- DROP non-local traffic (INPUT)\n\n- ACCEPT mDNS (zeroconf/bonjour/avahi 224.0.0.251 for IPv4 and ff02::fb for IPv6) for service\ndiscovery (INPUT)\n\n- ACCEPT UPnP (239.255.255.250 for IPv4 and ff02::f for IPv6) for service discovery (INPUT)\n\n\nRule ordering is important and the first match wins. Therefore when adding rules, add the\nmore specific rules first with more general rules later.\n\nufw is not intended to provide complete firewall functionality via its command interface, but\ninstead provides an easy way to add or remove simple rules.\n\nThe status command shows basic information about the state of the firewall, as well as rules\nmanaged via the ufw command. It does not show rules from the rules files in /etc/ufw. To see\nthe complete state of the firewall, users can ufw show raw. This displays the filter, nat,\nmangle and raw tables using:\n\niptables -n -L -v -x -t <table>\nip6tables -n -L -v -x -t <table>\n\nSee the iptables and ip6tables documentation for more details.\n\nIf the default policy is set to REJECT, ufw may interfere with rules added outside of the ufw\nframework. See README for details.\n\nIPV6 is allowed by default. To change this behavior to only accept IPv6 traffic on the loop‐\nback interface, set IPV6 to 'no' in /etc/default/ufw and reload ufw. When IPv6 is enabled,\nyou may specify rules in the same way as for IPv4 rules, and they will be displayed with ufw\nstatus. Rules that match both IPv4 and IPv6 addresses apply to both IP versions. For example,\nwhen IPv6 is enabled, the following rule will allow access to port 22 for both IPv4 and IPv6\ntraffic:\n\nufw allow 22\n\nIPv6 over IPv4 tunnels and 6to4 are supported by using the 'ipv6' protocol ('41'). This pro‐\ntocol can only be used with the full syntax. For example:\n\nufw allow to 10.0.0.1 proto ipv6\nufw allow to 10.0.0.1 from 10.4.0.0/16 proto ipv6\n\nIPSec is supported by using the 'esp' ('50') and 'ah' ('51') protocols. These protocols can\nonly be used with the full syntax. For example:\n\nufw allow to 10.0.0.1 proto esp\nufw allow to 10.0.0.1 from 10.4.0.0/16 proto esp\nufw allow to 10.0.0.1 proto ah\nufw allow to 10.0.0.1 from 10.4.0.0/16 proto ah\n\nIn addition to the command-line interface, ufw also provides a framework which allows admin‐\nistrators to modify default behavior as well as take full advantage of netfilter. See the\nufw-framework manual page for more information.\n\n", "subsections": [] }, "SEE ALSO": { "content": "ufw-framework(8), iptables(8), ip6tables(8), iptables-restore(8), ip6tables-restore(8),\nsysctl(8), sysctl.conf(5)\n\n", "subsections": [] }, "AUTHOR": { "content": "ufw is Copyright 2008-2021, Canonical Ltd.\n\n\n", "subsections": [] }, "September 2021 UFW:(8)": { "content": "", "subsections": [] } }, "summary": "ufw - program for managing a netfilter firewall", "flags": [ { "flag": "", "long": "--version", "arg": null, "description": "show program's version number and exit" }, { "flag": "-h", "long": "--help", "arg": null, "description": "show help message and exit" }, { "flag": "", "long": "--dry-run", "arg": null, "description": "don't modify anything, just show the changes enable reloads firewall and enables firewall on boot." } ], "examples": [ "Deny all access to port 53:", "ufw deny 53", "Allow all access to tcp port 80:", "ufw allow 80/tcp", "Allow all access from RFC1918 networks to this host:", "ufw allow from 10.0.0.0/8", "ufw allow from 172.16.0.0/12", "ufw allow from 192.168.0.0/16", "Deny access to udp port 514 from host 1.2.3.4:", "ufw deny proto udp from 1.2.3.4 to any port 514", "Allow access to udp 1.2.3.4 port 5469 from 1.2.3.5 port 5469:", "ufw allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469" ], "see_also": [ { "name": "ufw-framework", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/ufw-framework/8/json" }, { "name": "iptables", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/iptables/8/json" }, { "name": "ip6tables", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/ip6tables/8/json" }, { "name": "iptables-restore", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/iptables-restore/8/json" }, { "name": "ip6tables-restore", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/ip6tables-restore/8/json" }, { "name": "sysctl", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/sysctl/8/json" }, { "name": "sysctl.conf", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/sysctl.conf/5/json" } ] }