Skip to main content
Engineering LibreTexts

12-D.14: UFW & firewalld

  • Page ID
  • \( \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } \) \( \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} \)\(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\) \(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\)\(\newcommand{\AA}{\unicode[.8,0]{x212B}}\)


    The uncomplicated firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall. ufw aims to provide an easy-to-use interface for people unfamiliar with firewall concepts, while at the same time simplifies complicated iptables commands to help an administrator who knows what he or she is doing. ufw is an upstream for other distributions and graphical frontends.

    Basic Usage

    Getting started with ufw is easy. For example, to enable firewall, allow SSH access, enable logging, and check the status of the firewall, perform:

    pbmac@pbmac-server $ sudo ufw allow ssh/tcp
    pbmac@pbmac-server $ sudo ufw logging on
    pbmac@pbmac-server $ sudo ufw enable
    pbmac@pbmac-server $ sudo ufw status
    Firewall loaded
    To                         Action  From
    --                         ------  ----
    22:tcp                     ALLOW   Anywhere

    This sets up a default deny (DROP) firewall for incoming connections, with all outbound connections allowed with state tracking.

    On Ubuntu Core, simply replace ' ufw ' with 'ufw.cmd':

    pbmac@pbmac-server $ sudo ufw.cmd enable

    Advanced Functionality

    As mentioned, the ufw application is capable of doing anything that iptables can do. This is achieved by using several sets of rules files, which are nothing more than iptables-restore compatible text files. Fine-tuning ufw and/or adding additional iptables commands not offered via the ufw command is a matter of editing various text files:

    • /etc/default/ufw: high level configuration, such as default policies, IPv6 support and kernel modules to use.


    • /etc/ufw/before[6].rules: rules in these files are evaluated before any rules added via the ufw command.


    • /etc/ufw/after[6].rules: rules in these files are evaluated after any rules added via the ufw command.


    • /etc/ufw/sysctl.conf: kernel network tunables.


    • /var/lib/ufw/user[6].rules or /lib/ufw/user[6].rules (0.28 and later): rules added via the ufw command (should not normally be edited by hand).


    • /etc/ufw/ufw.conf: sets whether or not ufw is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL.


    • /etc/ufw/after.init: initialization customization script runs after ufw is initialized (ufw 0.34 and later).


    • /etc/ufw/before.init: initialization customization script runs before ufw is initialized (ufw 0.34 and later).


    After modifying any of the above files, activate the new settings with:

    pbmac@pbmac-server $ sudo ufw disable
    pbmac@pbmac-server $ sudo ufw enable


    firewalld provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options. It also provides an interface for services or applications to add iptables, ip6tables and ebtables rules directly. This interface can also be used by advanced users.

    firewalld supports both IPv4 and IPv6 networks and can administer separate firewall zones with varying degrees of trust as defined in zone profiles. Administrators can configure Network Manager to automatically switch zone profiles based on known Wi-Fi (wireless) and Ethernet (wired) networks, but firewalld cannot do this on its own.

    Services and applications can use the D-Bus interface to query and configure the firewall. firewalld supports timed rules, meaning the number of connections (or "hits") to a service can be limited globally. There is no support for hit-counting and subsequent connection rejection per source IP; a common technique deployed to limit the impact of brute-force hacking and distributed denial-of-service attacks.

    firewalld's command syntax is similar to but more verbose than other iptables front-ends like Ubuntu's Uncomplicated Firewall (ufw). The command-line interface allows managing firewall rulesets for protocol, ports, source and destination; or predefined services by name.

    The firewall-cmd Command

    firewall-cmd is the command line client of the firewalld daemon. firewalld uses the command line utility firewall-cmd to configure and manipulate rules. Before we begin to configure this, we need to make sure that the service is running. Using the systemctl command, you can enable, disable, start, stop, and restart the firewalld service. For most of these commands, there is no meaningful output from systemctl. To verify each of these, you should always check the status of firewalld.

    The runtime configuration in firewalld is separated from the permanent configuration. This means that things can get changed in the runtime or permanent configuration.

    To get the firewalld state with firewall-cmd, use the following command:

    $ firewall-cmd --state

    Another example: to open port 80/tcp with firewall-cmd:

    firewall-cmd --zone=public --add-port=80/tcp

    This will open the port 80 with protocol tcp in the public zone of the runtime environment. The runtime environment is only effective until the machine has been rebooted or the firewalld service has been restarted. The zone option can be omitted here if the port should be added to the default zone.

    In order to reload firewalld, the command line client firewall-cmd:

    firewall-cmd --reload

    Reload firewall rules and keep state information. Current permanent configuration will become new runtime configuration, i.e., all runtime only changes done until reload are lost with reload if they have not been also put into the permanent configuration.

    firewall-cmd --complete-reload

    Reload firewall completely, even netfilter kernel modules. This will most likely terminate active connections, because state information is lost. This option should only be used in case of severe firewall problems, for example, if there are state information problems that no connection can be established with correct firewall rules.

    Adapted from:
    "Uncomplicated Firewall" by Alex Murray, Ubuntu Wiki is licensed under CC BY-SA 3.0
    "Firewalld Documentation" by Unknown, firewalld is in the Public Domain, CC0

    12-D.14: UFW & firewalld is shared under a CC BY-SA 4.0 license and was authored, remixed, and/or curated by LibreTexts.

    • Was this article helpful?