efxtv

Complete UFW Firewall Cheatsheet for Linux (Fedora, Ubuntu, Debian) – Secure Your System Easily

Oct 25th, 2025 (edited)
# ===============================================
# 🛡️ Complete UFW Firewall Cheatsheet for Linux (Fedora, Ubuntu, Debian) – Secure Your System Easily
# ===============================================

# UFW (Uncomplicated Firewall) is a frontend for iptables.
# This guide covers installation, configuration, and common tasks.

# -----------------------------------------------
# 🔧 Install & Manage UFW
# -----------------------------------------------

# Install UFW (Fedora / RHEL / CentOS)
sudo dnf install ufw -y

# For Debian / Ubuntu:
# sudo apt install ufw -y

# Enable UFW service at startup
sudo systemctl enable ufw
# or enable it and start it immediately:
sudo systemctl enable ufw --now

# Start / Stop / Restart UFW
sudo ufw enable
sudo ufw disable
sudo systemctl start ufw
sudo systemctl stop ufw
sudo systemctl restart ufw

# Check current UFW status
sudo ufw status verbose

# Show detailed firewall rules
sudo ufw show raw

# -----------------------------------------------
# ⚙️ Default Policies & Configuration
# -----------------------------------------------

# Reset all rules to default
sudo ufw reset
# or without the confirmation prompt:
sudo ufw --force reset

# Default deny all incoming, allow outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

# For a hardened setup:
sudo ufw default deny incoming
sudo ufw default deny outgoing

# Allow only necessary outgoing traffic
# (a comma-separated port list must end in /tcp or /udp, otherwise ufw rejects the rule)
sudo ufw allow out 20,21,22,80,443/tcp
sudo ufw allow out 53,123/udp
sudo ufw allow out 53/tcp

# Check or edit UFW config file
sudo nano /etc/default/ufw

# Common contents:
# DEFAULT_INPUT_POLICY="DROP"
# DEFAULT_OUTPUT_POLICY="DROP"

# -----------------------------------------------
# ✅ Basic Rules
# -----------------------------------------------

# Allow essential services
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

# Allow a specific port
sudo ufw allow 8080/tcp

# Allow access from a specific IP
sudo ufw allow from 192.168.1.6 to any port 22

# Deny SSH from everyone else
sudo ufw deny 22

# Insert rule at top of rule list
sudo ufw insert 1 allow from 192.168.1.6 to any port 22

# -----------------------------------------------
# 🧱 Example Rule Conflict & Ordering
# -----------------------------------------------

# Check rule numbers
sudo ufw status numbered

# Example output:
# [ 1] 22 DENY IN Anywhere
# [ 2] 22 ALLOW IN 192.168.1.6

# Fix incorrect rule order:
sudo ufw delete 1   # delete the DENY-from-anywhere rule
sudo ufw deny ssh   # re-add the deny so it sits below the allow

# Correct order will be:
# [ 1] 22 ALLOW IN 192.168.1.6
# [ 2] 22 DENY IN Anywhere

# -----------------------------------------------
# 🚫 Block Pings (ICMP Echo)
# -----------------------------------------------

# Edit UFW before.rules file
sudo nano /etc/ufw/before.rules

# Add this line after all DROP lines (around line 31), i.e. above the existing
# "--icmp-type echo-request -j ACCEPT" line, so the DROP is matched first:
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

# For IPv6 pings, make the matching change in /etc/ufw/before6.rules
# (chain ufw6-before-input, protocol ipv6-icmp, --icmpv6-type echo-request)

# Reload UFW to apply changes
sudo ufw reload

# -----------------------------------------------
# 🔍 UFW Application Profiles
# -----------------------------------------------

# List available profiles
sudo ufw app list

# Show details about a specific app
sudo ufw app info "OpenSSH"

# Enable an app profile
sudo ufw allow "OpenSSH"

# -----------------------------------------------
# 📦 Advanced: Rate Limiting & Logging
# -----------------------------------------------

# Protect SSH from brute-force attacks
# (an IP that opens 6 or more new connections within 30 seconds is denied)
sudo ufw limit ssh

# Enable logging (levels: low, medium, high, full; "on" is the same as low)
sudo ufw logging on
sudo ufw logging medium

# Disable logging
sudo ufw logging off

# View UFW logs
sudo less /var/log/ufw.log
# On hosts that log only to the journal (no rsyslog), look for the [UFW ...] kernel messages:
sudo journalctl -k | grep '\[UFW'

# -----------------------------------------------
# 🌐 Block / Allow Specific IPs & Networks
# -----------------------------------------------

# Deny all connections from a specific IP
sudo ufw deny from 203.0.113.5

# Allow entire subnet
sudo ufw allow from 192.168.1.0/24

# Deny subnet
sudo ufw deny from 10.0.0.0/8

# Allow specific port range
sudo ufw allow 6000:6010/tcp

# -----------------------------------------------
# 🧩 IPv6 Configuration
# -----------------------------------------------

# Enable IPv6 support
sudo nano /etc/default/ufw
# Set: IPV6=yes

# Reload UFW after enabling IPv6
sudo ufw reload

# -----------------------------------------------
# 🧰 Troubleshooting & Diagnostics
# -----------------------------------------------

# Check UFW version
ufw version

# Reload UFW rules
sudo ufw reload

# Check if UFW service is active
systemctl status ufw

# Show all current iptables rules applied by UFW
sudo iptables -L
sudo ip6tables -L

# -----------------------------------------------
# 🔐 Best Practices
# -----------------------------------------------

# 1. Deny all incoming connections by default.
# 2. Allow only necessary ports (SSH, HTTP/HTTPS, DNS, NTP).
# 3. Use rate limiting for SSH.
# 4. Disable ping (optional, for stealth).
# 5. Log dropped packets for auditing.
# 6. Review rules regularly with `ufw status numbered`.

# -----------------------------------------------
# 🌍 Common Ports Reference
# -----------------------------------------------

# Port  | Protocol | Purpose
# ------|----------|---------------------------------
# 20–21 | TCP      | FTP (file transfer)
# 22    | TCP      | SSH (remote access)
# 25    | TCP      | SMTP (mail)
# 53    | TCP/UDP  | DNS
# 67–68 | UDP      | DHCP
# 80    | TCP      | HTTP (web)
# 123   | UDP      | NTP (time sync)
# 443   | TCP      | HTTPS (secure web)
# 3306  | TCP      | MySQL
# 5432  | TCP      | PostgreSQL
# 8080  | TCP      | Alt HTTP

# ===============================================
# ⚠️ Special Case Example: Restrict SSH Access
# ===============================================

# Goal:
# Block all SSH requests except from one IP (192.168.1.6).

# Problem:
# The order of rules in UFW matters.
# UFW checks rules from top to bottom and stops at the first match.

# Example of incorrect rule order:
sudo ufw status numbered
# Output:
# [ 1] 224.0.0.251 mDNS ALLOW IN Anywhere
# [ 2] 22 DENY IN Anywhere
# [ 3] 80 ALLOW IN Anywhere
# [ 4] 443 ALLOW IN Anywhere
# [ 5] 22 ALLOW IN 192.168.1.6

# Here, the packet from 192.168.1.6 matches rule [2] (DENY) before reaching [5].
# Therefore, access is blocked even for 192.168.1.6.

# ✅ Correct fix:
sudo ufw delete 2   # remove the DENY rule (confirm when prompted, or use --force)
sudo ufw deny ssh   # re-added at the bottom, i.e. below the ALLOW from 192.168.1.6

# After correction, the rule order should be:
sudo ufw status numbered
# [ 1] 224.0.0.251 mDNS ALLOW IN Anywhere
# [ 2] 80 ALLOW IN Anywhere
# [ 3] 443 ALLOW IN Anywhere
# [ 4] 22 ALLOW IN 192.168.1.6
# [ 5] 22 DENY IN Anywhere
# [ 6] 22 (v6) DENY IN Anywhere (v6)

# Now:
# - Packets from 192.168.1.6 match rule [4] (ALLOW) first and are accepted.
# - All other SSH attempts match rule [5] (DENY) and are dropped.

# For quick setup:
sudo ufw insert 1 allow from 192.168.1.6 to any port 22
sudo ufw deny ssh
sudo ufw reload

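A check for the shadowing problem this section describes, added here as an example and not part of the original cheatsheet: it parses the standard `ufw status numbered` listing and reports every inbound ALLOW/LIMIT rule that sits below a DENY/REJECT from Anywhere on the same port. The two listings embedded in the script are constructed sample data mirroring the before/after output above.

```shell
#!/bin/sh
# Added example (not from the cheatsheet): report ALLOW rules that can never match
# because an earlier DENY/REJECT from "Anywhere" already covers the same port.
# Rule numbers, ports and the 192.168.1.6 address below are constructed sample data.

MISORDERED='[ 1] 224.0.0.251 mDNS           ALLOW IN    Anywhere
[ 2] 22                         DENY IN     Anywhere
[ 3] 80                         ALLOW IN    Anywhere
[ 4] 443                        ALLOW IN    Anywhere
[ 5] 22                         ALLOW IN    192.168.1.6'

CORRECTED='[ 1] 224.0.0.251 mDNS           ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22                         ALLOW IN    192.168.1.6
[ 5] 22                         DENY IN     Anywhere
[ 6] 22 (v6)                    DENY IN     Anywhere (v6)'

# Reads "ufw status numbered" text on stdin and prints "<n> shadowed by <m> (port <p>)"
# for each inbound ALLOW/LIMIT rule n on port p that sits below a DENY/REJECT rule m
# from Anywhere on the same port and address family. Prints nothing when order is fine.
shadowed_rules() {
  awk '
    /^\[ *[0-9]+]/ {
      n = $0; sub(/^\[ */, "", n); sub(/].*/, "", n)          # rule number
      rest = $0; sub(/^\[ *[0-9]+] */, "", rest)
      k = split(rest, f, /[ \t]+/)
      for (a = 1; a <= k; a++) if (f[a] ~ /^(ALLOW|DENY|REJECT|LIMIT)$/) break
      if (a > k || f[a+1] != "IN") next                        # inbound rules only
      fam = (rest ~ /\(v6\)/) ? "v6" : "v4"
      key = f[1] "/" fam                                       # port (or address) + family
      if ((f[a] == "DENY" || f[a] == "REJECT") && f[a+2] == "Anywhere" && !(key in deny))
        deny[key] = n                                          # first catch-all deny wins
      else if ((f[a] == "ALLOW" || f[a] == "LIMIT") && (key in deny))
        print n " shadowed by " deny[key] " (port " f[1] ")"
    }'
}

# Run the detector over each constructed sample (on a real host: sudo ufw status numbered | shadowed_rules)
check_misordered() { printf '%s\n' "$MISORDERED" | shadowed_rules; }
check_corrected()  { printf '%s\n' "$CORRECTED"  | shadowed_rules; }
```

The misordered listing yields `5 shadowed by 2 (port 22)`; the corrected listing yields nothing, which is what a periodic rule review (best practice 6 above) should see.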
# ===============================================
# ✅ End of UFW Cheatsheet
# ===============================================
