Pastebin
API
tools
faq
paste
Login
Sign up
Please fix the following errors:
New Paste
Syntax Highlighting
# =============================================== # 🛡️ Complete UFW Firewall Cheatsheet for Linux (Fedora, Ubuntu, Debian) – Secure Your System Easily # =============================================== # UFW (Uncomplicated Firewall) is a frontend for iptables. # This guide covers installation, configuration, and common tasks. # ----------------------------------------------- # 🔧 Install & Manage UFW # ----------------------------------------------- # Install UFW (Fedora / RHEL / CentOS) sudo dnf install ufw -y # For Debian / Ubuntu: # sudo apt install ufw -y # Enable UFW service at startup sudo systemctl enable ufw or sudo systemctl enable ufw --now # Start / Stop / Restart UFW sudo ufw enable sudo ufw disable sudo systemctl start ufw sudo systemctl stop ufw sudo systemctl restart ufw # Check current UFW status sudo ufw status verbose # Show detailed firewall rules sudo ufw show raw # ----------------------------------------------- # ⚙️ Default Policies & Configuration # ----------------------------------------------- # Reset all rules to default sudo ufw reset # or forcefully: sudo ufw --force reset # Default deny all incoming, allow outgoing sudo ufw default deny incoming sudo ufw default allow outgoing # For a hardened setup: sudo ufw default deny incoming sudo ufw default deny outgoing # Allow only necessary outgoing traffic sudo ufw allow out 20,21,22,80,443,123,53 # Check or edit UFW config file sudo nano /etc/default/ufw # Common contents: # DEFAULT_INPUT_POLICY="DROP" # DEFAULT_OUTPUT_POLICY="DROP" # ----------------------------------------------- # ✅ Basic Rules # ----------------------------------------------- # Allow essential services sudo ufw allow ssh sudo ufw allow http sudo ufw allow https # Allow a specific port sudo ufw allow 8080/tcp # Allow access from a specific IP sudo ufw allow from 192.168.1.6 to any port 22 # Deny SSH from everyone else sudo ufw deny 22 # Insert rule at top of rule list sudo ufw insert 1 allow from 192.168.1.6 to any port 22 # ----------------------------------------------- # 🧱 Example Rule Conflict & Ordering # ----------------------------------------------- # Check rule numbers sudo ufw status numbered # Example output: # [ 1] 22 DENY IN Anywhere # [ 2] 22 ALLOW IN 192.168.1.6 # Fix incorrect rule order: sudo ufw delete 1 # delete the deny-all rule sudo ufw deny ssh # re-add deny below allow # Correct order will be: # [ 1] 22 ALLOW IN 192.168.1.6 # [ 2] 22 DENY IN Anywhere # ----------------------------------------------- # 🚫 Block Pings (ICMP Echo) # ----------------------------------------------- # Edit UFW before.rules file sudo nano /etc/ufw/before.rules # Add this line after all DROP lines (around line 31): -A ufw-before-input -p icmp --icmp-type echo-request -j DROP # Reload UFW to apply changes sudo ufw reload # ----------------------------------------------- # 🔍 UFW Application Profiles # ----------------------------------------------- # List available profiles sudo ufw app list # Show details about a specific app sudo ufw app info "OpenSSH" # Enable an app profile sudo ufw allow "OpenSSH" # ----------------------------------------------- # 📦 Advanced: Rate Limiting & Logging # ----------------------------------------------- # Protect SSH from brute-force attacks sudo ufw limit ssh # Enable logging (low, medium, high, full) sudo ufw logging on sudo ufw logging medium # Disable logging sudo ufw logging off # View UFW logs sudo less /var/log/ufw.log # ----------------------------------------------- # 🌐 Block / Allow Specific IPs & Networks # ----------------------------------------------- # Deny all connections from a specific IP sudo ufw deny from 203.0.113.5 # Allow entire subnet sudo ufw allow from 192.168.1.0/24 # Deny subnet sudo ufw deny from 10.0.0.0/8 # Allow specific port range sudo ufw allow 6000:6010/tcp # ----------------------------------------------- # 🧩 IPv6 Configuration # ----------------------------------------------- # Enable IPv6 support sudo nano /etc/default/ufw # Set: IPV6=yes # Reload UFW after enabling IPv6 sudo ufw reload # ----------------------------------------------- # 🧰 Troubleshooting & Diagnostics # ----------------------------------------------- # Check UFW version ufw version # Reload UFW rules sudo ufw reload # Check if UFW service is active systemctl status ufw # Show all current iptables rules applied by UFW sudo iptables -L sudo ip6tables -L # ----------------------------------------------- # 🔐 Best Practices # ----------------------------------------------- # 1. Deny all incoming connections by default. # 2. Allow only necessary ports (SSH, HTTP/HTTPS, DNS, NTP). # 3. Use rate limiting for SSH. # 4. Disable ping (optional, for stealth). # 5. Log dropped packets for auditing. # 6. Review rules regularly with `ufw status numbered`. # ----------------------------------------------- # 🌍 Common Ports Reference # ----------------------------------------------- # Port | Protocol | Purpose # -----|-----------|--------------------------------- # 20–21 | TCP | FTP (file transfer) # 22 | TCP | SSH (remote access) # 25 | TCP | SMTP (mail) # 53 | TCP/UDP | DNS # 67–68 | UDP | DHCP # 80 | TCP | HTTP (web) # 123 | UDP | NTP (time sync) # 443 | TCP | HTTPS (secure web) # 3306 | TCP | MySQL # 5432 | TCP | PostgreSQL # 8080 | TCP | Alt HTTP # =============================================== # ⚠️ Special Case Example: Restrict SSH Access # =============================================== # Goal: # Block all SSH requests except from one IP (192.168.1.6). # Problem: # The order of rules in UFW matters. # UFW checks rules from top to bottom and stops at the first match. # Example of incorrect rule order: sudo ufw status numbered # Output: # [ 1] 224.0.0.251 mDNS ALLOW IN Anywhere # [ 2] 22 DENY IN Anywhere # [ 3] 80 ALLOW IN Anywhere # [ 4] 443 ALLOW IN Anywhere # [ 5] 22 ALLOW IN 192.168.1.6 # Here, the packet from 192.168.1.6 matches rule [2] (DENY) before reaching [5]. # Therefore, access is blocked even for 192.168.1.6. # ✅ Correct fix: sudo ufw delete 2 sudo ufw deny ssh # After correction, the rule order should be: sudo ufw status numbered # [ 1] 224.0.0.251 mDNS ALLOW IN Anywhere # [ 2] 80 ALLOW IN Anywhere # [ 3] 443 ALLOW IN Anywhere # [ 4] 22 ALLOW IN 192.168.1.6 # [ 5] 22 DENY IN Anywhere # [ 6] 22 (v6) DENY IN Anywhere (v6) # Now: # - Packets from 192.168.1.6 match rule [4] (ALLOW) first and are accepted. # - All other SSH attempts match rule [5] (DENY) and are dropped. # For quick setup: sudo ufw insert 1 allow from 192.168.1.6 to any port 22 sudo ufw deny ssh sudo ufw reload # =============================================== # ✅ End of UFW Cheatsheet # ===============================================
Optional Paste Settings
Category:
None
Cryptocurrency
Cybersecurity
Fixit
Food
Gaming
Haiku
Help
History
Housing
Jokes
Legal
Money
Movies
Music
Pets
Photo
Science
Software
Source Code
Spirit
Sports
Travel
TV
Writing
Tags:
Syntax Highlighting:
None
Bash
C
C#
C++
CSS
HTML
JSON
Java
JavaScript
Lua
Markdown (PRO members only)
Objective C
PHP
Perl
Python
Ruby
Swift
4CS
6502 ACME Cross Assembler
6502 Kick Assembler
6502 TASM/64TASS
ABAP
AIMMS
ALGOL 68
APT Sources
ARM
ASM (NASM)
ASP
ActionScript
ActionScript 3
Ada
Apache Log
AppleScript
Arduino
Asymptote
AutoIt
Autohotkey
Avisynth
Awk
BASCOM AVR
BNF
BOO
Bash
Basic4GL
Batch
BibTeX
Blitz Basic
Blitz3D
BlitzMax
BrainFuck
C
C (WinAPI)
C Intermediate Language
C for Macs
C#
C++
C++ (WinAPI)
C++ (with Qt extensions)
C: Loadrunner
CAD DCL
CAD Lisp
CFDG
CMake
COBOL
CSS
Ceylon
ChaiScript
Chapel
Clojure
Clone C
Clone C++
CoffeeScript
ColdFusion
Cuesheet
D
DCL
DCPU-16
DCS
DIV
DOT
Dart
Delphi
Delphi Prism (Oxygene)
Diff
E
ECMAScript
EPC
Easytrieve
Eiffel
Email
Erlang
Euphoria
F#
FO Language
Falcon
Filemaker
Formula One
Fortran
FreeBasic
FreeSWITCH
GAMBAS
GDB
GDScript
Game Maker
Genero
Genie
GetText
Go
Godot GLSL
Groovy
GwBasic
HQ9 Plus
HTML
HTML 5
Haskell
Haxe
HicEst
IDL
INI file
INTERCAL
IO
ISPF Panel Definition
Icon
Inno Script
J
JCL
JSON
Java
Java 5
JavaScript
Julia
KSP (Kontakt Script)
KiXtart
Kotlin
LDIF
LLVM
LOL Code
LScript
Latex
Liberty BASIC
Linden Scripting
Lisp
Loco Basic
Logtalk
Lotus Formulas
Lotus Script
Lua
M68000 Assembler
MIX Assembler
MK-61/52
MPASM
MXML
MagikSF
Make
MapBasic
Markdown (PRO members only)
MatLab
Mercury
MetaPost
Modula 2
Modula 3
Motorola 68000 HiSoft Dev
MySQL
Nagios
NetRexx
Nginx
Nim
NullSoft Installer
OCaml
OCaml Brief
Oberon 2
Objeck Programming Langua
Objective C
Octave
Open Object Rexx
OpenBSD PACKET FILTER
OpenGL Shading
Openoffice BASIC
Oracle 11
Oracle 8
Oz
PARI/GP
PCRE
PHP
PHP Brief
PL/I
PL/SQL
POV-Ray
ParaSail
Pascal
Pawn
Per
Perl
Perl 6
Phix
Pic 16
Pike
Pixel Bender
PostScript
PostgreSQL
PowerBuilder
PowerShell
ProFTPd
Progress
Prolog
Properties
ProvideX
Puppet
PureBasic
PyCon
Python
Python for S60
QBasic
QML
R
RBScript
REBOL
REG
RPM Spec
Racket
Rails
Rexx
Robots
Roff Manpage
Ruby
Ruby Gnuplot
Rust
SAS
SCL
SPARK
SPARQL
SQF
SQL
SSH Config
Scala
Scheme
Scilab
SdlBasic
Smalltalk
Smarty
StandardML
StoneScript
SuperCollider
Swift
SystemVerilog
T-SQL
TCL
TeXgraph
Tera Term
TypeScript
TypoScript
UPC
Unicon
UnrealScript
Urbi
VB.NET
VBScript
VHDL
VIM
Vala
Vedit
VeriLog
Visual Pro Log
VisualBasic
VisualFoxPro
WHOIS
WhiteSpace
Winbatch
XBasic
XML
XPP
Xojo
Xorg Config
YAML
YARA
Z80 Assembler
ZXBasic
autoconf
jQuery
mIRC
newLISP
q/kdb+
thinBasic
Paste Expiration:
Never
Burn after read
10 Minutes
1 Hour
1 Day
1 Week
2 Weeks
1 Month
6 Months
1 Year
Paste Exposure:
Public
Unlisted
Private
Folder:
(members only)
Password
NEW
Enabled
Disabled
Burn after read
NEW
Paste Name / Title:
Create New Paste
Hello
Guest
Sign Up
or
Login
Sign in with Facebook
Sign in with Twitter
Sign in with Google
You are currently not logged in, this means you can not edit or delete anything you paste.
Sign Up
or
Login
Public Pastes
Bitcoin is Amazing
47 min ago | 0.12 KB
Roblox Scripts
5 hours ago | 0.02 KB
December smells like money
6 hours ago | 0.06 KB
Decentralized Moneys
7 hours ago | 0.42 KB
Bitcoin
7 hours ago | 0.23 KB
Untitled
8 hours ago | 13.75 KB
Untitled
8 hours ago | 0.06 KB
Untitled
12 hours ago | 3.86 KB
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the
Cookies Policy
.
OK, I Understand
Not a member of Pastebin yet?
Sign Up
, it unlocks many cool features!
