Simplify your firewall setup


Since version 0.34, ufw now also supports routing. This means that the firewall can wave through incoming packets and, for example, forward all requests arriving on network interface enp0s3 to the interface enp0s8 (shown in Listing 4).

Listing 4

Forwarding Requests

$ sudo ufw route allow in on enp0s3 out on enp0s8

For IP forwarding to work, the corresponding function must be enabled in the sysctl.conf configuration file. On Ubuntu, you use the /etc/ufw/sysctl.conf file for this purpose; enter the lines from Listing 5 or – if they already exist – enable them by removing the preceding hashtags (#). If you made some changes, restart ufw by typing

sudo ufw disable

Listing 5

Enable Forwarding


followed by

sudo ufw enable

This more or less brings us to the end of ufw's feature set. In particular, ufw does not yet support masquerading, where the firewall changes, among other things, the source and destination ports in the packets that pass through the firewall. But, as mentioned earlier, more complex rules can be added using iptables. The corresponding configuration is stored either in the /etc/ufw/before.rules file or in /etc/ufw/after.rules. These rules are applied by the firewall before or after the rules that you defined with the ufw command-line program.


It is even easier to configure the firewall with Gufw [3], the ufw's graphical user interface. However, since it is not officially part of the ufw project, you usually have to install it in a second step. On Ubuntu, you can install Gufw with:

sudo apt install gufw

After starting Gufw, click the button next to Status to fire up the firewall. Then, in Inbound and Outbound, set the respective default rules. The Report tab (Figure 4), an extremely practical feature, displays the running services more clearly than the matching ufw show listening command. Clicking the plus icon also automatically creates a matching firewall rule.

Figure 4: The Report tab in the Gufw user interface shows the services running on the system.

All existing rules can be found in the Rules tab. Use the gear icon to edit the currently selected rule and the plus icon to add another rule. Under Preconfigured, you can select an application profile; Gufw sorts the applications into categories. CUPS, for example, can be found below Network in the Print subcategory. If you don't want to use application profiles, switch to the Simple tab. Even more granular settings are allowed by the Advanced tab (Figure 5).

Figure 5: This rule blocks access to port 22 via TCP.


With the comparatively simple ufw, a firewall can be configured far faster than with the more complex iptables. The simple ufw rules also reduce the risk of misconfiguration and simplify maintenance. Nevertheless, ufw provides all the critical functions required to harden popular services. If you reach ufw's limits, you can add further rules with iptables. However, ufw and iptables' different syntax does prove to be a hindrance here. The bottom line, however, is that ufw makes setting up a firewall far easier.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Persistent iptables

    The Linux iptables packet filter lacks an easy way to load rules automatically after restarting a system, but you can automate this process several ways.

  • Charly's Column: UFW

    Things were better back then. No way! Charly takes a look back at the bad old firewall days and explains why things are better today – assuming you have the right tools.

  • FAQ

    Nftables promises to be the future of Linux firewalls. Meet iptables' replacement.

  • KTools: KMyFirewall

    Linux has a fantastic selection of firewalls for securing stand-alone computers or whole networks. Although you can use IPTables to set up a firewall, the configuration is often the most difficult step. KMyFirewall offers a powerful, user-friendly, GUI-based approach.

  • Nftables

    The nftables firewall utility offers a simpler and more consistent approach for managing firewalls in Linux.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More