The default firewall installed on Ubuntu systems is called UFW (Uncomplicated Firewall). UFW provides an easy interface to manage iptables rules and control access to ports on your Ubuntu machine.

In this comprehensive guide, I will show you multiple methods to open, close, and manage ports in the UFW firewall on Ubuntu.

An Overview of UFW Firewall

UFW aims to make firewall configuration uncomplicated. According to the official Ubuntu documentation:

"The program is very easy to set up because it has sensible defaults, making it easy for most home users to get the protection they need. The program comes turned off by default, so you will have to enable it first before you can start configuring it."

So in summary, here are some key things to know about UFW:

  • UFW is installed by default on all Ubuntu versions but is disabled/inactive.
  • It sets up rules in iptables to control network connections.
  • The main goal is ease of use for basic home and office firewall settings.
  • Advanced firewall configuration still requires direct iptables modification.

With an understanding of UFW's purpose and capabilities, let's move on to hands-on management.

Enabling and Disabling UFW

Before modifying any UFW firewall rules, you first need to ensure the service is enabled and running.

To check the status of UFW:

sudo ufw status

If UFW is disabled, you will see:

Status: inactive

To enable UFW:

sudo ufw enable

Enabling UFW will start the service and apply any existing rules you have configured.

To disable the firewall completely:

sudo ufw disable

I recommend leaving UFW enabled at all times except when troubleshooting issues related to network connectivity.

Now let's get into managing firewall rules.

Adding Rules to Open or Block Ports

Opening and closing ports with UFW involves adding or removing firewall rules.

Let's look at a few important concepts first:

  • Inbound vs outbound: Controlling inbound traffic means regulating access to network services on the localhost from external clients. Outbound rules specify what remote services the localhost can connect to.
  • TCP vs UDP: Rules can specify TCP ports, UDP ports, or both. Specify tcp or udp if you only want to apply the rule to one protocol.
  • Port numbers: Common application ports you may want to open include TCP 80 (HTTP web), TCP 443 (HTTPS web), TCP 25 (SMTP mail), TCP 22 (SSH remote access).

Opening Ports

To open a port, use ufw allow followed by the port number and protocol:

sudo ufw allow 22/tcp

This allows TCP traffic on port 22 so SSH will work.

To demonstrate, let's add a web server listening on port 5000. First open the port:

sudo ufw allow 5000/tcp

Then run a simple Python web server:

python3 -m http.server 5000

Visiting the public server IP on port 5000 now displays the directory listing. So UFW allowed external connections on the new port.

Closing Ports

To block access to a port, use ufw deny instead:

sudo ufw deny 135/udp

Now UDP traffic on port 135 is blocked. Attempting connections to closed ports results in connection timeouts.

Checking UFW Rules

To print all configured firewall rules:

sudo ufw status verbose

The output includes:

  • Added rules with port numbers and protocols
  • List of application profiles
  • Default deny policies
  • IPv6 configuration

Use this to audit your current UFW configuration.
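Auditing by eye gets error-prone once a host has more than a handful of rules, so here is a small script (added for this guide, not part of UFW itself) that reads "ufw status verbose" output and flags ALLOW IN rules open to any source for ports that are not on an approved list, along with a default incoming policy that is not deny and logging that is off. The ufw_audit function name, the approved-port list and the sample status output are all constructed for the demo.

```shell
#!/bin/sh
# Added example: audit "ufw status verbose" output for rules that are broader
# than intended. Live use: sudo ufw status verbose | ufw_audit "22/tcp 80,443/tcp"

# ufw_audit "PORT/PROTO ..." : reads status output on stdin, prints WARN lines
ufw_audit() {
  awk -v expected="$1" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    /^Default:/ && $0 !~ /deny \(incoming\)/ {
      print "WARN default incoming policy is not deny: " $0
    }
    /^Logging: off/ { print "WARN firewall logging is off" }
    # Rule rows: "<port/proto> [(Profile)] ALLOW IN <source>"; v6 rows add "(v6)".
    # Only rules whose source is Anywhere are checked; source-limited rules pass.
    /ALLOW IN +Anywhere/ { if (!($1 in ok)) print "WARN " $1 " is open to Anywhere" }
  '
}

# Constructed sample of "sudo ufw status verbose" on a host with a few rules.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80,443/tcp (Apache Full)   ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    10.0.0.0/8
5000/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Only 5000/tcp is unexpected: 22 and 80,443 are approved, 3306 is source-limited.
printf '%s\n' "$SAMPLE_STATUS" | ufw_audit "22/tcp 80,443/tcp"
```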

Creating Firewall Profiles Based on Applications

Instead of defining firewall rules based purely on port numbers, UFW supports templates that match common applications.

For example, there are profiles for:

  • HTTP and HTTPS
  • DNS traffic
  • Postgres databases
  • Samba file shares

And many more popular apps.

View all available application profiles:

sudo ufw app list

The main benefit of application profiles is readability. If you want to allow MySQL database access, ufw allow mysql is more understandable than opening port 3306.

Let's walk through an example starting with Apache web server.

First check that the Apache profile is available:

sudo ufw app list

The output includes:

Available applications:
  Apache
  Apache Secure
  ...

So the Apache profiles are present.

Next allow HTTP connections with:

sudo ufw allow 'Apache'

And repeat for HTTPS:

sudo ufw allow 'Apache Secure'

Opening ports based on service names using UFW application profiles makes the firewall rules easier to read and modify.

Getting Details on App Profiles

Application profiles abstract away the ports and protocols.

To find out what is actually allowed for a profile, use:

sudo ufw app info 'Apache'

Which prints:

Profile: Apache
  Title: Web Server (HTTP)
  Description: Apache web server

Ports:
  80,443/tcp

So the Apache profile maps to TCP ports 80 and 443.

Creating Custom App Profiles

If you have an application that does not come with a default UFW profile, you can create your own:

  1. Create an XML profile file in /etc/ufw/applications.d/
  2. Specify the application name, description, ports and protocols
  3. Reload UFW to pick up the new profile

Refer to the default application profiles for examples of the XML syntax.

Then manage as you would an existing profile. Custom app profiles are very useful for documenting self-hosted web apps and databases.
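To make those three steps concrete, here is a helper script (added for this guide, not shipped with UFW) that writes a profile for a self-hosted app and validates the port spec before anything lands in /etc/ufw/applications.d. The profiles UFW ships in that directory are INI-style sections (a [Name] header with title, description and ports keys), which is the layout reproduced here; the MyApp name, its ports and the make_ufw_profile / valid_port_spec / port_ok function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: generate and validate a custom UFW application profile.
# After writing the file, register and use it like a shipped profile:
#   sudo ufw app update MyApp && sudo ufw allow MyApp

# port_ok N: true when N is an integer in 1..65535
port_ok() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_port_spec SPEC: accept UFW syntax such as "8080/tcp", "80,443/tcp",
# "5000:5010/udp", or several of those joined with "|". Runs in a subshell so
# the IFS changes stay local; "exit" therefore only leaves the subshell.
valid_port_spec() (
  IFS='|'
  for part in $1; do
    case $part in
      */tcp|*/udp) ;;
      *) echo "port spec '$part' must end in /tcp or /udp" >&2; exit 1 ;;
    esac
    IFS=','
    for p in ${part%/*}; do
      lo=${p%%:*}; hi=${p#*:}          # "80" gives lo=hi=80, "5000:5010" a range
      port_ok "$lo" && port_ok "$hi" && [ "$lo" -le "$hi" ] ||
        { echo "bad port '$p' in '$part'" >&2; exit 1; }
    done
  done
)

# make_ufw_profile NAME TITLE DESCRIPTION PORTS [DIR]
# Writes DIR/NAME; DIR defaults to UFW's profile directory.
make_ufw_profile() {
  name=$1 title=$2 desc=$3 ports=$4 dir=${5:-/etc/ufw/applications.d}
  # The name becomes a file name and a rule label, so restrict it to safe characters.
  case $name in
    ''|*[!A-Za-z0-9._-]*) echo "bad profile name: '$name'" >&2; return 1 ;;
  esac
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
  valid_port_spec "$ports" || return 1
  printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' \
    "$name" "$title" "$desc" "$ports" > "$dir/$name"
}

# Demo: write the constructed MyApp profile into a scratch directory and show it.
demo_dir=$(mktemp -d)
make_ufw_profile MyApp "My App" "Self-hosted dashboard" "8080/tcp|8443/tcp" "$demo_dir"
cat "$demo_dir/MyApp"
```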

Important Default UFW Rules

By default, UFW is set to deny all inbound connections. This means new ports you open only apply to outbound connections from the localhost.

To allow outside systems to connect inbound, you need to modify the default policy:

sudo ufw default allow incoming
sudo ufw default allow outgoing

Now incoming traffic is allowed by default, subject to any rules you add to close specific ports. This configuration reflects a more open yet controlled firewall.

I also strongly recommend enabling:

sudo ufw logging on

Firewall logs should always be enabled for security monitoring and troubleshooting.

Review the logs in /var/log/ufw.log.
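Reading /var/log/ufw.log line by line is tedious, so here is a small summariser (added for this guide, not part of UFW) that counts [UFW BLOCK] entries by source address, destination port and protocol so repeated probes of closed ports stand out. The ufw_block_summary function name is my own, and the log lines are constructed samples using RFC 5737 documentation addresses in the format rsyslog writes for UFW.

```shell
#!/bin/sh
# Added example: summarise blocked packets from /var/log/ufw.log.
# Live use: ufw_block_summary 5 < /var/log/ufw.log   # only entries with 5+ hits

# ufw_block_summary [MIN]: prints "count src dport/proto", busiest first,
# omitting entries seen fewer than MIN times (default 1).
ufw_block_summary() {
  grep -F '[UFW BLOCK]' | awk -v min="${1:-1}" '
    {
      src = ""; dpt = ""; proto = ""
      for (i = 1; i <= NF; i++) {            # netfilter fields are KEY=VALUE tokens
        split($i, kv, "=")
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
        else if (kv[1] == "PROTO") proto = tolower(kv[2])
      }
      if (src != "" && dpt != "") count[src " " dpt "/" proto]++
    }
    END { for (k in count) if (count[k] >= min) print count[k], k }
  ' | sort -rn
}

# Constructed sample log: one source probing telnet ports, another probing SMB/NetBIOS,
# plus an unrelated sshd line that the [UFW BLOCK] filter must ignore.
SAMPLE_LOG='Mar  1 10:00:01 web1 kernel: [ 1201.4421] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 10:00:02 web1 kernel: [ 1202.1187] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 10:00:03 web1 kernel: [ 1203.0932] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51002 DPT=2323 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 10:00:04 web1 kernel: [ 1204.7710] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 SRC=198.51.100.77 DST=198.51.100.2 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=21544 DF PROTO=TCP SPT=60012 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  1 10:00:04 web1 kernel: [ 1204.9023] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 SRC=198.51.100.77 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=118 ID=21545 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  1 10:00:05 web1 sshd[2140]: Accepted publickey for deploy from 198.51.100.9 port 40122 ssh2'

printf '%s\n' "$SAMPLE_LOG" | ufw_block_summary
```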

Deploying UFW Rules Across Servers

When you have UFW configured on one Ubuntu server, it can be helpful to export the rules to easily implement the same firewall settings on other servers.

To view the raw set of rules evaluated by iptables, use:

sudo iptables -S

This verbose output can be saved to a shell script that can recreate the rules.

An alternative is to copy the rule files UFW maintains itself. Every rule added with ufw is stored in /etc/ufw/user.rules (IPv4) and /etc/ufw/user6.rules (IPv6):

sudo cp /etc/ufw/user.rules /etc/ufw/user6.rules /tmp/

Then transfer these files to the same paths on another server and run:

sudo ufw reload

Which will implement matching firewall policies on that host.

Disabling IPv6 with UFW (optional)

Some users may wish to disable IPv6 support within UFW. That can be accomplished by editing /etc/default/ufw:

sudo nano /etc/default/ufw

Then update the value of IPV6 to 'no':

IPV6=no

Save changes and reboot to apply the IPv6 setting. You can validate it has been disabled using:

sudo ufw status verbose

Conclusion

UFW brings simplified host firewall management to Ubuntu servers and desktops. This detailed reference guide covered key topics like:

  • Enabling and disabling the UFW service
  • Opening and closing network ports for tcp/udp traffic
  • Using application profiles for readability
  • Setting default policies
  • Exporting and reusing rulesets
  • Optional IPv6 configuration

The goal was to provide a comprehensive resource to help you gain expertise with UFW configurations for your Ubuntu systems.

There is still more complexity that can be built on top with direct iptables rules and routing policies. But starting with UFW best practices provides a solid network security foundation.

Let me know in the comments if you have any other UFW questions!
