Install and Setup UFW Firewall on CentOS 8 / RHEL 8
UFW stands for Uncomplicated Firewall. According to Ubuntu's documentation, Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall.
In this tutorial, we are going to install and setup UFW on CentOS 8. All commands will work for RHEL 8.
Table of Contents
- Install and Enable UFW
- UFW Default Policy
- Add Firewall Rules
- Delete Firewall Rules
- Advanced UFW Rules
- Tip – UFW NOT blocking IP
- More Info
Step 1 : Install and Enable UFW
UFW isn't available in the default CentOS repositories, so we need to install the EPEL repository on our server first:
sudo dnf install epel-release -y
Now install and enable UFW:
# install
sudo dnf install ufw -y
# enable
sudo ufw enable
Check the status of UFW:
sudo ufw status
To disable UFW, run this command:
sudo ufw disable
Step 2 : UFW Default Policy
By default, UFW blocks all incoming traffic and allows all outgoing traffic. You can run the commands below to set the default policy explicitly:
sudo ufw default allow outgoing
sudo ufw default deny incoming
Step 3 : Add Firewall Rules
Adding rules to the UFW firewall is easy. Let's open the HTTP port (80):
sudo ufw allow http
# or
sudo ufw allow 80
To allow a port only for TCP or only for UDP, specify the protocol:
sudo ufw allow 80/tcp
sudo ufw allow 21/udp
We can deny traffic to any port (without an explicit direction, a ufw rule applies to incoming traffic):
sudo ufw deny 8081
We can list the active rules in several ways:
# method 1
sudo ufw status
# method 2
sudo ufw status numbered
# method 3
sudo ufw status verbose
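Steps 1 to 3 combined into one script, as an added example that is not part of the original tutorial. The important detail it adds is ordering: with a default-deny incoming policy, running ufw enable before any allow rule exists closes SSH on a remote host and locks the administrator out. The script therefore sets the defaults, allows the management port (assumed here to be 22/tcp) and any other services, and only then enables the firewall. It assumes ufw is already installed (step 1) and is run by a user with sudo; setting UFW=echo turns it into a dry run that prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the tutorial: bootstrap UFW in a lock-out-safe order.
# UFW is the command prefix; it is left unquoted on purpose so "sudo ufw"
# splits into two words. Set UFW=echo to dry-run and just print the commands.
UFW="${UFW:-sudo ufw}"

# ufw_bootstrap MGMT_PORT SERVICE...
#   MGMT_PORT  the port/proto that must stay reachable, e.g. 22/tcp (assumed)
#   SERVICE    further ufw targets to allow: http, 443/tcp, 1000:1500/udp ...
ufw_bootstrap() {
    mgmt="$1"; shift
    $UFW default deny incoming || return 1
    $UFW default allow outgoing || return 1
    # management port first, before anything can lock us out
    $UFW allow "$mgmt" || return 1
    for svc in "$@"; do
        $UFW allow "$svc" || return 1
    done
    # --force skips the interactive "may disrupt existing ssh connections" prompt
    $UFW --force enable || return 1
    $UFW status verbose
}

# Self-check on the dry-run output: succeeds only if the allow rule for the
# management port is emitted before the enable step.
ufw_bootstrap_check_order() {
    out=$(UFW=echo ufw_bootstrap "$@") || return 1
    allow_line=$(printf '%s\n' "$out" | grep -n "^allow $1\$" | cut -d: -f1)
    enable_line=$(printf '%s\n' "$out" | grep -n "enable" | cut -d: -f1)
    [ -n "$allow_line" ] && [ -n "$enable_line" ] && [ "$allow_line" -lt "$enable_line" ]
}

# Usage (dry run first, then for real):
#   UFW=echo ufw_bootstrap 22/tcp http 443/tcp
#   ufw_bootstrap 22/tcp http 443/tcp
```

Run the dry run before the real invocation and read the command list once; on a console-only machine the management port can be left out, but on anything reached over the network it is the one rule that must precede enable.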
Step 4 : Delete Firewall Rules
Just as with adding, removing rules is easy. Here's an example:
sudo ufw delete allow http
sudo ufw delete deny 8081
We can also delete a rule by its number. Run sudo ufw status numbered and you'll see a number beside each rule. Then you can delete like this:
sudo ufw delete 5
To remove all rules (note that this also disables UFW and restores its default configuration files):
sudo ufw reset
Step 5 : Advanced UFW Rules
Allow or deny a specific IP address access to all services:
# allow
sudo ufw allow from 192.168.2.57
# deny
sudo ufw deny from 192.168.2.57
To allow a specific IP address/port combination:
sudo ufw allow proto tcp from 192.168.2.57 to any port 22
Allow or deny a specific IP range (192.168.1.1 to 192.168.1.254) access to all services:
# allow
sudo ufw allow from 192.168.1.0/24
# deny
sudo ufw deny from 192.168.1.0/24
Block a subnet on a specific port:
sudo ufw deny proto tcp from 192.168.2.0/24 to any port 22
To allow a range of TCP and UDP ports from 1000 to 1500:
sudo ufw allow 1000:1500/tcp
sudo ufw allow 1000:1500/udp
To allow HTTP traffic on network interface eth0:
sudo ufw allow in on eth0 to any port 80
Step 6 : Tip – UFW NOT Blocking IP
After adding rules, if UFW is still not blocking an IP (rules are matched in order and the first match wins, so a deny added after a broader allow never gets a chance to fire), open the UFW config file:
sudo nano /etc/ufw/before.rules
Find the line # End required lines and add rules like these directly after it:
# block single IP
-A ufw-before-input -s 192.168.2.57 -j DROP
# block subnet
-A ufw-before-input -s 192.168.2.0/24 -j DROP
You can also try this, which inserts the deny at position 1 so it is evaluated before any allow rule:
sudo ufw insert 1 deny from 192.168.2.57 comment 'Block spammer'
sudo ufw insert 1 deny from 192.168.2.0/24 comment 'Block XSS attack subnet'
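The ordering problem behind this tip can be spotted before it bites. As an added example that is not part of the original tutorial, the function below reads the output of sudo ufw status numbered on stdin and reports every DENY IN rule from a specific source that sits below an earlier ALLOW IN from Anywhere. It is a heuristic: such a deny is only shadowed for the ports the earlier allow covers, but that is exactly the case the tutorial describes (allow 22/tcp, then deny from an IP). The status text embedded in the block is a constructed sample, not output from a real host.

```shell
#!/bin/sh
# Added example, not from the tutorial: find deny rules shadowed by an
# earlier broad allow. Usage on a live host:
#   sudo ufw status numbered | ufw_shadowed_denies
ufw_shadowed_denies() {
    awk '
        # rule lines look like:  [ 2] Anywhere    DENY IN    192.168.2.57
        /^\[ *[0-9]+\]/ {
            sub(/^\[ */, ""); sub(/\]/, "")      # strip "[ 2]" -> "2", refields $0
            num = $1
            # the action is the first ALLOW/DENY/REJECT/LIMIT token; IN/OUT and
            # the From column follow it (a "(v6)" suffix on To does not matter)
            for (i = 2; i <= NF; i++) if ($i ~ /^(ALLOW|DENY|REJECT|LIMIT)$/) break
            action = $i; dir = $(i + 1); from = $(i + 2)
            if (action == "ALLOW" && dir == "IN" && from == "Anywhere") seen_allow = 1
            if (action == "DENY" && dir == "IN" && from != "Anywhere" && seen_allow)
                printf "rule %s denies %s but is below an earlier ALLOW IN from Anywhere\n", num, from
        }'
}

# Constructed sample of "ufw status numbered" output (not from a real host):
# the deny for 192.168.2.57 was appended after "allow 22/tcp", so SSH from
# that address still matches rule 1 first.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] Anywhere                   DENY IN     192.168.2.57
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

printf '%s\n' "$SAMPLE_STATUS" | ufw_shadowed_denies
```

If the function prints anything, re-add the deny with ufw insert 1 (or delete it by number and insert it at the top) and run the check again; the corrected list produces no output.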
Step 7 : More Info
These are the rule files UFW loads:
/etc/ufw/before.rules
/etc/ufw/before6.rules
/etc/ufw/after.rules
/etc/ufw/after6.rules
To enable/disable logging, use the following command:
# on
sudo ufw logging on
# off
sudo ufw logging off
Check the logs:
sudo tail -f /var/log/ufw.log
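Tailing the log shows individual packets; for detection work it is more useful to aggregate. As an added example that is not part of the original tutorial, the function below reads ufw.log lines on stdin and counts [UFW BLOCK] entries per source address and destination port/protocol, most frequent first, so a host hammering a closed port stands out. The log lines in the block are constructed samples in the format the kernel writes for UFW, not real traffic.

```shell
#!/bin/sh
# Added example, not from the tutorial: summarise blocked packets by source
# and destination port. Usage on a live host:
#   sudo grep 'UFW BLOCK' /var/log/ufw.log | ufw_block_summary
ufw_block_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = ""; proto = ""
            # the kernel writes KEY=VALUE tokens; pick the three we need
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src != "") count[src " " dpt "/" proto]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample log lines (not real traffic): two blocked SSH attempts
# from one host, one blocked UDP packet, and an AUDIT line that must be ignored.
SAMPLE_LOG='Oct  5 10:15:22 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.57 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  5 10:15:23 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.57 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54322 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  5 10:15:30 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.9 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5000 DPT=8081 LEN=20
Oct  5 10:15:31 web1 kernel: [UFW AUDIT] IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=80'

printf '%s\n' "$SAMPLE_LOG" | ufw_block_summary
```

The top line of the output is the source/port pair that was blocked most often; that is the entry to compare against the deny rules from step 5 and the before.rules tip above.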
See recently added rules:
sudo ufw show added
That’s all. Thanks for reading.
