UFW is known as Uncomplicated Firewall . According to Ubuntu, Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall.

In this tutorial, we are going to install and setup UFW on CentOS 8. All commands will work for RHEL 8.

Table of Contents

1. Install and Enable UFW
2. UFW Default Policy
3. Add Firewall Rules
4. Delete Firewall Rules
5. Advanced UFW Rules
6. Tip – UFW NOT blocking IP
7. More Info

Step 1 : Install and Enable UFW

UFW isn’t available on the CentOS repository. We need to install the EPEL repository on our server.

sudo dnf install epel-release -y

Now install and enable UFW:

# install
sudo dnf install ufw -y

# enable
sudo ufw enable

Check the status of UFW:

sudo ufw status

To disable UFW, you’ve to run this command:

sudo ufw disable

Step 2 : UFW Default Policy

By default, the UFW block all incoming traffic and allow all outgoing traffic. You can run the below commands to set the default policy:

sudo ufw default allow outgoing
sudo ufw default deny incoming

Step 3 : Add Firewall Rules

We can easily add rules in UFW firewall. Let’s open HTTP (80) port:

sudo ufw allow http
# or
sudo ufw allow 80

To filter packets based on TCP or UDP, we need to run the following command:

sudo ufw allow 80/tcp
sudo ufw allow 21/udp

We can deny any incoming and outgoing traffic to any port:

sudo ufw deny 8081

We can check the running ports easily:

# method 1
sudo ufw status
# method 2
sudo ufw status numbered
# method 3
sudo ufw status verbose

Step 4 : Delete Firewall Rules

Like addition, we can easily remove rules too. Here’s the example:

sudo ufw delete allow http
sudo ufw delete deny 8081

We can also delete a rule by its number. Run sudo ufw status numbered and you’ll see the number beside the rules. Then you can delete like this:

sudo ufw delete 5

To remove all rules:

sudo ufw reset

Step 5 : Advanced UFW Rules

Allow or deny a specific IP to access all services:

# allow
sudo ufw allow from 192.168.2.57
# deny
sudo ufw deny from 192.168.2.57

To allow a specific IP address/port combination:

sudo ufw allow proto tcp from 192.168.2.57 to any port 22

Allow or deny a specific IP range ( 192.168.1.1 to 192.168.1.254) to access all services:

# allow
sudo ufw allow from 192.168.1.0/24
# deny
sudo ufw deny from 192.168.1.0/24

Block subnet on port:

sudo ufw deny proto tcp from 192.168.2.0/24 to any port 22

To allow access to TCP and UDP port range from 1000 to 1500:

sudo ufw allow 1000:1500/tcp
sudo ufw allow 1000:1500/udp

To allow HTTP traffic on network interface eth0:

sudo ufw allow in on eth0 to any port 80

Step 6 : Tip – UFW NOT Blocking IP

After adding rules, if UFW not blocking IP, open UFW config file:

sudo nano /etc/ufw/before.rules

Find this line # End required lines and after this line, add rule like this:

# block single IP
-A ufw-before-input -s 192.168.2.57 -j DROP
# block subnet
-A ufw-before-input -s 192.168.2.0/24 -j DROP

You can also try this:

sudo ufw insert 1 deny from 192.168.2.57 comment 'Block spammer'
sudo ufw insert 1 deny from 192.168.2.0/24 comment 'Block XSS attack subnet'

Step 7 : More Info

Here are the config files of UFW:

/etc/ufw/before.rules
/etc/ufw/before6.rules
/etc/ufw/after.rules
/etc/ufw/after6.rules

To enable/disable logging, use the following command:

# on
sudo ufw logging on
# off
sudo ufw logging off

Check logs:

sudo tail -f /var/log/ufw.log

See recently added rules:

sudo ufw show added

That’s all. Thanks for reading.