UFW (Uncomplicated Firewall) Ubuntu firewall

Short definition

UFW is a simplified interface for managing Linux firewall rules on Ubuntu and Debian systems, designed to make iptables configuration accessible without deep networking knowledge.

Extended definition

UFW sits on top of iptables, Linux’s native packet filtering framework, and provides a straightforward command-line interface for defining which network traffic is allowed or blocked. On a production server, UFW is typically one of the first things configured after provisioning, closing all ports by default, and opening only what is explicitly needed. For a web server, this usually means SSH (port 22), HTTP (port 80), and HTTPS (port 443), with everything else dropped. UFW also supports application profiles, rate limiting, and IPv6 out of the box.

Deep technical explanation

Default deny policy: UFW’s most important setting is its default policy: deny all incoming, allow all outgoing. This means any port not explicitly opened is automatically blocked, without needing a rule for every possible port number.

Rule ordering: UFW processes rules in order. The first matching rule wins. When troubleshooting unexpected behaviour, reviewing the rule order with ufw status numbered is the starting point.

Application profiles: UFW ships with profiles for common services (OpenSSH, Nginx, Apache). These profiles define the ports associated with each service by name, so you can write ufw allow 'Nginx Full' (quoted, because the profile name contains a space) instead of ufw allow 80 and ufw allow 443 separately.

Rate limiting: UFW supports basic rate limiting with ufw limit ssh, which blocks IP addresses that attempt more than 6 connections in 30 seconds. This provides lightweight brute-force protection without a separate tool.
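The four settings above (default policy, rule order, an application profile and rate limiting) combined into one baseline script, as an added example that is not part of the original page. It assumes a VPN client range of 10.8.0.0/24 (override with VPN_SUBNET) and the 'Nginx Full' profile that the nginx package installs; by default it only prints the ufw commands it would run, and DRY_RUN=0 executes them:

```shell
#!/bin/sh
# Baseline UFW configuration for a web server (added example, not from the page).
# Assumptions: the VPN subnet below is where admins connect from, and the
# 'Nginx Full' application profile exists (it is installed by the nginx package).
set -eu

VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"   # assumed VPN client range
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print commands, 0 = execute them

# run ARGS...: either print "ufw ARGS" (shell-quoting arguments that contain
# spaces, so the printed line can be pasted back) or execute ufw for real.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ufw'
        for a in "$@"; do
            case $a in
                *' '*) printf " '%s'" "$a" ;;
                *)     printf ' %s' "$a" ;;
            esac
        done
        printf '\n'
    else
        ufw "$@"
    fi
}

apply_baseline() {
    # 1. Default policy first: any port without an explicit rule is dropped.
    run default deny incoming
    run default allow outgoing

    # 2. SSH only from the VPN range, and rate-limited even there. No rule
    #    opens port 22 to the public internet, so the default deny covers it.
    #    This rule is added before the web rules because the first match wins.
    run limit from "$VPN_SUBNET" to any port 22 proto tcp comment 'SSH from VPN only'

    # 3. HTTP and HTTPS via the application profile (quoted: the name has a space).
    run allow 'Nginx Full'

    # 4. Log blocked packets so /var/log/ufw.log is useful for troubleshooting.
    run logging medium

    # 5. Enable without the interactive confirmation prompt.
    run --force enable
}

apply_baseline
```

After applying, ufw status numbered shows the resulting rule order; a rule that must take precedence can be placed with ufw insert 1 ..., and a mistaken one removed with ufw delete N using the number from that listing. Note that ufw itself also accepts --dry-run, which prints the generated iptables rules instead of applying them; the DRY_RUN variable here is this script's own switch, not that flag.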

Relation to iptables and nftables: UFW generates iptables rules under the hood. On Ubuntu 22.04 and later, iptables itself is a compatibility layer over nftables. UFW abstracts all of this, so the same UFW commands work regardless of which backend is active.

Logging: UFW can log blocked and allowed connections at varying verbosity levels. These logs are written to /var/log/ufw.log and are useful for diagnosing blocked traffic or detecting port scanning activity.
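The port-scan detection the paragraph mentions, written out as an added example that is not part of the original page: it reads [UFW BLOCK] lines in the format the kernel writes to /var/log/ufw.log, counts the distinct destination ports each source address was blocked on, and reports sources above a threshold. The log lines below are constructed for the example; on a real host run sample_log's replacement as cat /var/log/ufw.log:

```shell
#!/bin/sh
# Detect probable port scans in UFW block logs (added example, not from the page).
set -eu

# Constructed sample of /var/log/ufw.log lines (addresses are documentation
# ranges, not real hosts). One source probes six different ports, one retries
# SSH, one touches two ports, and one ALLOW line must be ignored.
sample_log() {
cat <<'EOF'
Jan 10 12:00:01 web1 kernel: [1001.1] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb SRC=203.0.113.5 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:01 web1 kernel: [1001.2] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb SRC=203.0.113.5 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 web1 kernel: [1001.3] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb SRC=203.0.113.5 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54323 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 web1 kernel: [1001.4] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb SRC=203.0.113.5 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54324 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 web1 kernel: [1001.5] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb SRC=203.0.113.5 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54325 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 web1 kernel: [1001.6] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb SRC=203.0.113.5 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54326 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:04 web1 kernel: [1001.7] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb SRC=203.0.113.5 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54327 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:05 web1 kernel: [1001.8] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb SRC=198.51.100.7 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:06 web1 kernel: [1001.9] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb SRC=198.51.100.7 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:07 web1 kernel: [1002.0] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb SRC=192.0.2.9 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:07 web1 kernel: [1002.1] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb SRC=192.0.2.9 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=51001 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:08 web1 kernel: [1002.2] [UFW ALLOW] IN=eth0 OUT= MAC=aa:bb SRC=203.0.113.5 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54328 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
}

# scan_sources [THRESHOLD]: read UFW log lines on stdin and print
# "SOURCE DISTINCT_PORTS" for every source blocked on at least THRESHOLD
# (default 5) distinct destination ports. Only [UFW BLOCK] lines count;
# repeated hits on the same port (a brute-force pattern) count once.
scan_sources() {
    thr="${1:-5}"
    awk -v thr="$thr" '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (source, port) pair only once
            if (src != "" && dpt != "" && !seen[src SUBSEP dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
    ' | sort
}

# Stand-alone run over the constructed sample with the default threshold.
sample_log | scan_sources
```

With the default threshold only 203.0.113.5 is reported (six distinct ports); lowering it to 2 also surfaces 192.0.2.9, while 198.51.100.7, which only retried port 22, never appears, because that pattern is a brute-force attempt and is what the limit rule, not this script, is for.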

Practical examples

  • A freshly provisioned EC2 instance has UFW enabled with only ports 22, 80, and 443 open before any application is installed
  • Port 22 is restricted to a specific IP range corresponding to the VPN subnet, so SSH is unreachable from the public internet
  • Rate limiting on SSH blocks an automated brute-force attempt after six failed connection attempts

Why it matters

A server without a firewall is exposed to every port scanner, brute-force bot, and exploit attempt on the internet from the moment it boots. UFW is the baseline control that defines the server's network surface and should be configured before anything else is installed or exposed.
