- UFW - Uncomplicated Firewall Basics and Installation
- UFW - Allow SSH Traffic to Raspberry Pi Rule
- UFW - Delete Existing Rules
- UFW - Blocking Rules Based on IP Addresses or Ranges
This article will introduce several scenarios of setting up the UFW firewall on Raspberry Pi.
UFW - Uncomplicated Firewall Basics and Installation
UFW (Uncomplicated FireWall) is a front-end program to manipulate the rules of the Linux kernel packet filtering subsystem called NetFilter. Since the latter is a Linux kernel module, it requires a user-space application to provide configuration and management tools for end-users.
This is mostly done by the iptables and ip6tables utility programs, which can be used to set up and inspect the tables of IPv4/IPv6 packet filter rules in the Linux kernel. Because iptables configuration can be cumbersome for new Linux users and administrators, another layer of front-end firewall programs (e.g., UFW) exists to simplify configuration management and provide an easier interface.
UFW is a part of the default Ubuntu packages and is also available in Raspberry Pi OS to be installed from the official repositories. You can install UFW with the following command:
sudo apt install ufw
Once the UFW package is installed, we can enable it on system startup and configure the rules as needed. The next command can be used to enable the firewall to run on boot as well as start the process immediately:
sudo ufw enable
Note that the previous command warns that existing SSH connections may be disrupted, so you might want to run these commands from a local console rather than over a remote connection to avoid being locked out of the machine.
At this point, UFW applies its default policies: incoming traffic is denied and outgoing traffic is allowed. The current status of the firewall can be inspected using the command:
sudo ufw status
Alternatively, you may want to add the verbose or numbered options to the previous command to display the current rules with extra information:
sudo ufw status verbose
sudo ufw status numbered
UFW - Allow SSH Traffic to Raspberry Pi Rule
Generally, SSH uses port 22, so we will use it in the following commands, but you can have SSH listening on a different port. The latter can be achieved by modifying the SSH config file sshd_config, located at the /etc/ssh/sshd_config path. If you want to allow any SSH connections to the Pi, run the following command.
sudo ufw allow 22
On the other hand, you may want to restrict SSH connections so that only specific IP addresses are allowed to access the host. You can rerun the following command with different IP addresses to add every exception that is allowed to connect to the given service.
sudo ufw allow proto tcp from 10.10.10.1 to any port 22
UFW - Delete Existing Rules
Existing rules in UFW can be removed using the ufw delete command. You should specify the number of the rule to remove it. Notice that numbered rules can be listed using the sudo ufw status numbered command. In this case, we will remove the rule set by the previous example command, which happens to be numbered as the third.
sudo ufw delete 3
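Rule numbers are positional and shift after every deletion, so look the number up immediately before deleting instead of reusing one from an earlier listing. The following added example (not part of the original article) parses the output of sudo ufw status numbered to find a rule's current number; the function names and the sample output are constructed for illustration.

```sh
# Constructed sample of "sudo ufw status numbered" output (not from a real host).
sample_status() {
    cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] Anywhere                   DENY IN     10.10.10.0/24
[ 3] 22/tcp                     ALLOW IN    10.10.10.1
[ 4] 22 (v6)                    ALLOW IN    Anywhere (v6)
EOF
}

# ufw_rule_number TO ACTION FROM
# Reads numbered status output on stdin and prints the number of the first rule
# whose three columns match exactly; returns non-zero when nothing matches.
ufw_rule_number() {
    awk -v to="$1" -v action="$2" -v from="$3" '
        /^\[ *[0-9]+\]/ {
            num = $0
            sub(/^\[ */, "", num)        # drop "[" and the padding
            sub(/\].*$/, "", num)        # drop "]" and the rest of the line
            rest = $0
            sub(/^\[ *[0-9]+\] */, "", rest)
            sub(/ +$/, "", rest)
            n = split(rest, col, /  +/)  # columns are separated by 2+ spaces
            if (n >= 3 && col[1] == to && col[2] == action && col[3] == from) {
                print num
                found = 1
                exit
            }
        }
        END { exit !found }
    '
}

# delete_ufw_rule TO ACTION FROM (hypothetical helper; needs root and ufw)
delete_ufw_rule() {
    n=$(sudo ufw status numbered | ufw_rule_number "$1" "$2" "$3") || {
        echo "no matching rule, nothing deleted" >&2
        return 1
    }
    sudo ufw delete "$n"   # ufw still asks for confirmation
}

# Offline demonstration on the constructed sample: prints 3
sample_status | ufw_rule_number "22/tcp" "ALLOW IN" "10.10.10.1"
```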
UFW - Blocking Rules Based on IP Addresses or Ranges
Certain IP addresses and ranges can be blocked from establishing network connections to the Raspberry Pi. Namely, the specific IP address (e.g. 10.10.10.1) will be blocked with the following command.
sudo ufw deny from 10.10.10.1
Alternatively, the whole subnet can be blocked if you run the following command.
sudo ufw deny from 10.10.10.0/24