Setup UFW Firewall on Raspberry Pi

  1. UFW - Uncomplicated Firewall Basics and Installation
  2. UFW - Allow SSH Traffic to Raspberry Pi Rule
  3. UFW - Delete Existing Rules
  4. UFW - Blocking Rules Based on IP Addresses or Ranges

This article introduces several scenarios for setting up the UFW firewall on Raspberry Pi.

UFW - Uncomplicated Firewall Basics and Installation

UFW (Uncomplicated Firewall) is a front-end program for managing the rules of Netfilter, the packet filtering subsystem of the Linux kernel. Since Netfilter runs inside the kernel, it requires a user-space application to provide configuration and management tools for end users.

This is mostly done with the iptables and ip6tables utility programs, which set up and inspect the tables of IPv4/IPv6 packet filter rules in the Linux kernel. Because iptables configuration can be cumbersome for new Linux users and administrators, front-end firewall programs such as UFW exist to simplify configuration management and provide an easier interface to iptables.

UFW is part of the default Ubuntu packages and can be installed on Raspberry Pi OS from the official repositories. You can install UFW with the following command:

sudo apt install ufw

Once the UFW package is installed, we can enable it on system startup and configure the rules as needed. The next command can be used to enable the firewall to run on boot as well as start the process immediately:

sudo ufw enable

Note that the previous command warns that existing SSH connections may be disrupted. To avoid getting locked out of the machine, run these commands from a local console rather than over a remote connection, or add the SSH allow rule described in the next section before enabling the firewall.

At this point, UFW applies its default policies: incoming traffic is denied and outgoing traffic is allowed. The current status of the firewall can be inspected using the command:

sudo ufw status

Alternatively, you can append the verbose or numbered option to the previous command to display the current rules with extra information:

sudo ufw status verbose
sudo ufw status numbered

UFW - Allow SSH Traffic to Raspberry Pi Rule

SSH generally listens on port 22, so we use that port in the following commands, but SSH can be configured to listen on a different port by modifying the sshd_config file, located at /etc/ssh/sshd_config. If you want to allow SSH connections to the Pi from any address, run the following command.

sudo ufw allow 22

On the other hand, you may want to restrict SSH connections so that only specific IP addresses are allowed to access the host. Run the following command once for each IP address that should be allowed to connect to the service.

sudo ufw allow proto tcp from 10.10.10.1 to any port 22

UFW - Delete Existing Rules

Existing rules in UFW can be removed using the ufw delete command, which takes the number of the rule to remove. Numbered rules can be listed using the sudo ufw status numbered command. In this case, we will remove the rule set by the previous example command, which happens to be rule number three.

sudo ufw delete 3

UFW - Blocking Rules Based on IP Addresses or Ranges

Certain IP addresses and ranges can be blocked from establishing network connections to the Raspberry Pi. For example, a single IP address (e.g. 10.10.10.1) is blocked with the following command.

sudo ufw deny from 10.10.10.1

Alternatively, the whole subnet can be blocked if you run the following command.

sudo ufw deny from 10.10.10.0/24
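
UFW evaluates rules in order and the first match wins, so a deny rule appended after the allow rules from the earlier sections does not block the traffic those rules already accept. The following script is an added example, not part of the original article: it reads `ufw status numbered` output and reports deny rules shadowed by an earlier allow. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag DENY/REJECT rules that an earlier ALLOW makes ineffective.
# UFW evaluates rules top to bottom and the first match wins.

# Constructed sample of `sudo ufw status numbered` for this page's allow and
# deny commands run in order, with no rule deleted in between.
sample_status() {
cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    10.10.10.1
[ 3] Anywhere                   DENY IN     10.10.10.1
[ 4] 22 (v6)                    ALLOW IN    Anywhere (v6)
EOF
}

# Reads `ufw status numbered` text on stdin and prints one line per finding:
#   <deny#> <source> shadowed-by <allow#> <port>
# Heuristic: sources match when the ALLOW is from Anywhere or from the identical
# address (no CIDR containment); "To" is assumed to be a port or Anywhere.
find_shadowed_denies() {
    sed -n -e 's/[[:space:]]*$//' -e 's/^\[ *\([0-9][0-9]*\)\] */\1  /p' |
    awk -F'  +' '
    function norm(s) { sub(/\/.*$/, "", s); sub(/ \(v6\)$/, "", s); return s }
    $3 ~ /OUT/ { next }                    # outbound rules are a separate chain
    {
        num = $1; to = norm($2); from = $4
        v6 = ($2 ~ /\(v6\)/ || from ~ /:/ || from ~ /\(v6\)/) ? 1 : 0
    }
    $3 ~ /^ALLOW/ {
        n++; a_num[n] = num; a_to[n] = to; a_from[n] = from; a_v6[n] = v6
        next
    }
    $3 ~ /^(DENY|REJECT)/ {
        for (i = 1; i <= n; i++) {
            if (a_v6[i] != v6) continue    # IPv4 and IPv6 rules never overlap
            if (a_from[i] !~ /^Anywhere/ && a_from[i] != from) continue
            if (to == "Anywhere" || a_to[i] == "Anywhere" || a_to[i] == to)
                print num, from, "shadowed-by", a_num[i], a_to[i]
        }
    }'
}

sample_status | find_shadowed_denies   # live: sudo ufw status numbered | find_shadowed_denies
```

A reported deny rule takes effect once it sits above the allow rules, for example by deleting the appended copy and re-adding it with sudo ufw insert 1 deny from 10.10.10.1.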