ufw - Manage firewall with UFW

New in version 1.6.

Synopsis

Manage firewall with UFW.

Requirements (on host that executes module)

  • ufw package

Options

Each option is listed with whether it is required, its default, its allowed choices, and a description.

delete
  required: no
  choices: yes, no
  Delete the rule instead of adding it.

direction
  required: no
  choices: in, out, incoming, outgoing, routed
  Select the direction for a rule or for a default policy command.

from_ip
  required: no
  default: any
  Source IP address.
  aliases: from, src

from_port
  required: no
  Source port.

insert
  required: no
  Insert the rule as rule number NUM (its position in the rule list).

interface
  required: no
  Specify the interface for the rule.
  aliases: if

log
  required: no
  choices: yes, no
  Log new connections matched by this rule.

logging
  required: no
  choices: on, off, low, medium, high, full
  Toggles logging. Logged packets use the LOG_KERN syslog facility.

name
  required: no
  Use a profile located in /etc/ufw/applications.d.
  aliases: app

policy
  required: no
  choices: allow, deny, reject
  Change the default policy for incoming or outgoing traffic (select which with direction).

proto
  required: no
  choices: any, tcp, udp, ipv6, esp, ah
  TCP/IP protocol.

route
  required: no
  choices: yes, no
  Apply the rule to routed/forwarded packets.

rule
  required: no
  choices: allow, deny, reject, limit
  Add a firewall rule.

state
  required: no
  choices: enabled, disabled, reloaded, reset
  enabled reloads the firewall and enables it on boot.
  disabled unloads the firewall and disables it on boot.
  reloaded reloads the firewall.
  reset disables the firewall and resets it to installation defaults.

to_ip
  required: no
  default: any
  Destination IP address.
  aliases: to, dest

to_port
  required: no
  Destination port.
  aliases: port

Examples

# Allow everything and enable UFW
ufw: state=enabled policy=allow

# Set logging
ufw: logging=on

# Sometimes it is desirable to let the sender know when traffic is
# being denied, rather than simply ignoring it. In these cases, use
# reject instead of deny. In addition, log rejected connections:
ufw: rule=reject port=auth log=yes

# ufw supports connection rate limiting, which is useful for protecting
# against brute-force login attacks. ufw will deny connections if an IP
# address has attempted to initiate 6 or more connections in the last
# 30 seconds. See http://www.debian-administration.org/articles/187
# for details. Typical usage is:
ufw: rule=limit port=ssh proto=tcp

# Allow OpenSSH
ufw: rule=allow name=OpenSSH

# Delete OpenSSH rule
ufw: rule=allow name=OpenSSH delete=yes

# Deny all access to port 53:
ufw: rule=deny port=53

# Allow all access to tcp port 80:
ufw: rule=allow port=80 proto=tcp

# Allow all access from RFC1918 networks to this host:
ufw: rule=allow src={{ item }}
with_items:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16

# Deny access to udp port 514 from host 1.2.3.4:
ufw: rule=deny proto=udp src=1.2.3.4 port=514

# Allow incoming access to eth0 from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
ufw: rule=allow interface=eth0 direction=in proto=udp src=1.2.3.5 from_port=5469 dest=1.2.3.4 to_port=5469

# Deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on this host.
# Note that IPv6 must be enabled in /etc/default/ufw for IPv6 firewalling to work.
ufw: rule=deny proto=tcp src=2001:db8::/32 port=25

# Deny forwarded/routed traffic from subnet 1.2.3.0/24 to subnet 4.5.6.0/24.
# Can be used to further restrict a global FORWARD policy set to allow
ufw: rule=deny route=yes src=1.2.3.0/24 dest=4.5.6.0/24

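The snippets above use the one-line key=value form. The playbook below is an added example, not part of the module documentation or the ufw project, that combines the same options in full YAML form into a default-deny host firewall. The interface name eth0, the port numbers and the management networks are constructed sample values. Task order is the point: every allow and limit rule, including the one for SSH, is written before the state: enabled task, so the firewall is never brought up with a deny-incoming policy and no rule admitting the management session.

```yaml
# Added example: default-deny host firewall with the ufw module.
# Not taken from the module documentation; all addresses, ports and the
# interface name are constructed sample values.
- name: Baseline host firewall with ufw
  hosts: all
  become: yes
  vars:
    ssh_port: 22                     # constructed sample value
    mgmt_networks:                   # constructed sample values
      - 10.0.0.0/8
      - 192.168.0.0/16
  tasks:
    - name: Set the default policy for incoming traffic to deny
      ufw:
        direction: incoming
        policy: deny

    - name: Set the default policy for outgoing traffic to allow
      ufw:
        direction: outgoing
        policy: allow

    # Rate-limit rather than plain-allow SSH: ufw denies a source that
    # opens 6 or more connections within 30 seconds, and log the matches.
    - name: Rate-limit SSH and log matched connections
      ufw:
        rule: limit
        port: "{{ ssh_port }}"
        proto: tcp
        log: yes

    - name: Allow HTTP and HTTPS from anywhere
      ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
      with_items:
        - 80
        - 443

    # Restrict the metrics port to management networks on one interface.
    - name: Allow metrics scraping only from management networks
      ufw:
        rule: allow
        direction: in
        interface: eth0
        src: "{{ item }}"
        to_port: 9100
        proto: tcp
      with_items: "{{ mgmt_networks }}"

    # Reject (not deny) ident so clients get an immediate answer instead
    # of waiting for a timeout, and log these probes.
    - name: Reject and log ident probes
      ufw:
        rule: reject
        port: auth
        log: yes

    # Block the host from forwarding traffic between two constructed subnets.
    - name: Deny routed traffic between the sample subnets
      ufw:
        rule: deny
        route: yes
        src: 1.2.3.0/24
        dest: 4.5.6.0/24

    - name: Keep the kernel log readable with low-rate logging
      ufw:
        logging: low

    # Only now enable the firewall; the SSH limit rule already exists.
    - name: Enable ufw and make it start on boot
      ufw:
        state: enabled
```

After the play runs, ufw status verbose on the host lists the default policies and the numbered rules; reviewing that output is the quickest check that the SSH rule landed before the deny-incoming policy took effect.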

Notes

See man ufw for more examples.

This is an Extras Module

For more information on what this means please read Extras Modules.

For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Helping Testing PRs and Developing Modules.