UFW basics

UFW (Uncomplicated Firewall) is the default host firewall helper on Ubuntu: it wraps lower-level packet filtering so you can allow or deny traffic with simple commands. This page covers the usual defaults, SSH, and how to inspect or remove rules.

Caution

If you administer the machine over SSH, allow SSH before you apply default deny incoming and ufw enable, or you risk locking yourself out.

Defaults and enable

Typical baseline: block unsolicited inbound traffic, allow outbound, allow SSH, then activate the firewall:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable

Many installs also ship an OpenSSH application profile (ports and protocols from /etc/ufw/applications.d). Prefer it when it exists:

sudo ufw app list
sudo ufw allow OpenSSH

You can still allow the port explicitly if SSH listens on the default port:

sudo ufw allow 22/tcp

Inspect rules

sudo ufw status verbose

Numbered list (needed for deleting by index):

sudo ufw status numbered

Delete a rule

By number after ufw status numbered (usually the least error-prone):

sudo ufw delete 3

By rule text (must match how the rule was added):

sudo ufw delete allow 3002/tcp

Disable UFW

sudo ufw disable

Sources

• Firewall (Ubuntu Server) — enable/disable, ports, numbered rules, application profiles (accessed 2026-04-06)
• UFW — Ubuntu community documentation — overview and usage notes