Raspberry Pi Firewall: How to Install and Manage it by Using UFW

In this easy-to-follow tutorial we’re going to show you how to install and manage UFW (Uncomplicated Firewall) on Raspberry Pi.

The level of security you need for your Raspberry Pi will strongly depend on how you plan to use it. When your Raspberry Pi is connected to the internet, the minimum security step you should take is to ensure that only ports that you absolutely require to be open are open.

A firewall is a piece of software that monitors incoming and outgoing network traffic. It can then allow, reject or drop traffic. Without a firewall, your Raspberry Pi is functional and connected, but it can be made more secure with a firewall that only allows the types of traffic you permit.

Installing a Firewall on the Raspberry Pi

UFW, or Uncomplicated Firewall, is a frontend for managing firewall rules in Linux. It is a firewall configuration tool that runs on top of iptables. Since iptables has a relatively complex syntax, using UFW to perform its configuration is a useful alternative without skimping on security.

Before you begin it’s a good idea to update and upgrade all the existing packages of the Raspberry Pi OS:

sudo apt update
sudo apt full-upgrade

Installing a firewall on the Raspberry Pi is accomplished easily via the terminal and the following line:

sudo apt install ufw

Manage the Raspberry Pi Firewall with UFW

Now UFW is installed but it is not turned on. To check if ufw is enabled, run:

sudo ufw status verbose
Status: inactive

Allow Connections

If you’re connecting to your Raspberry Pi from a remote location, you must explicitly allow incoming SSH connections on port 22, the default SSH port, before enabling the UFW firewall. If you don’t do this first, you will get locked out and will need to physically connect a monitor and keyboard to get terminal access to your Raspberry Pi.

To configure your UFW firewall to allow incoming SSH connections, type the following command:

sudo ufw allow 22

To allow incoming connections from a specific IP address, you’ll need to include a from directive to define the source of the connection.

For example, to allow access on port 22 from your work machine with the IP address 192.168.1.100, use to any port followed by the port number:

sudo ufw allow from 192.168.1.100 to any port 22

Turning on the Raspberry Pi Firewall

Now that the firewall is configured to allow incoming SSH connections, you can enable it by typing:

sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y 
Firewall is active and enabled on system startup

You will be warned that enabling the firewall may disrupt existing SSH connections. Type y and hit Enter to proceed.
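The lockout risk described in the Allow Connections step can be checked before the firewall is turned on. The script below is an added example, not part of the original tutorial: it reads the output of sudo ufw show added, which lists rules added while UFW is still inactive, and only enables the firewall if an allow rule for the SSH port is present. The function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): confirm an SSH allow rule
# exists before enabling UFW. While UFW is inactive, `ufw status` lists no
# rules; `ufw show added` prints them as the commands that created them.

# ssh_rule_present PORT (hypothetical helper): reads `ufw show added` output
# on stdin and returns 0 if an allow/limit rule names PORT. Only the numeric
# forms used in this tutorial are recognised, not service names.
ssh_rule_present() {
    awk -v p="$1" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") {
            for (i = 3; i <= NF; i++) {
                # Matches "ufw allow 22", "ufw allow 22/tcp", "... to any port 22"
                if ($i == p || $i == (p "/tcp")) found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# safe_enable PORT (hypothetical helper): run as root on the Pi. Enables UFW
# only when the added rules already cover PORT; otherwise leaves it inactive.
safe_enable() {
    if ufw show added | ssh_rule_present "$1"; then
        ufw --force enable
    else
        echo "no allow rule for port $1; not enabling UFW" >&2
        return 1
    fi
}

# Constructed samples of `ufw show added` output (not captured from a host).
SAMPLE_OK="Added user rules (see 'ufw status' for running firewall):
ufw allow from 192.168.1.100 to any port 22"
SAMPLE_BAD="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp"

# Offline demonstration on the samples; on a real Pi call: safe_enable 22
for sample in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    if printf '%s\n' "$sample" | ssh_rule_present 22; then
        echo "SSH rule present: safe to enable"
    else
        echo "no SSH rule: enabling would lock out remote access"
    fi
done
```

A rule restricted with from only admits that source address, so the check passing does not guarantee access from any other machine.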

Checking Status and Rules of Raspberry Pi Firewall

The ufw enable command turns on UFW and applies the rules. You can verify that UFW is running by issuing this command:

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                     Action      From
--                     ------      ----
22                     ALLOW IN    Anywhere                  
22 (v6)                ALLOW IN    Anywhere (v6)

In addition, the command will show you all currently active firewall rules.

Deny Connections

Just as it is important to allow ports, it is also important to deny ports. The default policy for all incoming connections is set to deny, and if you haven’t changed it, UFW will block all incoming connections unless you specifically open the port.

Let’s say you opened the port 22 but your Raspberry Pi server is under attack. To deny all connections to port 22 you can use the following command:

sudo ufw deny 22

Deleting Existing Rules

To delete a rule, you first need to know its rule number. To list the rules with their numbers, run:

sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22 (v6)                    ALLOW IN    Anywhere (v6) 

This command shows the list of rules created for your Raspberry Pi firewall, each identified by a unique number.

For example, to delete the rule for SSH communication (number 1), the command to be executed would be the following:

sudo ufw delete 1

You will be asked to confirm before the rule is deleted. If you are sure, type y and then press Enter.

This operation removes the SSH rule for IPv4, but not the one for IPv6. To delete the IPv6 rule, list the existing rules again first, since its rule number will have changed.
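Because rule numbers shift after every deletion, removing several rules by number is safest from the highest number down. The script below is an added example, not part of the original tutorial: it parses sudo ufw status numbered and returns the rule numbers for a port in descending order, so each deletion leaves the remaining numbers valid. The function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): delete every rule for a
# port by number without being caught out by renumbering.

# rules_for_port PORT (hypothetical helper): reads `ufw status numbered`
# output on stdin and prints the numbers of rules whose "To" column is PORT
# or PORT/tcp, highest number first. IPv4 and "(v6)" rows are both matched.
rules_for_port() {
    # "[ 3] 22 (v6)   ALLOW IN ..."  ->  "3 22"
    sed -n 's/^\[ *\([0-9][0-9]*\)] *\([^ ]*\).*/\1 \2/p' |
        awk -v p="$1" '$2 == p || $2 == (p "/tcp") { print $1 }' |
        sort -rn
}

# delete_port_rules PORT (hypothetical helper): run as root on the Pi.
# Deleting from the highest number down keeps the lower numbers unchanged,
# so one listing is enough. --force skips the per-rule confirmation prompt.
delete_port_rules() {
    ufw status numbered | rules_for_port "$1" | while read -r n; do
        ufw --force delete "$n" </dev/null
    done
}

# Constructed sample of `ufw status numbered` output (not from a real host).
SAMPLE_NUMBERED="Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 4] 80/tcp (v6)                ALLOW IN    Anywhere (v6)"

# Offline demonstration: the order in which port 22 rules would be deleted.
# On a real Pi call: delete_port_rules 22
printf '%s\n' "$SAMPLE_NUMBERED" | rules_for_port 22
```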

Disable the Firewall

If you have a connection problem it’s a good idea to disable the Raspberry Pi firewall and then retest to see if you can connect.

To disable the UFW firewall use the following command:

sudo ufw disable

Be aware that this command will fully disable the UFW firewall service on your Raspberry Pi.

Conclusion

UFW is a powerful tool that can greatly improve the security of your Raspberry Pi when properly configured. With the UFW firewall enabled, all communications to and from your Raspberry Pi pass through this tool, which can therefore protect you from unwanted attacks and connection attempts by unauthorized users.

Let us know in the comments below anything you would add to this guide or any other useful command you may know that may help others.
