In this easy-to-follow tutorial we’re going to show you how to install and manage UFW (Uncomplicated Firewall) on Raspberry Pi.
The level of security you need for your Raspberry Pi will strongly depend on how you plan to use it. When your Raspberry Pi is connected to the internet, the minimum security step you should take is to ensure that only ports that you absolutely require to be open are open!
A firewall is a piece of software that monitors incoming and outgoing network traffic. It can then allow, reject or drop traffic. Without a firewall, your Raspberry Pi is functional and connected, but it can be made more secure with a firewall that only allows the types of traffic you permit.
Installing a Firewall on the Raspberry Pi
UFW, or Uncomplicated Firewall, is a frontend for managing firewall rules in Linux. It is a firewall configuration tool that runs on top of iptables. Because iptables has a relatively complex syntax, using UFW to perform its configuration is a useful alternative without skimping on security.
Before you begin it’s a good idea to update and upgrade all the existing packages of the Raspberry Pi OS:
sudo apt update
sudo apt full-upgrade
Installing a firewall on the Raspberry Pi is accomplished easily via the terminal and the following line:
sudo apt install ufw
Manage the Raspberry Pi Firewall with UFW
Now UFW is installed but it is not turned on. To check if ufw is enabled, run:
sudo ufw status verbose
If you’re connecting to your Raspberry Pi from a remote location, you must explicitly allow incoming SSH connections on port 22, the default SSH port, before enabling the UFW firewall. If you don’t do this first, you will get locked out and will need to physically connect a monitor and keyboard to get terminal access to your Raspberry Pi.
To configure your UFW firewall to allow incoming SSH connections, type the following command:
sudo ufw allow 22
To allow incoming connections from a specific IP address, you’ll need to include a from directive to define the source of the connection.
For example, to allow access on port 22 from your work machine with the IP address 192.168.1.100, use to any port followed by the port number:
sudo ufw allow from 192.168.1.100 to any port 22
Turning on the Raspberry Pi Firewall
Now that the firewall is configured to allow incoming SSH connections, you can enable it by typing:
sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
You will be warned that enabling the firewall may disrupt existing SSH connections. Just type y and hit Enter.
Checking Status and Rules of Raspberry Pi Firewall
The ufw enable command turns on UFW and applies the rules. You can verify that UFW is running by issuing this command:
sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
In addition, the command will show you all currently active firewall rules.
Just as it is important to allow ports, it is also important to deny ports. The default policy for all incoming connections is set to deny, and if you haven’t changed it, UFW will block all incoming connections unless you specifically open the connection.
Let’s say you opened the port 22 but your Raspberry Pi server is under attack. To deny all connections to port 22 you can use the following command:
sudo ufw deny 22
Deleting Existing Rules
To delete a rule, you first need to know its rule number. To list the rules with their numbers, run:
sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22 (v6)                    ALLOW IN    Anywhere (v6)
This command shows the list of rules created for your Raspberry Pi firewall, each identified by a unique number.
For example, to delete the rule for SSH communication (number 1), the command to be executed would be the following:
sudo ufw delete 1
You will be asked for confirmation before the rule is deleted. If you are certain, type y and then press Enter.
This operation removes the SSH rule for IPv4, but not the one for IPv6. To delete the IPv6 rule, list the existing rules again first, since its rule number will have changed.
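Because rule numbers shift after every deletion, removing several rules is safest from the highest number down, so the numbers still to be deleted stay valid. The script below is an added example, not part of the original tutorial; the function names and the sample status text (including the port 8080 rules) are constructed for illustration.

```bash
#!/bin/sh
# Added example: find every rule number for a port in `ufw status numbered`
# output and list them highest-first, so deleting one never shifts the others.

# Constructed sample of `sudo ufw status numbered` output (not from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 8080                       ALLOW IN    Anywhere
[ 3] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 4] 8080 (v6)                  ALLOW IN    Anywhere (v6)'

# rule_numbers_for_port PORT  (hypothetical helper; reads status text on stdin)
rule_numbers_for_port() {
    awk -v port="$1" '
        /^\[ *[0-9]+\]/ {
            line = $0
            sub(/^\[ */, "", line)             # drop "[" and padding
            num = line
            sub(/\].*/, "", num)               # keep only the rule number
            sub(/^[0-9]+\] */, "", line)       # line now starts at the "To" column
            split(line, field, " ")
            to = field[1]
            sub(/\/.*/, "", to)                # "22/tcp" -> "22"
            if (to == port) print num          # exact match: 80 does not match 8080
        }' | sort -rn
}

# delete_rules_for_port PORT  (hypothetical helper; needs ufw and sudo)
# ufw still asks for confirmation before each deletion.
delete_rules_for_port() {
    for n in $(sudo ufw status numbered | rule_numbers_for_port "$1"); do
        sudo ufw delete "$n"
    done
}

# Demo on the constructed sample: prints 3, then 1.
printf '%s\n' "$SAMPLE_STATUS" | rule_numbers_for_port 22
```

Running delete_rules_for_port 22 over SSH removes the rules that keep that session reachable, so use it from the local console or after allowing your own address on another rule.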
Disable the Firewall
If you have a connection problem it’s a good idea to disable the Raspberry Pi firewall and then retest to see if you can connect.
To disable the UFW firewall use the following command:
sudo ufw disable
Be aware that this command will fully disable the UFW firewall service on your Raspberry Pi.
UFW is a powerful tool that can greatly improve the security of your Raspberry Pi when properly configured. By enabling UFW firewall, all communications to and from your Raspberry Pi pass through this tool, which can therefore protect you from unwanted attacks and connection attempts by unauthorized users.
Let us know in the comments below anything you would add to this guide or any other useful command you may know that may help others.