Using the UFW Firewall on the Raspberry Pi

In this project, we are going to show you how to set up and use the UFW firewall on the Raspberry Pi.

There are several solutions for adding a firewall to a Linux-based operating system.

Most of these solutions make use of the netfilter framework that is available within the Linux kernel.

While the Raspberry Pi OS distribution comes with iptables by default, it can be complicated to set up and use.

To get around this, we will install a simpler firewall interface to our Raspberry Pi called UFW.

UFW stands for uncomplicated firewall and is designed to be incredibly simple to use. It is the same firewall that is made available in all Ubuntu distributions.

Firewalls like UFW are a crucial way of protecting devices such as your Raspberry Pi from port-based network attacks.

This tutorial should work on any Debian-based operating system. We tested this tutorial using a Raspberry Pi 4 running the latest version of Raspberry Pi OS.

Installing the UFW Firewall on the Raspberry Pi

In this section, we are going to show you how to install UFW on your device. The installation process is rather simple as UFW is available through the default package repositories.

1. Our first task is to update the currently running operating system.

To update this, we need to run the following command on our Raspberry Pi. You can either do this physically on your device using the terminal or by using SSH.

As we are messing with the firewall, we recommend that you at least have the ability to interact with your device physically.

sudo apt update
sudo apt full-upgrade

2. Once our Raspberry Pi’s operating system is up to date, we can now install the firewall we will be using.

To install the UFW software, all we need to do is run the following command.

sudo apt install ufw

You should now have UFW installed on your Raspberry Pi. However, it will not be active yet.

Adding Firewall Rules using UFW on the Raspberry Pi

In this section, we will walk you through some of the basic steps to using the UFW firewall on the Raspberry Pi.

These basics include using UFW to block or limit traffic through specific ports. If you would like to learn more about configuring firewall rules in UFW, you can check our guide.

Before we continue, please note that UFW, by default, will block all incoming traffic and allow all outgoing traffic.

Enabling the firewall before adding allow rules for critical services like SSH can leave you unable to access your Raspberry Pi remotely.

Allowing Access Through a Port using UFW

Probably the most crucial task to learn when dealing with UFW on your Raspberry Pi is how to use it to allow access through a port.

To allow a port while using UFW, all we need to do is type in “ufw allow” followed by the port number.

sudo ufw allow PORT

For example, if we wanted to allow port 22 (the default port used for SSH), we would enter the following command.

sudo ufw allow 22

Rate Limiting Connections on a Port

Using UFW, it is possible to impose rate limits on the number of connections through a specific port.

This feature can be handy for limiting the number of connections to your SSH service, making it harder for an outside source to brute force the connection.

Limiting a connection is just like allowing a connection; however, UFW will deny connections from an IP address that has attempted to initiate six or more connections within the last 30 seconds.

To limit a connection, you need to use “ufw limit” followed by the port number, then optionally, the protocol.

sudo ufw limit PORT

For example, we can use the firewall to limit connections to our Raspberry Pi’s SSH port by running the following command.

sudo ufw limit 22
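
To see which addresses actually ran into the limit, you can count the "[UFW LIMIT BLOCK]" entries that UFW writes to the kernel log. The script below is an added example, not part of the original tutorial; it assumes UFW logging is left on, the function name limit_blocks is our own, and the sample log lines are constructed and trimmed.

```shell
#!/bin/sh
# Added example: summarise which source addresses hit the "ufw limit" threshold.

# limit_blocks [DPT]  (hypothetical helper name)
# Reads kernel log lines on stdin and prints "COUNT SRC" for every source
# address whose connection to port DPT (default 22) was logged as a limit
# block, busiest first. UFW rate-limits this log rule itself, so the counts
# are a lower bound on the number of rejected attempts.
limit_blocks() {
    awk -v dpt="${1:-22}" '
        /\[UFW LIMIT BLOCK\]/ {
            src = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) port = substr($i, 5)
            }
            if (src != "" && port == dpt) hits[src]++
        }
        END { for (s in hits) print hits[s], s }' | sort -k1,1nr -k2,2
}

# Constructed sample input (documentation addresses, fields shortened).
SAMPLE_LOG='Jan 10 09:00:01 raspberrypi kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
Jan 10 09:00:21 raspberrypi kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
Jan 10 09:00:30 raspberrypi kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=23
Jan 10 09:01:05 raspberrypi kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22'

# Summarise limit blocks on the SSH port in the sample.
printf '%s\n' "$SAMPLE_LOG" | limit_blocks 22
```

On a real system, pipe your kernel log into limit_blocks instead of the sample.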

Enabling the UFW Firewall on the Raspberry Pi

Once you have added your firewall rules using UFW on the Raspberry Pi, you can finally turn it on.

If you are using SSH to connect to your device, you need to make sure that you have port 22 allowed. Otherwise, you will lose connection upon enabling the firewall.

1. Before we enable UFW, we can list out all of the currently added firewall rules.

You can do this by using “ufw” followed by “show added” as we have below.

sudo ufw show added

From this command, you will retrieve a list of the rules that you have added to your firewall.

Added user rules (see 'ufw status' for running firewall):
ufw limit 22
ufw allow 80
ufw allow 443

If you are happy that all the rules are correct, you can now proceed to enable UFW on your Raspberry Pi.

2. To enable UFW, all you need to do is run the following command on your Raspberry Pi.

sudo ufw enable

3. When you enable the firewall, you will get a warning that existing SSH connections may be disrupted.

Command may disrupt existing ssh connections. Proceed with operation (y|n)?

To continue, type in Y then press the ENTER key.

4. Once the firewall has been activated, you will see the following message in the command line.

Firewall is active and enabled on system startup

5. You can check the status of UFW by using the following command.

sudo ufw status

This command will return the status of your firewall and list out all of your currently active rules.

For example, you can see that we have ports 80 and 443 allowed and port 22 limited.

Status: active

To                         Action      From
--                         ------      ----
22                         LIMIT       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    LIMIT       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
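
The pre-enable check from step 1 can be scripted so the firewall is only turned on when the SSH port already has a rule. This is an added example, not part of the original tutorial; the function names ssh_port, port_is_open and safe_enable and the --enable switch are our own.

```shell
#!/bin/sh
# Added example: enable UFW only when the port of the current SSH session
# already has an allow or limit rule. Run as: sh this-script.sh --enable

# Port the current SSH session arrived on (4th field of SSH_CONNECTION),
# or 22 when the variable is not set.
ssh_port() {
    # Unquoted on purpose: split the variable into positional parameters.
    set -- ${SSH_CONNECTION:-}
    echo "${4:-22}"
}

# port_is_open RULES PORT
# RULES is the output of "sudo ufw show added". Succeeds only for the simple
# rule forms used in this tutorial, "ufw allow PORT" or "ufw limit PORT",
# optionally with /tcp. Anything else (application profiles, port ranges,
# source-restricted rules) is not recognised, so the check fails closed.
port_is_open() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NF == 3 && $1 == "ufw" && ($2 == "allow" || $2 == "limit") &&
            ($3 == port || $3 == (port "/tcp")) { found = 1 }
        END { exit !found }'
}

# Check the added rules, then enable the firewall or explain why not.
safe_enable() {
    port=$(ssh_port)
    rules=$(sudo ufw show added) || return 1
    if port_is_open "$rules" "$port"; then
        sudo ufw enable
    else
        echo "Not enabling UFW: no allow/limit rule for SSH port $port." >&2
        echo "Add one first, for example: sudo ufw limit $port" >&2
        return 1
    fi
}

# Only touch the firewall when explicitly asked to.
if [ "${1:-}" = "--enable" ]; then
    safe_enable
fi
```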

At this point, you should now have successfully set up UFW on your Raspberry Pi to act as your firewall.

A good firewall is crucial to maintaining your device’s security, and UFW is one of the easiest ways of controlling it.

If you have run into any issues with setting up UFW, feel free to leave a comment below.

12 Comments

  1. Peter Gräbner on

    Worked fine on pi5, maybe include a description to find open ports on your machine like:
    sudo netstat -tunpl OR
    sudo nmap -n -PN -sT -sU -p- localhost (nmap is my favorite, needs to be installed)

  2. Boca on

    ufw status verbose (also possible)

  3. Zane on

    Hi, thanks for always helping out. I am using TeamViewer on rbpi. Does it have a port? If it does, what is it and how do I allow it on ufw?

    1. Emmet on
      Editor

      Hi Zane,

      From my quick research there are three ports that Teamviewer can attempt to use, these are “5938”, “443” and “80”.

      These ports are referenced in the order that Teamviewer will attempt to use them so you should be able to get away with just allowing the first port.

      sudo ufw allow 5938

      Cheers,
      Emmet

  4. Tobias on

    What if I accidentally did a system reboot before allowing my ssh port?

    1. Emmet on
      Editor

      Hi Tobias,

      If you have enabled the UFW firewall, you would need to physically interact with the device and allow the port.

      Cheers,
      Emmet

  5. Bec Kec on

    Thanks for the excellent instruction. The SSH still works but the VNC does not work when ufw is enabled. Is there a port to allow to overcome this?

    1. Emmet on
      Editor

      Hi Bec,

      From what I understand VNC can use the TCP port 5900 and 5800.

      If you have multiple displays then the ports will be 5901 and increasing by 1 for every additional display.

      Cheers,
      Emmet

  6. JiM on

    Everything you said above is true.
    However, on my system ufw is not activated after reboot.
    So I put in rc.local sudo ufw enable
    But then it wants a (y) to go on..
    Hm,.. how to fix that.
    Any suggestions?

    1. JiM on

      Found it..
      sudo ufw --force enable

  7. Endacott on

    The tutorial worked as intended. Thanks for helping.

  8. Rob on

    Thanks for the simple tutorial, appreciate it!