In this project, we are going to show you how to set up and use the UFW firewall on the Raspberry Pi.
There are multiple different solutions for adding a firewall to a Linux based operating system.
Most of these solutions make use of the netfilter framework that is available within the Linux kernel.
While the Raspberry Pi OS distribution comes with iptables by default, it can be complicated to set up and use.
To get around this, we will install a simpler firewall interface to our Raspberry Pi called UFW.
UFW stands for uncomplicated firewall and is designed to be incredibly simple to use. It is the same firewall that is made available in all Ubuntu distributions.
Firewalls like UFW are a crucial way of protecting devices such as your Raspberry Pi from port-based network attacks.
Below we have included a list of the equipment we used to set up UFW on the Raspberry Pi.
This tutorial should work on any Debian based operating system. We tested this tutorial using a Raspberry Pi 4 running the latest version of Raspberry Pi OS.
Installing the UFW Firewall on the Raspberry Pi
In this section, we are going to show you how to install UFW on your device. The installation process is rather simple as UFW is available through the default package repositories.
1. Our first task is to update the currently running operating system.
To update this, we need to run the following command on our Raspberry Pi. You can either do this physically on your device using the terminal or by using SSH.
As we are messing with the firewall, we recommend that you at least have the ability to interact with your device physically.
sudo apt update sudo apt full-upgrade
2. Once our Raspberry Pi’s operating system is up to date, we can now install the firewall we will be using.
To install the UFW software, all we need to do is run the following command.
sudo apt install ufw
You should now have UFW installed to your Raspberry Pi. However, it will not be active yet.
Adding Firewall Rules using UFW on the Raspberry Pi
In this section, we will walk you through some of the basic steps to using the UFW firewall on the Raspberry Pi.
These basics include using UFW to block or limit traffic through specific ports. If you would like to learn more about configuring firewall rules in UFW, you can check our guide.
Before we continue, please note that UFW, by default, will block all incoming traffic and allow all outgoing traffic.
Enabling the firewall before adding allow rules for critical services like SSH can leave you unable to access your Raspberry Pi remotely.
Allowing Access Through a Port using UFW
Probably the most crucial task to learn when dealing with UFW on your Raspberry Pi is how to use it to allow access through a port.
To allow a port while using UFW, all we need to do is type in “
ufw allow” followed by the port number.
sudo ufw allow PORT
For example, if we wanted to allow port 22 (The default port used that is for SSH), we would enter the following command.
sudo ufw allow 22
Rate Limiting Connections on a Port
Using UFW, it is possible to impose rate limits on the number of connections through a specific port.
This feature can be handy for limiting the number of connections through to your SSH, making it harder for an outside source to brute force the connection.
Limiting a connection is just like allowing a connection; however, UFW will not allow six or more connections within 30 seconds.
To limit a connection, you need to use “
ufw limit” followed by the port number, then optionally, the protocol.
sudo ufw limit PORT
For example, we can use the firewall to limit connections to our Raspberry Pi’s SSH port by running the following command.
sudo ufw limit 22
Enabling the UFW Firewall on the Raspberry Pi
Once you have your firewall rules added using UFW on the Raspberry Pi, we can finally turn it on.
If you are using SSH to connect to your device, you need to make sure that you have port 22 allowed. Otherwise, you will lose connection upon enabling the firewall.
1. Before we enable UFW, we can list out all of the currently added firewall rules.
You can do this by using “
ufw” followed by “
show added” as we have below.
sudo ufw show added
From this command, you will retrieve a list of the rules that you have added to your firewall.
Added user rules (see 'ufw status' for running firewall): ufw limit 22 ufw allow 80 ufw allow 443
If you are happy that all the rules are correct, you can now proceed to enable UFW on your Raspberry Pi.
2. To enable UFW, all you need to do is run the following command on your Raspberry Pi.
sudo ufw enable
3. When you enable the firewall, you will get a warning that existing SSH connections may be disrupted.
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
To continue, type in Y then press the ENTER key.
4. Once the firewall has been activated, you will see the following message in the command line.
Firewall is active and enabled on system startup
5. You can check the status of UFW by using the following command.
sudo ufw status
This command will return the status of your firewall and list out all of your currently active rules.
For example, you can see that we have ports 80 and 443 allowed and port 22 limited.
Status: active To Action From -- ------ ---- 22 LIMIT Anywhere 80 ALLOW Anywhere 443 ALLOW Anywhere 22 (v6) LIMIT Anywhere (v6) 80 (v6) ALLOW Anywhere (v6) 443 (v6) ALLOW Anywhere (v6)
At this point, you should now have successfully set up UFW on your Raspberry Pi to act as your firewall.
A good firewall is crucial to maintaining your device’s security, and UFW is one of the easiest ways of controlling it.
If you have run into any issues with setting up UFW, feel free to leave a comment below.
Hi, thanks for always helping out. i am using teamviewer on rbpi. does it have a port? If it does, what is it and how do i allow it on ufw
From my quick research there is three ports that Teamviewer can attempt to use, these are “5938”, “443” and “80”.
These ports are referenced in the order that Teamviewer will attempt to use them so you should be able to get away with just allowing the first port.
What if I accidentally did a system reboot before allowing my ssh port?
If you have enabled the UFW firewall, you would need to physically interact with the device and allow the port.
Thanks for the excellent instruction. The SSH still works but the VNC does not work when ufw is enabled. Is there a port to allow to overcome this?
From what I understand VNC can use the TCP port
If you have multiple displays the the ports will be
5901and increasing by
1for every additional display.
Everything you said above is true.
However on my system ufw is not activated after reboot.
So i put in rc.local sudo ufw enable
But then it want a (y) to go on..
Hm,.. how to fix that.
sudo ufw –force enable
The tutorial worked as intended. Thanks for helping.
Thanks for the simple tutorial, appreciate it!