ufw (Uncomplicated FireWall) is an open source software package used on linux. It provides a 'simpler' means of controlling one of the standard linux firewall packages, iptables. The latter performs the actual firewalling; ufw just exists to allow humans a better chance of comprehending what they're asking the firewall to do and how. In addition to offering a simplified language, ufw contains some optional default rulesets which implement widely-used behaviors for you.

As an example, here is a ufw command:

ufw allow from to any 53

in iptables, this would look like:

iptables -A INPUT -p tcp --dport 53 -s -j ACCEPT
iptables -A INPUT -p udp --dport 53 -s -j ACCEPT

Either of these will allow Google's DNS servers to reach the DNS port on your server via TCP or UDP. It's spurious - I dunno if Google's public DNS servers ever do direct recursion and I doubt it.

I know, neither of them is really *clear*, but ufw is a bit easier. Generally, Ops sneer at ufw (and at iptables, in many cases) and do their own thing, but many novice users find it easy to say

sudo ufw default deny incoming; sudo ufw default allow outgoing
than to get down into iptables rules.

With all firewalls, your mileage may vary. If you are going to make changes to your firewall configuration remotely, I strongly recommend placing a cron job on the box that every 10 minutes or so just disables the firewall. That way, when (and it is when, not if) you accidentally cut off your own access, you just have to wait a few minutes before resuming work, as opposed to having to, say, drive to another state to fix the server or ask your cloud provider to replace the entire instance.

Log in or register to write something here or to contact authors.