How to Configure a Firewall with `ufw` on Arch Linux

This article explains how to configure a firewall with ufw on Arch Linux.

Firewalls are essential components of a secure operating system, responsible for regulating inbound and outbound network traffic. On Arch Linux, users typically rely on powerful tools like iptables or nftables, but these can be complex for those who prefer simplicity and ease of use. Fortunately, there’s ufw — the Uncomplicated Firewall — which provides a user-friendly interface to manage firewall rules.

Although ufw is not installed by default on Arch Linux, it is readily available from the Arch User Repository (AUR) or the official community repository. In this article, we’ll walk through the steps to install, configure, and manage ufw on Arch Linux, covering both basic and advanced usage scenarios.


What is ufw?

ufw stands for Uncomplicated Firewall. Developed primarily for Ubuntu, it is a command-line interface for configuring firewall rules using iptables or nftables (depending on your system). The idea behind ufw is to simplify the process of creating and managing firewall rules without requiring deep knowledge of packet filtering syntax.

Key features of ufw include:

  • Simple command syntax for rule management
  • Default policies for incoming and outgoing traffic
  • Easy integration with systemd
  • Application profiles support
  • IPv6 support

Prerequisites

Before proceeding, ensure the following:

  • You are using Arch Linux or a compatible Arch-based distribution
  • You have root or sudo privileges
  • Your system is connected to the internet

Let’s begin with the installation.


Step 1: Installing ufw on Arch Linux

To install ufw, you can use the package from the official community repository. Run the following command:

sudo pacman -S ufw

This will install ufw and its dependencies.


Step 2: Enabling and Starting the UFW Service

Once installed, you need to enable and start the ufw service using systemd. This ensures that the firewall rules are applied at boot time.

sudo systemctl enable ufw
sudo systemctl start ufw

You can check the status of the firewall using:

sudo ufw status

By default, the firewall is inactive, so let’s configure it.


Step 3: Setting Default Policies

Before adding rules, it’s good practice to define default policies. ufw allows you to set default behavior for incoming and outgoing connections.

  • Deny all incoming traffic by default:
sudo ufw default deny incoming
  • Allow all outgoing traffic by default:
sudo ufw default allow outgoing

With these defaults, unsolicited inbound connections are dropped unless you allow them explicitly, while connections your system initiates go out freely.


Step 4: Allowing SSH (Optional but Important)

If you’re managing the system remotely over SSH, you must allow SSH access before enabling the firewall. Otherwise, you’ll be locked out.

To allow SSH (default port 22):

sudo ufw allow ssh

Or, explicitly:

sudo ufw allow 22/tcp

If you use a custom SSH port (say 2222), allow it accordingly:

sudo ufw allow 2222/tcp

Step 5: Enabling the Firewall

After setting default policies and allowing critical services like SSH, you can safely enable the firewall:

sudo ufw enable

You’ll see confirmation like:

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
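The Step 3 to Step 5 sequence as one script, added here as an example and not part of the original article: it reads the SSH port from sshd_config so the allow rule matches the daemon's real port, and it refuses to enable the firewall if that rule could not be added. It assumes a POSIX shell, sudo and an installed ufw; the DRY_RUN and SSH_CONFIG variables are names introduced for this example.

```shell
#!/bin/sh
# Added example (not from the original article): Step 3-5 as one script with
# a guard against the SSH lockout the article warns about.
# Assumes: sh, sudo, ufw installed. SSH_CONFIG and DRY_RUN are example knobs.
set -eu

SSH_CONFIG="${SSH_CONFIG:-/etc/ssh/sshd_config}"
DRY_RUN="${DRY_RUN:-0}"     # DRY_RUN=1 prints the ufw commands instead of running them

# run: execute (or, in dry-run mode, print) one ufw command
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ufw $*"
    else
        sudo ufw "$@"
    fi
}

# ssh_port: the active "Port" from sshd_config, or 22 when none is set.
# Only the first uncommented Port line counts, so "#Port 2222" is ignored.
ssh_port() {
    local port
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$SSH_CONFIG" 2>/dev/null || true)
    echo "${port:-22}"
}

# configure_firewall: deny in / allow out by default, permit SSH, then enable.
# If the SSH rule cannot be added the firewall is left disabled, because
# enabling it anyway is exactly the lockout described above.
configure_firewall() {
    local port
    port=$(ssh_port)
    run default deny incoming
    run default allow outgoing
    run allow "${port}/tcp" || { echo "could not add SSH rule; not enabling" >&2; return 1; }
    run --force enable      # --force skips the interactive "Proceed with operation (y|n)?" prompt
}

# Apply for real only when asked: UFW_APPLY=1 sudo sh ufw-setup.sh
if [ "${UFW_APPLY:-0}" = 1 ]; then
    configure_firewall
fi
```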

Step 6: Managing Firewall Rules

ufw offers a straightforward syntax to manage firewall rules. Here are some common examples:

Allow Specific Services or Ports

  • Allow HTTP (port 80):
sudo ufw allow 80/tcp
  • Allow HTTPS (port 443):
sudo ufw allow 443/tcp
  • Allow a range of ports:
sudo ufw allow 10000:20000/tcp
  • Allow a specific IP address:
sudo ufw allow from 192.168.1.100
  • Allow a specific IP to a specific port:
sudo ufw allow from 192.168.1.100 to any port 22

Deny Traffic

  • Deny a specific port:
sudo ufw deny 23
  • Deny a specific IP address:
sudo ufw deny from 203.0.113.5

Delete Rules

  • To remove a rule, use:
sudo ufw delete allow 80/tcp

Or find the rule number and delete by number:

sudo ufw status numbered
sudo ufw delete [number]
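Deleting by number has one trap: ufw renumbers the remaining rules after every deletion, and each rule usually has an IPv6 twin marked "(v6)". The following added example (not part of the original article) parses the output of "ufw status numbered" to find the numbers for a rule and lists them highest first, so deleting in that order keeps the remaining numbers valid. It assumes a POSIX shell with awk and sort; the status text below is a constructed sample, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original article): look up rule numbers in
# "ufw status numbered" output so rules can be deleted by number safely.
# Assumes POSIX sh, awk, sort. Status text is passed in for offline testing.

# rule_numbers STATUS_TEXT TO ACTION FROM
#   Prints the numbers of rules whose To/Action/From columns match exactly,
#   one per line, highest first (delete in that order; numbers shift after
#   each deletion). The IPv6 twin of a rule is "TO (v6)" from "Anywhere (v6)".
rule_numbers() {
    printf '%s\n' "$1" | awk -v to="$2" -v act="$3" -v from="$4" '
        BEGIN { FS = "  +" }                       # columns are 2+ spaces apart
        /^\[ *[0-9]+\]/ {
            n = $1; sub(/\].*/, "", n); sub(/^\[ */, "", n)     # rule number
            t = $1; sub(/^\[ *[0-9]+\] */, "", t)                # "To" column
            if (t == to && $2 == act && $3 == from) print n
        }' | sort -rn
}

# rule_numbers_any STATUS_TEXT TO ACTION
#   Numbers for a rule open to "Anywhere" and its "(v6)" twin, highest first.
rule_numbers_any() {
    { rule_numbers "$1" "$2" "$3" "Anywhere"
      rule_numbers "$1" "$2 (v6)" "$3" "Anywhere (v6)"; } | sort -rn
}

# delete_commands STATUS_TEXT TO ACTION FROM
#   Prints the "ufw delete N" commands to run, in a safe order.
delete_commands() {
    rule_numbers "$@" | while read -r n; do echo "ufw delete $n"; done
}

# Constructed sample of "sudo ufw status numbered" (not from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22                         ALLOW IN    192.168.1.100
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Which numbers would "ufw delete allow 80/tcp" remove? Both 5 and 2, in that order.
rule_numbers_any "$SAMPLE_STATUS" "80/tcp" "ALLOW IN"
```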

Step 7: Viewing the Firewall Status

You can view the status and active rules using:

sudo ufw status verbose

This command prints the logging state, the default policies, and the current allow and deny rules.


Step 8: Enabling Logging (Optional)

Firewall logging helps track blocked or allowed connections. To enable logging:

sudo ufw logging on

To disable logging:

sudo ufw logging off

Logging levels available:

  • off
  • low
  • medium
  • high
  • full

Example:

sudo ufw logging medium

Logs are typically written to /var/log/ufw.log.
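To make the log useful, count the blocked packets by source address, destination port and protocol; a single source hitting many ports in a short time is a scan, while a local address repeatedly blocked on one port is usually a misconfigured client that needs a rule. The following is an added example, not from the original article: it assumes a POSIX shell with awk and sort, reads log text on stdin (the file above, or "journalctl -k" on an Arch host with no syslog daemon, where ufw's kernel messages land in the journal instead), and the log lines embedded below are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): summarise [UFW BLOCK] log
# lines by source, destination port and protocol. Assumes POSIX sh, awk, sort.

# blocked_summary: reads log lines on stdin, prints "COUNT SRC DPT PROTO"
# for every [UFW BLOCK] line, most frequent first. Lines for other ufw
# actions ([UFW ALLOW], [UFW AUDIT]) are ignored.
blocked_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = "-"; proto = "-"
            for (i = 1; i <= NF; i++) {               # fields are KEY=VALUE tokens
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src != "") count[src " " dpt " " proto]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# top_blocked_source: the source address with the most blocked packets.
top_blocked_source() {
    blocked_summary | awk 'NR == 1 { print $2 }'
}

# Constructed sample log lines (not from a real host; 203.0.113.0/24 is a
# documentation range). Real lines carry the same kernel/timestamp prefix.
SAMPLE_LOG='Jun 12 10:01:02 arch kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=43210 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:01:03 arch kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=43211 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:01:04 arch kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=43212 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:02:10 arch kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.77 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Jun 12 10:02:11 arch kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.100 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

# On a real host: sudo cat /var/log/ufw.log | blocked_summary
printf '%s\n' "$SAMPLE_LOG" | blocked_summary
```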


Step 9: Using UFW with IPv6

If your system uses IPv6, make sure ufw's IPv6 support is turned on. The setting lives in ufw's defaults file (not in /etc/ufw/ufw.conf, which only records whether the firewall is enabled and the log level):

sudo nano /etc/default/ufw

Set:

IPV6=yes

Save and exit. ufw then manages both IPv4 and IPv6 rules; the IPv6 copies of your rules appear with a "(v6)" suffix in the status output.


Step 10: Application Profiles (Advanced Feature)

Application profiles are more widely used on Ubuntu, but they work on Arch Linux too with definitions you write yourself. The profiles reside in /etc/ufw/applications.d/.

To list available application profiles:

sudo ufw app list

To view the details of a profile:

sudo ufw app info [profile-name]

To allow a service using a profile:

sudo ufw allow [profile-name]

You can create your own profile by placing a .profile file in /etc/ufw/applications.d/.
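An added example (not from the article or the ufw project) that writes such a profile and checks its ports line before the file is installed, since a malformed profile is rejected when ufw loads it; the layout of the file is ufw's own, while the profile name MyWebApp, its ports, and the APP_DIR override are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original article or the ufw project): write a
# custom application profile and validate its ports line before installing it.
# The [Name]/title/description/ports layout is ufw's profile format; the
# profile name, ports and the APP_DIR override are assumptions for this example.
APP_DIR="${APP_DIR:-/etc/ufw/applications.d}"

# valid_ports SPEC
#   Succeeds when SPEC is a '|'-separated list of entries of the form
#   port, port:port or port,port[,...], each optionally suffixed /tcp or /udp,
#   e.g. "80/tcp|443/tcp" or "8080,8443/tcp". Anything else is rejected.
valid_ports() {
    entry='[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*(/(tcp|udp))?'
    printf '%s' "$1" | grep -Eq "^$entry(\\|$entry)*\$"
}

# write_profile NAME TITLE DESCRIPTION PORTS
#   Writes $APP_DIR/NAME.profile and prints its path; returns 1 on a bad
#   ports spec. Then run "sudo ufw app update NAME" to load it and
#   "sudo ufw allow NAME" to use it, as in the steps above.
write_profile() {
    name=$1; title=$2; desc=$3; ports=$4
    if ! valid_ports "$ports"; then
        echo "write_profile: invalid ports spec '$ports'" >&2
        return 1
    fi
    printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' \
        "$name" "$title" "$desc" "$ports" > "$APP_DIR/$name.profile"
    echo "$APP_DIR/$name.profile"
}

# Write the example profile only when asked: sudo sh ufw-profile.sh --write
if [ "${1:-}" = "--write" ]; then
    write_profile MyWebApp "My Web App" "Dashboard on 8080 and 8443" "8080,8443/tcp"
fi
```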


Step 11: Resetting the Firewall

If you want to start fresh:

sudo ufw reset

This disables the firewall and deletes all existing rules. After resetting, you’ll need to reconfigure your rules and enable ufw again.


Troubleshooting Tips

Here are some common issues and solutions:

  • SSH Lockout: Always test firewall rules with a secondary SSH session before closing the primary one. Allow SSH explicitly before enabling the firewall.
  • Firewall Not Starting at Boot: Ensure that ufw is enabled via systemctl enable ufw.
  • Conflicts with Other Firewalls: Disable or uninstall other firewalls like firewalld or direct iptables scripts to avoid conflicts.

Conclusion

ufw is a powerful yet simple tool for managing firewall rules on Arch Linux. While it may have been originally designed for Ubuntu, it integrates well into Arch systems, especially for users who prefer readability and ease of configuration over more complex alternatives.

By setting sensible default policies, enabling necessary services, and regularly reviewing rules, you can significantly improve your system’s security posture. Whether you’re a desktop user, a sysadmin, or managing a server, ufw gives you a reliable layer of protection without the steep learning curve of raw iptables or nftables.

For those needing even more control or automation, ufw can be scripted and combined with other security tools, making it a versatile choice for most Arch Linux users.


Further Reading: