UFW Firewall Errors — Rules Not Working and Port Configuration Guide
About UFW Firewall Errors
Fix UFW (Uncomplicated Firewall) errors on Ubuntu, including rules not applying, Docker bypassing UFW, and proper port configuration for services.
Quick Answer
Will enabling UFW lock me out of SSH?
Yes, if you do not allow SSH first. Always run sudo ufw allow ssh BEFORE sudo ufw enable. If locked out, access via console and run sudo ufw disable.
Key Details
- UFW is the default firewall interface on Ubuntu and Debian, wrapping iptables/nftables
- UFW must be explicitly enabled: sudo ufw enable (disabled by default on many installations)
- Default policy: deny incoming, allow outgoing — must explicitly allow needed ports
- Docker modifies iptables directly, bypassing UFW rules — a major security concern
- UFW application profiles in /etc/ufw/applications.d/ define named service rules
Common Causes
- UFW not enabled (disabled by default on fresh Ubuntu installations)
- Rule order: UFW processes rules top-to-bottom, first match wins
- Docker inserting iptables rules that bypass UFW's deny rules
- IPv6 not configured: UFW defaults to IPv4 only unless IPV6=yes in /etc/default/ufw
- Application profile not matching the actual port the service is using
Steps
1. Enable UFW: sudo ufw enable (will not disconnect SSH if you allow it first)
2. Allow SSH first: sudo ufw allow ssh (or sudo ufw allow 22/tcp) before enabling
3. Allow a port: sudo ufw allow 80/tcp and sudo ufw allow 443/tcp for web
4. Check status: sudo ufw status verbose to see all rules and default policies
5. Fix Docker bypass: edit /etc/docker/daemon.json: {"iptables": false} (then manage Docker ports manually)
6. Delete a rule: sudo ufw delete allow 80/tcp or sudo ufw delete <rule-number> (from ufw status numbered)
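The causes and steps above can be checked mechanically. This is an added example, not part of the original page: a POSIX shell audit that reads captured output of sudo ufw status verbose, /etc/default/ufw and docker ps --format '{{.Ports}}', then reports which listed causes apply and which Docker-published ports have no UFW allow rule. The function names and all SAMPLE_* data are constructed for illustration, and SSH is assumed to be on port 22.

```sh
#!/bin/sh
# Added example. All SAMPLE_* data is constructed. On a real host, capture with:
#   sudo ufw status verbose; cat /etc/default/ufw; docker ps --format '{{.Ports}}'

SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere'

SAMPLE_DEFAULTS='IPV6=no
DEFAULT_INPUT_POLICY="DROP"'

SAMPLE_DOCKER='0.0.0.0:8080->80/tcp, :::8080->80/tcp
127.0.0.1:5432->5432/tcp
0.0.0.0:443->443/tcp'

# Findings for a `ufw status verbose` capture ($1) and /etc/default/ufw text ($2).
audit_ufw() (
  printf '%s\n' "$1" | grep -q '^Status: active' || echo "ufw-inactive"
  printf '%s\n' "$1" | grep -q '^Default: deny (incoming)' || echo "incoming-not-denied"
  printf '%s\n' "$1" | grep -Eq '^(22(/tcp)?|OpenSSH)[[:space:]].*(ALLOW|LIMIT)' || echo "ssh-not-allowed"
  printf '%s\n' "$2" | grep -Eq '^IPV6=yes' || echo "ipv6-rules-disabled"
  exit 0
)

# Host ports Docker publishes on all interfaces ($1) with no UFW ALLOW rule ($2).
# Docker's own iptables rules make these reachable although UFW never allowed them.
docker_bypass_ports() (
  printf '%s\n' "$1" |
    grep -Eo '(^|[, ])(0\.0\.0\.0|\[::\]|::):[0-9]+->[0-9]+/(tcp|udp)' |
    sed -E 's#.*:([0-9]+)->[0-9]+/(tcp|udp)#\1/\2#' | sort -u |
    while read -r p; do
      printf '%s\n' "$2" | grep -Eq "^${p%/*}(/${p#*/})?[[:space:]].*ALLOW" || echo "$p"
    done
  exit 0
)

audit_ufw "$SAMPLE_STATUS" "$SAMPLE_DEFAULTS"
docker_bypass_ports "$SAMPLE_DOCKER" "$SAMPLE_STATUS"
```

Ports bound to 127.0.0.1 are not reported because they are not published on external interfaces.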