1. Install the UFW Firewall:
The first step is to install the UFW firewall on your Raspberry Pi. To do this, open a terminal window and type the following command:
sudo apt-get install ufw
2. Enable the Firewall:
Once the UFW firewall is installed, you can enable it by typing the following command:
sudo ufw enable
3. Configure the Firewall Rules:
Now that the firewall is enabled, you can configure the firewall rules. To do this, type the following command:
sudo ufw allow
Replace
sudo ufw allow 22/tcp
4. Check the Firewall Status:
Once you have configured the firewall rules, you can check the status of the firewall by typing the following command:
sudo ufw status
This will show you a list of the rules that are currently enabled.
5. Disable the Firewall:
If you ever need to disable the firewall, you can do so by typing the following command:
sudo ufw disable
This will disable the firewall and all of the rules that you have configured.
The Raspberry Pi has so many uses that it’s sometimes important to consider security in our projects. One great use is to install a firewall on the Raspberry Pi to protect the hosted services or data. In this article, I will show you how to install and use one easily.
The easiest way to configure the firewall on a Raspberry Pi is to use the tool “UFW”, which stands for “Uncomplicated FireWall”. It’s available in the default repository and can be configured with a few commands.
I’ll first talk a bit about the theory, and whether installing a firewall on your Raspberry Pi is a good idea or not. I’ll then explain how to do it effectively in a few minutes.
While having a firewall on a Raspberry Pi is not mandatory, it may serve as an effective security mechanism for safeguarding against potential threats. Depending on the security implemented on the network, the installation of a firewall may provide little to no benefit, or even cause complications. However, it is generally a good idea to install a firewall on guest networks or if your Raspberry Pi is hosting critical applications. This will minimize the risk of unauthorized access and enhance overall security.
In most cases, you already have a firewall configured on your Internet router, protecting you from the most common threats coming from the Internet. You can often configure it to be more or less strict, and also to protect traffic on the local network or not.
The goal of this tutorial is to show you how to add a second layer of security to your Raspberry Pi, to protect it even more. If you have a large local network, it will allow you to control who can access what. If you host services publicly on the Internet and forward ports to it, having the second layer of security is probably a good idea too.
I will show you how to do it easily, whatever your motives are, but make sure it’s really useful in your situation. If you already have a master firewall on the network that is properly configured to deny everything except the allowed traffic, it’s probably a bad idea to add one on the Raspberry Pi. You’ll have to do the work on the two firewalls when you want to open a new port, for example.
Raspberry Pi OS comes with iptables installed by default, which is often used as a firewall on Linux systems. It can, however, be complicated to configure, so using another tool such as “ufw” is recommended.
As a reminder, UFW stands for Uncomplicated FireWall, and it’s not a firewall app in itself. It relies on iptables in the background. It’s just a different interface to configure iptables. To give you an example, here is how to open port 80 with both commands:
So, you can use either of them, but UFW is simpler to use and should be more than enough in most cases.
For your information, iptables is installed by default but isn’t enabled on Raspberry Pi OS. So if you haven’t configured anything, there is no firewall on your Raspberry Pi.
We’ll now discuss how to install and use UFW on Raspberry Pi, which is a nice interface for iptables, making it easier to configure.
UFW is available in the default repository for most Linux distributions. It will install iptables automatically as a prerequisite if it’s not already present on your system.
I’m testing this tutorial for you on Raspberry Pi OS, but it should work on any distribution, as it’s an essential package they all offer in their default repository.
On Raspberry Pi OS and any Debian-based distribution, you can install UFW with:
If you use another distribution, use your usual package manager there, and the next steps should be the same.
Like most firewalls, UFW’s default configuration once installed is to deny all traffic. Luckily, UFW isn’t automatically enabled during the installation, so you won’t lose access to your Raspberry Pi directly.
If you are new to this, a firewall typically uses a whitelist mode by default, which means everything is blocked unless there is a rule allowing this type of traffic specifically (protocol, port, source or destination IP). In this case, incoming traffic is denied, and outgoing traffic is allowed.
If you enable UFW now, you’ll lose access to SSH, VNC and any service hosted on it. So, we first need to list the ports to open.
As UFW is configured to deny all incoming traffic by default, the main thing you’ll need to configure is to open the ports required for your services. If you host a website, you’ll allow HTTP (port 80). If you use SSH, allow port 22 (at least for your computer), etc. The basic syntax to do this is:
Note: Remember that administrator privileges are required for all firewall commands, so make sure to prefix all commands with “sudo”.
When you need something more specific, a few additional options are available with the “allow” command:
You can configure UFW to block specific ports by using almost the same command used to allow them:
As a reminder, the default policy for UFW is to block all incoming connections unless you explicitly allow them. So you most likely won’t need this command, unless you change the default policy. By the way, you can change the default rule with:
Once your configuration is done, you can try to enable the firewall with:
All your rules will be applied directly, and it will be enabled on boot automatically. You may lose the connection temporarily with your Pi during this process.
If anything goes wrong, you can disable UFW at any time with:
At this point, another command that can be really useful is to show the firewall status. Not only will you see the current status (active or inactive), but you’ll also see all of the rules you created, listed in an easy-to-read format. To see it on your Raspberry Pi, use:
If needed, the verbose mode will also give you the default policies:
We have seen how to add new rules with UFW (allow, deny), but how do you remove some? The first step is to show the previous status screen, but add the rule IDs in the list, with:
Each rule has a number associated with it. So, you can now delete them, with:
After using iptables directly for years, I can’t tell you enough how useful these kinds of shortcuts are when you configure and monitor Linux firewalls :-).
On Raspberry Pi OS, there is a tool named “GUFW” available in the default repository. It allows seeing, adding or modifying rules from UFW via a desktop application. It’s also possible to enable or disable rules directly from the interface.
Overall, I don’t think this is really useful, as the commands are not that complicated, and you basically do the same thing via the interface. It might be useful if you often enable/disable rules or the firewall entirely, but if you do everything once, I would use the terminal.
Many firewall solutions are available on Raspberry Pi, but they are all based on iptables. So, in terms of security, it doesn’t really matter which one you use; they are just different interfaces to the same base layer.
Raspberry Pi is a small, low-cost computer that can be used for a variety of projects. It is a great tool for learning about computer networking and security. One of the most important security measures you can take with your Raspberry Pi is to configure a firewall. This guide will walk you through the steps of setting up a firewall on your Raspberry Pi.
The first step is to install the firewall software on your Raspberry Pi. The most popular firewall software for Raspberry Pi is UFW (Uncomplicated Firewall). To install UFW, open a terminal window and type the following command:
Once the installation is complete, you can check the status of the firewall by typing the following command:
Now that the firewall software is installed, you need to configure the firewall rules. UFW uses a set of predefined rules to control incoming and outgoing traffic. To view the default rules, type the following command:
You can also add your own rules to the firewall. For example, to allow incoming SSH connections, type the following command:
To deny incoming connections from a specific IP address, type the following command:
Once you have configured the firewall rules, you need to enable the firewall. To do this, type the following command:
You can also check the status of the firewall by typing the following command:
The last step is to test the firewall to make sure it is working properly. To do this, you can use a tool such as Nmap to scan your Raspberry Pi for open ports. If the firewall is working properly, the scan should only show the ports that you have explicitly allowed.
Configuring a firewall on your Raspberry Pi is an important step in securing your device. This guide has walked you through the steps of installing and configuring a firewall on your Raspberry Pi. With a properly configured firewall, you can rest assured that your Raspberry Pi is safe from malicious attacks.
Do you need a firewall on Raspberry Pi?
Does Raspberry Pi OS have a firewall?
sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo ufw allow 80
Set up and configure a firewall on Raspberry Pi
Install UFW on Raspberry Pi
sudo apt update
sudo apt install ufw
Default UFW configuration
Allow port on a firewall
ufw allow [PORT]
So, for example:
sudo ufw allow 80
ufw allow [PORT]/[PROTOCOL]
Example:
sudo ufw allow 80/tcp
ufw allow from [IP OR SUBNET] to [IP] port [PORT]
Examples:
sudo ufw allow from 192.168.1.10 to 192.168.1.20 port 80
sudo ufw allow from 192.168.1.0/24 to 192.168.1.20 port 80
In these examples, 192.168.1.20 would be the Raspberry Pi IP address. 192.168.1.10 can be your computer, and 192.168.1.0/24 is to allow the whole LAN.
ufw allow from [IP or SUBNET] proto [UDP/TCP] to [IP] port [PORT]
Block port on a firewall
sudo ufw deny [PORT]
And all the same additional options.
sudo ufw default allow incoming
In this example, I revert to a blacklist mode, where everything is allowed unless explicitly blocked.
Enable/disable the firewall
sudo ufw enable
sudo ufw disable
Adjust your rules to make sure you didn’t forget anything or mistype something, and try again.
Firewall status: list current rules
sudo ufw status
sudo ufw status verbose
Remove existing rules
sudo ufw status numbered
sudo ufw delete [ID]
Related questions
Is there a way to manage firewall rules with a graphic interface?
What is the best firewall for Raspberry Pi?
Step-by-Step Guide: Configuring a Firewall on Raspberry Pi
Step 1: Install the Firewall Software
sudo apt-get install ufw
sudo ufw status
Step 2: Configure the Firewall Rules
sudo ufw show raw
sudo ufw allow ssh
sudo ufw deny from 192.168.1.1
Step 3: Enable the Firewall
sudo ufw enable
sudo ufw status
Step 4: Test the Firewall
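As a complement to the Nmap scan, the following added example (not part of the original article) compares `ufw status` output with the list of ports you intended to open and reports an inactive firewall, unexpected ALLOW rules and expected ports that are missing. The function name `audit_ufw_status`, the expected-port list and the sample status text are assumptions constructed for illustration.

```shell
# Added example (not from the original page): compare `ufw status` output
# with the ports you meant to open. Names and sample data are assumptions.
audit_ufw_status() {
    # Arguments: expected "To" entries such as 22/tcp; status text on stdin.
    awk -v expected="$*" '
        BEGIN {
            n = split(expected, want_list, " ")
            for (i = 1; i <= n; i++) want[want_list[i]] = 1
        }
        $1 == "Status:" && $2 != "active" {
            print "FINDING: firewall is " $2 ", no rule is enforced"
            inactive = 1; bad++; exit
        }
        {
            # Find the action column; the fields before it form the "To" column.
            for (a = 2; a <= NF; a++) if ($a == "ALLOW") break
            if (a > NF) next                      # header, separator or DENY row
            to = $1
            for (i = 2; i < a; i++) if ($i != "(v6)") to = to " " $i
            src = ($(a + 1) == "IN") ? $(a + 2) : $(a + 1)   # "ALLOW IN" in verbose mode
            seen[to] = 1
            if (!(to in want) && !(to in reported)) {
                print "FINDING: unexpected ALLOW for " to " from " src
                reported[to] = 1; bad++
            }
        }
        END {
            if (!inactive)
                for (i = 1; i <= n; i++)
                    if (!(want_list[i] in seen)) {
                        print "FINDING: " want_list[i] " is expected but not allowed"
                        bad++
                    }
            exit (bad > 0)
        }'
}

# Constructed sample of `ufw status` output (not captured from a real system).
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       192.168.1.0/24
80/tcp                     ALLOW       Anywhere
5900/tcp                   ALLOW       Anywhere
5900/tcp (v6)              ALLOW       Anywhere (v6)'

printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_status 22/tcp 80/tcp 443/tcp \
    || echo "Review the findings above."
```

On a real Raspberry Pi, pipe the live output instead: `sudo ufw status | audit_ufw_status 22/tcp 80/tcp`. The function exits with status 1 when it reports at least one finding.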
Conclusion