how to configure firewall on raspberry pi

Step-by-Step Guide: Configuring a Firewall on Raspberry Pi

The Raspberry Pi has so many uses that it’s sometimes important to consider security in our projects. One great use is to install a firewall on the Raspberry Pi to protect the hosted services or data. In this article, I will show you how to install and use one easily.

The easiest way to configure the firewall on a Raspberry Pi is to use the tool “UFW” which stands for “Uncomplicated FireWall”. It’s available in the default repository and can be configured with a few commands.

I’ll first talk a bit about the theory, and whether installing a firewall on your Raspberry Pi is a good idea or not. I’ll then explain how to do it effectively in a few minutes.

Do you need a firewall on Raspberry Pi?

While having a firewall on a Raspberry Pi is not mandatory, it may serve as an effective security mechanism for safeguarding against potential threats. Depending on the security implemented on the network, the installation of a firewall may provide little to no benefit, or even cause complications.

However, it is generally a good idea to install a firewall on guest networks or if your Raspberry Pi is hosting critical applications. This will minimize the risk of unauthorized access and enhance overall security.

In most cases, you already have a firewall configured on your Internet router, protecting you from the most common threats coming from the Internet. You can often configure it to be more or less strict, and choose whether it also filters traffic on the local network.

It looks like the left side of this schema:

The goal of this tutorial is to show you how to add a second layer of security to your Raspberry Pi, to protect it even more. If you have a large local network, it will allow you to control who can access what. If you host services publicly on the Internet and forward ports to it, having the second layer of security is probably a good idea too.

I will show you how to do it easily, whatever your motives are, but make sure it’s really useful in your situation.

If you already have a master firewall on the network that is properly configured to deny everything except the allowed traffic, it’s probably a bad idea to add one on the Raspberry Pi. You’ll have to do the work on the two firewalls when you want to open a new port, for example.

Does Raspberry Pi OS have a firewall?

Raspberry Pi OS comes with iptables installed by default, which is often used as a firewall on Linux systems. It can, however, be complicated to configure, so using another tool such as “ufw” is recommended.

As a reminder, UFW stands for Uncomplicated FireWall, and it’s not a firewall app in itself. It relies on iptables in the background. It’s just a different interface to configure iptables.

To give you an example, here is how to open port 80 with both commands:

  • Iptables:
    sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
  • UFW:
    sudo ufw allow 80

So, you can use any of them, but UFW is simpler to use and should be more than enough in most cases.

For your information, iptables is installed by default but isn’t enabled on Raspberry Pi OS. So if you haven’t configured anything, there is no firewall on your Raspberry Pi.

Set up and configure a firewall on Raspberry Pi

We’ll now discuss how to install and use UFW on Raspberry Pi, which is a nice interface for iptables, making it easier to configure.

Install UFW on Raspberry Pi

UFW is available in the default repository for most Linux distributions. It will install iptables automatically as a prerequisite if it’s not already present on your system.

I’m testing this tutorial for you on Raspberry Pi OS, but it should work on any distribution, as it’s an essential package they all offer in their default repository.

On Raspberry Pi OS and any Debian-based distribution, you can install UFW with:
sudo apt update
sudo apt install ufw

If you use another distribution, use your usual package manager there, and the next steps should be the same.

Default UFW configuration

Like most firewalls, UFW’s configuration right after installation is to deny all incoming traffic by default. Luckily, UFW isn’t automatically enabled during the installation, so you won’t lose access to your Raspberry Pi right away.

If you are new to this, a firewall typically uses a white list mode by default, which means everything is blocked unless there is a rule allowing this type of traffic specifically (protocol, port, source or destination IP).

In this case, incoming traffic is denied, and outgoing traffic is allowed. If you enable UFW now, you’ll lose access to SSH, VNC and any service hosted on it. So, we first need to list the ports to open.

Allow port on a firewall

As UFW is configured to deny all incoming traffic by default, the main thing you’ll need to configure is to open the ports required for your services.

If you host a website, you’ll allow HTTP (port 80). If you use SSH, allow port 22 (at least for your computer), etc.

The basic syntax to do this is:
ufw allow [PORT]
So, for example:
sudo ufw allow 80

Note: Remember that administrator privileges are required for all firewall commands, so make sure to prefix all commands with “sudo”.

When you need something more specific, a few additional options are available with the “allow” command:

  • Specify the protocol for the port (TCP or UDP):
    ufw allow [PORT]/[PROTOCOL]
    Example:
    sudo ufw allow 80/tcp
  • Specify the IP addresses allowed (source and destination):
    ufw allow from [IP OR SUBNET] to [IP] port [PORT]
    Examples:
    sudo ufw allow from 192.168.1.10 to 192.168.1.20 port 80
    sudo ufw allow from 192.168.1.0/24 to 192.168.1.20 port 80

    In these examples, 192.168.1.20 would be the Raspberry Pi IP address.
    192.168.1.10 can be your computer, and 192.168.1.0/24 allows the whole LAN.
  • Combine all options:
    ufw allow from [IP or SUBNET] proto [UDP/TCP] to [IP] port [PORT]

Block port on a firewall

You can configure UFW to block specific ports by using almost the same command used to allow them:
sudo ufw deny [PORT]
And all the same additional options.

As a reminder, the default policy for UFW is to block all incoming connections, unless you explicitly allow it. So you most likely won’t need this command, unless you change the default policy.

By the way, you can change the default rule with:
sudo ufw default allow incoming
In this example, I revert to a blacklist mode, where everything is allowed unless explicitly blocked.

Enable/disable the firewall

Once your configuration is done, you can try to enable the firewall with:
sudo ufw enable

All your rules will be applied directly, and the firewall will be enabled on boot automatically. You may temporarily lose the connection to your Pi during this process.

If anything goes wrong, you can disable UFW at any time with:
sudo ufw disable
Adjust your rules to make sure you didn’t forget or mistype anything, and try again.
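
To avoid the lockout described above, you can check the staged rules before enabling the firewall. The script below is an added example, not part of the original tutorial: it reads the text printed by "sudo ufw show added" (which lists rules added while UFW is still inactive) and refuses to go further if no allow rule covers SSH. The function names are hypothetical, SSH is assumed to listen on port 22, and the two sample outputs are constructed.

```shell
#!/bin/sh
# Pre-enable lockout check: does the staged UFW rule set still admit SSH?
# Input is the text printed by `sudo ufw show added`.

# find_allow_rule PORT: read `ufw show added` text on stdin, print the first
# "allow" rule that admits TCP traffic to PORT, return 1 if there is none.
# Only the rule forms used in the article are recognised.
find_allow_rule() {
    port="$1"
    while IFS= read -r line; do
        case "$line" in
            # Simple form: ufw allow 22  /  ufw allow 22/tcp
            "ufw allow $port"|"ufw allow $port/tcp") ;;
            # Extended form: ufw allow from SRC to DST port 22 [proto tcp]
            "ufw allow "*" port $port"|"ufw allow "*" port $port proto tcp") ;;
            *) continue ;;
        esac
        printf '%s\n' "$line"
        return 0
    done
    return 1
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_WEB_ONLY="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow 443/tcp"

SAMPLE_WITH_SSH="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow from 192.168.1.0/24 to 192.168.1.20 port 22 proto tcp"

# check_before_enable TEXT [PORT]: print a verdict, return 0 only if safe.
check_before_enable() {
    if rule=$(printf '%s\n' "$1" | find_allow_rule "${2:-22}"); then
        echo "OK: SSH stays reachable via: $rule"
    else
        echo "STOP: no allow rule for port ${2:-22}; 'ufw enable' would cut SSH"
        return 1
    fi
}

check_before_enable "$SAMPLE_WEB_ONLY" || true
check_before_enable "$SAMPLE_WITH_SSH"
# On the Pi itself (needs root, so not run here):
#   check_before_enable "$(sudo ufw show added)" && sudo ufw enable
```

The check is deliberately conservative: a rule written in a form it does not recognise is reported as missing, so a "STOP" verdict means "look at the rules yourself", not necessarily that SSH is blocked.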

Firewall status: list current rules

At this point, another command that can be really useful is to show the firewall status. Not only will you see the current status (active or inactive) but you’ll also see all of the rules you created, listed in an easy-to-read format.

To get the same kind of screen on your Raspberry Pi, use:
sudo ufw status

If needed, the verbose mode will also give you the default policies:
sudo ufw status verbose

Remove existing rules

We have seen how to add new rules with UFW (allow, deny), but how do you remove some?

The first step is to show the previous status screen, but with the rule IDs added to the list:
sudo ufw status numbered

In that output, each rule has a number associated with it. So, you can now delete a rule with:
sudo ufw delete [ID]

After using iptables directly for years, I can’t tell you enough how useful these kinds of shortcuts are when you configure and monitor Linux firewalls :-).

Related questions

Is there a way to manage firewall rules with a graphic interface?

On Raspberry Pi OS, there is a tool named “GUFW” available in the default repository. It allows seeing, adding or modifying rules from UFW via a desktop application. It’s also possible to enable or disable rules directly from the interface.

It looks like this:

Overall, I don’t think this is really useful, as the commands are not that complicated, and you basically do the same thing via the interface. It might be useful if you often enable/disable rules or the firewall entirely, but if you do everything once, I would use the terminal.

What is the best firewall for Raspberry Pi?

Many firewall solutions are available on Raspberry Pi, but they are all based on iptables. So, in terms of security, it doesn’t really matter which one you use: they are just different interfaces to the same base layer.
