how to configure firewall on raspberry pi

Step-by-Step Guide: Configuring a Firewall on Raspberry Pi

The Raspberry Pi has so many uses, that sometimes it’s important to consider security steps in our projects. One great use is to install a firewall on the Raspberry Pi to protect the hosted services or data. In this article, I will show you how to install and use one easily.

The easiest way to configure the firewall on a Raspberry Pi is to use the tool “UFW” which stands for “Uncomplicated FireWall”. It’s available in the default repository and can be configured with a few commands.

I’ll first talk a bit about the theory, and whether installing a firewall on your Raspberry Pi is a good idea or not. I’ll then explain how to do it effectively in a few minutes.

If you’re looking to quickly progress on Raspberry Pi, you can check out my e-book here. It’s a 30-day challenge where you learn one new thing every day until you become a Raspberry Pi expert. The first third of the book teaches you the basics, but the following chapters include projects you can try on your own.

Do you need a firewall on Raspberry Pi?

While having a firewall on a Raspberry Pi is not mandatory, it may serve as an effective security mechanism for safeguarding against potential threats. Depending on the security implemented on the network, the installation of a firewall may provide little to no benefit, or even cause complications.

However, it is generally a good idea to install a firewall on guest networks or if your Raspberry Pi is hosting critical applications. This will minimize the risk of unauthorized access and enhance overall security.

In most cases, you already have a firewall configured on your Internet router, protecting you from the most common threats coming from the Internet. You can often configure it to be more or less strict, and also protect traffic on the local network or not.

It looks like the left side of this schema:

The goal of this tutorial is to show you how to add a second layer of security to your Raspberry Pi, to protect it even more. If you have a large local network, it will allow you to control who can access what. If you host services publicly on the Internet and forward ports to it, having the second layer of security is probably a good idea too.

I will show you how to do it easily, whatever your motives are, but make sure it’s really useful in your situation.

If you already have a master firewall on the network that is properly configured to deny everything except the allowed traffic, it’s probably a bad idea to add one on the Raspberry Pi. You’ll have to do the work on the two firewalls when you want to open a new port, for example.

Download Your Essential Linux Commands Guide!
It's a free PDF guide containing every Raspberry Pi Linux command you should know!
Download now

Related: 17 Security Tips To Protect Your Raspberry Pi Like A Pro

Does Raspberry Pi OS have a firewall?

Raspberry Pi OS comes with iptables installed by default, which is often used as a firewall on Linux systems. It can, however, be complicated to configure, so using another tool such as “ufw” is recommended.

As a reminder, UFW stands for Uncomplicated FireWall, and it’s not a firewall app in itself. It relies on iptables in the background. It’s just a different interface to configure iptables.

To give you an example, here is how to open port 80 with both commands:

  • Iptables:
    sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
  • UFW:
    sudo ufw allow 80

So, you can use any of them, but UFW is simpler to use and should be more than enough in most cases.

Join Our Community!

Connect, learn, and grow with other Raspberry Pi enthusiasts. Support RaspberryTips and enjoy an ad-free reading experience. Get exclusive monthly video tutorials and many other benefits.

Learn more

For your information, iptables is installed by default but isn’t enabled on Raspberry Pi OS. So if you haven’t configured anything, there is no firewall on your Raspberry Pi.

Download Your Essential Linux Commands Guide!
It's a free PDF guide containing every Raspberry Pi Linux command you should know!
Download now

Set up and configure a firewall on Raspberry Pi

We’ll now discuss how to install and use UFW on Raspberry Pi, which is a nice interface for iptables, making it easier to configure.

Install UFW on Raspberry Pi

UFW is available in the default repository for most Linux distributions. It will install iptables automatically as a prerequisite if it’s not already present on your system.

I’m testing this tutorial for you on Raspberry Pi OS, but it should work on any distribution, as it’s an essential package they all offer in their default repository.

On Raspberry Pi OS and any Debian-based distribution, you can install UFW with:
sudo apt update
sudo apt install ufw

If you use another distribution, use your usual package manager there, and the next steps should be the same.

Are you a bit lost in the Linux command line? Check this article first for the most important commands to remember and a free downloadable cheat sheet so you can have the commands at your fingertips.

Default UFW configuration

Like most firewalls, the default configuration, once UFW is installed, is to deny all traffic by default. Luckily, UFW isn’t automatically enabled during the installation so you won’t lose access to your Raspberry Pi directly.

If you are new to this, a firewall typically uses a white list mode by default, which means everything is blocked unless there is a rule allowing this type of traffic specifically (protocol, port, source or destination IP).

In this case, incoming traffic is denied, and outgoing traffic is allowed. If you enable UFW now, you’ll lose access to SSH, VNC and any service hosted on it. So, we first need to list the ports to open.

Download Your Essential Linux Commands Guide!
It's a free PDF guide containing every Raspberry Pi Linux command you should know!
Download now

Allow port on a firewall

As UFW is configured to deny all incoming traffic by default, the main thing you’ll need to configure is to open the ports required for your services.

If you hose a website, you’ll allow HTTP (port 80). If you use SSH, allow port 22 (at least for your computer), etc.

The basic syntax to do this is:
ufw allow [PORT]
So, for example:
sudo ufw allow 80

Note: Remember that administrator privileges are required for all firewall commands, so make sure to prefix all commands with “sudo” (more details here).

When you need something more specific, a few additional options are available with the “allow” command:

  • Specify the protocol for the port (TCP or UDP):
    ufw allow [PORT]/[PROTOCOL]
    sudo ufw allow 80/TCP
  • Specify the IP addresses allowed (source and destination):
    ufw allow from [IP OR SUBNET] to [IP] port [PORT]
    sudo ufw allow from to port 80
    sudo ufw allow from to port 80

    In these examples, would be the Raspberry Pi IP address.
    1.10 can be your computer, and 1.0/24 is to allow the whole LAN.
  • Combine all options:
    ufw allow from [IP or SUBNET] proto [UDP/TCP] to [IP] port [PORT]

Here are some additional resources that might be useful at this point:

Block port on a firewall

You can configure UFW to block specific ports by using almost the same command used to allow them:
sudo ufw deny [PORT]
And all the same additional options.

As a reminder, the default policy for UFW is to block all incoming connections, unless you explicitly allow it. So you most likely won’t need this command, unless you change the default policy.

By the way, you can change the default rule with:
sudo ufw default allow incoming
In this example, I revert to a blacklist mode, where everything is allowed unless explicitly blocked.

Enable/disable the firewall

Once your configuration is done, you can try to enable the firewall with:
sudo ufw enable

All your rules will be applied directly, and it will be enabled on boot automatically. You may lose the connection temporarily with your Pi during this process:

If anything is going wrong, you can disable UFW at any time with:
sudo ufw disable
Adjust your rules to make sure you didn’t forget anything or mistyped something, and try again.

Firewall status: list current rules

At this point, another command that can be really useful is to show the firewall status. Not only will you see the current status (active or inactive) but you’ll also see all of the rules you created, listed in an easy-to-read format.

To get the same kind of screen on your Raspberry Pi, use:
sudo ufw status

If needed, the verbose mode will also give you the default policies:
sudo ufw status verbose

Remove existing rules

We have seen how to add new rules with UFW (allow, deny), but how do you remove some?

The first step is to show the previous status screen, but add the rules ID in the list, with:
sudo ufw status numbered

As you’ll see in the screenshot below, each rule has a number associated. So, you can now delete them, with:
sudo ufw delete [ID]

After using iptables directly for years, I can’t tell you enough how useful these kinds of shortcuts are when you configure and monitor Linux firewalls :-).

Download Your Essential Linux Commands Guide!
It's a free PDF guide containing every Raspberry Pi Linux command you should know!
Download now

🛠 This tutorial doesn't work anymore? Report the issue here, so that I can update it!

Want to chat with other Raspberry Pi enthusiasts? Join the community, share your current projects and ask for help directly in the forums.

Related questions

Is there a way to manage firewall rules with a graphic interface?

On Raspberry Pi OS, there is a tool named “GUFW” available in the default repository. It allows seeing, adding or modifying rules from UFW via a desktop application. It’s also possible to enable or disable rules directly from the interface.

It looks like this:

Overall, I don’t think this is really useful, as the commands are not that complicated, and you basically do the same thing via the interface. It might be useful if you often enable/disable rules or the firewall entirely, but if you do everything once, I would use the terminal.

What is the best firewall for Raspberry Pi?

Many firewall solutions are available on Raspberry Pi, but they are all based on iptables. So, in terms of security, it doesn’t really matter which one you use, it’s just different interfaces to the same base layer.

I have several articles on the website that you might be interested in if you want to implement a firewall on your network:

If you have any additional questions, feel free to ask them in the community.

Whenever you’re ready, here are other ways I can help you:

The RaspberryTips Community: If you want to hang out with me and other Raspberry Pi fans, you can join the community. I share exclusive tutorials and behind-the-scenes content there. Premium members can also visit the website without ads.

Master your Raspberry Pi in 30 days: If you are looking for the best tips to become an expert on Raspberry Pi, this book is for you. Learn useful Linux skills and practice multiple projects with step-by-step guides.

The Raspberry Pi Bootcamp: Understand everything about the Raspberry Pi, stop searching for help all the time, and finally enjoy completing your projects.

Master Python on Raspberry Pi: Create, understand, and improve any Python script for your Raspberry Pi. Learn the essentials step-by-step without losing time understanding useless concepts.

You can also find all my recommendations for tools and hardware on this page.

Similar Posts