Charles Varvayanis
Computer and Communication Systems

Since 1990
(209) 586-3782
charles@varvayanis.com
Raspberry Pi Firewall Setup
Step-by-step instructions for setting up a Firewall using iptables with UFW (Uncomplicated FireWall).
These procedures apply to Raspberry Pi 5, 4 or 3 with Raspberry Pi OS (64-Bit), (32-Bit) or (Legacy, 32-Bit).
General Notes
1. General:
The procedures below are optimized for setting up a firewall on a Raspberry Pi 5, 4 or 3 with Raspberry Pi OS (64-Bit), (32-Bit) or (Legacy, 32-Bit) connected via Ethernet.
Raspberry Pi OS includes iptables, an IP packet filter; however, it is disabled by default.
UFW (Uncomplicated FireWall) is a firewall user interface for iptables.
UFW together with iptables provides basic firewall features, but lacks the more sophisticated features and protections of a full firewall.
2. Internet access during setup:
Many of the steps below require that the target Raspberry Pi is connected to a network with Internet access, and that a DHCP server on that network is configured to give DHCP clients access to the Internet.
This is the standard or default configuration for most networks, so in most cases nothing additional needs to be done.
Notice about updates, upgrades and installations failing due to repository or network congestion or outages
Occasionally updates, upgrades and installations fail due to repository or network congestion or outages.
Sometimes there is an appropriate message saying as such, sometimes a missing file is reported, and sometimes there is just a failure message without an explanation.
When this occurs, simply run the command again.
If that does not solve the issues immediately, try again later.
Install and configure a firewall - UFW
Install UFW
Download latest package lists
sudo apt-get update -y
Download and install the newer versions of already installed packages
sudo apt-get upgrade -y
Download and install UFW
sudo apt install ufw
Once installed, UFW is disabled by default.
The default configuration blocks all incoming traffic (denied) and allows all outgoing traffic (allowed).
Therefore incoming SSH, FTP, HTTP, HTTPS and VNC traffic would be denied; TeamViewer would continue functioning because it only makes outgoing connections.
It is important to allow necessary management traffic such as SSH and/or VNC prior to enabling the firewall. Not doing so will require management via TeamViewer or a directly attached display, keyboard and mouse.
Note: In some of the following sections the subnet mask is expressed in slash notation together with an IP address.
Network subnet mask and slash notation relationships (Nodes = usable host addresses, i.e. 2^(32 - prefix) - 2; /31 and /32 leave none under this count):
| Class | Mask | Slash | Nodes |
|---|---|---|---|
| A | 255.0.0.0 | /8 | 16777214 |
| B | 255.255.0.0 | /16 | 65534 |
| B | 255.255.128.0 | /17 | 32766 |
| B | 255.255.192.0 | /18 | 16382 |
| B | 255.255.224.0 | /19 | 8190 |
| B | 255.255.240.0 | /20 | 4094 |
| B | 255.255.248.0 | /21 | 2046 |
| B | 255.255.252.0 | /22 | 1022 |
| B | 255.255.254.0 | /23 | 510 |
| C | 255.255.255.0 | /24 | 254 |
| C | 255.255.255.128 | /25 | 126 |
| C | 255.255.255.192 | /26 | 62 |
| C | 255.255.255.224 | /27 | 30 |
| C | 255.255.255.240 | /28 | 14 |
| C | 255.255.255.248 | /29 | 6 |
| C | 255.255.255.252 | /30 | 2 |
| C | 255.255.255.254 | /31 | 0 |
| C | 255.255.255.255 | /32 | 0 |
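To make the relationships in the table checkable before a subnet goes into a rule, here is an added example in POSIX sh (not part of the original page): it converts between slash notation, dotted masks and usable host counts, and normalises an address/prefix pair such as 50.209.187.25/29 to its network address. It goes a little beyond the table in that it also rejects non-contiguous masks and malformed octets. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: subnet mask / slash notation helpers.
# Octets are plain decimal without leading zeros (255.255.255.0, not 255.255.255.000).

# Validate one decimal octet: digits only, no leading zero, range 0..255.
octet_ok() {
  case $1 in
    ''|*[!0-9]*|0[0-9]*) return 1 ;;
  esac
  [ "$1" -le 255 ]
}

# a.b.c.d -> 32-bit integer on stdout; fails on malformed input.
# Runs in a subshell so changing IFS does not leak into the caller.
ip_to_int() (
  IFS=.
  set -- $1
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do octet_ok "$o" || exit 1; done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Reverse of ip_to_int.
int_to_ip() {
  printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                          $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# /N -> dotted mask, e.g. 26 -> 255.255.255.192 (top N bits set).
prefix_to_mask() {
  [ "$1" -ge 0 ] 2>/dev/null && [ "$1" -le 32 ] || return 1
  m=$(( (4294967295 << (32 - $1)) & 4294967295 ))
  int_to_ip "$m"
}

# dotted mask -> /N; rejects non-contiguous masks such as 255.0.255.0.
mask_to_prefix() {
  m=$(ip_to_int "$1") || return 1
  p=0
  while [ "$p" -lt 32 ] && [ $(( (m >> (31 - p)) & 1 )) -eq 1 ]; do p=$(( p + 1 )); done
  # every bit below the leading run of ones must be zero
  [ $(( m & ((1 << (32 - p)) - 1) )) -eq 0 ] || return 1
  echo "$p"
}

# Usable hosts for /N with the table's convention: 2^(32-N) - 2, and 0 for /31 and /32.
usable_hosts() {
  [ "$1" -ge 31 ] && { echo 0; return 0; }
  echo $(( (1 << (32 - $1)) - 2 ))
}

# Normalise ADDR/N to its network address, e.g. 50.209.187.25/29 -> 50.209.187.24/29.
cidr_network() {
  addr=${1%/*}; p=${1#*/}
  [ "$addr" != "$1" ] || return 1          # no slash present
  a=$(ip_to_int "$addr") || return 1
  mask=$(ip_to_int "$(prefix_to_mask "$p")") || return 1
  echo "$(int_to_ip $(( a & mask )))/$p"
}

# Stand-alone usage: print the table row for a prefix given on the command line.
if [ -n "${1:-}" ]; then
  echo "/$1 = $(prefix_to_mask "$1"), usable hosts: $(usable_hosts "$1")"
fi
```

Run it as `sh subnet.sh 29` to see the mask and host count for a prefix, or source it and call `cidr_network` on a subnet before pasting it into a rule; a host address such as 50.209.187.25/29 is accepted by UFW, but the normalised form makes it obvious which range is actually being allowed.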
Configure UFW
Set the firewall rules as appropriate for the installation.
Multiple rules can be applied to each service type.
Source addresses and source subnets can be either inside or outside the network the Raspberry Pi is connected to.
If any of the services below have not been installed, do not set a rule for that service.
DHCP
Allow (bootps is the DHCP server service name, port 67, as listed in /etc/services): sudo ufw allow bootps - Example: sudo ufw allow bootps
FTP
Allow from anywhere: sudo ufw allow 21/TCP - Example: sudo ufw allow 21/TCP
Allow from a specific Subnet: sudo ufw allow from <SourceSubnetAddress>/<SourceSubnetMask> proto TCP to <YourRaspberryPiIPAddress> port 21 - Example: sudo ufw allow from 50.209.187.25/29 proto TCP to 192.168.0.25 port 21
Allow from a specific IP Address: sudo ufw allow from <SourceIPAddress> proto TCP to <YourRaspberryPiIPAddress> port 21 - Example: sudo ufw allow from 50.209.187.26 proto TCP to 192.168.0.25 port 21
Note: These rules cover only the FTP control connection on port 21. Passive-mode data connections use additional server-side ports chosen by the FTP server, which also need to be allowed.
SSH
Allow from anywhere: sudo ufw allow 22/TCP - Example: sudo ufw allow 22/TCP
Allow from a specific Subnet: sudo ufw allow from <SourceSubnetAddress>/<SourceSubnetMask> proto TCP to <YourRaspberryPiIPAddress> port 22 - Example: sudo ufw allow from 50.209.187.25/29 proto TCP to 192.168.0.25 port 22
Allow from a specific IP Address: sudo ufw allow from <SourceIPAddress> proto TCP to <YourRaspberryPiIPAddress> port 22 - Example: sudo ufw allow from 50.209.187.26 proto TCP to 192.168.0.25 port 22
HTTP
Allow from anywhere: sudo ufw allow 80/TCP - Example: sudo ufw allow 80/TCP
Allow from a specific Subnet: sudo ufw allow from <SourceSubnetAddress>/<SourceSubnetMask> proto TCP to <YourRaspberryPiIPAddress> port 80 - Example: sudo ufw allow from 50.209.187.25/29 proto TCP to 192.168.0.25 port 80
Allow from a specific IP Address: sudo ufw allow from <SourceIPAddress> proto TCP to <YourRaspberryPiIPAddress> port 80 - Example: sudo ufw allow from 50.209.187.26 proto TCP to 192.168.0.25 port 80
HTTPS (port 443/TCP)
Allow from anywhere: sudo ufw allow 443/TCP - Example: sudo ufw allow 443/TCP
Allow from a specific Subnet: sudo ufw allow from <SourceSubnetAddress>/<SourceSubnetMask> proto TCP to <YourRaspberryPiIPAddress> port 443 - Example: sudo ufw allow from 50.209.187.25/29 proto TCP to 192.168.0.25 port 443
Allow from a specific IP Address: sudo ufw allow from <SourceIPAddress> proto TCP to <YourRaspberryPiIPAddress> port 443 - Example: sudo ufw allow from 50.209.187.26 proto TCP to 192.168.0.25 port 443
VNC Server
Allow from anywhere: sudo ufw allow 5900/TCP - Example: sudo ufw allow 5900/TCP
Allow from a specific Subnet: sudo ufw allow from <SourceSubnetAddress>/<SourceSubnetMask> proto TCP to <YourRaspberryPiIPAddress> port 5900 - Example: sudo ufw allow from 50.209.187.25/29 proto TCP to 192.168.0.25 port 5900
Allow from a specific IP Address: sudo ufw allow from <SourceIPAddress> proto TCP to <YourRaspberryPiIPAddress> port 5900 - Example: sudo ufw allow from 50.209.187.26 proto TCP to 192.168.0.25 port 5900
Enable the firewall
sudo ufw enable
Note: This also enables iptables
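The rules and the enable step above are one procedure, and the lock-out risk sits between them: enabling the firewall before an SSH or VNC rule exists cuts off remote management. Here is an added example in POSIX sh (not part of the original page) that keeps the rule set as data, prints the matching ufw commands, and only emits the enable step when the plan contains an SSH (22/TCP) or VNC (5900/TCP) allow rule. PI_ADDR, ADMIN_NET and the rule list are constructed placeholders to replace with your own values; HTTPS is 443/TCP. It emits `ufw --force enable`, the non-interactive form of `ufw enable`.

```shell
#!/bin/sh
# Added example, not from the original page: generate UFW commands from a rule
# plan and refuse to enable the firewall if no management rule is present.
PI_ADDR=192.168.0.25        # constructed placeholder: the Pi's own address
ADMIN_NET=192.168.0.0/24    # constructed placeholder: the subnet admins connect from

# Plan: one rule per line, "<label> <port>/<proto> <source>"; source "any" = from anywhere.
# The label is for humans only; the generator ignores it.
RULES="ssh 22/tcp $ADMIN_NET
vnc 5900/tcp $ADMIN_NET
https 443/tcp any"

# Turn one plan line into a ufw command (printed, not run).
rule_to_cmd() {
  port=${2%/*}; proto=${2#*/}
  if [ "$3" = any ]; then
    echo "ufw allow $port/$proto"
  else
    echo "ufw allow from $3 proto $proto to $PI_ADDR port $port"
  fi
}

# 0 if the plan opens SSH (22/tcp) or VNC (5900/tcp), else 1.
plan_has_mgmt_rule() {
  printf '%s\n' "$RULES" |
    awk '$2 == "22/tcp" || $2 == "5900/tcp" { found = 1 } END { exit found ? 0 : 1 }'
}

# Print the whole command sequence. The enable step is the non-interactive
# 'ufw --force enable'; it is only emitted when a management rule is in the plan.
build_plan() {
  plan_has_mgmt_rule || {
    echo "refusing to enable: plan has no SSH/VNC allow rule, remote access would be lost" >&2
    return 1
  }
  printf '%s\n' "$RULES" | while read -r label pp src; do
    if [ -n "$label" ]; then rule_to_cmd "$label" "$pp" "$src"; fi
  done
  echo "ufw --force enable"
}

# Usage: 'sh firewall-plan.sh' to review, then 'sh firewall-plan.sh | sudo sh' to apply.
build_plan
```

Because the script only prints commands, the plan can be reviewed (and kept under version control) before anything is applied, and re-running it is harmless since ufw skips rules that already exist.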
If it is ever desirable to disable the firewall for testing or other reasons
sudo ufw disable
Note: This also disables iptables
To list current rules
sudo ufw status
- or -
sudo ufw status verbose
To remove a rule
Identify the rule ID number to be removed
sudo ufw status numbered
Remove the rule by ID number (rule numbers shift after each deletion, so re-run the numbered status before deleting another rule)
sudo ufw delete <ID> - Example: sudo ufw delete 2
Remove packages that were automatically installed and are no longer required
Updates, upgrades and installations sometimes pull in dependency packages that are later no longer required; these can be detected and removed automatically.
Automatically detect and remove packages no longer required
sudo apt autoremove -y

© 2025 Charles Varvayanis
All rights reserved