Why Configure UFW
UFW (Uncomplicated Firewall) is a user-friendly frontend for iptables/nftables that simplifies complex firewall configuration into a few intuitive commands. By default, most Linux distributions ship without an active host firewall, so every listening service is reachable from the network and the system is a prime target for automated scanners and brute-force attacks. By following this guide, you will establish a basic yet robust security perimeter that only allows necessary traffic and hides unused services.
Preparation and Installation
Before you begin, ensure you have terminal access with sudo privileges. On Ubuntu and its derivatives, UFW is usually pre-installed. If you are working with a minimal Debian image or another server distribution, install the package:
sudo apt update && sudo apt install ufw -y
Check the utility version to ensure your security packages are up to date:
ufw version
⚠️ Important: All commands below require superuser privileges. Run them via sudo or switch to the root user beforehand.
Step 1: Reset Configuration and Default Policies
If you have previously experimented with firewalls, start with a clean slate. This will prevent rule conflicts and unpredictable behavior.
sudo ufw --force reset
Set a strict default policy: block all incoming traffic and allow all outgoing traffic. This is a standard security practice for servers.
sudo ufw default deny incoming
sudo ufw default allow outgoing
💡 Tip: Keep outgoing traffic open; otherwise, the server won't be able to download updates, send system notifications, or reach external APIs.
Step 2: Allowing Basic Connections
Critical: Before activating the firewall, open the port for remote management. Otherwise, you will instantly lose connection to the server.
# Allow SSH (port 22)
sudo ufw allow ssh
# If you are using a non-standard port, specify it explicitly:
sudo ufw allow 2222/tcp
If a web application or control panel is running on the machine:
sudo ufw allow http
sudo ufw allow https
# Or use an application profile (e.g., for Nginx):
sudo ufw allow "Nginx Full"
To restrict access to administrative ports to trusted IPs only:
sudo ufw allow from 203.0.113.10 to any port 22
Step 3: Enabling and Verifying the Firewall
Once the rules are configured, activate the protection. The system will prompt for confirmation, as active SSH sessions may drop when kernel modules are reloaded.
sudo ufw enable
After successful activation, check the current status and the list of applied rules:
sudo ufw status verbose
You will see a table with directions (Direction), actions (Action), and sources (From). Ensure that SSH (or your custom port) is listed with ALLOW IN. For detailed diagnostics, enable logging:
sudo ufw logging medium
Logs are written to /var/log/ufw.log, and each dropped packet is tagged [UFW BLOCK]. You can conveniently monitor blocked traffic in real time using the following command:
sudo tail -f /var/log/ufw.log | grep "UFW BLOCK"
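Once logging is on, the log is only useful if you actually read it. As an added example (not part of the original guide), this POSIX shell script summarises [UFW BLOCK] events by source address, destination port and protocol; the log lines are constructed sample data in the format UFW writes to /var/log/ufw.log, and the function names are my own.

```shell
#!/bin/sh
# Summarise UFW BLOCK events from ufw.log-style lines (added example).

# Constructed sample log lines; a real run would read /var/log/ufw.log instead.
SAMPLE_LOG='Jan 10 12:00:01 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=244 ID=1 PROTO=TCP SPT=44321 DPT=23 WINDOW=1024 SYN URGP=0
Jan 10 12:00:02 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=244 ID=2 PROTO=TCP SPT=44322 DPT=3389 WINDOW=1024 SYN URGP=0
Jan 10 12:00:03 srv kernel: [UFW ALLOW] IN=eth0 OUT= SRC=203.0.113.10 DST=203.0.113.5 LEN=60 TTL=56 ID=3 PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 SYN URGP=0
Jan 10 12:00:04 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TTL=50 ID=4 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 SYN URGP=0
Jan 10 12:00:05 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=244 ID=5 PROTO=UDP SPT=5000 DPT=161
Jan 10 12:00:06 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=244 ID=6 PROTO=TCP SPT=44323 DPT=23 WINDOW=1024 SYN URGP=0'

# block_summary: read log lines on stdin and print "count SRC DPT PROTO"
# for every [UFW BLOCK] entry, most frequent combination first.
# [UFW ALLOW] and unrelated kernel lines are ignored.
block_summary() {
    awk '/\[UFW BLOCK\]/ {
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
        }
        if (src != "" && dpt != "") count[src " " dpt " " proto]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# top_blocked_source: the single source address with the most blocked packets,
# a quick way to spot a scanner worth rate-limiting or denying outright.
top_blocked_source() {
    awk '/\[UFW BLOCK\]/ { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) c[substr($i, 5)]++ }
         END { for (s in c) print c[s], s }' | sort -rn | head -n 1 | awk '{ print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | block_summary
```

To run it against the live log, replace the printf with `sudo cat /var/log/ufw.log | block_summary`.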
Troubleshooting Common Issues
- Loss of access after enabling. If you accidentally block SSH, connect to the server via your hosting provider's console or VPS control panel. Run sudo ufw disable, add the allow ssh rule, and re-enable the firewall.
- Rules not applying or conflicting. UFW processes rules sequentially from top to bottom. If you added a deny rule for an entire subnet and then an allow rule for a specific IP within it, the first rule will override the second. Delete the incorrect rule by its number (sudo ufw delete <number>) and re-add it with the correct priority.
- Service inaccessible from outside despite a rule. Check whether the application is listening on the correct interface. The command sudo ss -tulpn | grep :<port> will show whether the process is bound to 0.0.0.0 (all interfaces) or only 127.0.0.1 (localhost). In the latter case, external access is impossible even if UFW allows the traffic: you will need to adjust the service's own configuration.