A firewall is your server's first line of defense. It blocks unwanted connections before they reach your applications. On Ubuntu, UFW (Uncomplicated Firewall) makes configuration simple.
This guide walks you through setting up UFW on a fresh Ubuntu VPS.
What is UFW?
UFW is a front‑end for iptables, the Linux kernel's firewall. It simplifies the complex iptables syntax into easy commands[reference:7]. Most Ubuntu systems include UFW by default.
Step 1: Check UFW Status
sudo ufw status verbose
Initially, UFW is inactive. You'll see "Status: inactive".
Step 2: Set Default Policies
Set default policies before adding rules. This determines what happens to unmatched traffic.
sudo ufw default deny incoming
sudo ufw default allow outgoing
This blocks all incoming connections by default but allows outgoing connections. Your server can reach the internet, but external parties can't initiate connections unless you explicitly allow them.
Step 3: Allow Essential Ports
Allow SSH (change port to your custom SSH port if you changed it), HTTP, and HTTPS:
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
If you changed your SSH port to 2222:
sudo ufw allow 2222/tcp
Step 4: Enable UFW
sudo ufw enable
Important: Before enabling, make sure you've allowed SSH. If you lock yourself out, you'll need to use your VPS provider's console access to disable UFW.
Step 5: Check Your Rules
sudo ufw status numbered
This shows all rules with numbers. Useful for deleting specific rules later.
Step 6: Add Rate Limiting
Rate limiting protects against brute force attacks:
sudo ufw limit ssh/tcp
This allows 6 connections per 30 seconds from the same IP.
Common Additional Rules
Allow a specific IP for all ports:
sudo ufw allow from 192.168.1.100
Allow a port range:
sudo ufw allow 1000:2000/tcp
Allow a specific service:
sudo ufw allow 'OpenSSH'
Managing Rules
Delete by number:
sudo ufw delete 3
Delete by rule:
sudo ufw delete allow 80/tcp
Disable UFW (troubleshooting only):
sudo ufw disable
Complete Setup Example
Here's a complete setup for a typical web server:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw limit ssh/tcp
sudo ufw enable
After running these commands, your web server is protected. Only SSH, HTTP, and HTTPS are open to the internet. SSH has rate limiting enabled.
Troubleshooting
SSH connection lost after enabling UFW – You didn't allow SSH before enabling. Reboot your server from your VPS dashboard to disable UFW temporarily, or use your VPS provider's console access to fix the rules.
Docker and UFW – Docker bypasses UFW rules. If you use Docker, consider using Docker's own firewall features or research UFW + Docker workarounds.
Next Steps
With UFW set up, consider additional security measures: install Fail2ban to block brute force attacks, set up automatic security updates, and configure regular backups.
Need a VPS to practice on? Check our recommended VPS providers.