A firewall is your server's first line of defense. It blocks unwanted connections before they reach your applications.
On Ubuntu, UFW (Uncomplicated Firewall) makes firewall configuration simple. This guide walks you through setting it up.
What is UFW?
UFW stands for Uncomplicated Firewall. It's a front‑end for iptables, the Linux kernel's firewall. UFW simplifies the complex iptables syntax into easy commands.
UFW is pre‑installed on most Ubuntu systems. If not, install it with sudo apt install ufw -y.
Basic UFW Commands
Check the current status: sudo ufw status verbose. Initially, UFW is inactive.
To enable UFW: sudo ufw enable. This activates your firewall with default rules.
To disable UFW (only for troubleshooting): sudo ufw disable.
Reset to defaults: sudo ufw reset. This removes all rules.
Default Policies
Set default policies before adding rules. These determine what happens to unmatched traffic.
sudo ufw default deny incoming
sudo ufw default allow outgoing
This blocks all incoming connections by default but allows outgoing connections. Your server can reach the internet, but external parties can't initiate connections to your server unless you explicitly allow them.
Essential Rules for a Web Server
To allow SSH traffic (change the port if your SSH server listens somewhere other than 22): sudo ufw allow 22/tcp.
To allow HTTP traffic: sudo ufw allow 80/tcp.
To allow HTTPS traffic: sudo ufw allow 443/tcp.
You can add rules by port number or service name. For example, sudo ufw allow ssh does the same as allowing port 22.
Common Rules for Other Services
To allow MySQL from a specific IP: sudo ufw allow from 192.168.1.100 to any port 3306.
To allow FTP: sudo ufw allow 21/tcp.
To allow email (SMTP, IMAP): sudo ufw allow 25/tcp and sudo ufw allow 143/tcp.
To allow a specific IP on all ports: sudo ufw allow from 192.168.1.100.
To allow a port range: sudo ufw allow 1000:2000/tcp.
Managing Rules
List rules with numbers: sudo ufw status numbered.
Delete by number: sudo ufw delete 3.
Delete by rule: sudo ufw delete allow 80/tcp.
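Deleting by number is awkward to script, because the numbers are positions in the list: once rule 2 is gone, the old rule 3 becomes rule 2. The helper below is an added example, not code from the original article; it looks rule numbers up by content in the output of sudo ufw status numbered and deletes from the highest number down so earlier numbers stay valid. The UFW_BIN variable is an assumption of this example so the delete step can be dry-run with UFW_BIN=echo, and the status text it parses is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original article: scripting "delete by
# number". Rule numbers are positions in the list, so deleting rule 2 turns
# the old rule 3 into rule 2; this helper looks numbers up by content and
# deletes from the highest number down so earlier numbers stay valid.
#
# Assumption (hypothetical, not from the article): UFW_BIN lets the delete
# step be dry-run with UFW_BIN=echo.
UFW_BIN="${UFW_BIN:-sudo ufw}"

# Constructed sample of `sudo ufw status numbered` output for the examples
# below; on a real host pipe the live command instead.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 3306                       ALLOW IN    192.168.1.100
[ 5] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# rule_numbers TO [FROM]: read `ufw status numbered` output on stdin and print
# the numbers of rules whose To and From columns equal the arguments exactly
# (FROM defaults to Anywhere). The action words between the columns are
# replaced by a tab so that values containing spaces, like "22/tcp (v6)",
# still compare as whole columns.
rule_numbers() {
    awk -v to="$1" -v from="${2:-Anywhere}" '
        /^\[ *[0-9]+\]/ {
            n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            if (sub(/ +(ALLOW|DENY|REJECT|LIMIT) (IN|OUT|FWD) +/, "\t", rest) &&
                split(rest, f, "\t") == 2 && f[1] == to && f[2] == from)
                print n
        }'
}

# delete_rules_matching TO [FROM]: delete every rule matching TO/FROM, highest
# number first. Returns 1 if nothing matched.
delete_rules_matching() {
    nums=$(rule_numbers "$1" "$2" | sort -rn)
    if [ -z "$nums" ]; then
        echo "no rule matches '$1' from '${2:-Anywhere}'" >&2
        return 1
    fi
    for n in $nums; do
        # --force skips the per-rule confirmation prompt.
        $UFW_BIN --force delete "$n" || return 1
    done
}

# Real use:  sudo ufw status numbered | delete_rules_matching 80/tcp
# Dry run on the constructed sample (prints "--force delete 2"):
( UFW_BIN=echo; printf '%s\n' "$SAMPLE_STATUS" | delete_rules_matching 80/tcp )
```

The IPv6 copy of a rule is a separate entry with its own From value, so removing both the v4 and v6 rules for port 80 takes two calls: delete_rules_matching 80/tcp and delete_rules_matching '80/tcp (v6)' 'Anywhere (v6)'.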
Advanced UFW Features
**Rate limiting** protects against brute force attacks: sudo ufw limit ssh/tcp. This denies further connections from an IP that has attempted 6 or more connections within 30 seconds.
**Application profiles** use predefined rules for common applications: sudo ufw app list shows available profiles, and sudo ufw allow 'OpenSSH' allows the OpenSSH profile.
**IPv6 support** works automatically if enabled on your system.
Complete Setup Example for a Web Server
Here's a complete setup for a typical web server running a WordPress site.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw limit ssh/tcp
sudo ufw enable
After running these commands, your web server is protected. Only SSH, HTTP, and HTTPS are open to the internet. SSH has rate limiting enabled.
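The same setup as a script, added here as an example and not taken from the original article. It adds the one guard the troubleshooting section below shows is needed most: before enabling UFW it reads the port sshd is configured to listen on and refuses to enable the firewall if that port is not the one the rules keep open. The UFW_BIN and SSHD_CONFIG variables are assumptions of this example so it can be dry-run with UFW_BIN=echo and tested against a constructed sshd_config.

```shell
#!/bin/sh
# Added example, not part of the original article: a guarded version of the
# article's web-server setup. It checks that the SSH port it is about to keep
# open is the port sshd is configured to listen on, and refuses to enable
# the firewall otherwise (the lock-out mistake described under Troubleshooting).
#
# Assumptions (hypothetical, not from the article): UFW_BIN and SSHD_CONFIG
# are override variables so the script can be dry-run with UFW_BIN=echo.
UFW_BIN="${UFW_BIN:-sudo ufw}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# sshd_port [config]: print the port sshd listens on. The last uncommented
# "Port N" directive wins; with no directive (or no readable file) it is 22.
sshd_port() {
    config="${1:-$SSHD_CONFIG}"
    port=22
    if [ -r "$config" ]; then
        found=$(awk 'tolower($1) == "port" { p = $2 } END { if (p) print p }' "$config")
        [ -n "$found" ] && port="$found"
    fi
    printf '%s\n' "$port"
}

# web_server_rules SSH_PORT: print the rule set, one ufw argument list per
# line. "limit" both allows the port and rate-limits it, so the separate
# "allow 22/tcp" from the article is not needed.
web_server_rules() {
    cat <<EOF
default deny incoming
default allow outgoing
limit $1/tcp
allow 80/tcp
allow 443/tcp
EOF
}

# apply_web_server_rules SSH_PORT: apply the rules and enable UFW, but only
# if SSH_PORT matches sshd's configuration. Returns 1 (nothing enabled)
# when they differ.
apply_web_server_rules() {
    ssh_port="$1"
    actual=$(sshd_port)
    if [ "$ssh_port" != "$actual" ]; then
        echo "refusing to enable: sshd listens on $actual, rules would open $ssh_port" >&2
        return 1
    fi
    # Word splitting of $UFW_BIN and $rule is intentional here.
    web_server_rules "$ssh_port" | while IFS= read -r rule; do
        $UFW_BIN $rule || exit 1
    done || return 1
    # --force skips the interactive "may disrupt existing ssh connections" prompt.
    $UFW_BIN --force enable
}

# Usage on a real host with SSH on port 22:   apply_web_server_rules 22
# Dry run that only prints the ufw commands:  UFW_BIN=echo apply_web_server_rules 22
```

Run it with the port you expect SSH to be on; if sshd_config says otherwise, the script stops before enable and nothing changes, which is exactly the moment to fix either the rule or the port rather than discover the mismatch after the session drops.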
Testing Your Firewall
Before closing your SSH session, test that you can still connect. Open a second terminal window and try logging in. If you're locked out, you can disable UFW from the original terminal.
After confirming SSH works, use an online port scanner or nmap to verify only your allowed ports are open.
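A port scan shows what is reachable from outside; the check below, added as an example and not part of the original article, shows the same picture from the host side. It pairs the sockets actually listening (output of ss -tlnH) with the rules UFW admits from Anywhere (output of sudo ufw status) and reports, for every port bound to a non-loopback address, whether it is open or filtered. Both inputs in the block are constructed samples, and application profile names such as OpenSSH are not resolved to ports, which is a limitation of this example.

```shell
#!/bin/sh
# Added example, not part of the original article: an on-host check that
# complements the port scan. It pairs the sockets actually listening
# (`ss -tlnH`) with the rules UFW admits from Anywhere (`ufw status`) and
# reports, per externally bound port, whether it is open or filtered.
# Application profile names (e.g. OpenSSH) are not resolved to ports here,
# which is a limitation of this example, not of UFW.

# listening_ports: read `ss -tlnH` output on stdin; print each TCP port bound
# to a non-loopback address once. Column 4 is Local Address:Port.
listening_ports() {
    awk '$1 == "LISTEN" {
            addr = $4; port = $4
            sub(/.*:/, "", port)          # text after the last colon
            sub(/:[^:]*$/, "", addr)      # text before the last colon
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /%lo$/) next
            if (!(port in seen)) { seen[port] = 1; print port }
        }'
}

# allowed_from_anywhere: read `ufw status` output on stdin; print ports whose
# rule is ALLOW or LIMIT from Anywhere. The "(v6)" rows repeat the same port
# and are skipped; rules tied to a specific source address are excluded.
allowed_from_anywhere() {
    awk '($2 == "ALLOW" || $2 == "LIMIT") && $3 == "Anywhere" {
            port = $1; sub(/\/tcp$/, "", port)
            if ($1 ~ /\/udp$/) next
            if (!(port in seen)) { seen[port] = 1; print port }
        }'
}

# exposure_report SS_FILE UFW_FILE: one line per externally bound port,
# "PORT open" if a rule admits it from anywhere, otherwise "PORT filtered".
exposure_report() {
    allowed=" $(allowed_from_anywhere < "$2" | tr '\n' ' ')"
    listening_ports < "$1" | while IFS= read -r port; do
        case "$allowed" in
            *" $port "*) echo "$port open" ;;
            *) echo "$port filtered" ;;
        esac
    done
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SS='LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      128          0.0.0.0:8080      0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*'
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3306                       ALLOW       192.168.1.100
22/tcp (v6)                LIMIT       Anywhere (v6)'

# demo: run the report over the samples. On a real host:
#   ss -tlnH > ss.txt; sudo ufw status > ufw.txt; exposure_report ss.txt ufw.txt
demo() {
    ss_file=$(mktemp); ufw_file=$(mktemp)
    printf '%s\n' "$SAMPLE_SS" > "$ss_file"
    printf '%s\n' "$SAMPLE_UFW" > "$ufw_file"
    exposure_report "$ss_file" "$ufw_file"
    rm -f "$ss_file" "$ufw_file"
}
demo
```

In the sample, the 8080 listener is bound to all interfaces but no rule admits it, so it shows as filtered; MySQL on 3306 is bound to loopback and never appears, which is the state you want for a database on a single web server.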
Troubleshooting Common Issues
A "Problem running ufw" error usually indicates an iptables issue. Try sudo apt install --reinstall iptables to reinstall it.
Losing your SSH connection after enabling UFW usually means SSH wasn't allowed before you enabled it. Reboot your server from your VPS dashboard to disable UFW temporarily, or use your VPS provider's console access to fix the rules.
Docker and UFW can have conflicts because Docker bypasses UFW rules. If you use Docker, consider using Docker's own firewall features or research UFW + Docker workarounds.
Next Steps
Now that UFW is set up, consider additional security measures: install Fail2ban to block brute force attacks, set up automatic security updates, and configure regular backups.
Need a VPS to practice on? Check our recommended VPS providers.