A firewall is the first line of defense for your server. UFW (Uncomplicated Firewall) makes configuring iptables easy, even for beginners. At Theory7, we recommend UFW for all VPS servers due to its user-friendly syntax and reliability. In this guide, you will learn everything about UFW configuration.

What does a firewall do?

A firewall controls all network traffic that enters and exits your server. You can set rules to:

  • Open specific ports for services
  • Block unwanted traffic
  • Allow only certain IP addresses
  • Apply rate limiting

Without a firewall, anyone can try to connect to any service on your server.

Installing UFW

On most Debian and Ubuntu systems, UFW is already installed. If not:

sudo apt update
sudo apt install ufw

Check if UFW is installed:

sudo ufw version

Basic Configuration

Setting Default Policies

Start by setting the default policies. This determines what happens to traffic that is not explicitly allowed or blocked:

# Block all incoming traffic
sudo ufw default deny incoming

# Allow all outgoing traffic
sudo ufw default allow outgoing

This is the safest base: nothing comes in unless you explicitly allow it.

Opening Essential Ports

Open the ports you need before activating UFW:

# SSH access (critical - don't forget this!)
sudo ufw allow ssh

# Or with specific port
sudo ufw allow 22/tcp

# Web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Activating UFW

After setting the basic rules:

sudo ufw enable

You will receive a warning that existing SSH connections may be interrupted. If you have allowed SSH, this is not a problem.

Advanced UFW Commands

Opening and Closing Ports

# Open specific port
sudo ufw allow 8080/tcp

# Open port range
sudo ufw allow 6000:6007/tcp

# Open UDP port
sudo ufw allow 53/udp

# Close port
sudo ufw deny 3306/tcp

Using Service Names

UFW recognizes common services:

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw allow ftp

View available services:

less /etc/services

IP-Specific Rules

Allow only specific IPs:

# Allow specific IP
sudo ufw allow from 192.168.1.100

# Allow IP on specific port
sudo ufw allow from 192.168.1.100 to any port 22

# Allow IP range
sudo ufw allow from 192.168.1.0/24

# Block specific IP
sudo ufw deny from 203.0.113.100

Rate Limiting

Protect against brute force attacks:

sudo ufw limit ssh

This denies new connections from an address that opens too many in a short window (UFW's limit rule triggers at 6 connection attempts within 30 seconds), which slows down password guessing against SSH without blocking normal logins.

UFW Status and Management

Viewing Status

# Basic status
sudo ufw status

# Detailed status with rule numbers
sudo ufw status numbered

# Verbose output
sudo ufw status verbose

Removing Rules

# By rule number
sudo ufw status numbered
sudo ufw delete 3

# By rule specification
sudo ufw delete allow 80/tcp

Disabling UFW

# Temporarily disable
sudo ufw disable

# Reset to default (disables UFW and removes all rules, so re-add your SSH rule before enabling again)
sudo ufw reset

Application Profiles

UFW supports application profiles for more complex configurations:

# View available profiles
sudo ufw app list

# Profile information
sudo ufw app info "OpenSSH"

# Allow profile
sudo ufw allow "OpenSSH"

UFW Logging

Activate logging to monitor suspicious traffic:

# Set logging level
sudo ufw logging on
sudo ufw logging medium

Logging levels: off, low, medium, high, full

View logs:

sudo tail -f /var/log/ufw.log
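As an added example that is not part of the original guide, the following POSIX shell function summarises the blocked attempts recorded in /var/log/ufw.log by source address and destination port, so repeated probes stand out at a glance. The log lines it is fed below are constructed samples in the format the kernel writes for [UFW BLOCK] and [UFW LIMIT BLOCK] entries; [UFW ALLOW] lines are deliberately skipped.

```shell
#!/bin/sh
# Count blocked packets per "SRC PROTO/DPT" from ufw.log-style lines.
# Reads the file given as the first argument, or stdin when none is given.
ufw_block_summary() {
  awk '
    # Only BLOCK and LIMIT BLOCK actions count; ALLOW and AUDIT lines are ignored.
    /\[UFW (LIMIT )?BLOCK\]/ {
      src = ""; dpt = ""; proto = ""
      # Fields are KEY=VALUE tokens separated by spaces; pick the three we need.
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
      }
      # ICMP entries have no DPT; they are left out of this port-oriented summary.
      if (src != "" && dpt != "") count[src " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }
  ' "${1:--}" | sort -rn
}

# Constructed sample log (not real traffic): three SSH probes from one host,
# two single probes from another, and one allowed HTTPS packet.
UFW_SAMPLE_LOG='Jan 10 12:00:01 vps kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.100 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 vps kernel: [ 1235.567890] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.100 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 vps kernel: [ 1236.567890] [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.100 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=0 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:04 vps kernel: [ 1237.567890] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:05 vps kernel: [ 1238.567890] [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=55000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:06 vps kernel: [ 1239.567890] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=40002 DPT=53 LEN=40'

# Demo run on the sample; on a real server use: ufw_block_summary /var/log/ufw.log
printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_block_summary
```

A source that tops this list on port 22 is a candidate for a deny rule or for tightening the limit rule shown earlier.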

Example Configuration for Web Server

A complete configuration for a typical web server:

# Reset any existing rules
sudo ufw reset

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# SSH on a custom port (replace 2222 with the port sshd actually listens on)
sudo ufw limit 2222/tcp

# Web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# DirectAdmin (listens on 2222 by default; if SSH shares that port, the limit rule above already covers it)
sudo ufw allow 2222/tcp

# Mail (optional)
sudo ufw allow 25/tcp
sudo ufw allow 587/tcp
sudo ufw allow 993/tcp

# Activate
sudo ufw enable

Troubleshooting

Locked Out of SSH

If you lock yourself out, use your hosting provider's console access (which does not go through the network) to run sudo ufw disable, then add the missing SSH rule before enabling UFW again.

Rule Not Working

Check the order of rules. UFW processes rules from top to bottom and the first matching rule wins; sudo ufw status numbered shows the order, and sudo ufw insert N ... places a new rule at position N instead of appending it.

Service Accessible Despite Deny

Check whether an allow rule sits above the deny; because the first match wins, the deny has no effect unless it is inserted before the allow (or the broader allow is deleted).

Need Help?

We are here for you! Are you facing any issues or have questions? Our support team is happy to assist you personally. Send us a message via the ticket system - we usually respond within a few hours and are happy to help you.