UFW (Uncomplicated Firewall) is a user-friendly firewall tool on Ubuntu and Debian. It lets you control which network ports are open to the internet, protecting your VPS from unauthorized access. This guide shows you how to enable it safely without locking yourself out.
Enable UFW
1. Connect to your VPS via SSH as a user with sudo privileges
2. Check the current status
```bash
sudo ufw status
```
It should say "inactive" on a fresh VPS.
3. Set default policies (deny incoming, allow outgoing)
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
```
This blocks all incoming traffic by default and allows all outgoing traffic.
4. Allow SSH before enabling UFW (critical!)
```bash
sudo ufw allow 22/tcp
```
If you skip this step and enable UFW, you'll lock yourself out.
5. Enable UFW
```bash
sudo ufw enable
```
Type y when prompted to confirm.
6. Verify it's active
```bash
sudo ufw status
```
It should now show "active" with the SSH rule listed.
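The six steps above as one script, added here as an example and not part of the original guide: it reads the SSH port from sshd_config instead of assuming 22, and it refuses to run `ufw enable` unless `ufw show added` (which lists rules queued while the firewall is still inactive) really contains the SSH allow rule. Assumes only the `ufw` and `sudo` commands used in this guide and the standard sshd_config path.

```bash
#!/bin/sh
# Added example: enable UFW without locking yourself out of SSH.
# Usage: sh safe-ufw.sh --apply   (functions only when run without --apply)

# Take the SSH port from sshd_config text ($1); default to 22 when no
# uncommented "Port" line is present.
ssh_port_from_config() {
    port=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' \
        | head -n 1)
    printf '%s\n' "${port:-22}"
}

# Return 0 when the `ufw show added` text ($1) contains an allow rule for
# port $2 (either "ufw allow 22/tcp" or the protocol-less "ufw allow 22").
has_ssh_allow_rule() {
    printf '%s\n' "$1" | grep -Eq "^ufw allow $2(/tcp)?$"
}

# Steps 3-6 of the guide, with the SSH rule verified before enabling.
safe_enable_ufw() {
    port=$(ssh_port_from_config "$(cat /etc/ssh/sshd_config 2>/dev/null)")
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw allow "$port/tcp"
    if has_ssh_allow_rule "$(sudo ufw show added)" "$port"; then
        sudo ufw enable          # answer y at the prompt
        sudo ufw status          # should now report "active" with the SSH rule
    else
        echo "refusing to enable UFW: no allow rule for $port/tcp queued" >&2
        return 1
    fi
}

if [ "${1:-}" = "--apply" ]; then
    safe_enable_ufw
fi
```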
Open Ports for Common Services
Once UFW is active, add rules for the services you're running.
Web server (HTTP and HTTPS):
CODE0
Email (SMTP, POP3, IMAP):
CODE1
Database (MySQL/MariaDB):
CODE2
Note: Only open this if your database server is on this machine AND you trust the network. For better security, restrict to a specific IP:
CODE3
DNS:
CODE4
VPN or custom services:
CODE5
View and Delete Rules
List all rules with rule numbers:
CODE6
Delete a rule by number:
CODE7
Replace 5 with the rule number from the list above.
Delete a rule by service name:
CODE8
Allow/Deny Specific IP Addresses
Allow a specific IP to SSH:
CODE9
Block a specific IP:
CODE10
Allow a range of IPs:
CODE11
Disable UFW (if needed)
If you need to troubleshoot or make major changes:
CODE12
Re-enable it when done:
CODE13
Common Scenarios
Simple web server (HTTP + HTTPS + SSH):
CODE14
Web + Database (local only):
CODE15
VPS running multiple applications:
CODE16
Logging and Monitoring
Enable UFW logging:
CODE17
View log entries:
CODE18
Press Ctrl + C to stop.
Check which ports are listening:
CODE19
Or on newer systems:
CODE20
Troubleshooting
Locked out of SSH after enabling UFW
- Use a recovery console or VNC access provided by your hosting company
- Disable UFW: sudo ufw disable
- Re-enable with the SSH rule first: sudo ufw allow 22/tcp && sudo ufw enable
A service isn't reachable even though I opened the port
- Verify the service is running: sudo systemctl status servicename
- Check it's listening on the right port: sudo netstat -tlnp | grep :3306 (replace 3306 with your port)
- Confirm the firewall rule exists: sudo ufw status numbered
UFW won't enable or behaves oddly
- Restart UFW: sudo systemctl restart ufw
- Check for errors: sudo ufw status verbose
What's Next?
- Set up key-based SSH authentication to further harden SSH
- Install and configure fail2ban to block brute-force attacks
- Regularly update your system: sudo apt update && sudo apt upgrade
- Monitor open ports and services: sudo ss -tlnp