
Set up a UFW firewall on Ubuntu

Enable and configure UFW (Uncomplicated Firewall) to control network access to your VPS.


UFW (Uncomplicated Firewall) is the default firewall front end on Ubuntu and is also available on Debian. It manages the kernel's netfilter rules for you, so you can decide which ports accept connections from the internet and block everything else. This guide shows you how to enable it safely, without cutting off your own SSH access.

Enable UFW

1. Connect to your VPS via SSH as a user with sudo privileges

2. Check the current status
```bash
sudo ufw status
```
It should say "inactive" on a fresh VPS.

3. Set default policies (deny incoming, allow outgoing)
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
```
This blocks all incoming traffic by default and allows all outgoing traffic.

4. Allow SSH before enabling UFW (critical!)
```bash
sudo ufw allow 22/tcp
```
If sshd listens on a port other than 22, allow that port instead. If you skip this step and enable UFW, your current session will usually stay up (UFW keeps established connections), but every new SSH connection will be refused and you will be locked out as soon as you disconnect. UFW's limit action can be used instead of allow here: it still opens the port but drops a source that opens too many new connections in a short time, which blunts password brute-forcing.

5. Enable UFW
```bash
sudo ufw enable
```
Type y when prompted to confirm.

6. Verify it's active
```bash
sudo ufw status
```
It should now show "active" with the SSH rule listed.
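The six steps above as one script, added here as an example and not part of the original article. It reads the real sshd port from sshd_config instead of assuming 22, uses UFW's limit action for SSH (the rate limit, 6 new connections per 30 seconds from one source, is UFW's documented default for limit), and only runs ufw when the assumed DRY_RUN variable is unset, so you can inspect the commands first. The sshd_config path and the single-Port-directive assumption are this example's, not the article's.

```bash
#!/usr/bin/env bash
# Added example: enable UFW without locking yourself out of SSH.
# Assumptions: sshd_config has at most one active "Port" line, and
# DRY_RUN=1 means "print the commands instead of running them".
set -eu

# Return the port sshd listens on, read from an sshd_config file.
# Commented-out "#Port" lines are ignored; no Port line means 22.
detect_ssh_port() {
    local config="$1" port
    port=$(awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? 22 : p) }' "$config")
    printf '%s\n' "$port"
}

# Build the ufw command sequence for a VPS that exposes SSH on $1.
# "ufw limit" allows the port but drops a source that opens more than
# 6 new connections in 30 seconds (UFW's documented limit behaviour).
ufw_commands() {
    local ssh_port="$1"
    printf '%s\n' \
        "ufw default deny incoming" \
        "ufw default allow outgoing" \
        "ufw limit ${ssh_port}/tcp" \
        "ufw --force enable"
}

# Apply the commands with sudo, or print them when DRY_RUN=1.
apply_firewall() {
    local config="${1:-/etc/ssh/sshd_config}" port
    port=$(detect_ssh_port "$config")
    ufw_commands "$port" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'would run: sudo %s\n' "$cmd"
        else
            sudo $cmd   # word splitting intended: $cmd is a fixed argv list
        fi
    done
    # Confirm the result the way step 6 does.
    [ "${DRY_RUN:-0}" = 1 ] || sudo ufw status verbose
}

# Dry run against a constructed sshd_config where sshd was moved to 2222.
if [ "${DRY_RUN:-0}" = 1 ]; then
    tmp=$(mktemp)
    printf '%s\n' '#Port 22' 'Port 2222' 'PermitRootLogin no' > "$tmp"
    apply_firewall "$tmp"
    rm -f "$tmp"
fi
```

Run it once with `DRY_RUN=1 bash enable-ufw.sh` to see the four commands it would issue, then without DRY_RUN to apply them. The `--force` on `ufw enable` skips the interactive "may disrupt existing ssh connections" prompt, which matters when the script runs non-interactively.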

Open Ports for Common Services

Once UFW is active, add rules for the services you're running.

Web server (HTTP and HTTPS):
CODE0

Email (SMTP, POP3, IMAP):
CODE1

Database (MySQL/MariaDB):
CODE2
Note: UFW allows loopback traffic by default, so a database used only by applications on the same machine needs no firewall rule at all. Open this port only if clients on other hosts must connect directly, and then restrict it to their IP addresses rather than the whole internet (a private network or an SSH tunnel is safer still):
CODE3

DNS:
CODE4

VPN or custom services:
CODE5

View and Delete Rules

List all rules with rule numbers:
CODE6

Delete a rule by number:
CODE7
Replace 5 with the rule number from the list above.

Delete a rule by service name:
CODE8
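Deleting several rules by number has a trap: UFW renumbers the list after every delete, so removing rule 3 and then rule 5 deletes the wrong second rule. The script below, added here as an example and not part of the original article, parses the output of `ufw status numbered`, finds every rule whose "To" column matches a port, and deletes them from the highest number down so the remaining numbers stay valid. The status text is a constructed sample; the APPLY variable is this example's own switch between printing and running the commands.

```bash
#!/usr/bin/env bash
# Added example: delete all rules for a port from "ufw status numbered",
# highest number first, because ufw renumbers after each delete.
set -eu

# Constructed sample of "sudo ufw status numbered" output.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    203.0.113.10
[ 4] 443/tcp                    ALLOW IN    Anywhere
[ 5] 3306/tcp                   ALLOW IN    Anywhere
[ 6] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 7] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Print the numbers of rules whose "To" column is exactly PORT/PROTO
# (IPv6 twins like "22/tcp (v6)" match too), highest number first.
# Reads the status text from stdin.
rule_numbers_for() {
    local spec="$1"
    awk -v spec="$spec" '
        /^\[ *[0-9]+\]/ {
            n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)   # rule number
            line = $0; sub(/^\[ *[0-9]+\] */, "", line)       # drop "[ n]"
            split(line, f, " ")
            if (f[1] == spec) print n
        }' | sort -rn
}

# Print the delete commands, or run them when APPLY=1.
# "--force" skips the per-rule confirmation prompt.
delete_rules_for() {
    local spec="$1" n
    rule_numbers_for "$spec" | while IFS= read -r n; do
        if [ "${APPLY:-0}" = 1 ]; then
            sudo ufw --force delete "$n"
        else
            printf 'sudo ufw --force delete %s\n' "$n"
        fi
    done
}

# Dry run against the sample: 3306/tcp is rules 5 and 3, so 5 goes first
# and 3 is still rule 3 afterwards.
printf '%s\n' "$SAMPLE_STATUS" | delete_rules_for 3306/tcp
```

On a live system replace the sample with `sudo ufw status numbered | delete_rules_for 3306/tcp`, check the printed commands, then rerun with `APPLY=1`.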

Allow/Deny Specific IP Addresses

Allow a specific IP to SSH:
CODE9

Block a specific IP:
CODE10

Allow a range of IPs:
CODE11

Disable UFW (if needed)

If you need to troubleshoot or make major changes:
CODE12

Re-enable it when done:
CODE13

Common Scenarios

Simple web server (HTTP + HTTPS + SSH):
CODE14

Web + Database (local only):
CODE15

VPS running multiple applications:
CODE16

Logging and Monitoring

Enable UFW logging:
CODE17

View log entries:
CODE18
Press Ctrl + C to stop.

Check which ports are listening:
CODE19
Or on newer systems:
CODE20
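UFW's log lines are written by the kernel in the netfilter `[UFW BLOCK] IN=... SRC=... DPT=...` key=value form, which makes them easy to summarise. The script below, added here as an example and not part of the original article, counts blocked packets by source address and by destination port and lists sources over a threshold, which is the input you would feed to a `ufw deny from` rule. The log lines are constructed samples; on a real VPS pipe in `sudo journalctl -k | grep 'UFW BLOCK'` or /var/log/ufw.log instead.

```bash
#!/usr/bin/env bash
# Added example: summarise "[UFW BLOCK]" log entries by source and port.
set -eu

# Constructed sample log lines in the format UFW emits via the kernel.
# 198.51.100.7 probes telnet, an alternate telnet port and MySQL;
# the last line is an AUDIT entry and must not be counted as a block.
SAMPLE_LOG='Jun 10 09:12:01 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=aa SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP SPT=44021 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 09:12:03 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=aa SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54322 PROTO=TCP SPT=44022 DPT=2323 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 09:12:09 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=aa SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=11 PROTO=TCP SPT=51000 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 10 09:12:15 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=aa SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54323 PROTO=TCP SPT=44023 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 09:12:20 vps kernel: [UFW AUDIT] IN=eth0 OUT= MAC=aa SRC=203.0.113.9 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0'

# Print "count source" for blocked packets, busiest source first. Reads stdin.
blocked_by_source() {
    grep 'UFW BLOCK' | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); c[$i]++ }
    } END { for (s in c) print c[s], s }' | sort -rn
}

# Print "count port/proto" for blocked packets, busiest port first. Reads stdin.
blocked_by_port() {
    grep 'UFW BLOCK' | awk '{
        p = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) { p = $i; sub(/^PROTO=/, "", p) }
            if ($i ~ /^DPT=/)   { d = $i; sub(/^DPT=/, "", d) }
        }
        if (d != "") c[d "/" tolower(p)]++
    } END { for (k in c) print c[k], k }' | sort -rn
}

# Sources with at least $1 blocked packets: candidates for "ufw deny from".
noisy_sources() {
    local threshold="$1"
    blocked_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | blocked_by_source
printf '%s\n' "$SAMPLE_LOG" | blocked_by_port
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
```

Only `[UFW BLOCK]` entries are counted; `[UFW AUDIT]` and `[UFW ALLOW]` lines, which appear at higher logging levels, are skipped so allowed traffic does not inflate the numbers. Treat the threshold as a starting point for investigation, not an automatic block list: the SRC field is whatever the packet carried and is trivially spoofed for UDP.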

Troubleshooting

Locked out of SSH after enabling UFW
- Use a recovery console or VNC access provided by your hosting company
- Disable UFW: sudo ufw disable
- Re-enable with the SSH rule first: sudo ufw allow 22/tcp && sudo ufw enable

A service isn't reachable even though I opened the port
- Verify the service is running: sudo systemctl status servicename
- Check it's listening on the right port and address: sudo netstat -tlnp | grep :3306 (replace 3306 with your port; sudo ss -tlnp works the same on newer systems). A service bound to 127.0.0.1 is only reachable locally no matter what the firewall allows; it must listen on 0.0.0.0 or the server's public address to accept remote connections
- Confirm the firewall rule exists: sudo ufw status numbered

UFW won't enable or behaves oddly
- Restart UFW: sudo systemctl restart ufw
- Check the service log for errors: sudo journalctl -u ufw
- Confirm the defaults and logging level it actually loaded: sudo ufw status verbose

What's Next?

  • Set up key-based SSH authentication to further harden SSH
  • Install and configure fail2ban to block brute-force attacks
  • Regularly update your system: sudo apt update && sudo apt upgrade
  • Monitor open ports and services: sudo ss -tlnp
