Setting Up a Firewall for Your Linux Server (UFW Tutorial)

Introduction
When it comes to server security, a firewall is your first line of defense. Whether you’re running a personal blog or managing multiple cloud servers, an unprotected server is an open invitation to cyber threats.
In this tutorial, we’ll walk you through everything you need to know about setting up and configuring a firewall on Linux using UFW (Uncomplicated Firewall). UFW is one of the easiest tools to use for managing firewall rules on Ubuntu and other Debian-based distributions.
By the end of this guide, you’ll be able to:
- Understand how UFW works
- Configure basic and advanced firewall rules
- Secure SSH access
- Open/close specific ports
- Create reusable profiles
- Set up logging and monitoring
Let’s get started.
What Is a Firewall?
A firewall is a system that filters incoming and outgoing traffic to or from your server based on a defined set of rules. It allows trusted traffic (like your website or SSH access) and blocks potentially malicious or unauthorized connections.
In Linux, tools like iptables and nftables offer powerful control, but they can be complex. That’s why UFW exists—to make managing firewall rules more accessible and human-readable.
Why Use UFW?
UFW stands for Uncomplicated Firewall, and it’s designed to simplify firewall management. Here’s why it’s a great choice:
- Pre-installed on Ubuntu and many Debian-based systems
- Simple syntax for adding/removing rules
- IPv4 and IPv6 support
- Integrates with app profiles (like OpenSSH, NGINX, Apache)
- Works well on VPS and cloud servers from Vicservers
Prerequisites
Before proceeding, ensure:
✅ You’re running a Linux server (Ubuntu/Debian)
✅ You have sudo/root access
✅ You’re connected via SSH
If you’re using a Vicservers VPS, you’re already equipped with these essentials.
Step 1: Check if UFW Is Installed
Most Ubuntu systems come with UFW pre-installed. To check:
sudo ufw status
If it’s not installed:
sudo apt install ufw
Step 2: Enable UFW (Safely)
Warning: If you’re connected via SSH, you must allow SSH before enabling UFW, or you’ll lock yourself out.
Allow SSH:
sudo ufw allow ssh
UFW resolves the service name through /etc/services, so this allows TCP traffic on port 22.
Then enable the firewall:
sudo ufw enable
You’ll see:
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Congratulations—your firewall is now active!
Step 3: Understanding UFW Rules
View current rules:
sudo ufw status numbered
Allow traffic on a specific port:
sudo ufw allow 80
(For HTTP traffic. A bare port number opens both TCP and UDP; sudo ufw allow 80/tcp restricts the rule to TCP.)
Allow a service by name:
sudo ufw allow "Nginx Full"
This opens both ports 80 (HTTP) and 443 (HTTPS).
Deny traffic on a port:
sudo ufw deny 23
(This blocks Telnet)
Step 4: Basic Configuration Examples
Common Services
| Service | Command |
|---|---|
| SSH | sudo ufw allow ssh |
| HTTP | sudo ufw allow http |
| HTTPS | sudo ufw allow https |
| NGINX | sudo ufw allow 'Nginx Full' |
| Apache | sudo ufw allow 'Apache Full' |
| MySQL | sudo ufw allow 3306 |
Step 5: Restricting SSH Access (Optional)
By default, SSH runs on port 22 and is open to all IPs. For tighter security:
Option 1: Allow from a specific IP only
sudo ufw allow from 203.0.113.4 to any port 22
Option 2: Use a custom SSH port
If you’ve changed your SSH port (e.g., to 2222), allow that instead:
sudo ufw allow 2222/tcp
And remove the port 22 rule once it is no longer used. A delete must repeat the rule exactly as it was added, so if you added it with sudo ufw allow ssh (Step 2), delete it with:
sudo ufw delete allow ssh
If you added it as sudo ufw allow 22, delete it with:
sudo ufw delete allow 22
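The commands from Steps 2, 3 and 5, together with the rate limit introduced later in Step 9, can be generated by one script and reviewed before anything is applied. The script below is an added example and is not part of the original tutorial or of UFW itself; SSH_PORT, ADMIN_CIDR and ufw_plan are names chosen for this example, and 203.0.113.0/24 is a constructed sample admin range.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: print the full list of ufw
# commands for a fresh server so they can be reviewed before anything is
# applied. Assumptions not stated on the page: sshd listens on $SSH_PORT,
# administrators connect from $ADMIN_CIDR (a constructed sample range), and
# the web stack is NGINX. Review the output, then apply it with:
#   ufw_plan | sudo sh

SSH_PORT="${SSH_PORT:-22}"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"

# ufw_plan only prints commands; it never runs ufw itself.
ufw_plan() {
    # Default policies: drop unsolicited inbound traffic, permit outbound.
    printf 'ufw default deny incoming\n'
    printf 'ufw default allow outgoing\n'
    # SSH goes in before enable (Step 2), restricted to the admin range
    # (Step 5) and rate-limited (Step 9). proto tcp keeps UDP closed.
    printf 'ufw limit proto tcp from %s to any port %s\n' "$ADMIN_CIDR" "$SSH_PORT"
    # Web traffic through the application profile (Step 3).
    printf "ufw allow 'Nginx Full'\n"
    # Logging (Step 7), then enable without the interactive y|n prompt.
    printf 'ufw logging on\n'
    printf 'ufw --force enable\n'
}

ufw_plan
```

Everything goes through one function so the plan can be read in full, and later compared with what sudo ufw status verbose reports, before it is piped to sudo sh. The same from-address restriction used for SSH here belongs on database ports such as 3306 from the table in Step 4: a bare sudo ufw allow 3306 exposes the database to every address.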
Step 6: Resetting and Reconfiguring UFW
To reset all firewall rules:
sudo ufw reset
Then re-allow essential services (like SSH) before re-enabling:
sudo ufw allow ssh
sudo ufw enable
Step 7: Logging and Monitoring
UFW offers basic logging to help you track connections.
Enable logging:
sudo ufw logging on
To check logs:
sudo less /var/log/ufw.log
Look for dropped or denied packets to identify suspicious activity.
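Reading /var/log/ufw.log by eye does not scale once a server is exposed, so a summary of the [UFW BLOCK] entries per source address and per destination port is the practical way to spot scanning or repeated probes. The functions below are an added example, not part of the original tutorial or of UFW; the log lines in SAMPLE_LOG are constructed and abbreviated (real entries also carry a kernel timestamp and MAC/LEN/TTL fields), and ufw_top_sources and ufw_top_ports are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: summarise the [UFW BLOCK]
# entries in a UFW log so the noisiest source addresses and most-probed ports
# stand out. The lines in SAMPLE_LOG are constructed and abbreviated (real
# entries also carry a kernel timestamp and MAC/LEN/TTL fields); the awk
# filters match field prefixes, so they work on real lines unchanged.

SAMPLE_LOG='Jan 12 10:15:32 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=51001 DPT=23 SYN
Jan 12 10:15:33 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=51002 DPT=3306 SYN
Jan 12 10:15:34 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=51003 DPT=22 SYN
Jan 12 10:16:01 web1 kernel: [UFW ALLOW] IN=eth0 OUT= SRC=203.0.113.4 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=22 SYN
Jan 12 10:17:45 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.19 DST=10.0.0.5 PROTO=TCP SPT=60010 DPT=22 SYN
Jan 12 10:18:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.19 DST=10.0.0.5 PROTO=UDP SPT=60011 DPT=53'

# Count blocked packets per source address, busiest first.
# [UFW ALLOW] and [UFW AUDIT] lines are ignored.
ufw_top_sources() {
    awk '/\[UFW BLOCK\]/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
    } END { for (k in n) print n[k], k }' | sort -rn
}

# Count blocked packets per destination port/protocol, most-probed first.
ufw_top_ports() {
    awk '/\[UFW BLOCK\]/ {
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) { sub(/^PROTO=/, "", $i); proto = $i }
            if ($i ~ /^DPT=/)   { sub(/^DPT=/, "", $i);   dpt = $i }
        }
        if (dpt != "") n[dpt "/" proto]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

# Demonstration on the constructed sample. On a server, read the real log:
#   ufw_top_sources < /var/log/ufw.log
printf '%s\n' "$SAMPLE_LOG" | ufw_top_sources
printf '%s\n' "$SAMPLE_LOG" | ufw_top_ports
```

On the sample, 198.51.100.7 shows up as the busiest blocked source (three different ports in three seconds, the signature of a scan) while the allowed SSH login from 203.0.113.4 is correctly left out of the count. Run against the real file, the per-port view tells you which closed ports are being probed most, which is the input you need for Step 9's rate limiting and for Fail2Ban.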
Step 8: Checking Application Profiles
UFW supports predefined app profiles, which simplify rule management.
List available profiles:
sudo ufw app list
Example output:
Available applications:
OpenSSH
Apache
Nginx Full
Show details of a profile:
sudo ufw app info "Nginx Full"
This reveals which ports the profile includes.
Step 9: Advanced Rules
Allow specific IP on a specific port:
sudo ufw allow from 192.168.1.10 to any port 22
Allow subnet range:
sudo ufw allow from 192.168.0.0/24
Rate-limit SSH to prevent brute-force attacks:
sudo ufw limit ssh
This rate-limits connections to port 22 (SSH): UFW denies further connections from an address that has attempted six or more connections within 30 seconds.
Step 10: Protecting Common Web Services
For NGINX:
sudo ufw allow 'Nginx Full'
For Apache:
sudo ufw allow 'Apache Full'
For HTTPS only (API servers):
sudo ufw allow 443
Add rules only for the ports/services your application actually needs.
Step 11: Disabling or Deleting Rules
Disable UFW completely (not recommended):
sudo ufw disable
Delete a specific rule:
Find the rule number:
sudo ufw status numbered
Then delete:
sudo ufw delete [number]
Rule numbers shift down after each deletion, so run sudo ufw status numbered again before deleting another rule.
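Because the numbering shifts after every deletion, removing several rules by number is easy to get wrong. The function below is an added example, not part of the original tutorial or of UFW: it takes the rule numbers from sudo ufw status numbered and deletes them highest first, so no earlier deletion changes the number of a later one. UFW_CMD and ufw_delete_rules are names invented for this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: delete several numbered
# rules in one go. UFW renumbers the remaining rules after every deletion, so
# deleting in ascending order removes the wrong rules; this sorts the numbers
# and deletes the highest first. --force skips the per-rule y|n prompt.
# UFW_CMD is a hook invented for this example: it defaults to "sudo ufw", and
# UFW_CMD="echo ufw" prints the commands instead of running them.

UFW_CMD="${UFW_CMD:-sudo ufw}"

# Usage: ufw_delete_rules 2 7 4   (numbers as shown by: sudo ufw status numbered)
ufw_delete_rules() {
    for n in $(printf '%s\n' "$@" | sort -rn); do
        case "$n" in
            *[!0-9]*) printf 'skipping non-numeric rule id: %s\n' "$n" >&2; continue ;;
        esac
        $UFW_CMD --force delete "$n"
    done
}
```

Run it once with UFW_CMD="echo ufw" to see the exact order of deletions before letting it touch the live rule set.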
Test Your Configuration
After setting everything up, test open ports from another server:
nc -zv your_server_ip 80
Or use an external tool like https://www.yougetsignal.com/tools/open-ports/
✅ Best Practices for UFW on Production Servers
- Always allow SSH first before enabling UFW
- Limit access to non-essential ports
- Enable rate limiting for login services
- Use logging to monitor unusual access patterns
- Combine UFW with Fail2Ban for added brute-force protection
- Back up your firewall rules regularly
Final Thoughts
A properly configured firewall is one of the most important steps you can take to protect your Linux server from unauthorized access, brute-force attacks, and vulnerabilities. Thankfully, UFW makes this process simple, powerful, and flexible.
With Vicservers, you get full root access and the ability to customize firewall rules from day one—whether you’re deploying a simple website or managing a fleet of VPS instances.
Ready to Get Started?
Launch your secure VPS at VicServers.com
Fully customizable firewall settings
Free SSL, DDoS protection, and more included
Need help setting up UFW? Contact our 24/7 support
By Vicservers – Your Partner in Secure, High-Performance Hosting