Setting Up a Firewall for Your Linux Server (UFW Tutorial)

Introduction

When it comes to server security, a firewall is your first line of defense. Whether you’re running a personal blog or managing multiple cloud servers, an unprotected server is an open invitation to cyber threats.

In this tutorial, we’ll walk you through everything you need to know about setting up and configuring a firewall on Linux using UFW (Uncomplicated Firewall). UFW is one of the easiest tools to use for managing firewall rules on Ubuntu and other Debian-based distributions.

By the end of this guide, you’ll be able to:

  • Understand how UFW works
  • Configure basic and advanced firewall rules
  • Secure SSH access
  • Open/close specific ports
  • Create reusable profiles
  • Set up logging and monitoring

Let’s get started.

What Is a Firewall?

A firewall is a system that filters incoming and outgoing traffic to or from your server based on a defined set of rules. It allows trusted traffic (like your website or SSH access) and blocks potentially malicious or unauthorized connections.

In Linux, tools like iptables and nftables offer powerful control, but they can be complex. That’s why UFW exists—to make managing firewall rules more accessible and human-readable.

Why Use UFW?

UFW stands for Uncomplicated Firewall, and it’s designed to simplify firewall management. Here’s why it’s a great choice:

  • Pre-installed on Ubuntu and many Debian-based systems
  • Simple syntax for adding/removing rules
  • IPv4 and IPv6 support
  • Integrates with app profiles (like OpenSSH, NGINX, Apache)
  • Works well on VPS and cloud servers from Vicservers

Prerequisites

Before proceeding, ensure:

✅ You’re running a Linux server (Ubuntu/Debian)
✅ You have sudo/root access
✅ You’re connected via SSH

If you’re using a Vicservers VPS, you’re already equipped with these essentials.

Step 1: Check if UFW Is Installed

Most Ubuntu systems come with UFW pre-installed. To check:

sudo ufw status

If it’s not installed:

sudo apt install ufw

Step 2: Enable UFW (Safely)

Warning: If you’re connected via SSH, you must allow SSH before enabling UFW, or you’ll lock yourself out.

Allow SSH:

sudo ufw allow ssh

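This automatically allows traffic on port 22, the default SSH port. If your SSH daemon listens on a different port, this rule will not keep your session reachable; allow that port instead, as shown in Step 5.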

Then enable the firewall:

sudo ufw enable

You’ll see:

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Congratulations—your firewall is now active!

Step 3: Understanding UFW Rules

View current rules:

sudo ufw status numbered

Allow traffic on a specific port:

sudo ufw allow 80

(For HTTP traffic)

Allow a service by name:

sudo ufw allow "Nginx Full"

This opens both ports 80 (HTTP) and 443 (HTTPS).

Deny traffic on a port:

sudo ufw deny 23

(This blocks Telnet)

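Step 4: Basic Configuration Examples

Common Services

Service   Command
SSH       sudo ufw allow ssh
HTTP      sudo ufw allow http
HTTPS     sudo ufw allow https
NGINX     sudo ufw allow 'Nginx Full'
Apache    sudo ufw allow 'Apache Full'
MySQL     sudo ufw allow 3306

Note that the MySQL rule as written opens port 3306 to every source address. If only an application server needs the database, restrict the rule to that address with the "from" syntax shown in Step 9.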

Step 5: Restricting SSH Access (Optional)

By default, SSH runs on port 22 and is open to all IPs. For tighter security:

Option 1: Allow from a specific IP only

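sudo ufw allow from 203.0.113.4 to any port 22

This rule only restricts access once the general SSH rule from Step 2 has been removed. While that rule is still present, port 22 stays open to every address. Step 11 shows how to delete a rule.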

Option 2: Use a custom SSH port

If you’ve changed your SSH port (e.g., to 2222), allow that instead:

sudo ufw allow 2222/tcp

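Once you have confirmed that you can log in on the new port, remove the port 22 rule if it is no longer used. Delete it in the same form it was added in Step 2, because UFW only deletes a rule that matches exactly:

sudo ufw delete allow ssh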
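
To check whether the restriction in Option 1 is actually in effect, the following added example (not part of the original tutorial) reads "ufw status" output and lists rules that still allow a port from Anywhere. The helper name world_open_rules and the sample output are constructed for illustration.

```shell
# Added example. Constructed `sudo ufw status` output: the Step 2 rule
# (22/tcp from Anywhere) is still present beside the per-IP rule from Option 1.
sample_status() {
cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22                         ALLOW       203.0.113.4
22/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

# world_open_rules PORT (hypothetical helper name)
# Reads `ufw status` text on stdin and prints each ALLOW or LIMIT rule for PORT
# whose source is Anywhere. Exit status: 0 if any such rule exists, 1 if none.
# Rules added by application profile name (e.g. OpenSSH) are not resolved to ports.
world_open_rules() {
  awk -v port="$1" '
    {
      for (i = 2; i < NF + 1; i++) {
        if ($i != "ALLOW" && $i != "LIMIT") continue
        from = $(i + 1)
        if (from == "IN") from = $(i + 2)   # "ALLOW IN" in verbose output
        split($1, to, "/")                  # "22/tcp" -> to[1] = "22"
        if (to[1] == port && from == "Anywhere") { print; found = 1 }
        break
      }
    }
    END { exit (found ? 0 : 1) }'
}

# On a server: sudo ufw status | world_open_rules 22
if sample_status | world_open_rules 22; then
  echo "port 22 is still reachable from any address"
fi
```

With the sample above, both the IPv4 and IPv6 Anywhere rules for port 22 are reported, so the per-IP rule is not yet limiting anything.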

Step 6: Resetting and Reconfiguring UFW

To reset all firewall rules (this also disables UFW and returns it to its installation defaults):

sudo ufw reset

Then re-allow essential services (like SSH) before re-enabling:

sudo ufw allow ssh
sudo ufw enable

Step 7: Logging and Monitoring

UFW offers basic logging to help you track connections.

Enable logging:

sudo ufw logging on

To check logs:

sudo less /var/log/ufw.log

Look for dropped or denied packets to identify suspicious activity.
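
As an added example (not part of the original tutorial), the script below summarises blocked packets by source address and destination port, which is usually quicker than paging through the log. The log lines are constructed samples in the kernel format UFW logs, and the function names are hypothetical.

```shell
# Added example. Constructed log lines in the format found in /var/log/ufw.log
# (addresses are taken from the documentation ranges).
sample_ufw_log() {
cat <<'EOF'
Mar  3 09:14:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=52 PROTO=TCP SPT=40122 DPT=22 SYN URGP=0
Mar  3 09:14:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=52 PROTO=TCP SPT=40123 DPT=22 SYN URGP=0
Mar  3 09:14:04 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=52 PROTO=TCP SPT=40125 DPT=22 SYN URGP=0
Mar  3 09:15:10 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=52 PROTO=TCP SPT=40130 DPT=23 SYN URGP=0
Mar  3 09:20:31 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=60 TTL=49 PROTO=TCP SPT=51811 DPT=3306 SYN URGP=0
Mar  3 09:20:40 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=84 TTL=49 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  3 09:21:02 web1 kernel: [UFW ALLOW] IN=eth0 OUT= SRC=203.0.113.4 DST=203.0.113.10 LEN=60 TTL=57 PROTO=TCP SPT=50022 DPT=22 SYN URGP=0
EOF
}

# Reads log lines on stdin and prints "count source port", highest count first.
# Only [UFW BLOCK] entries are counted; packets without a port (ICMP) show "-".
summarise_blocks() {
  awk '/\[UFW BLOCK\]/ {
         src = ""; dpt = "-"
         for (i = 1; i < NF + 1; i++) {
           if ($i ~ /^SRC=/) src = substr($i, 5)
           if ($i ~ /^DPT=/) dpt = substr($i, 5)
         }
         if (src != "") hits[src " " dpt]++
       }
       END { for (k in hits) print hits[k], k }' | sort -k1,1nr -k2,2
}

# Prints each source that was blocked at least $1 times on a single port.
noisy_sources() {
  summarise_blocks | awk -v n="$1" '$1 + 0 >= n + 0 { print $2 }' | sort -u
}

# On a server: sudo cat /var/log/ufw.log | summarise_blocks
sample_ufw_log | summarise_blocks
```

Repeated blocks from one source against port 22 are the pattern that the rate limiting in Step 9 and Fail2Ban are meant to handle.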

Step 8: Checking Application Profiles

UFW supports predefined app profiles, which simplify rule management.

List available profiles:

sudo ufw app list

Example output:

Available applications:
  OpenSSH
  Apache
  Nginx Full

Show details of a profile:

sudo ufw app info "Nginx Full"

This reveals which ports the profile includes.

Step 9: Advanced Rules

Allow specific IP on a specific port:

sudo ufw allow from 192.168.1.10 to any port 22

Allow subnet range:

sudo ufw allow from 192.168.0.0/24

Rate-limit SSH to prevent brute-force attacks:

sudo ufw limit ssh

This rate-limits connections to port 22 (SSH) after a threshold of attempts.

Step 10: Protecting Common Web Services

For NGINX:

sudo ufw allow 'Nginx Full'

For Apache:

sudo ufw allow 'Apache Full'

For HTTPS only (API servers):

sudo ufw allow 443

Add rules only for the ports/services your application actually needs.

Step 11: Disabling or Deleting Rules

Disable UFW completely (not recommended):

sudo ufw disable

Delete a specific rule:

Find the rule number (numbers shift after each deletion, so list the rules again before deleting another):

sudo ufw status numbered

Then delete:

sudo ufw delete [number]

Test Your Configuration

After setting everything up, test open ports from another server:

nc -zv your_server_ip 80

Or use an external tool like https://www.yougetsignal.com/tools/open-ports/

✅ Best Practices for UFW on Production Servers

  • Always allow SSH first before enabling UFW
  • Limit access to non-essential ports
  • Enable rate limiting for login services
  • Use logging to monitor unusual access patterns
  • Combine UFW with Fail2Ban for added brute-force protection
  • Back up your firewall rules regularly

Final Thoughts

A properly configured firewall is one of the most important steps you can take to protect your Linux server from unauthorized access, brute-force attacks, and vulnerabilities. Thankfully, UFW makes this process simple, powerful, and flexible.

With Vicservers, you get full root access and the ability to customize firewall rules from day one—whether you’re deploying a simple website or managing a fleet of VPS instances.

Ready to Get Started?

Launch your secure VPS at VicServers.com
Fully customizable firewall settings
Free SSL, DDoS protection, and more included
Need help setting up UFW? Contact our 24/7 support

By Vicservers – Your Partner in Secure, High-Performance Hosting
