
Configure firewall with UFW

Basic UFW rules to protect your server: allow only necessary ports and block the rest.


What is UFW

UFW (Uncomplicated Firewall) is a user-friendly frontend for iptables. It simplifies firewall management while providing robust protection.

Step 1: Install UFW

```bash
sudo apt install -y ufw
```

Step 2: Set default policies

Block all incoming traffic and allow all outgoing:

```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
```

Step 3: Allow essential services

```bash
# SSH (change port if you use a custom one)
sudo ufw allow 22/tcp comment 'SSH'

# HTTP and HTTPS
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
```

Common service ports

```bash
# Database (only if remote access needed)
sudo ufw allow from 10.0.0.0/8 to any port 3306 comment 'MySQL internal'
sudo ufw allow from 10.0.0.0/8 to any port 5432 comment 'PostgreSQL internal'

# Mail
sudo ufw allow 25/tcp comment 'SMTP'
sudo ufw allow 587/tcp comment 'SMTP submission'
sudo ufw allow 993/tcp comment 'IMAPS'

# Game servers
sudo ufw allow 25565/tcp comment 'Minecraft'
sudo ufw allow 30120/tcp comment 'FiveM TCP'
sudo ufw allow 30120/udp comment 'FiveM UDP'
```

Step 4: Enable UFW

```bash
sudo ufw enable
```

Confirm with y. Your current SSH session stays connected, and new SSH logins keep working because the SSH rule from step 3 was added before enabling.

Step 5: Verify rules

```bash
sudo ufw status verbose
sudo ufw status numbered
```
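Steps 1 to 5 as one reviewable script, added here as an example (it is not part of the original guide). It builds the list of ufw commands first, checks that an SSH rule comes before ufw enable (the guard against locking yourself out), and only runs anything when --apply is given. SSH_PORT and EXTRA_PORTS are assumed environment variables; their defaults are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: applies steps 1-5 as a plan that is
# checked before it is executed. SSH_PORT and EXTRA_PORTS are assumed inputs;
# the defaults are constructed for illustration.
set -eu

# build_plan SSH_PORT "80/tcp 443/tcp ..." -> one ufw command per line on stdout
build_plan() {
    ssh_port="$1"
    extra="${2:-}"
    case "$ssh_port" in
        ''|*[!0-9]*) echo "invalid SSH port: '$ssh_port'" >&2; return 1 ;;
    esac
    if [ "$ssh_port" -lt 1 ] || [ "$ssh_port" -gt 65535 ]; then
        echo "SSH port out of range: $ssh_port" >&2; return 1
    fi
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # SSH is emitted first and rate-limited, so it is in place before enable
    echo "ufw limit ${ssh_port}/tcp comment 'SSH rate limit'"
    for spec in $extra; do
        case "$spec" in
            [0-9]*/tcp|[0-9]*/udp) echo "ufw allow ${spec} comment 'service'" ;;
            *) echo "skipping malformed port spec: $spec" >&2 ;;
        esac
    done
    echo "ufw --force enable"
}

# plan_is_safe "PLAN" -> true only if an SSH allow/limit rule precedes the enable line
plan_is_safe() {
    ssh_line=$(printf '%s\n' "$1" | grep -n -E "^ufw (allow|limit) [0-9]+/tcp comment 'SSH" | head -n 1 | cut -d: -f1)
    enable_line=$(printf '%s\n' "$1" | grep -n -E '^ufw (--force )?enable$' | head -n 1 | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$enable_line" ] && [ "$ssh_line" -lt "$enable_line" ]
}

# apply_plan "PLAN" -> runs each line with sudo, after the safety check
apply_plan() {
    plan_is_safe "$1" || { echo "refusing to apply: no SSH rule before enable" >&2; return 1; }
    printf '%s\n' "$1" | while IFS= read -r line; do
        echo "+ sudo $line"
        eval "sudo $line"   # lines come from build_plan above, never from user input
    done
    sudo ufw status verbose
}

main() {
    plan=$(build_plan "${SSH_PORT:-22}" "${EXTRA_PORTS:-80/tcp 443/tcp}")
    if [ "${1:-}" = "--apply" ]; then
        apply_plan "$plan"
    else
        echo "# dry run; re-run with --apply to execute:"
        printf '%s\n' "$plan"
    fi
}

main "$@"
```

Run it once without arguments to review the plan, then with --apply. On a server with SSH on a custom port, set SSH_PORT first (for example SSH_PORT=2222 ./baseline.sh --apply); the script refuses to enable the firewall if the plan contains no SSH rule.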

Rate limiting

Protect against brute-force attacks with rate limiting:

```bash
# Rate-limit SSH: an address that opens 6 or more connections within 30 seconds is denied
sudo ufw limit 22/tcp comment 'SSH rate limit'
```

For custom rate limiting, use iptables rules through UFW:

```bash
sudo nano /etc/ufw/before.rules
```

Add these lines inside the *filter section, before its COMMIT line:

```text
# Rate limit HTTP connections: the first rule records every new connection per source,
# the second drops new connections from a source that has opened 100 or more within 60 seconds
-A ufw-before-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --set --name HTTP
-A ufw-before-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 100 --name HTTP -j DROP
```
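A scripted way to make the before.rules edit above, added as an example that is not part of the original guide. Instead of editing by hand, the function inserts the rule lines before the COMMIT that closes the *filter table, tags them with a marker comment so a second run is a no-op, and leaves the file untouched if no *filter section is found. The demo at the bottom works on a constructed minimal copy of the file, not on /etc/ufw/before.rules; the file layout and the marker name are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original guide: inserts rules into a before.rules-style
# file before the COMMIT of the *filter table. The demo file below is constructed.
set -eu

# add_filter_rules FILE MARKER   (rule lines are read from stdin)
# Exit 0 when rules were inserted or the marker was already present; exit 1 and
# leave FILE untouched when it has no *filter ... COMMIT section.
add_filter_rules() {
    file="$1"
    marker="# $2"
    if grep -qF -- "$marker" "$file"; then
        echo "marker '$2' already present in $file, nothing to do" >&2
        return 0
    fi
    rules_tmp=$(mktemp)
    out_tmp=$(mktemp)
    cat > "$rules_tmp"
    awk -v marker="$marker" -v rulesfile="$rules_tmp" '
        /^\*filter/ { in_filter = 1 }
        in_filter && /^COMMIT/ && !done {
            print marker
            while ((getline line < rulesfile) > 0) print line
            done = 1
        }
        { print }
    ' "$file" > "$out_tmp"
    if ! grep -qF -- "$marker" "$out_tmp"; then
        rm -f "$rules_tmp" "$out_tmp"
        echo "no *filter/COMMIT section found in $file, nothing written" >&2
        return 1
    fi
    # Overwrite in place so the owner and mode of the original file are kept
    cat "$out_tmp" > "$file"
    rm -f "$rules_tmp" "$out_tmp"
}

# Demo on a constructed minimal before.rules (not the real file)
DEMO=$(mktemp)
trap 'rm -f "$DEMO"' EXIT
printf '%s\n' '*filter' ':ufw-before-input - [0:0]' '-A ufw-before-input -i lo -j ACCEPT' 'COMMIT' > "$DEMO"

add_filter_rules "$DEMO" 'http-rate-limit' <<'EOF'
-A ufw-before-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --set --name HTTP
-A ufw-before-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 100 --name HTTP -j DROP
EOF
cat "$DEMO"
```

For the real file, back it up first (sudo cp /etc/ufw/before.rules /etc/ufw/before.rules.bak), run add_filter_rules as root against /etc/ufw/before.rules with the rule lines on stdin, then apply with sudo ufw reload and confirm with sudo ufw status verbose that the firewall is still active; a syntax error in before.rules makes the reload fail, which is why the backup matters.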

Allow specific IPs only

Restrict access to sensitive services:

```bash
# Allow admin panel only from your IP
sudo ufw allow from YOUR_HOME_IP to any port 8080 comment 'Admin panel'

# Allow database only from app server
sudo ufw allow from APP_SERVER_IP to any port 5432 comment 'PostgreSQL from app'
```

Delete rules

```bash
# List numbered rules
sudo ufw status numbered

# Delete by number
sudo ufw delete 3

# Delete by specification
sudo ufw delete allow 8080/tcp
```

Enable logging

```bash
sudo ufw logging on       # same as level 'low': blocked packets and packets matching logged rules
sudo ufw logging medium   # 'low' plus allowed packets, invalid packets and new connections
```

View firewall logs:

```bash
sudo tail -f /var/log/ufw.log

# Count blocked attempts by source IP (read the SRC= field; the last
# field of a UFW log line is not the address)
sudo grep 'BLOCK' /var/log/ufw.log | grep -o 'SRC=[^ ]*' | cut -d= -f2 | sort | uniq -c | sort -rn | head -20
```
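The same log triage as reusable functions, added here as an example that is not part of the original guide: one summarises block events by source address, the other lists which destination ports a single source hit. Both read the SRC= and DPT= fields by name rather than by position, and both count [UFW BLOCK] and [UFW LIMIT BLOCK] lines while ignoring [UFW ALLOW] lines. The log lines are constructed sample data in the kernel netfilter log format using documentation address ranges, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original guide: summarise UFW block events.
# SAMPLE_LOG below is constructed sample data, not a real log.
set -eu

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 12:00:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:04 web1 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.23 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=4711 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:05 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.70 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5353 DPT=161 LEN=20
Jan 10 12:00:06 web1 kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
EOF

# top_blocked_sources LOGFILE [N] -> "count ip" lines, busiest source first
top_blocked_sources() {
    grep -a -E '\[UFW (LIMIT )?BLOCK\]' "$1" |
        grep -o 'SRC=[^ ]*' | cut -d= -f2 |
        sort | uniq -c | sort -rn | head -n "${2:-20}" |
        awk '{print $1, $2}'
}

# blocked_ports_for_ip LOGFILE IP -> "count port" lines for one source
# The trailing space in the pattern makes the match exact (203.0.113.7 is not 203.0.113.70)
blocked_ports_for_ip() {
    grep -a -E '\[UFW (LIMIT )?BLOCK\]' "$1" |
        grep -F "SRC=$2 " |
        grep -o 'DPT=[^ ]*' | cut -d= -f2 |
        sort -n | uniq -c | awk '{print $1, $2}'
}

echo "Top blocked sources:"
top_blocked_sources "$SAMPLE_LOG" 5
echo "Ports probed by 203.0.113.7:"
blocked_ports_for_ip "$SAMPLE_LOG" 203.0.113.7
```

On a real host, call the functions against /var/log/ufw.log (with sudo, since the file is root-readable). A source that appears in the top list with several distinct destination ports is a port sweep; one that hits a single port many times is what the ufw limit rule is there for.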

IPv6 support

Ensure IPv6 is enabled in UFW:

```bash
sudo nano /etc/default/ufw
```

and set:

```text
IPV6=yes
```

Reload:

```bash
sudo ufw reload
```

Application profiles

UFW supports application profiles:

```bash
# List available profiles
sudo ufw app list

# Allow by profile
sudo ufw allow 'Nginx Full'
sudo ufw allow 'OpenSSH'
```

Troubleshooting

  • Locked out: Use IPMI/KVM console access to disable UFW
  • Service not accessible: Check sudo ufw status for missing rules
  • Rules not applying: Run sudo ufw reload
  • Check if UFW is blocking: sudo ufw status verbose shows default policies
