Learn UFW: Secure Your Linux Server with a Robust and Reliable Firewall
Securing your Linux server starts with a strong firewall. UFW (Uncomplicated Firewall) simplifies this process by giving you clear, easy control over which network traffic is allowed or blocked.
This guide will show you how to use UFW to protect your server quickly and confidently. Get ready to take full control of your server’s security with a powerful tool.
What It Is #
UFW is a user-friendly firewall management tool for Linux. It removes the complexity of configuring network security, enabling you to set up effective protection with just a few commands.
Why Use It #
Here are some reasons to use UFW:
- Simple Setup: Get your firewall up and running in just a few commands.
- Easy Control: Quickly allow or block services without complicated rules.
- Default on Ubuntu: No need for extra installations; it's ready to use.
- Boosted Security: Safeguard your system from unwanted connections.
- Traffic Insights: Monitor network activity with built-in logging.
Installation #
Ubuntu Linux:
sudo apt install ufw -y
Essential Commands #
1. Basics #
Enable UFW:
Result: Firewall is activated and rules are enforced.
sudo ufw enable
Disable UFW:
Use for testing.
sudo ufw disable
Check status:
sudo ufw status
With detailed output:
sudo ufw status verbose
Reload UFW:
Reload firewall rules without restarting the service (useful after making changes).
sudo ufw reload
Reset UFW:
Resets all rules to default state (deny all incoming connections and allow all outgoing connections) and disables UFW.
sudo ufw reset
2. Default Rules #
Set default incoming policy:
sudo ufw default deny incoming
This blocks all incoming connections by default, unless explicitly allowed.
Set default outgoing policy:
sudo ufw default allow outgoing
This allows all outgoing connections by default, unless explicitly denied.
3. Allowing/Denying Traffic #
Allow incoming traffic on specific port:
sudo ufw allow <port>/tcp
Deny traffic on specific port:
sudo ufw deny <port>/tcp
Allow traffic from specific IP:
sudo ufw allow from xxx.xxx.x.xx
Deny traffic from specific IP:
sudo ufw deny from xxx.xxx.x.xx
4. Limiting Traffic #
This allows only a maximum number of connections within a specific time frame. It can be used as protection against brute-force attacks.
Limit connections:
sudo ufw limit <port>/tcp
5. Deleting Rules #
Delete rule:
sudo ufw delete allow <port>/tcp
Delete rule (by number):
Simplify rule management by using rule numbers.
Show numbered rules:
sudo ufw status numbered
Delete:
sudo ufw delete <rule_number>
6. Logging #
Use logs to troubleshoot issues and monitor suspicious activity.
Enable logging:
Default location: /var/log/ufw.log
sudo ufw logging on
Disable logging:
sudo ufw logging off
Set verbosity of logs:
sudo ufw logging <level> # Level: low, medium or high
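An added log-parsing check for the logging section (not code from the guide): it summarises [UFW BLOCK] and [UFW LIMIT BLOCK] entries from /var/log/ufw.log by source address and destination port, so repeated probes against one port, the pattern the limit rule targets, stand out. The sample lines are constructed (RFC 5737 test addresses, less relevant netfilter fields trimmed); the parser keys on the key=value fields, so it works on full lines as well.

```shell
#!/bin/sh
# Added example: summarise blocked connections from a UFW log file.
# UFW writes netfilter lines tagged [UFW BLOCK] (or [UFW LIMIT BLOCK] for
# rate-limited rules) followed by key=value fields such as SRC, DPT, PROTO.

# Constructed sample of /var/log/ufw.log (RFC 5737 test addresses, extra
# netfilter fields trimmed). The [UFW ALLOW] line must be ignored.
sample_ufw_log() {
    cat <<'EOF'
Mar  3 08:12:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=41022 DPT=22 SYN
Mar  3 08:12:03 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=41023 DPT=22 SYN
Mar  3 08:12:09 web1 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=41030 DPT=22 SYN
Mar  3 08:13:40 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=41100 DPT=3389 SYN
Mar  3 08:15:12 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=198.51.100.10 PROTO=TCP SPT=50022 DPT=22 SYN
Mar  3 08:16:00 web1 kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.8 DST=198.51.100.10 PROTO=TCP SPT=50100 DPT=443 SYN
EOF
}

# Print "count src dport/proto" per blocked (source, port) pair, highest first.
# Usage: ufw_block_summary /var/log/ufw.log   (reads stdin when no file given)
ufw_block_summary() {
    awk '
        /\[UFW (LIMIT )?BLOCK\]/ {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src != "" && dpt != "") count[src " " dpt "/" tolower(proto)]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | sort -rn
}

# Print source addresses with at least N blocked attempts across all ports.
# Usage: ufw_block_sources_at_least N /var/log/ufw.log
ufw_block_sources_at_least() {
    n="$1"; shift
    ufw_block_summary "$@" | awk -v n="$n" '
        { total[$2] += $1 }
        END { for (s in total) if (total[s] >= n) print s }'
}
```

Run `sample_ufw_log | ufw_block_summary` to see the constructed data summarised; on a real host, pass /var/log/ufw.log instead.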
Workflow: Set Up Firewall #
Use case: basic web server setup.
Step 1: Set Default Rules
Pro tip: Deny all traffic by default to create a secure baseline. Then allow only what is needed.
sudo ufw default deny incoming
sudo ufw default deny outgoing
Step 2: Allow Services
Always specify the protocol (tcp or udp) unless you have a reason to allow both.
sudo ufw limit 22/tcp # SSH (Limit connections to prevent brute-force attacks)
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
Step 3: Enable UFW
sudo ufw enable
Auto start at boot:
sudo systemctl enable ufw
Enforce rules:
sudo ufw reload
Verify:
sudo ufw status verbose
Output:
- Status: active
- Default: deny (incoming), deny (outgoing), disabled (routed)
To | Action | From |
---|---|---|
22/tcp | LIMIT | Anywhere |
80/tcp | ALLOW | Anywhere |
443/tcp | ALLOW | Anywhere |
22/tcp (v6) | LIMIT | Anywhere (v6) |
80/tcp (v6) | ALLOW | Anywhere (v6) |
443/tcp (v6) | ALLOW | Anywhere (v6) |
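A setup script for the workflow above, added here as an example rather than taken from the guide: it reads the SSH port from sshd_config (path assumed to be /etc/ssh/sshd_config) and applies the rules in the order shown, so the firewall is never enabled without an SSH rule, which is the lockout described under Troubleshooting. Set UFW=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: apply the web-server workflow above without risking an SSH
# lockout. The SSH port is read from sshd_config instead of being assumed.
set -eu

# Command used to apply each rule. Set UFW=echo to dry-run (print only).
UFW="${UFW:-sudo ufw}"

# Print the port from the first uncommented "Port" directive in an
# sshd_config file, or 22 when none is set.
ssh_port_from_config() {
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1" 2>/dev/null || true)
    echo "${port:-22}"
}

# Emit the rule arguments, one per line, in the order the workflow uses.
# Outgoing is denied as in the workflow; anything the host itself must reach
# (DNS, package mirrors) then needs an explicit "allow out" rule.
web_server_rules() {
    cat <<EOF
default deny incoming
default deny outgoing
limit $1/tcp
allow 80/tcp
allow 443/tcp
EOF
}

# Validate the SSH port, apply the rules, then enable the firewall.
apply_web_server_rules() {
    ssh_port=$(ssh_port_from_config "${1:-/etc/ssh/sshd_config}")
    case "$ssh_port" in
        ''|*[!0-9]*) echo "invalid SSH port: $ssh_port" >&2; return 1 ;;
    esac
    web_server_rules "$ssh_port" | while IFS= read -r rule; do
        $UFW $rule   # word splitting of $rule is intended
    done
    $UFW --force enable   # --force skips the interactive confirmation
}
```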
Most Common Ports #
When setting up UFW, it's helpful to know which ports are commonly used by essential services. Below is a list of ports you may need to allow or block based on your setup.
Port | Protocol | Service | Description |
---|---|---|---|
22 | TCP | SSH | Secure remote shell access |
25 | TCP | SMTP | Sends email between mail servers (no authentication) |
53 | TCP/UDP | DNS | Resolves domain names to IP addresses |
80 | TCP | HTTP | Standard unencrypted web traffic |
443 | TCP | HTTPS | Encrypted web traffic using TLS/SSL |
587 | TCP | SMTP (Submission) | Sends email from clients (requires authentication) |
993 | TCP | IMAPS | Encrypted email retrieval via IMAP (with authentication) |
995 | TCP | POP3S | Encrypted email retrieval via POP3 (with authentication) |
Frequently Asked Questions #
Why Use UFW If My Hosting Provider Has a Firewall?
Using UFW on your server adds an extra layer of protection. While your hosting provider's firewall (e.g. Linode, AWS, Azure, GCP) filters traffic at the network level, UFW controls access at the server level. If the provider’s firewall is misconfigured or bypassed, UFW still enforces local rules. This defence-in-depth approach helps reduce the risk of unauthorised access.
Does the Order of UFW Rules Matter?
Yes. UFW applies rules in the order you add them. Earlier rules take priority, so the sequence of commands affects which rules are enforced.
What is TCP/UDP?
TCP and UDP are two different ways computers send data over a network:
- TCP (Transmission Control Protocol)
Sends data reliably and in order. It checks for errors and makes sure all data arrives correctly.
Used for: websites (HTTP/HTTPS), email, SSH.
- UDP (User Datagram Protocol)
Sends data faster but without checking if it all arrives or is in the right order.
Used for: video streaming, DNS, online games.
When you see TCP/UDP, it means the service can work with either protocol.
Troubleshooting #
SSH Lockout (Unable to Access via SSH)
Symptoms:
- Cannot connect to the server using SSH.
- SSH connection attempts time out or are refused.
Cause:
- SSH port (default 22 or custom) was not explicitly allowed in UFW rules before enabling the firewall.
- UFW defaults to a "deny all" policy, blocking all incoming connections, including SSH.
Solution:
Before enabling UFW, always ensure that the SSH port is allowed.
If you are already locked out, access the server directly using the LISH Console (Linode):
- Log in to the Linode Cloud Manager
- Select the affected Linode instance
- Click Launch LISH Console to access the system directly via Linode Shell
Allow SSH traffic through UFW:
sudo ufw allow <port>/tcp
Verify SSH access:
ssh <user>@<remote>