
How to Use UFW on Linux Server in 2026? – Easy Guide

UFW (Uncomplicated Firewall) is a user-friendly interface to iptables that helps you manage Linux firewall rules quickly. To use UFW: set default policies, allow essential ports (e.g., SSH), enable the firewall, and verify.

Typical steps are: apt install ufw, ufw default deny incoming, ufw allow OpenSSH, ufw enable, and ufw status. If you’re running a Linux server, knowing how to use UFW on a Linux server is a must-have skill.

It lets you control inbound and outbound network traffic with simple commands while maintaining robust security. This guide shows you how to install, configure, and operate UFW safely, with real-world examples and best practices from production hosting environments.

What is UFW and Why it Matters?

UFW (Uncomplicated Firewall) is a command-line tool that simplifies managing iptables, the packet filtering system built into Linux. Instead of writing complex iptables chains, you use human-readable commands like ufw allow 22/tcp.

UFW is ideal for Ubuntu/Debian servers and works perfectly for common hosting stacks (Nginx, Apache, MySQL/MariaDB, Redis, Docker, and more).

Primary benefits include:

  • Simple syntax for common firewall tasks
  • Safe defaults (deny incoming, allow outgoing)
  • Application profiles for popular services (Nginx, OpenSSH, etc.)
  • Easy logging and rule auditing
  • IPv6 support

Prerequisites and Safety Checklist

  • Root or sudo access to the server
  • Console/serial access or a cloud provider console in case SSH is blocked
  • Knowledge of required service ports (SSH 22, HTTP 80, HTTPS 443, etc.)
  • Cloud firewall/security groups aligned with UFW rules (AWS, Azure, GCP, DigitalOcean)
  • Confirm whether IPv6 is enabled on your server/network

Expert Tip: Always allow SSH before enabling UFW to avoid locking yourself out.

Quick Start: Secure UFW in 60 Seconds

# Install (Ubuntu/Debian)
sudo apt update && sudo apt install -y ufw

# Set safe defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (use OpenSSH profile or 22/tcp)
sudo ufw allow OpenSSH
# or: sudo ufw allow 22/tcp

# Enable firewall
sudo ufw enable

# Verify
sudo ufw status verbose

How to Use UFW on Linux Server (Step-by-Step Guide)

Step 1. Install and Check Status

# Install (Ubuntu/Debian)
sudo apt update && sudo apt install -y ufw

# Check if active
sudo ufw status
sudo ufw status verbose

If UFW is “inactive,” you’ll configure rules first, then enable.

Step 2. Set Default Policies

Best practice is to deny incoming by default and allow outgoing. This blocks unsolicited inbound connections but lets your server reach external services.

sudo ufw default deny incoming
sudo ufw default allow outgoing

Step 3. Allow SSH Securely

Allow SSH before you enable the firewall; without this rule, you may lose remote access.

# Allow standard SSH
sudo ufw allow OpenSSH
# or explicitly by port
sudo ufw allow 22/tcp

# Restrict SSH to your IP or office subnet (recommended)
sudo ufw allow from 203.0.113.10 to any port 22 proto tcp
sudo ufw allow from 203.0.113.0/24 to any port 22 proto tcp

Step 4. Allow Common Services

Open only what you need. Use service names when available or specific ports.

# Web
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# or via profiles if available:
sudo ufw app list
sudo ufw allow "Nginx Full"
# Email (example)
sudo ufw allow 25/tcp
sudo ufw allow 587/tcp
sudo ufw allow 993/tcp
# Databases (restrict to private IPs/subnets)
sudo ufw allow from 10.0.0.0/24 to any port 3306 proto tcp
sudo ufw allow from 10.0.0.5 to any port 5432 proto tcp

Step 5. Enable UFW and Verify

# Enable
sudo ufw enable

# Check human-readable and numbered rules
sudo ufw status verbose
sudo ufw status numbered

UFW rules persist across reboots by default.
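A lockout guard for the enable step, added here as an example and not part of the guide: it scans the rules that ufw show added prints for an inactive firewall and refuses to run ufw enable unless an allow or limit rule already covers the SSH port. It assumes ufw show added emits one "ufw allow ..." or "ufw limit ..." line per saved rule; the SAMPLE_RULES text is a constructed sample for offline use.

```shell
# Lockout guard: refuse to run "ufw enable" unless the saved rule set already
# contains an allow/limit rule for the SSH port. Added example, not from the
# guide; it assumes "ufw show added" prints one "ufw allow ..." / "ufw limit ..."
# line per saved rule, which is what ufw shows while the firewall is inactive.

# ssh_rule_present RULES_TEXT [PORT]
# Returns 0 when RULES_TEXT has an allow/limit rule for PORT (default 22),
# given as "PORT", "PORT/tcp", "... to any port PORT ..." or the OpenSSH profile.
# A source-restricted rule still counts: make sure its "from" covers the address
# you are connecting from (see $SSH_CONNECTION) before relying on it.
ssh_rule_present() {
    port=${2:-22}
    printf '%s\n' "$1" | awk -v port="$port" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") {
            if ($3 == port || $3 == (port "/tcp") || (port == "22" && $3 == "OpenSSH"))
                found = 1
            for (i = 3; i < NF; i++)
                if ($i == "port" && ($(i+1) == port || $(i+1) == (port "/tcp")))
                    found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# safe_enable [PORT]: check the saved rules on the real host, then enable.
# Needs root and ufw installed; only the guard above runs anywhere.
safe_enable() {
    port=${1:-22}
    added=$(sudo ufw show added) || return 2
    if ssh_rule_present "$added" "$port"; then
        sudo ufw enable
    else
        echo "refusing to enable: no allow/limit rule for port $port" >&2
        return 1
    fi
}

# Constructed sample of "ufw show added" output for an offline demonstration.
SAMPLE_RULES=$(cat <<'EOF'
Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow from 203.0.113.10 to any port 22 proto tcp
EOF
)

ssh_rule_present "$SAMPLE_RULES" 22 && echo "port 22 covered: safe to enable"
ssh_rule_present "$SAMPLE_RULES" 2222 || echo "port 2222 not covered: add a rule first"
```

On a real host, run safe_enable (or safe_enable 2222 for a non-default SSH port) in place of a bare sudo ufw enable.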

Step 6. Manage, Edit, and Delete Rules

# Deny or reject traffic
sudo ufw deny 23/tcp
sudo ufw reject 113/tcp

# Delete by reusing the rule spec
sudo ufw delete allow 80/tcp

# Or delete by number (from `ufw status numbered`)
sudo ufw status numbered
sudo ufw delete 3

# Insert rule at a specific position
sudo ufw insert 1 allow 443/tcp

Step 7. Port Ranges, Protocols, and Interfaces

# Ranges
sudo ufw allow 3000:3010/tcp
sudo ufw allow 60000:61000/udp

# Specific interface (example: public interface is eth0)
sudo ufw allow in on eth0 to any port 443 proto tcp

# Limit by source network
sudo ufw allow from 192.0.2.0/24 to any port 8443 proto tcp

Step 8. Rate Limiting (Brute-Force Throttling)

Limit SSH or API ports to slow down brute-force attempts without blocking legitimate users.

# Allow with rate limiting
sudo ufw limit 22/tcp
# Typical use: protect SSH or custom admin/API ports

Step 9. Logging and Monitoring

Enable logging to audit traffic decisions. Logs are usually written to /var/log/ufw.log or to syslog, depending on your distro.

# Turn on logging (low|medium|high|full)
sudo ufw logging on
sudo ufw logging medium

# Tail logs
sudo tail -f /var/log/ufw.log
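Two review passes over the [UFW BLOCK] lines that logging produces, added here as an example and not part of the guide: a per-source, per-port block count and a list of sources that hit many distinct ports. The log excerpt is constructed and trimmed to the kernel fields the functions use; both functions take any real ufw.log path as their first argument.

```shell
# Summarise [UFW BLOCK] lines: which sources are blocked most and on which
# ports, and which sources have probed many distinct ports. Added example,
# not from the guide; it runs over a constructed, trimmed log excerpt.

# ufw_block_summary LOGFILE [TOP]
# Prints "count src dport/proto" for [UFW BLOCK] lines, highest count first.
ufw_block_summary() {
    top=${2:-10}
    awk '/\[UFW BLOCK\]/ {
            src = ""; dpt = "-"; proto = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "SRC=") == 1)   src = substr($i, 5)
                if (index($i, "DPT=") == 1)   dpt = substr($i, 5)
                if (index($i, "PROTO=") == 1) proto = tolower(substr($i, 7))
            }
            if (src != "") count[src " " dpt "/" proto]++
        }
        END { for (k in count) print count[k], k }' "$1" | sort -rn | head -n "$top"
}

# ufw_scan_suspects LOGFILE [MIN_PORTS]
# Prints "src distinct_ports" for sources blocked on >= MIN_PORTS (default 5) ports.
ufw_scan_suspects() {
    min=${2:-5}
    awk -v min="$min" '/\[UFW BLOCK\]/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "SRC=") == 1) src = substr($i, 5)
                if (index($i, "DPT=") == 1) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' "$1" | sort
}

# Constructed ufw.log excerpt (kernel fields trimmed to the ones used above).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Jan 10 12:00:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.20 DST=198.51.100.5 PROTO=TCP SPT=54321 DPT=22
Jan 10 12:00:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.20 DST=198.51.100.5 PROTO=TCP SPT=54322 DPT=22
Jan 10 12:00:03 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.20 DST=198.51.100.5 PROTO=TCP SPT=54323 DPT=22
Jan 10 12:00:09 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.20 DST=198.51.100.5 PROTO=TCP SPT=54330 DPT=3306
Jan 10 12:01:00 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=21
Jan 10 12:01:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=23
Jan 10 12:01:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=25
EOF

ufw_block_summary "$LOG"
ufw_scan_suspects "$LOG" 3
```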

Step 10. IPv6 Support

If your server has IPv6, ensure UFW handles it. Edit the UFW defaults and enable IPv6.

sudo nano /etc/default/ufw
# Set:
IPV6=yes

# Then reload
sudo ufw reload
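A consistency check for the IPv6 side, added here as an example and not part of the guide: once IPV6=yes is set, every rule should exist in both address families, but rules added earlier while IPV6=no are stored only as IPv4 rules and are not mirrored when the setting changes. The function parses the To / Action / From table that ufw status prints (IPv6 rows carry a "(v6)" marker) and lists IPv4 "Anywhere" rules with no "(v6)" twin; SAMPLE_STATUS is a constructed sample.

```shell
# List IPv4 rules that have no IPv6 twin (the "IPv6 gaps" pitfall). Added
# example, not from the guide; it parses the "To / Action / From" table that
# "ufw status" (plain, verbose or numbered) prints, where IPv6 rules show "(v6)".

# ufw_v6_gaps STATUS_TEXT
# Prints "<To> <Action>" for every rule that applies to "Anywhere" over IPv4
# but has no "(v6)" counterpart; prints nothing when the two sets mirror.
ufw_v6_gaps() {
    printf '%s\n' "$1" | awk '
        / +(ALLOW|DENY|REJECT|LIMIT)( IN| OUT| FWD)? +/ {
            sub(/^\[ *[0-9]+\] +/, "")              # strip "ufw status numbered" prefix
            match($0, / +(ALLOW|DENY|REJECT|LIMIT)( IN| OUT| FWD)? +/)
            to = substr($0, 1, RSTART - 1)
            action = substr($0, RSTART, RLENGTH); gsub(/^ +| +$/, "", action)
            from = substr($0, RSTART + RLENGTH);  gsub(/ +$/, "", from)
            if (from == "Anywhere (v6)") { sub(/ \(v6\)$/, "", to); v6[to] = 1 }
            else if (from == "Anywhere") v4[to] = action
        }
        END { for (to in v4) if (!(to in v6)) print to, v4[to] }' | sort
}

# Constructed "ufw status" output: 443/tcp and 3306/tcp were added before
# IPv6 was turned on, 80/tcp afterwards, so only 80/tcp has a (v6) row.
SAMPLE_STATUS=$(cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       203.0.113.10
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3306/tcp                   DENY        Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
EOF
)

ufw_v6_gaps "$SAMPLE_STATUS"
```

On a live host run ufw_v6_gaps "$(sudo ufw status)"; each reported rule needs to be re-added (or deliberately kept IPv4-only).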

Step 11. Reset, Disable, and Recovery

# Disable temporarily
sudo ufw disable

# Reset to factory defaults (removes rules)
sudo ufw reset

# Reload after changes
sudo ufw reload

If you get locked out, use your cloud provider’s console or KVM to adjust rules or disable UFW.

Real World Server Scenarios

Web Server (LAMP/LEMP)

  • Allow 80/tcp and 443/tcp
  • Restrict SSH to your IP/subnet
  • Optionally allow 8080/8443 for admin panels if needed

sudo ufw allow "Nginx Full"
sudo ufw allow from 203.0.113.10 to any port 22 proto tcp

Database Server (Private Only)

  • Deny public access to 3306/5432
  • Allow only from app servers’ private IPs

sudo ufw deny 3306/tcp
sudo ufw allow from 10.0.0.10 to any port 3306 proto tcp

Mail Server (Secure Protocols Only)

  • Allow 25, 587, 993 (and 465 if used)
  • Block legacy insecure ports where possible

sudo ufw allow 25/tcp
sudo ufw allow 587/tcp
sudo ufw allow 993/tcp

UFW vs. iptables vs. firewalld

  • UFW: Easiest syntax on Ubuntu/Debian, perfect for most VPS and dedicated servers.
  • iptables: Granular control, steep learning curve. UFW writes iptables rules under the hood.
  • firewalld: Dynamic firewall (popular on RHEL/CentOS/Rocky/Alma). Zone-based, comparable features with different workflow.

If you prefer simplicity and run Ubuntu/Debian, UFW is a safe, efficient choice.

Common Pitfalls and Troubleshooting

  • Locking yourself out: Always allow SSH before enabling UFW. Consider whitelisting your IP.
  • Cloud firewalls: AWS Security Groups, Azure NSGs, GCP Firewall Rules, or provider-level firewalls can override/block traffic. Align them with UFW.
  • Docker interaction: Docker modifies iptables directly and can bypass UFW. Add rules to the DOCKER-USER chain or use a host-level firewall strategy that accounts for container networks. Test thoroughly.
  • Service not listening: Even if a port is allowed, the service must listen on the right interface (0.0.0.0 or specific IP).
  • IPv6 gaps: If you only configure IPv4 but IPv6 is active, services may remain exposed. Enable IPv6 in UFW and mirror rules.

Security Best Practices from the Trenches

  • Default deny incoming; allow only what you need.
  • Restrict SSH by source IP and consider key-based auth with fail2ban.
  • Limit admin panels (e.g., 8443, 8080) to office IPs or VPN only.
  • Use rate limiting on SSH and exposed APIs.
  • Enable logging and review regularly; integrate with centralized logging.
  • Document every allowed port and why it’s needed.
  • Review rules quarterly; remove legacy allowances.

When to Choose Managed Firewall and Hosting

If you’d rather not manage firewall rules or risk misconfiguration, consider a managed server or cloud instance. At YouStable, our hosting experts harden servers with sensible UFW defaults, restrict administrative ports, and continuously monitor your stack so your applications stay available and secure without extra operational overhead.

FAQs

Is UFW better than iptables for beginners?

Yes. UFW is a friendly wrapper over iptables with simpler commands, making it ideal for beginners and efficient for experienced admins. For specialized, low-level tuning, iptables is still available under the hood.

How do I allow a port range in UFW?

Use a colon-separated range and specify TCP/UDP, for example: sudo ufw allow 3000:3010/tcp or sudo ufw allow 60000:61000/udp. Only open ranges you truly need.

How can I block or ban an IP with UFW?

Use a deny rule from the source: sudo ufw deny from 203.0.113.20. To block a subnet: sudo ufw deny from 203.0.113.0/24. Combine with fail2ban for automated blocking of abusive hosts.

Does UFW work with Docker?

Docker modifies iptables directly and can bypass UFW rules. Use the DOCKER-USER chain to enforce host-level policies and ensure forwarding/bridge settings are correct. Always test container exposure with UFW enabled before production.

How do I check which services UFW can allow by name?

Run sudo ufw app list to see available application profiles (e.g., OpenSSH, Nginx Full). Then allow by name: sudo ufw allow "Nginx Full". Profiles are defined by packages you install and simplify common configurations.

Mastering how to use UFW on Linux server helps you enforce the principle of least privilege, reduce attack surface, and keep your stack resilient. Follow the steps above, audit regularly, and you’ll have a clean, maintainable firewall posture for production workloads.

Sanjeet Chauhan
