To set up UFW on a Linux server, install UFW, set default policies (deny incoming, allow outgoing), allow SSH, enable UFW, and then add rules for services. Typical steps: apt install ufw, ufw default deny incoming, ufw default allow outgoing, ufw allow OpenSSH, ufw enable, ufw status verbose. This closes every port except the ones you explicitly open, while keeping required access available.
In this guide, you’ll learn how to set up UFW on a Linux server from scratch. We’ll cover installation, safe activation over SSH, essential rules for web stacks, IPv6, logging, Docker/cloud nuances, troubleshooting, and best practices.
By the end, you’ll have a secure, production-ready UFW firewall built from simple, reliable commands.
What is UFW and Why Use It?
UFW (Uncomplicated Firewall) is a user-friendly front end for the kernel’s netfilter firewall: it generates the iptables/ip6tables rules for you from readable commands like allow, deny, and limit. UFW ships with Ubuntu/Debian but is packaged for other distributions too. It’s ideal when you want predictable, auditable network rules without hand-writing raw iptables syntax.
Prerequisites
- Linux server with sudo privileges (Ubuntu/Debian, or compatible)
- Console or SSH access (ensure you know your SSH port)
- List of services and ports to allow (e.g., SSH 22, HTTP 80, HTTPS 443)
- Optional: Public IPs that should be allowlisted (e.g., your office or VPN egress address)
Install and Enable UFW (Safely Over SSH)
1) Install UFW
On Ubuntu and Debian, UFW usually ships preinstalled. If not, install it:
sudo apt update
sudo apt install ufw
2) Set Default Policies
Lock down inbound traffic by default and allow all outbound traffic so your server can reach updates and APIs.
sudo ufw default deny incoming
sudo ufw default allow outgoing
3) Allow SSH Before Enabling
If you’re connected via SSH, you must allow it first to avoid locking yourself out. If you use the default port, use the OpenSSH application profile (it exists once openssh-server is installed; check with sudo ufw app list):
sudo ufw allow OpenSSH
# or explicitly:
# sudo ufw allow 22/tcp
For a custom SSH port (e.g., 22022/tcp):
sudo ufw allow 22022/tcp
4) Enable UFW and Verify
Enable UFW. You’ll be warned that enabling may disrupt existing SSH connections; that is safe to confirm only because the SSH rule is already in place.
sudo ufw enable
sudo ufw status verbose
Status should show that UFW is active with your default policies and SSH rule.
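The whole bootstrap above as one script, added here as a worked example (it is not code from the original article). The lockout-prone step is knowing which port sshd actually listens on, so the script reads it from sshd_config-style text rather than assuming 22, builds the commands in the order they must run, and only executes them when APPLY=1. It assumes bash, the "Port N" syntax of sshd_config, and the "Nginx Full" profile from /etc/ufw/applications.d; the sshd_config fragment at the bottom is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): a lockout-safe UFW bootstrap.
# Assumptions: bash, sshd_config "Port N" syntax, and the "Nginx Full" profile
# from /etc/ufw/applications.d. SAMPLE_SSHD_CONFIG below is constructed data.
set -u

# Print the SSH port(s) declared in sshd_config text on stdin, one per line.
# Falls back to 22 when no uncommented "Port" line exists (sshd's default).
ssh_ports_from_config() {
  local ports
  ports=$(awk '/^[[:space:]]*#/ { next } tolower($1) == "port" { print $2 }' | sort -un)
  if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

# Emit the ufw commands in the order they must run: defaults, then a
# rate-limited SSH rule for every port given as an argument (limit implies
# allow), then services, then enable. Each rule carries a comment so that
# "ufw status" documents itself.
ufw_plan() {
  local p
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  for p in "$@"; do
    echo "ufw limit ${p}/tcp comment 'ssh'"
  done
  echo "ufw allow 'Nginx Full' comment 'web'"
  echo "ufw --force enable"    # --force skips the interactive confirmation
  echo "ufw status verbose"
}

# Execute a plan read from stdin. Dry-run by default; APPLY=1 runs it via sudo.
ufw_apply() {
  local cmd
  while IFS= read -r cmd; do
    if [ "${APPLY:-0}" = "1" ]; then
      eval "sudo $cmd"
    else
      echo "[dry-run] $cmd"
    fi
  done
}

# Constructed sshd_config fragment: the default port is commented out and a
# custom one is active, which is exactly the situation that causes lockouts.
SAMPLE_SSHD_CONFIG='# Port 22
Port 22022
PermitRootLogin no'

ssh_ports=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | ssh_ports_from_config)
# shellcheck disable=SC2086  # splitting on newlines is intended here
ufw_plan $ssh_ports | ufw_apply
```

On a live host, feed the real configuration instead of the sample: ssh_ports_from_config < /etc/ssh/sshd_config, or, better, sudo sshd -T | ssh_ports_from_config, since sshd -T prints the effective settings including anything pulled in by Include directives. Review the dry-run output, then rerun with APPLY=1.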
Allow and Deny Common Services
Use Application Profiles (Service Names)
UFW has two kinds of names: application profiles, shipped by packages into /etc/ufw/applications.d (OpenSSH, Nginx Full, ...), and plain service names from /etc/services (ufw allow http, ufw allow ssh), which resolve to a single port. List the available profiles:
sudo ufw app list
Allow web traffic:
sudo ufw allow "Nginx Full" # 80 and 443
# or for Apache:
# sudo ufw allow "Apache Full"
Allow Specific Ports and Ranges
Allow explicit ports, always with a protocol so you do not open UDP when you only meant TCP:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 53/udp # only if this host is itself a DNS server
Allow a port range (e.g., for passive FTP or custom apps):
sudo ufw allow 30000:31000/tcp
Restrict Access by IP or Subnet
Expose databases or admin panels only to trusted IPs:
# Allow MySQL only from a single IP
sudo ufw allow from 203.0.113.10 to any port 3306 proto tcp
# Allow PostgreSQL from a subnet
sudo ufw allow from 10.0.0.0/24 to any port 5432 proto tcp
# Allow Redis only from an internal host
sudo ufw allow from 10.1.2.3 to any port 6379 proto tcp
Limit SSH to Throttle Brute-Force
Use rate limiting for SSH (and similar services). limit implies allow, but UFW additionally denies new connections from a source address that has attempted 6 or more connections in the last 30 seconds (the defaults of the underlying iptables recent module). Hits are logged as [UFW LIMIT BLOCK].
sudo ufw limit OpenSSH
Alternatively, specify the port explicitly (replace 22 if using a nonstandard port):
sudo ufw limit 22/tcp
Managing UFW Rules Effectively
View Rules (Human-Friendly and Numbered)
Check current rules in order of evaluation:
sudo ufw status numbered
sudo ufw status verbose
Delete, Insert, or Deny Rules
Delete by rule number to avoid typos. Numbers shift after every deletion, so when removing several rules delete the highest number first and re-run ufw status numbered before the next one:
# Example: delete rule #3
sudo ufw delete 3
Deny traffic explicitly (useful for blocking attackers). UFW evaluates rules in order and the first match wins, so a deny appended after an existing allow for the same port never fires; insert the block at position 1 instead:
# Block a single IP on all ports, ahead of every allow rule
sudo ufw insert 1 deny from 198.51.100.77
# Block an IP to a specific port
sudo ufw insert 1 deny from 198.51.100.77 to any port 22
Control Outgoing Traffic (Egress Rules)
If you need to restrict what your server can call out to (compliance, zero trust), set outgoing to deny and then allow selectively. Do this from a console or with a tested rule set: a default deny on egress also stops apt, NTP, DNS, and monitoring agents until each has a rule.
sudo ufw default deny outgoing
sudo ufw allow out 53/udp # DNS (add 53/tcp if your resolver returns large answers)
sudo ufw allow out 123/udp # NTP
sudo ufw allow out 80,443/tcp # HTTP/HTTPS (package mirrors, APIs)
sudo ufw allow out to 203.0.113.20 port 5432 proto tcp # egress to a DB
IPv6, Logging, and Advanced Settings
Enable IPv6 Support
Ensure UFW manages IPv6 as well as IPv4. IPV6=yes is the default on Ubuntu; verify it in /etc/default/ufw, because with IPV6=no UFW leaves ip6tables untouched and every service is reachable over IPv6 regardless of your rules:
sudo nano /etc/default/ufw
# Set:
IPV6=yes
A change to IPV6 takes effect only after disabling and re-enabling UFW (a plain reload is not enough):
sudo ufw disable && sudo ufw enable
Adjust Logging
UFW can log blocked and allowed packets. Levels: off, low, medium, high, full. low logs blocked packets (rate-limited) plus anything matched by rules created with the log keyword; medium adds allowed packets that needed an explicit rule, invalid packets, and new connections; high and full log all packets, full without any rate limiting, so they are for short debugging sessions only. The entries are kernel messages tagged [UFW BLOCK], [UFW LIMIT BLOCK], [UFW ALLOW] or [UFW AUDIT]; rsyslog writes them to /var/log/ufw.log, and on journal-only systems journalctl -k shows them.
sudo ufw logging medium
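Once logging is on, the useful question is who is being blocked and on which ports. The script below is an added example (not from the original article) that summarises UFW block events from kernel log lines and lists sources above a threshold, which is the input you need for the deny and limit rules described above. It assumes the standard "[UFW BLOCK] ... SRC=... PROTO=... DPT=..." line format that UFW’s LOG rules produce; the log lines at the bottom are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): summarise UFW block events.
# Assumes the "[UFW BLOCK] ... SRC=... PROTO=... DPT=..." line format written
# by UFW's LOG rules. SAMPLE_UFW_LOG is constructed data, not a real capture.
set -u

# Count blocked packets per source / destination port / protocol, most
# frequent first. "[UFW BLOCK]" and "[UFW LIMIT BLOCK]" (rate-limit hits)
# both count; "[UFW ALLOW]" and "[UFW AUDIT]" lines are ignored.
ufw_block_summary() {
  awk '
    /\[UFW (LIMIT )?BLOCK\]/ {
      src = ""; dpt = "-"; proto = "-"
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
      }
      if (src != "") count[src " " dpt " " proto]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2,2
}

# Print sources with at least $1 blocked packets (default 10), one per line,
# in a form you can feed straight into "ufw insert 1 deny from <ip>".
ufw_noisy_sources() {
  local threshold=${1:-10}
  awk -v t="$threshold" '
    /\[UFW (LIMIT )?BLOCK\]/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
    }
    END { for (s in n) if (n[s] >= t) print s }
  ' | sort
}

# Constructed log lines in the format UFW writes through the kernel log.
SAMPLE_UFW_LOG='Mar  3 10:15:22 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=02:42:ac:11:00:02:52:54:00:12:34:56:08:00 SRC=198.51.100.77 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:23 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=02:42:ac:11:00:02:52:54:00:12:34:56:08:00 SRC=198.51.100.77 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=54322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:24 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=02:42:ac:11:00:02:52:54:00:12:34:56:08:00 SRC=198.51.100.77 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=54323 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:25 web01 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=02:42:ac:11:00:02:52:54:00:12:34:56:08:00 SRC=198.51.100.77 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=54324 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:16:01 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=02:42:ac:11:00:02:52:54:00:12:34:56:08:00 SRC=192.0.2.9 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:16:30 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=02:42:ac:11:00:02:52:54:00:12:34:56:08:00 SRC=203.0.113.9 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=5000 DPT=161 LEN=40
Mar  3 10:17:00 web01 kernel: [UFW ALLOW] IN=eth0 OUT= MAC=02:42:ac:11:00:02:52:54:00:12:34:56:08:00 SRC=203.0.113.20 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0'

printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_block_summary
```

On a real host, run it over the log instead of the sample: ufw_block_summary < /var/log/ufw.log, or journalctl -k --since today | ufw_noisy_sources 50. Treat the output as a prompt for investigation rather than an automatic blocklist; a NATed office or a scanner you run yourself will show up just as prominently as an attacker.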
Port Forwarding and NAT
UFW loads raw iptables rules from /etc/ufw/before.rules (and before6.rules for IPv6), so NAT is configured there. Two cases behave differently:
- Redirecting to another port on the same host (e.g. external :80 to local :8080) only needs a *nat section; the packet is still delivered locally, so the forward policy is irrelevant.
- DNAT to another host or a container is real forwarding: it needs net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf, and either DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw or, tighter, the default DROP plus explicit route rules (sudo ufw route allow proto tcp to 10.0.1.20 port 8080).
# Only for DNAT to another host/container: enable forwarding
sudo nano /etc/default/ufw
# Change:
DEFAULT_FORWARD_POLICY="ACCEPT"
# Add a *nat section to /etc/ufw/before.rules. It is a separate table, so it needs its own COMMIT line; put it above the existing *filter section:
sudo nano /etc/ufw/before.rules
# Example (IPv4):
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Redirect external :80 to local :8080
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
# DNAT variant to a backend host instead (assumes eth0 is the public interface):
# -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.20:8080
# -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Reload UFW
sudo ufw reload
After a REDIRECT the packet reaches the filter rules with destination port 8080, so allow 8080 (sudo ufw allow 8080/tcp), not 80. With DNAT the traffic is checked in the FORWARD chain instead, which is what the route rules or the forward policy govern.
UFW with Docker and Cloud Firewalls
Docker Considerations
Docker manipulates iptables directly and bypasses UFW for published ports: a port published with -p is accepted in the FORWARD chain by Docker’s own rules, so UFW’s INPUT rules never see it and sudo ufw deny 8080 does not close it. Best practices:
- Publish only the ports you need, and bind the ones that are not meant to be public to a private address (e.g. -p 127.0.0.1:8080:8080 or -p 10.0.0.5:8080:8080).
- Use the DOCKER-USER chain, which Docker evaluates before its own rules, for global restrictions such as limiting container access to a subnet.
- Avoid --iptables=false unless you fully manage the Docker chains yourself.
# Example: allow only 10.0.0.0/24 to reach published Docker ports arriving on eth0
# (eth0 is assumed to be the public interface; substitute your own)
# First let replies to connections the containers opened themselves pass through
sudo iptables -I DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
# Then drop anything else arriving on eth0 that is not from the trusted subnet
sudo iptables -I DOCKER-USER 2 -i eth0 ! -s 10.0.0.0/24 -j DROP
Rules added with iptables by hand do not survive a reboot. To persist them, put them in a *filter section of /etc/ufw/after.rules, declaring the chain first with :DOCKER-USER - [0:0] so the file loads even when Docker starts later than UFW. Recheck with sudo iptables -L DOCKER-USER -n after Docker updates, as Docker may alter its chains on restart.
Cloud Providers (AWS, GCP, Azure)
Cloud firewall layers (Security Groups, VPC firewall rules, NSGs) apply before traffic reaches your VM, so a port must be open at both layers to be reachable: opening 443 in UFW won’t help if the AWS Security Group still blocks it, and conversely a port open in the Security Group but not in UFW is still closed. Keep the two in sync, and use the cloud layer for the coarse perimeter and UFW for host-specific rules such as per-IP database access.
Testing and Troubleshooting
Test Open Ports
From a remote machine, use nmap to verify exposure:
nmap -Pn -p 22,80,443 your.server.ip
On the server, confirm listeners:
ss -tulpn | grep -E ':22|:80|:443'
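The two commands above answer different questions, and comparing them is what finds mistakes. The script below is an added example (not from the original article) that reconciles sockets bound to all interfaces (from ss -tulpn) with UFW’s inbound allow rules (from ufw status). It reports services listening on a wildcard address with no allow rule (blocked by the default policy, which may or may not be intended) and allow rules with nothing listening behind them (stale rules worth deleting, or a daemon bound to loopback when you expected remote access). It assumes the column layouts shown in the constructed samples; rules displayed by profile name are flagged for manual expansion with ufw app info rather than parsed.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): reconcile listening sockets
# with UFW inbound rules. Assumes the "ss -tulpn" and "ufw status" column
# layouts shown in the constructed samples below (SAMPLE_SS, SAMPLE_UFW).
set -u
export LC_ALL=C   # stable sort order for the set comparisons

# "port/proto" for every socket bound to 0.0.0.0, * or [::] in ss -tulpn
# output on stdin. Loopback- or address-specific binds are left out.
wildcard_listeners() {
  awk 'NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
         n = split($5, a, ":"); port = a[n]
         host = substr($5, 1, length($5) - length(port) - 1)
         if (host == "0.0.0.0" || host == "*" || host == "[::]") print port "/" $1
       }' | sort -u
}

# "port/proto" for every inbound ALLOW/LIMIT rule in ufw status output on
# stdin. Comma lists are expanded, a rule without a protocol covers tcp and
# udp, "(v6)" duplicates are skipped, port ranges are kept as written, and
# rules shown by profile name go to stderr (expand them with: ufw app info).
ufw_allowed_inbound() {
  awk '/[[:space:]](ALLOW|LIMIT)([[:space:]]|$)/ && !/(ALLOW|LIMIT) OUT/ && !/\(v6\)/ {
         to = $0
         sub(/[[:space:]]+(ALLOW|LIMIT).*$/, "", to)
         if (to !~ /^[0-9]/) { print "profile rule, expand with ufw app info: " to > "/dev/stderr"; next }
         proto = ""; ports = to
         if (to ~ /\//) { split(to, t, "/"); ports = t[1]; proto = t[2] }
         n = split(ports, p, ",")
         for (i = 1; i <= n; i++) {
           if (proto == "") { print p[i] "/tcp"; print p[i] "/udp" } else print p[i] "/" proto
         }
       }' | sort -u
}

# Lines of $1 that do not occur in $2 (both newline-separated).
set_diff() {
  printf '%s\n' "$1" | B="$2" awk '
    BEGIN { n = split(ENVIRON["B"], arr, "\n"); for (i = 1; i <= n; i++) seen[arr[i]] = 1 }
    NF && !($0 in seen)'
}

# $1 = ss -tulpn text, $2 = ufw status text
listening_not_allowed() {
  set_diff "$(printf '%s\n' "$1" | wildcard_listeners)" "$(printf '%s\n' "$2" | ufw_allowed_inbound)"
}
allowed_not_listening() {
  set_diff "$(printf '%s\n' "$2" | ufw_allowed_inbound)" "$(printf '%s\n' "$1" | wildcard_listeners)"
}

# Constructed samples: mysqld is bound to loopback only, node_exporter and the
# DHCP client listen on all interfaces, and UFW allows 443 with nothing behind it.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22022     0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      511             [::]:80           [::]:*     users:(("nginx",pid=1201,fd=7))
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*     users:(("mysqld",pid=1402,fd=21))
tcp   LISTEN 0      128          0.0.0.0:9100      0.0.0.0:*     users:(("node_exporter",pid=1500,fd=3))
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=700,fd=6))'
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22022/tcp                  LIMIT       Anywhere
80,443/tcp                 ALLOW       Anywhere
3306/tcp                   ALLOW       10.0.1.50
22022/tcp (v6)             LIMIT       Anywhere (v6)
80,443/tcp (v6)            ALLOW       Anywhere (v6)'

echo "listening on all interfaces, not allowed by UFW:"
listening_not_allowed "$SAMPLE_SS" "$SAMPLE_UFW"
echo "allowed by UFW, nothing listening:"
allowed_not_listening "$SAMPLE_SS" "$SAMPLE_UFW"
```

On a live host call it with the real outputs: listening_not_allowed "$(ss -tulpn)" "$(sudo ufw status)". In the sample, 9100/tcp and 68/udp are listening but blocked (decide whether node_exporter should be reachable from your monitoring subnet, and bind it there if so), while the 3306/tcp rule for 10.0.1.50 is useless until mysqld binds to a routable address, and 443/tcp is open for a TLS listener that does not exist yet.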
Avoiding Lockouts and Common Errors
- Always allow SSH first, then enable UFW.
- Use a console or out-of-band access (VPS panel, IPMI) for recovery.
- Keep IPV6=yes if your server has an IPv6 address; with IPV6=no, UFW does not touch ip6tables at all, so every service is reachable over IPv6 regardless of your rules.
- Check rule order: UFW evaluates rules top to bottom and the first match wins. Use ufw status numbered to see the order and ufw insert <n> to place a rule ahead of others.
- If something breaks, check /var/log/ufw.log (or journalctl -k | grep UFW on journal-only systems); journalctl -u ufw only tells you whether the service loaded its rules at boot.
Reset and Start Over (If Needed)
You can reset UFW to defaults and reapply rules cleanly. ufw reset disables the firewall, removes all rules, and keeps timestamped backups of the old rule files in /etc/ufw, so the previous state can be recovered:
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw enable
Best-Practice Rule Set for Web Servers
- Deny all incoming, allow all outgoing.
- Allow SSH (rate-limited), restrict by source IP if possible.
- Allow HTTP/HTTPS for web traffic.
- Restrict databases, admin panels, and internal services to known IPs or private subnets.
- Enable logging at medium level and audit monthly.
- Document each rule with its purpose and ticket/reference.
- Back up UFW rules before making changes:
sudo cp -a /etc/ufw /root/backup-ufw-$(date +%F)
UFW vs. firewalld vs. raw iptables: When to Choose What
- Choose UFW when you want simplicity, readable commands, and quick setup on Ubuntu/Debian.
- Choose firewalld if you’re on RHEL/CentOS/Alma/Rocky and prefer zone-based management and native tooling.
- Choose raw iptables/nftables for complex, large-scale, or performance-sensitive policies with custom chains and hooks.
Real World Example: Minimal Hardened UFW for LEMP/LAMP
# Defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing
# SSH on a custom port, rate-limited (limit implies allow, so no separate allow rule is needed)
sudo ufw limit 22022/tcp comment 'ssh'
# Web (use "Apache Full" for a LAMP stack)
sudo ufw allow "Nginx Full"
# DB restricted to the app server
sudo ufw allow from 10.0.1.50 to any port 3306 proto tcp comment 'mysql from app01'
# Cache restricted to the internal subnet
sudo ufw allow from 10.0.2.0/24 to any port 6379 proto tcp comment 'redis internal'
# IPv6 on and logging (the IPV6 change is picked up by the enable below)
sudo sed -i 's/^IPV6=.*/IPV6=yes/' /etc/default/ufw
sudo ufw logging medium
# Enable and verify
sudo ufw enable
sudo ufw status verbose
Why This Matters for Hosting (and How YouStable Helps)
Firewall hygiene is a foundational control for uptime and security. At YouStable, our managed VPS and dedicated servers ship with secure defaults, and our team can pre-configure UFW for your stack (web, database, cache, container orchestration) so you start production-ready. Need custom egress whitelists, IPv6 hardening, or Docker-aware policies? We’ll apply and test them for you.
FAQs
1. Do I need UFW if I already use a cloud firewall?
Yes. Cloud firewalls filter traffic before it reaches the instance, while UFW protects the server locally. Using both provides defense-in-depth and lets you isolate internal services by IP even within your VM.
2. How do I open multiple ports at once in UFW?
You can specify multiple ports separated by commas for the same protocol: sudo ufw allow 80,443/tcp. For mixed protocols, create separate rules. For ranges, use 10000:10100/tcp.
3. What’s the difference between allow and limit in UFW?
allow simply permits traffic. limit permits it too but rate-limits repeated connection attempts: by default, a source that has opened 6 or more connections within 30 seconds is denied further new connections, which blunts brute-force attacks on services like SSH.
4. How can I see which application profiles are available?
Run sudo ufw app list. You’ll see profiles like OpenSSH, Nginx Full, Apache Full, etc., defined in /etc/ufw/applications.d. Use them to allow the correct ports without memorizing numbers.
5. Will enabling UFW interrupt my SSH session?
It can if SSH isn’t allowed first. Always run sudo ufw allow OpenSSH (or your custom port) before sudo ufw enable. If you do get locked out, use your provider’s console to revert or reset UFW.
By following this step-by-step guide, you’ve learned how to set up UFW on a Linux server with production-grade settings. Keep rules minimal, log and review regularly, and coordinate with your cloud firewall.
If you want expert help and hardened defaults out of the box, YouStable can configure and monitor UFW for your exact workload.