To configure UFW on a Linux server, install UFW, set default policies (deny incoming, allow outgoing), allow SSH, then enable the firewall. Add service rules (e.g., HTTP/HTTPS), verify with ufw status and external scans, and adjust advanced options like rate limiting and IPv6 as needed. This step-by-step 2026 guide shows you how.
If you want a simple, secure way to protect your server, learning how to configure UFW on a Linux server is a smart first step. UFW (Uncomplicated Firewall) is a user-friendly interface for iptables/nftables that lets you define allow/deny rules quickly without complex syntax—ideal for Ubuntu, Debian, and many cloud images.
In this beginner-friendly walkthrough, I’ll cover installation, safe activation (so you don’t lock yourself out), common service rules, advanced hardening, backups, automation, and troubleshooting—plus real-world tips from managing production servers at scale.
What Is UFW and Why Use It?
UFW (Uncomplicated Firewall) is a command-line firewall manager for Linux that simplifies iptables/nftables. It’s the default on Ubuntu and widely available on Debian and other distros. UFW makes it easy to open ports, restrict IPs, apply rate limiting, and manage IPv6 with human-readable commands.

Prerequisites and Safety Checklist
Before You Begin
- SSH access with sudo privileges
- Console/serial access via your cloud provider in case of lockout
- Server OS: Ubuntu 20.04/22.04/24.04 LTS, Debian 11/12, or compatible
- Confirm whether IPv6 is enabled on your host/network
- Know your critical services and ports (e.g., SSH 22, HTTP 80, HTTPS 443)
Check Current Firewall Status
sudo ufw status verbose
sudo iptables -S
sudo nft list ruleset 2>/dev/null
On modern Ubuntu/Debian, UFW often manages nftables under the hood. Don’t mix multiple firewalls at once unless you know what you’re doing.
Install and Enable UFW (Without Locking Yourself Out)
1) Install UFW
sudo apt update
sudo apt install ufw
2) Set Default Policies
Default policies define what happens when no explicit rule matches.
sudo ufw default deny incoming
sudo ufw default allow outgoing
3) Allow SSH Before Enabling
Always allow SSH first to avoid being locked out. If your SSH runs on a custom port, change 22 to that port.
sudo ufw allow 22/tcp
# Example for a custom port
# sudo ufw allow 2222/tcp
4) Enable UFW and Verify
sudo ufw enable
sudo ufw status numbered
sudo ufw status verbose
UFW persists across reboots automatically once enabled.
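Steps 1 through 4 as one re-runnable script, added here as an example (it is not part of the original guide): it reads the SSH port from sshd_config so a custom port is never forgotten, prints the planned ufw commands for review, and only executes them when DRY_RUN=0. It assumes an Ubuntu/Debian host with ufw already installed and sudo available; ufw-bootstrap.sh is a placeholder file name.

```shell
#!/bin/sh
# Added example, not from the original guide: steps 1-4 as one re-runnable script.
# Assumes Ubuntu/Debian with ufw installed and sudo available; ufw-bootstrap.sh is a
# placeholder file name.
set -eu

# sshd's listening port: last uncommented "Port" directive wins, 22 if none or unreadable.
# (Files pulled in via "Include" are not followed.)
detect_ssh_port() {
  cfg="${1:-/etc/ssh/sshd_config}"
  [ -r "$cfg" ] || { echo 22; return 0; }
  awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? 22 : p) }' "$cfg"
}

# Emit the ufw commands one per line so they can be read before anything runs.
# $1 = SSH port; remaining args = extra ports ("80/tcp") or app profiles ("Nginx Full").
plan_rules() {
  ssh_port="$1"; shift
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  # SSH is added before enable so the firewall never comes up without it;
  # "limit" allows the port and also rate-limits repeated connection attempts.
  echo "ufw limit ${ssh_port}/tcp comment 'SSH'"
  for svc in ${1+"$@"}; do
    echo "ufw allow '${svc}'"
  done
  echo "ufw --force enable"      # --force answers the "may disrupt existing ssh" prompt
  echo "ufw status verbose"
}

# Run the plan read from stdin. DRY_RUN=1 (the default) only prints each command.
apply_rules() {
  while IFS= read -r cmd; do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "[dry-run] $cmd"
    else
      sudo sh -c "$cmd"
    fi
  done
}

# Usage once saved as ufw-bootstrap.sh:  DRY_RUN=0 sh ufw-bootstrap.sh 80/tcp 443/tcp
case "$0" in
  *ufw-bootstrap.sh) plan_rules "$(detect_ssh_port)" ${1+"$@"} | apply_rules ;;
esac
```

Run it once with the default dry run, read the printed commands, then re-run with DRY_RUN=0 from a session you can recover via console.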
Essential UFW Commands and Concepts
Allow or Deny Ports and Services
# Allow common web services
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Deny a specific port explicitly
sudo ufw deny 25/tcp
Many distros ship with UFW application profiles for quick rules.
sudo ufw app list
sudo ufw allow "Nginx Full" # usually allows 80 and 443
sudo ufw allow "OpenSSH"
Delete or Reset Rules
# List with numbers
sudo ufw status numbered
# Delete by number
sudo ufw delete 3
# Reset to defaults (removes all rules)
sudo ufw reset
Enable Logging (for Auditing)
sudo ufw logging on
sudo ufw logging medium # off|low|medium|high|full
# Logs: /var/log/ufw.log (the kernel's [UFW BLOCK] lines, via rsyslog); journalctl -u ufw
# shows only the ufw service unit's start/stop messages, not blocked packets
Configure Common Services (Real-World Examples)
Web Server (HTTP/HTTPS)
# Generic:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Profile-based (if available):
sudo ufw allow "Nginx Full"
# or
sudo ufw allow "Apache Full"
DNS, Mail, and FTP
# DNS server (UDP 53, TCP 53)
sudo ufw allow 53
# SMTP (25), Submission (587), SMTPS (465), IMAPS (993), POP3S (995)
sudo ufw allow 25/tcp
sudo ufw allow 587/tcp
sudo ufw allow 465/tcp
sudo ufw allow 993/tcp
sudo ufw allow 995/tcp
# FTP (21) and passive range example
sudo ufw allow 21/tcp
sudo ufw allow 40000:50000/tcp
Limit Access to Specific IPs/Subnets
Restrict sensitive services (e.g., databases, admin panels) to trusted IPs only.
# Allow MySQL only from an office IP
sudo ufw allow from 203.0.113.10 to any port 3306 proto tcp
# Allow Postgres from a private subnet
sudo ufw allow from 10.0.0.0/24 to any port 5432 proto tcp
Per-Interface Rules (Multi-NIC Hosts)
# Allow service only on a specific interface
sudo ufw allow in on eth1 to any port 9200 proto tcp
Port Ranges and Protocols
# Port range
sudo ufw allow 2000:2100/tcp
# UDP example (VoIP, gaming, etc.)
sudo ufw allow 3478/udp
Advanced Hardening
Rate Limit Brute-Force Attempts
Rate limiting throttles repeated connection attempts. It’s ideal for SSH and APIs, but not a replacement for strong auth.
sudo ufw limit 22/tcp comment 'Rate-limit SSH'
# For a custom API port:
sudo ufw limit 8443/tcp
Enable and Verify IPv6
If your server has IPv6, ensure UFW manages it; otherwise you’ll leave IPv6 wide open.
# Check the IPv6 setting in /etc/ufw/ufw.conf
sudo grep -E '^IPV6=' /etc/ufw/ufw.conf
# Set: IPV6=yes
# Then reload:
sudo ufw disable && sudo ufw enable
sudo ufw status verbose
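A check added here (not from the original guide) for the advice to mirror IPv4 rules in IPv6: it parses ufw status output and lists IPv4 rules that have no "(v6)" counterpart, which is typically what you find for rules added while IPV6=no. SAMPLE_STATUS is a constructed listing; on a live host pipe the real output into the function instead.

```shell
# Added example, not from the original guide: find IPv4 rules with no IPv6 twin in
# "ufw status" output. SAMPLE_STATUS is constructed; on a real host use:
#   sudo ufw status | unpaired_v4_rules
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
5432/tcp                   ALLOW       10.0.0.0/24
22/tcp (v6)                LIMIT       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)'

# Print "To Action From" for each IPv4 rule lacking a matching (v6) rule. Rules whose
# source is a literal IPv4 address or prefix are skipped: those cannot have an IPv6 twin.
unpaired_v4_rules() {
  awk '
    /^(Status:|Logging:|Default:|New profiles:|To |--)/ || NF == 0 { next }
    {
      line = $0
      is6 = (line ~ /\(v6\)/)
      gsub(/ \(v6\)/, "", line)
      split(line, f, /  +/)              # columns are separated by runs of spaces
      if (f[3] ~ /:/) is6 = 1            # explicit IPv6 source carries no "(v6)" tag
      key = f[1] "|" f[2] "|" f[3]
      if (is6) v6[key] = 1; else v4[key] = 1
    }
    END {
      for (k in v4) {
        split(k, p, "|")
        if (p[3] ~ /^[0-9.]+(\/[0-9]+)?$/) continue
        if (!(k in v6)) print p[1], p[2], p[3]
      }
    }' | sort
}

printf '%s\n' "$SAMPLE_STATUS" | unpaired_v4_rules
```

Any line it prints is a rule you need to delete and re-add after setting IPV6=yes so that ufw writes the IPv6 copy as well.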
Docker Considerations
Docker manipulates iptables directly and can bypass UFW rules by default. Prefer publishing only required ports and consider Docker’s user-defined networks. If you need stricter control, explore DOCKER-USER chain policies or run a reverse proxy on the host and open only that port in UFW.
Outbound (Egress) Rules
Default outbound is allow. For locked-down environments, deny by default and allow specific destinations/ports.
# Restrictive egress model
sudo ufw default deny outgoing
sudo ufw allow out 53 # DNS
sudo ufw allow out 80/tcp # HTTP
sudo ufw allow out 443/tcp # HTTPS
# Allow outbound to a repository mirror only
sudo ufw allow out to 198.51.100.20 port 443 proto tcp
Back Up, Restore, and Automate
Backup and Restore UFW Rules
# Export a readable listing (the persisted rules themselves live in /etc/ufw/user.rules and user6.rules)
sudo ufw status numbered > ufw.rules.txt
sudo cp -a /etc/ufw/ /root/backup-ufw-$(date +%F)
# Restore (method: reapply commands or restore config dir)
# After restoring /etc/ufw/, reload:
sudo ufw disable && sudo ufw enable
Reset and Rebuild Safely
# Will remove existing rules; be sure you have console access
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw enable
Automate with Cloud-Init or Ansible
For consistency across fleets, codify UFW in provisioning scripts (cloud-init) or Ansible roles. Pre-bake images with locked defaults and least-privilege rules. If you host with YouStable, our managed server team can provision hardened images with UFW, fail2ban, and DDoS filtering tailored to your stack.
Testing and Troubleshooting
Test from a Remote Client
# From your workstation
nc -vz your.server.ip 22
nc -vz your.server.ip 80
# or use nmap
nmap -Pn -p 22,80,443 your.server.ip
# HTTP check
curl -I http://your.server.ip
Read Logs and System Journal
sudo tail -f /var/log/ufw.log
sudo journalctl -u ufw -n 200 --no-pager # service start/stop messages only; packet drops are kernel log lines (journalctl -k)
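An added example (not from the original guide) that turns those log lines into a quick summary: it counts [UFW BLOCK] and [UFW LIMIT BLOCK] entries per source and destination port, and flags sources that were dropped on several distinct ports. SAMPLE_LOG is a constructed excerpt in the format the kernel writes; on a real host feed /var/log/ufw.log into the functions instead.

```shell
#!/bin/sh
# Added example, not from the original guide: summarise what UFW is dropping.
# SAMPLE_LOG is a constructed excerpt in the format the kernel writes to /var/log/ufw.log;
# on a real host feed the file in instead:  sudo cat /var/log/ufw.log | summarize_blocks
SAMPLE_LOG='Mar  3 10:15:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=52 PROTO=TCP SPT=54321 DPT=3306 SYN URGP=0
Mar  3 10:15:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=52 PROTO=TCP SPT=54322 DPT=3306 SYN URGP=0
Mar  3 10:15:03 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=52 PROTO=TCP SPT=54323 DPT=3306 SYN URGP=0
Mar  3 10:15:04 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=52 PROTO=TCP SPT=54324 DPT=5432 SYN URGP=0
Mar  3 10:15:09 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TTL=48 PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Mar  3 10:15:30 web1 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.5 LEN=60 TTL=55 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Mar  3 10:15:31 web1 kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TTL=60 PROTO=TCP SPT=33000 DPT=443 SYN URGP=0
Mar  3 10:16:00 web1 systemd[1]: Started Uncomplicated firewall.'

# Print "count SRC DPT PROTO" for every dropped (source, port) pair, busiest first.
# Only [UFW BLOCK] and [UFW LIMIT BLOCK] lines count; allowed/audit lines are ignored.
summarize_blocks() {
  awk '/\[UFW (LIMIT )?BLOCK\]/ {
         src = ""; dpt = ""; proto = ""
         for (i = 1; i <= NF; i++) {
           split($i, kv, "=")
           if (kv[1] == "SRC") src = kv[2]
           else if (kv[1] == "DPT") dpt = kv[2]
           else if (kv[1] == "PROTO") proto = kv[2]
         }
         if (src != "") hits[src " " dpt " " proto]++
       }
       END { for (k in hits) print hits[k], k }' | sort -rn
}

# Print "distinct_ports SRC" for sources dropped on at least $1 different destination
# ports (default 5): one source touching many ports is the usual port-scan signature.
scanners() {
  awk -v min="${1:-5}" '/\[UFW (LIMIT )?BLOCK\]/ {
         src = ""; dpt = ""
         for (i = 1; i <= NF; i++) {
           split($i, kv, "=")
           if (kv[1] == "SRC") src = kv[2]
           else if (kv[1] == "DPT") dpt = kv[2]
         }
         if (src != "" && !seen[src, dpt]++) ports[src]++
       }
       END { for (s in ports) if (ports[s] >= min) print ports[s], s }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | summarize_blocks
printf '%s\n' "$SAMPLE_LOG" | scanners 2
```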
Common Mistakes
- Forgetting to allow SSH before enabling UFW
- Leaving IPv6 unmanaged while IPv6 is active
- Allowing services on the wrong interface or IP
- Conflicts with cloud security groups or host-based firewalls
- Docker-published ports bypassing expected policy
Rollback Plan
# Temporarily disable if you lock yourself out (via console)
sudo ufw disable
# Or remove a bad rule by number
sudo ufw status numbered
sudo ufw delete <number>
UFW vs. iptables/nftables (Pros and Cons)
- Pros of UFW: Simple syntax, safer defaults, IPv6 support, profiles for common apps, quick auditing.
- Cons of UFW: Less granular than raw nftables/iptables for complex NAT/forwarding; Docker interactions need care.
- Tip: Use UFW for host firewalls; consider raw nftables/iptables only for complex networking, routers, or advanced containers.
Best Practices and Real-World Tips
- Define your intended exposure first: only open what the application strictly needs.
- Pin admin services to office IPs or VPN subnets; never expose databases publicly.
- Enable IPv6 management and mirror your IPv4 rules in IPv6.
- Use ufw limit for SSH and API endpoints to slow brute-force attempts.
- Review ufw status and logs regularly; integrate with monitoring/alerts.
- Document your ruleset and automate it with config management.
- If using Docker, prefer a reverse proxy (Nginx/Traefik) and open only 80/443 on the host.
- Coordinate UFW with cloud security groups to avoid confusion.
FAQs: Configure UFW on Linux Server
Is UFW better than iptables or nftables?
UFW is not “better” but easier. It’s a front-end that abstracts iptables/nftables into simple commands. For most hosts, UFW is sufficient and safer. For complex routing, NAT, or container networks, raw nftables/iptables may be preferable.
How do I allow only my IP to access a port?
Use a source restriction. Example: sudo ufw allow from 203.0.113.10 to any port 5432 proto tcp. Replace the IP and port with your own values. This is ideal for admin panels and databases.
How can I reset UFW to factory defaults?
Run sudo ufw reset, then re-apply defaults and required rules: sudo ufw default deny incoming, sudo ufw default allow outgoing, sudo ufw allow 22/tcp, and sudo ufw enable. Use console access to avoid lockouts.
Does UFW work with Docker?
Yes, but Docker manages iptables rules directly. Published container ports can bypass expected host rules. Limit published ports, use reverse proxies, and, if needed, enforce policies via the DOCKER-USER chain or dedicated firewall rules.
How do I check if IPv6 is protected by UFW?
Open /etc/ufw/ufw.conf and ensure IPV6=yes. Then sudo ufw disable and sudo ufw enable. Verify with sudo ufw status verbose. Mirror your IPv4 rules in IPv6 if your server uses IPv6 addresses.