How to Install UFW on Linux Server (Step-by-Step Guide 2026)

To install UFW on a Linux server, update your packages, install the ufw package, set default policies (deny incoming, allow outgoing), allow SSH, and enable the firewall. UFW (Uncomplicated Firewall) is a beginner-friendly interface for iptables/nftables that helps you quickly secure open ports while keeping essential services reachable.

Securing a fresh Linux machine should start with a firewall. In this guide, you’ll learn how to install UFW on Linux servers (Ubuntu/Debian and RHEL-based systems), configure safe defaults, open necessary ports, and apply best practices used in production hosting. I’ll share practical steps, real-world tips, and common pitfalls to avoid.

What is UFW and Why Use it?

UFW (Uncomplicated Firewall) is a command-line tool that simplifies Linux firewall management. It provides readable syntax on top of iptables/nftables, making it easier to define rules like “allow SSH” or “allow 443/tcp.” It’s especially popular on Ubuntu servers, but also available on Debian and RHEL derivatives via EPEL.

Why choose UFW?

  • Beginner-friendly syntax and predictable defaults
  • Quick open/close of ports and services
  • Supports IPv4 and IPv6
  • Profiles for common apps (Nginx, Apache, OpenSSH)
  • Works well on VPS, dedicated servers, and on-prem hosts

Prerequisites and Safety Checklist

Before you install UFW on a Linux server, confirm these prerequisites. They keep you from locking yourself out, especially on remote VPS instances.

  • SSH access with sudo privileges
  • Service ports you must keep open (e.g., 22/SSH, 80/HTTP, 443/HTTPS)
  • Cloud firewall/security groups aligned with your plan (AWS, GCP, Azure)
  • Console/serial access as a failsafe (offered by most hosting providers)

Golden rule: Always allow SSH before enabling UFW.

How to Install UFW on Ubuntu and Debian

Ubuntu ships UFW in its main repositories and often has it pre-installed. If not, install it using apt.

sudo apt update
sudo apt install ufw -y

# Check status (should be inactive before you configure it)
sudo ufw status verbose

Set safe defaults, allow SSH, then enable UFW:

# Deny unsolicited inbound, allow all outbound
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (use application profile or port)
sudo ufw allow OpenSSH
# or
sudo ufw allow 22/tcp

# Enable the firewall
sudo ufw enable

# Verify
sudo ufw status numbered
sudo ufw status verbose

On Debian, the commands are identical. Ensure your package lists are up to date and that you permit SSH prior to enabling.
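
The golden rule above can be checked mechanically before the firewall is switched on. This added example (not part of the original article) reads the output of `ufw show added` and only runs `ufw enable` when an allow or limit rule covers the SSH port; the function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: enable UFW only if a rule already admits SSH.

# ssh_rule_present PORT   (stdin: output of `ufw show added`)
# Returns 0 when an allow/limit rule admits TCP traffic to PORT.
# A source-restricted rule counts; confirm the source is really yours.
ssh_rule_present() {
    awk -v port="$1" '
        $1 != "ufw" { next }                       # header line or "(None)"
        $2 != "allow" && $2 != "limit" { next }    # deny/reject never help
        {
            rule = " "
            for (i = 3; i <= NF; i++) rule = rule $i " "
            if (rule ~ /\/udp / || rule ~ / proto udp /) next
            if (port == "22" && rule ~ / OpenSSH /) ok = 1     # stock profile = 22/tcp
            if (rule ~ ("^ " port "(/tcp)? $")) ok = 1         # ufw allow 22/tcp
            if (rule ~ (" to any port " port " ")) ok = 1      # ufw allow from ... port 22
        }
        END { exit (ok ? 0 : 1) }
    '
}

# safe_enable: hypothetical wrapper; needs root, sshd and ufw on the host.
safe_enable() {
    port=$(sshd -T 2>/dev/null | awk '$1 == "port" { print $2; exit }')
    port=${port:-22}
    if ufw show added | ssh_rule_present "$port"; then
        ufw --force enable
    else
        echo "refusing to enable: no allow/limit rule for SSH port $port" >&2
        return 1
    fi
}

# Constructed sample in the format `ufw show added` prints.
SAMPLE_RULES="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow 443/tcp
ufw limit 2222/tcp
ufw allow 22/udp
ufw deny 22/tcp"

if printf '%s\n' "$SAMPLE_RULES" | ssh_rule_present 2222; then
    echo "port 2222: covered"
fi
```

On a real host, run `safe_enable` as root in place of `sudo ufw enable`.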

How to Install UFW on RHEL, CentOS, AlmaLinux, and Rocky

RHEL-based distributions typically use firewalld by default. You can still use UFW by installing it from the EPEL repository. Decide whether to switch from firewalld to UFW; do not run them simultaneously.

# Enable EPEL
sudo dnf install epel-release -y
# Install UFW
sudo dnf install ufw -y

# Stop and disable firewalld if you intend to use UFW instead
sudo systemctl stop firewalld
sudo systemctl disable firewalld

# Enable UFW service at boot on some RHEL-based systems
sudo systemctl enable ufw

# Configure and enable as usual
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw enable
sudo ufw status verbose

If you prefer to keep firewalld (recommended for native RHEL environments), you can skip UFW and configure firewalld directly. The choice is a matter of preference; both manage nftables/iptables under the hood.

Essential UFW Configuration Steps

After you install UFW on your Linux server, apply these core configurations to secure the machine while preserving functionality.

Set Default Policies and Enable

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status

Allow Common Services (Web, Mail, Databases)

Open only what you need. For web servers:

# HTTP and HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Alternatively, use application profiles if present
sudo ufw app list
sudo ufw allow "Nginx Full"   # opens 80 and 443
sudo ufw allow "Apache Full"

For databases (never expose publicly unless required):

# MySQL/MariaDB (3306) - ideally restrict to specific hosts
sudo ufw allow from 203.0.113.10 to any port 3306 proto tcp

# PostgreSQL (5432)
sudo ufw allow from 203.0.113.10 to any port 5432 proto tcp

Allow a Non-Standard SSH Port

If you run SSH on a custom port (e.g., 2222), allow it and remove port 22 access if unused.

sudo ufw allow 2222/tcp
# Optional: deny default 22 if not used
sudo ufw delete allow 22/tcp
sudo ufw reload

Allow Only Specific IPs or Subnets

Limit access to administrative ports by source IP to reduce attack surface.

# Restrict SSH to an office IP
sudo ufw allow from 198.51.100.25 to any port 22 proto tcp

# Allow a whole subnet (CIDR)
sudo ufw allow from 203.0.113.0/24 to any port 22 proto tcp

Port Ranges and Protocols

# Allow a TCP port range (e.g., passive FTP 40000-40100)
sudo ufw allow 40000:40100/tcp

# Allow UDP (e.g., DNS, WireGuard)
sudo ufw allow 53/udp
sudo ufw allow 51820/udp

Managing and Auditing UFW Rules

Keep your ruleset minimal and auditable. These commands help you maintain order.

# List current rules with numbers
sudo ufw status numbered

# Delete a rule by number
sudo ufw delete 3

# Disable or re-enable UFW
sudo ufw disable
sudo ufw enable

# Reload after changes
sudo ufw reload

# Reset to factory defaults (use with caution)
sudo ufw reset

For backups, copy UFW user rule files:

sudo cp /etc/ufw/user.rules ~/user.rules.backup
sudo cp /etc/ufw/user6.rules ~/user6.rules.backup
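
A ruleset stays auditable when the audit is repeatable. This added example (not part of the original article) parses `ufw status` output and prints every target that is open to Anywhere but missing from an approved list, which catches cases such as a database port exposed publicly; the function names, the approved list and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag rules that admit traffic from anywhere but are not on
# an approved list.
# Real use:  sudo ufw status | unexpected_public "22/tcp,80/tcp,443/tcp"

# unexpected_public APPROVED   (APPROVED: comma-separated "To" values)
# stdin: output of `ufw status`; prints each unapproved public target once.
unexpected_public() {
    awk -F'  +' -v approved_csv="$1" '
        BEGIN {
            n = split(approved_csv, a, ",")
            for (i = 1; i <= n; i++) approved[a[i]] = 1
        }
        /^--/ { body = 1; next }            # rules start after the dashed line
        !body || NF < 3 { next }
        {
            to = $1; action = $2; from = $3
            sub(/ \(v6\)$/, "", to)         # fold IPv6 twins onto the IPv4 name
            sub(/ \(v6\)$/, "", from)
            if (action !~ /^(ALLOW|LIMIT)/ || action ~ /OUT/) next
            if (from != "Anywhere") next    # source-restricted rules are fine
            if (!(to in approved) && !seen[to]++) print to
        }
    '
}

# Constructed sample in the layout `ufw status` prints.
sample_status() {
cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
Nginx Full                 ALLOW       Anywhere
3306/tcp                   ALLOW       203.0.113.10
5432/tcp                   ALLOW       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
5432/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}

sample_status | unexpected_public "22/tcp,Nginx Full"
```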

Advanced Options and Best Practices

Enable IPv6

If your server has IPv6, ensure UFW manages it. Edit the configuration and restart UFW.

sudo nano /etc/ufw/ufw.conf
# In the file, set:
#   IPV6=yes

# Apply
sudo ufw disable
sudo ufw enable

Rate Limit SSH and Other Sensitive Services

Rate-limiting reduces brute-force noise by throttling repeated connections.

# Limit SSH
sudo ufw limit 22/tcp

# Limit custom SSH port
sudo ufw limit 2222/tcp

Turn On Logging (With Care)

UFW can log dropped packets for diagnostics. Use “low” for general use and “medium/high” temporarily for debugging.

# Enable logging
sudo ufw logging low

# Check logs
sudo tail -f /var/log/ufw.log  # on some systems: /var/log/syslog

Use Application Profiles

Many packages install UFW profiles in /etc/ufw/applications.d. They simplify opening multiple ports at once.

sudo ufw app list
sudo ufw app info "Nginx Full"
sudo ufw allow "Nginx Full"

Combine UFW With Fail2ban

Fail2ban blocks abusive IPs dynamically based on log patterns. It integrates well with UFW, adding temporary bans without replacing firewall rules.

# Ubuntu/Debian
sudo apt install fail2ban -y

# RHEL-based
sudo dnf install fail2ban -y

# Basic enable
sudo systemctl enable --now fail2ban

Cloud Firewalls, Containers, and UFW

At YouStable, we recommend layering controls: use cloud security groups to restrict broad access, then UFW on each VM for host-level filtering. Make sure both layers allow your desired ports; mismatches cause “it works on the server” confusion.

Using Docker? Docker manipulates iptables directly and may bypass UFW rules for container traffic. Consider:

  • Publishing only necessary ports with -p
  • Using a reverse proxy container and exposing just 80/443
  • Exploring Docker daemon options and user-defined networks
  • Testing container reachability after firewall changes
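
To see which containers the caveat above applies to, list the ports Docker has published on every host interface. This added example (not part of the original article) parses `docker ps` output and reports wildcard binds while ignoring loopback-only and unpublished ports; the function names and the sample containers are constructed for illustration.

```shell
#!/bin/sh
# Added example: list container ports published on every host interface.
# Real use:  docker ps --format '{{.Names}}\t{{.Ports}}' | docker_public_ports

# stdin: lines of NAME<TAB>PORTS; prints "NAME HOSTPORT/PROTO" per wildcard bind.
docker_public_ports() {
    awk -F'\t' '
        {
            n = split($2, maps, ", ")
            for (i = 1; i <= n; i++) {
                if (maps[i] !~ /->/) continue          # exposed only, never published
                split(maps[i], side, "->")
                host = side[1]; proto = side[2]
                sub(/^.*\//, "", proto)                # "80/tcp" -> "tcp"
                match(host, /:[^:]*$/)                 # last colon splits addr:port
                addr  = substr(host, 1, RSTART - 1)
                hport = substr(host, RSTART + 1)
                if (addr != "0.0.0.0" && addr != "::" && addr != "[::]") continue
                key = $1 " " hport "/" proto
                if (!seen[key]++) print key            # IPv4 and IPv6 binds collapse
            }
        }
    '
}

# Constructed sample of `docker ps` output (container names are made up).
sample_docker_ps() {
    printf 'web\t0.0.0.0:8080->80/tcp, :::8080->80/tcp\n'
    printf 'db\t127.0.0.1:5432->5432/tcp\n'
    printf 'cache\t6379/tcp\n'
    printf 'dns\t0.0.0.0:53->53/udp, [::]:53->53/udp\n'
}

sample_docker_ps | docker_public_ports
```

Each reported port is worth testing from an outside host after firewall changes, since the UFW ruleset alone may not describe its reachability.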

For Kubernetes and advanced container setups, host firewalls coexist with CNI plugins. Validate policies end-to-end before going live.

Troubleshooting UFW

If something breaks after enabling UFW, work methodically.

  • Check port listeners: sudo ss -tulpen | grep LISTEN
  • Verify rules: sudo ufw status numbered
  • Inspect logs: sudo tail -f /var/log/ufw.log (or /var/log/syslog)
  • Temporarily allow all outgoing and the specific incoming service
  • Check cloud provider firewall/security group rules
  • For remote lockouts, use your provider’s console to disable UFW: sudo ufw disable

Real-World Example: Secure LEMP Stack

Here’s a minimal ruleset for a production LEMP server with SSH on port 22, Nginx on 80/443, and MySQL restricted to a trusted app server.

sudo ufw default deny incoming
sudo ufw default allow outgoing

sudo ufw allow 22/tcp
sudo ufw allow "Nginx Full"
sudo ufw allow from 203.0.113.10 to any port 3306 proto tcp

sudo ufw limit 22/tcp
sudo ufw logging low

sudo ufw enable
sudo ufw status verbose

Why UFW Matters for Hosting and How YouStable Helps

Firewalls reduce exposure and buy time against automated scans and opportunistic attacks. UFW’s clarity means fewer mistakes and faster remediation. If you host with YouStable, our experts can pre-harden your VPS or dedicated servers, set correct UFW rules for your stack, and align them with cloud firewall policies to prevent downtime.

FAQs: Install UFW on Linux Server

Is UFW better than iptables or firewalld?

UFW isn’t “better,” it’s simpler. It’s a front end for iptables/nftables focused on ease of use. firewalld is native on RHEL-based systems and integrates with system tools. Choose UFW for readability and quick setup, firewalld for native RHEL workflows, or raw iptables/nftables for granular control.

Will enabling UFW lock me out of SSH?

It can, if you enable it without allowing SSH first. Always run sudo ufw allow OpenSSH (or the correct port) before sudo ufw enable. If you get locked out, use your hosting provider’s console to disable UFW and fix the rule.

How do I open a port with UFW?

Use sudo ufw allow PORT/PROTO, for example sudo ufw allow 443/tcp. To restrict by source IP: sudo ufw allow from 203.0.113.5 to any port 443 proto tcp. Verify with sudo ufw status.

Does UFW support IPv6?

Yes. Set IPV6=yes in /etc/ufw/ufw.conf and re-enable UFW. Then manage both IPv4 and IPv6 rules, ensuring parity so you don’t unintentionally expose services over IPv6.

How do I allow a port range or specific protocol?

For ranges: sudo ufw allow 10000:10100/tcp. For UDP: sudo ufw allow 53/udp. Always specify tcp or udp for clarity and least privilege.

How do I reset UFW to defaults?

Run sudo ufw reset. This disables UFW and removes all rules. Reapply your intended rules, allow SSH, then enable UFW again. Consider backing up /etc/ufw/user.rules first.

Does UFW work with Docker?

Docker modifies iptables directly and may bypass UFW chains for container traffic. Keep published ports minimal, prefer reverse proxies, and test connectivity after changes. For complex setups, consider dedicated network policies or firewalld with Docker-aware rules.

Conclusion

Installing UFW on a Linux server takes minutes and dramatically improves baseline security. Set conservative defaults, open only what you need, and audit regularly. If you want a production-ready firewall tailored to your stack, YouStable can preconfigure UFW alongside server hardening so you launch fast and stay secure.

Prahlad Prajapati

Prahlad is a web hosting specialist and SEO-focused organic growth expert from India. Active in the digital space since 2019, he helps people grow their websites through clean, sustainable strategies. Passionate about learning and adapting fast, he believes small details create big success. Discover his insights on web hosting and SEO to elevate your online presence.
