Install and configure UFW on a VPS

This guide shows you how to install and configure UFW (Uncomplicated Firewall), a simple but effective firewall for Linux. UFW makes it easier to manage firewall rules on your VPS.

📋 Prerequisites

  • A VPS server with root or sudo access
  • An active SSH connection
  • Ubuntu/Debian (commands are adapted for these distributions)

📥 UFW Installation

Installation on Ubuntu/Debian

Bash
sudo apt update
sudo apt install ufw -y

Verify installation

Bash
# Check UFW status
sudo ufw status

If UFW is not activated, you will see the message: Status: inactive

⚙️ Basic configuration

Important: Before enabling UFW, make sure to allow the SSH port (22), otherwise you will be locked out of your server.

Set default rules

Bash
# Block everything incoming, allow outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow essential connections

Bash
# Allow SSH (22)
sudo ufw allow 22/tcp

# Allow HTTP (80)
sudo ufw allow 80/tcp

# Allow HTTPS (443)
sudo ufw allow 443/tcp

🔧 Enable UFW

Once you have configured the basic rules, enable UFW:

Bash
# Enable UFW
sudo ufw enable

# Verify status
sudo ufw status verbose

Important: Make sure you have allowed SSH before enabling UFW, or you will be locked out!

📝 Advanced rules

Allow specific IP addresses

Bash
# Allow a specific IP
sudo ufw allow from 192.168.1.100

# Allow a specific IP on a specific port
sudo ufw allow from 192.168.1.100 to any port 22

Allow port ranges

Bash
# Allow port range
sudo ufw allow 8000:9000/tcp

Deny specific connections

Bash
# Deny a specific port
sudo ufw deny 8080/tcp

# Deny a specific IP
sudo ufw deny from 192.168.1.200

🔍 Rule management

List all rules

Bash
# List numbered rules
sudo ufw status numbered

# List rules with details
sudo ufw status verbose

Delete rules

Bash
# Delete a rule by number
sudo ufw delete 3

# Delete a rule by content
sudo ufw delete allow 80/tcp

Reset all rules

Bash
# Reset UFW to default state (disable and remove all rules)
sudo ufw reset

💡 Common examples

Web server configuration

Bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

Mail server configuration

Bash
sudo ufw allow 25/tcp # SMTP
sudo ufw allow 587/tcp # SMTP submission
sudo ufw allow 465/tcp # SMTPS
sudo ufw allow 993/tcp # IMAPS
sudo ufw allow 995/tcp # POP3S

Database server configuration

Bash
sudo ufw allow from 192.168.1.0/24 to any port 3306 # MySQL from local network
sudo ufw allow from 192.168.1.0/24 to any port 5432 # PostgreSQL from local network

✅ Verification

Verify that UFW is working correctly:

Bash
# Check status
sudo ufw status verbose

# Check active rules
sudo ufw status numbered

# Test connection from another machine
# (Use telnet or nc to test ports)

🚫 Disable UFW

If you need to temporarily disable UFW:

Bash
# Disable UFW
sudo ufw disable

# Re-enable
sudo ufw enable

📚 Best practices

  1. Always allow SSH before enabling UFW
  2. Test rules before applying them in production
  3. Use specific IP addresses when possible instead of opening ports to all
  4. Review rules regularly to remove unused ones
  5. Document your rules for easier management
  6. Back up your configuration before major changes
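
The check below is an added example, not part of the original guide or of UFW itself: it reads `ufw status` output and flags sensitive ports that are allowed from any source, which supports best practices 3 and 4. The function name `audit_ufw_status`, the `SENSITIVE_PORTS` variable and the sample output are constructed for this illustration.

```shell
# Added example, not from the original guide: flag sensitive ports that
# `ufw status` reports as reachable from any source address.
# Assumption: the list defaults to the database ports used on this page.
SENSITIVE_PORTS="${SENSITIVE_PORTS:-3306 5432}"

# stdin: `ufw status [verbose]` text. Prints findings; returns 1 if any, else 0.
audit_ufw_status() {
  awk -v ports="$SENSITIVE_PORTS" '
    BEGIN { n = split(ports, want, " ") }
    /^Status: inactive/ { print "INACTIVE: no rules are being enforced"; bad = 1 }
    # Rule rows look like:  <To>  ALLOW|LIMIT [IN]  <From>
    match($0, / +(ALLOW|LIMIT)( IN)? +/) {
      to = substr($0, 1, RSTART - 1); spec = to
      from = substr($0, RSTART + RLENGTH); sub(/ +$/, "", from)
      if (from !~ /^Anywhere/) next        # restricted source, or an OUT rule
      sub(/ \(v6\)$/, "", spec)            # "5432/tcp (v6)" -> "5432/tcp"
      sub(/\/(tcp|udp)$/, "", spec)        # "5432/tcp" -> "5432"
      m = split(spec, parts, ",")          # comma lists such as "80,443"
      for (i = 1; i <= m; i++) {
        lo = hi = parts[i]
        if (split(parts[i], r, ":") == 2) { lo = r[1]; hi = r[2] }  # ranges
        if (lo !~ /^[0-9]+$/ || hi !~ /^[0-9]+$/) continue  # app profile name
        for (j = 1; j <= n; j++)
          if (want[j] + 0 >= lo + 0 && want[j] + 0 <= hi + 0) {
            print "OPEN: port " want[j] " allowed from " from " (rule: " to ")"
            bad = 1
          }
      }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample in the layout printed by `sudo ufw status`.
sample_status() {
  cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
3306                       ALLOW       192.168.1.0/24
5432/tcp                   ALLOW       Anywhere
3000:4000/tcp              ALLOW       Anywhere
5432/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}

sample_status | audit_ufw_status || echo "Review the rules listed above."
```

On a real host, pipe the live rule set into it with `sudo ufw status | audit_ufw_status`.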

🆘 Troubleshooting

Cannot connect via SSH after enabling UFW

Bash
# Connect to your server via console (if available)
# Or use your hosting provider's console access

# Reset UFW
sudo ufw reset
sudo ufw allow 22/tcp
sudo ufw enable

UFW rules not applying

Bash
# Check if UFW is active
sudo ufw status

# Reload UFW
sudo ufw reload

# Check iptables (UFW uses iptables under the hood)
sudo iptables -L -n

Port still blocked after adding rule

Bash
# Verify the rule exists
sudo ufw status numbered

# Check if there's a deny rule taking precedence
sudo ufw status verbose

# Remove and re-add the rule
sudo ufw delete allow 80/tcp
sudo ufw allow 80/tcp
sudo ufw reload

❓ Frequently Asked Questions

Q: Can I use UFW with other firewall tools?
A: No, UFW manages iptables directly. Using UFW with other tools like firewalld can cause conflicts.

Q: How do I allow a port for a specific service?
A: You can allow by port number: sudo ufw allow 3306/tcp or by service name if available: sudo ufw allow mysql.

Q: Does UFW work on CentOS/RHEL?
A: UFW is primarily designed for Debian/Ubuntu. On CentOS/RHEL, you should use firewalld instead.

Q: How do I see what ports are currently open?
A: Use sudo ufw status verbose to see all active rules and open ports.

Q: Can I use UFW in a Docker container?
A: UFW works at the host level. Inside Docker containers, you should use Docker's own networking and security features.