
How to Set Up a Firewall on a Linux Server Using UFW (Beginner-Friendly Guide)


When you put a Linux server online, it becomes part of the wild internet — and the internet is… let’s just say… not always friendly.

Bots scan IP addresses all day long trying random ports, hoping to find something open. That’s why having a firewall is one of the simplest but most important layers of protection you can add.

On Ubuntu and many Debian-based systems, the easiest firewall tool is UFW (Uncomplicated Firewall). And honestly, the name fits — it is uncomplicated.

Here’s how I normally set it up on a fresh server.


🔹 Step 1 — Check if UFW Is Installed

Most Ubuntu servers already have it. Run:

sudo ufw status

If you see something like:

Status: inactive

that means it’s installed — just not enabled yet.

If you get a “command not found”, install it:

sudo apt install ufw

Done 👍


🔐 Step 2 — Make Sure You Won’t Lock Yourself Out of SSH

This step is VERY important.

Before enabling the firewall, allow SSH. Otherwise, once UFW activates, you might lose connection — and trust me, that’s not a fun experience 😅

If your SSH runs on port 22:

sudo ufw allow 22/tcp

If you changed SSH to another port, for example 2222:

sudo ufw allow 2222/tcp

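Double-check the rule. While UFW is still inactive, ufw status only reports “Status: inactive”, so list the rules you have added instead:

sudo ufw show added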

Good. Now it’s safe to continue.
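A pre-flight check for the lockout described in this step, written as an added example (it is not part of the original guide): it compares the ports sshd listens on with the rules UFW has queued and refuses to pass if any SSH port lacks an allow rule open to every source. The function names and sample text are assumptions made for illustration; the inputs are the text output of `sshd -T` and `ufw show added`.

```sh
#!/bin/sh
# Added example (not from the original guide): lockout pre-flight for `ufw enable`.
# Functions take command output as text so the check can be tested offline.
# Live use: preflight "$(sudo sshd -T)" "$(sudo ufw show added)" && sudo ufw enable

# Print each port sshd listens on (`sshd -T` prints lines like "port 22").
sshd_ports() {
    printf '%s\n' "$1" | awk 'tolower($1) == "port" { print $2 }'
}

# Succeed if an added rule allows (or rate-limits) inbound TCP port $2 from any source.
# Rules with "from <address>" are not counted: they may not match your own IP.
# App profiles ("OpenSSH") and port ranges are not resolved; they count as uncovered.
rule_covers_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 != "ufw" || ($2 != "allow" && $2 != "limit") { next }
        {
            hit = 0; skip = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "from" && $(i + 1) != "any") skip = 1
                if ($i == "out" || ($i == "proto" && $(i + 1) == "udp")) skip = 1
                if ($i == port || $i == (port "/tcp")) hit = 1
                if ($i == "port" && $(i + 1) == port) hit = 1
            }
            if (hit && !skip) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Succeed only if every sshd port is covered; name each uncovered port.
preflight() {
    pf_rc=0
    pf_ports=$(sshd_ports "$1")
    [ -n "$pf_ports" ] || pf_ports=22   # assumption: fall back to the sshd default
    for pf_p in $pf_ports; do
        if ! rule_covers_port "$2" "$pf_p"; then
            echo "SSH port $pf_p/tcp has no open allow rule"
            pf_rc=1
        fi
    done
    return "$pf_rc"
}

# Constructed sample input: sshd moved to 2222, but only 22/tcp was allowed.
SAMPLE_SSHD='port 2222
addressfamily any'
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp"
if preflight "$SAMPLE_SSHD" "$SAMPLE_ADDED"; then echo "OK to enable"; else echo "do NOT enable yet"; fi
```

The check is deliberately conservative: a rule it cannot interpret is reported as missing, so a failure means "look at the rules by hand", not necessarily that SSH is blocked.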


🚀 Step 3 — Enable UFW

Turn it on:

sudo ufw enable

You’ll see:

Command may disrupt existing ssh connections. Proceed with operation (y|n)?

Type:

y

Boom. Your server now has a firewall 🎉


🌐 Step 4 — Allow Web Traffic (If You Run a Website)

For HTTP:

sudo ufw allow 80/tcp

For HTTPS:

sudo ufw allow 443/tcp

Or simply:

sudo ufw allow "Nginx Full"

or:

sudo ufw allow "Apache Full"

(depending on your web server)

These presets open both 80 and 443 automatically.


🚫 Step 5 — Deny Everything Else (Default Policy)

By default, UFW blocks incoming connections and allows outgoing.
You can confirm with:

sudo ufw status verbose

You should see something like:

Default: deny (incoming), allow (outgoing)

Which means:

✔ Your apps can connect out
❌ Random strangers cannot connect in

Exactly what we want.


👁 Step 6 — View and Manage Rules

To see current rules:

sudo ufw status numbered

You might see:

[ 1] 22/tcp ALLOW Anywhere
[ 2] 80/tcp ALLOW Anywhere
[ 3] 443/tcp ALLOW Anywhere

To delete a rule, use the number:

sudo ufw delete 2

Simple and clean.


🔍 Step 7 — Enable Logging (Optional but Useful)

Logging helps when troubleshooting.

sudo ufw logging on

Logs go here:

/var/log/ufw.log

Just don’t forget to rotate logs if needed.


🛡 Bonus: Allow Specific IPs Only

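Let’s say you only want your office IP to access SSH. Add a rule for that address, then delete the open-to-anyone SSH rule from Step 2 by its number (see Step 6); while that broader rule exists, SSH stays reachable from everywhere.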

sudo ufw allow from 123.123.123.123 to any port 22

Or allow a subnet (with no port given, this opens every port to that subnet):

sudo ufw allow from 192.168.1.0/24

⚠ Common Mistakes to Avoid

Here are mistakes I’ve personally seen (or made 😅):

❌ Enabling UFW before allowing SSH
❌ Blocking SSH accidentally
❌ Forgetting HTTPS for websites
❌ Opening ports “just in case”

So always think:

👉 “Do I really need this port open?”

If not — keep it closed.


🎯 Final Thoughts

Setting up UFW is one of the simplest upgrades you can make to server security. It takes maybe 5–10 minutes, but it protects you 24/7.

With UFW you get:

✅ A clean, simple firewall
✅ SSH protection
✅ Controlled access
✅ Peace of mind

And best of all — you don’t need to be a Linux guru to use it.

Small effort. Big benefit.
