What I wanted to do

After spinning up a VPS, I wanted to close unnecessary ports and harden security. UFW (Uncomplicated Firewall) turned out to have very intuitive commands.

Installing and enabling UFW

# Ubuntu usually has it pre-installed
sudo apt install ufw

# Check status
sudo ufw status

Always allow SSH before enabling UFW. Skip this and you’ll lose access to your VPS.

sudo ufw allow ssh      # Allow port 22
sudo ufw enable         # Enable UFW

Allowing and denying ports

# Specify by port number
sudo ufw allow 80
sudo ufw allow 443
sudo ufw deny 8080

# Specify by service name
sudo ufw allow http
sudo ufw allow https

# Allow only from a specific IP address
sudo ufw allow from 192.168.1.100 to any port 22

Checking and deleting rules

# List rules with numbers
sudo ufw status numbered

# Delete by number
sudo ufw delete 3

# Delete by specifying the rule directly
sudo ufw delete allow 8080

Resetting UFW

When you want to start over.

sudo ufw reset

After a reset, you need to re-configure starting from SSH allow rules.

Setting up common ports together

# Web server
sudo ufw allow 80
sudo ufw allow 443

# SSH (if you changed the default port)
sudo ufw allow 2222

# nginx + Node.js setup (keep 3000 local only)
sudo ufw allow 80
sudo ufw allow 443
sudo ufw deny 3000

Checking the current configuration

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere

Gotchas

  • Always run ufw allow ssh before ufw enable — forget this and you’ll lock yourself out
  • Port number and service name are equivalent (allow 22 and allow ssh do the same thing)
  • ufw reset wipes SSH rules too, so be careful
  • When using Docker, UFW rules can be bypassed by Docker (you may need to configure the DOCKER-USER chain)
  • The default policy is to deny all incoming traffic, so explicitly allow only the ports you need

Looking for reliable cloud infrastructure? Check out these developer-friendly services.