UFW Setup
Overview
UFW (Uncomplicated Firewall) is a frontend for iptables that controls which ports are reachable from the internet. A fresh VPS usually ships with no firewall, so every port a service listens on is exposed. UFW lets you block everything except the services you explicitly allow.
Think of it as a gatekeeper: all incoming traffic is denied unless you create a rule to allow it.
How It Works
Internet Traffic
│
▼
┌─────────────────┐
│ UFW Firewall │
│ │
│ Port 22 ✓ ───────► SSH
│ Port 80 ✓ ───────► nginx (HTTP)
│ Port 443 ✓ ───────► nginx (HTTPS)
│ Port 3000 ✗ (blocked)
│ Port 5432 ✗ (blocked)
│ │
└─────────────────┘
Only ports with explicit “allow” rules pass through. Everything else is blocked.
Prerequisites
- VPS setup completed (see VPS Setup)
Installation
sudo apt install -y ufw
Basic Setup
Before enabling UFW, you must allow SSH. Otherwise you will lock yourself out of the server.
sudo ufw allow OpenSSH
This uses UFW's built-in OpenSSH application profile to create a rule allowing incoming TCP connections on port 22 (SSH).
Now enable the firewall:
sudo ufw enable
UFW is now active. All incoming traffic is blocked except SSH.
Verify with:
sudo ufw status
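As an added illustration (not part of the original guide), the script below turns the "allow SSH before you enable" rule into a check: it inspects the text of sudo ufw status for an inbound allow (or limit) rule for OpenSSH, 22 or 22/tcp and only runs ufw enable when one is present. The UFW_CMD variable is an assumption introduced here so the logic can be tested against constructed status lines without root; on a real server it defaults to sudo ufw.

```shell
#!/bin/sh
# Added example: refuse to enable UFW unless an SSH allow rule already exists.
# UFW_CMD is a hypothetical override (default "sudo ufw") so the check can be
# exercised against sample output without root.

# has_ssh_allow_rule: read `ufw status` text (plain, verbose or numbered) on
# stdin and succeed if any row allows or rate-limits OpenSSH, 22 or 22/tcp
# inbound. Matches the IPv4 row and its "(v6)" twin alike.
has_ssh_allow_rule() {
  grep -Eq '^(\[ *[0-9]+\] +)?(OpenSSH|22(/tcp)?)( \(v6\))? +(ALLOW|LIMIT)( IN)? '
}

# safe_ufw_enable: enable the firewall only after the SSH check passes.
safe_ufw_enable() {
  if ${UFW_CMD:-sudo ufw} status | has_ssh_allow_rule; then
    ${UFW_CMD:-sudo ufw} enable
  else
    echo "refusing to enable ufw: no SSH allow rule found (run: sudo ufw allow OpenSSH)" >&2
    return 1
  fi
}

# Demonstration against a constructed status row (no root needed).
# On a real server simply call: safe_ufw_enable
printf 'OpenSSH                    ALLOW       Anywhere\n' | has_ssh_allow_rule \
  && echo "SSH rule present: safe to enable"
```

The regex accepts the three ways the SSH rule commonly appears (the OpenSSH profile, a bare 22, or 22/tcp) and both the plain status layout (ALLOW) and the numbered/verbose layout (ALLOW IN). ufw enable still shows its own confirmation prompt when run over SSH; the script deliberately does not suppress it.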
Reading Status Output
To see all rules with numbers (useful for deleting rules later):
sudo ufw status numbered
Understanding the Output
Columns:
- To: Where the traffic is going (destination)
- Action: What UFW does (ALLOW IN/OUT/FWD)
- From: Where the traffic comes from (source)
Actions:
- ALLOW IN: Incoming connections to your server (e.g., SSH, web traffic)
- ALLOW OUT: Outgoing connections from your server (e.g., downloading updates)
- ALLOW FWD: Traffic routing/forwarding through your server (e.g., VPN traffic)
Example Breakdown
[ 1] OpenSSH ALLOW IN Anywhere
→ Allow SSH connections from anywhere to your server (port 22)
[ 2] Nginx Full ALLOW IN Anywhere
→ Allow HTTP/HTTPS connections from anywhere to your server (ports 80 and 443)
[ 3] Anywhere on tailscale0 ALLOW IN Anywhere
→ Allow any incoming traffic on the Tailscale interface (VPN traffic)
[ 4] Anywhere ALLOW FWD Anywhere on tailscale0
→ Allow forwarding traffic FROM Tailscale interface to anywhere (VPN routing)
[ 5] Anywhere ALLOW OUT Anywhere on tailscale0 (out)
→ Allow outgoing traffic TO the Tailscale interface
[ 6] Anywhere on eth0 ALLOW FWD Anywhere on tailscale0
→ Allow forwarding FROM Tailscale TO eth0 (VPN to internet)
[ 7] Anywhere on tailscale0 ALLOW FWD Anywhere on eth0
→ Allow forwarding FROM eth0 TO Tailscale (internet to VPN)
IPv6 Rules:
Rules with (v6) are the same rules but for IPv6 traffic. If you see a rule numbered [1] and [8], they’re the same rule for different IP versions.
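Reading the To / Action / From columns backwards is the usual source of confusion with forwarding rules. As an added example (not part of the original guide), the following script translates each row of sudo ufw status numbered into a "from X to Y" sentence using exactly that column order. The sample output is constructed to mirror the breakdown above; the function names are this example's own.

```shell
#!/bin/sh
# Added example: turn `ufw status numbered` rows into plain sentences.
# Column order is To | Action | From, so an "ALLOW FWD" row reads
# "forward FROM <From column> TO <To column>".

# explain_ufw_rules: read status output on stdin, print one line per rule.
explain_ufw_rules() {
  awk '
    # Only rows beginning with "[ n]" are rules; the header is skipped.
    /^\[/ {
      line = $0
      v6 = (line ~ /\(v6\)/) ? " (IPv6)" : ""
      gsub(/ \((v6|out)\)/, "", line)             # drop (v6) / (out) markers
      sub(/^\[ */, "", line); sub(/\] +/, " ", line); sub(/ +$/, "", line)
      n = split(line, f, / +/)                     # f[1] is the rule number
      a = 0
      # Find the Action pair (e.g. "ALLOW IN"); fields before it form the
      # To column, fields after it form the From column.
      for (i = 2; i < n; i++)
        if (f[i] ~ /^(ALLOW|DENY|REJECT|LIMIT)$/ && f[i+1] ~ /^(IN|OUT|FWD)$/) { a = i; break }
      if (a == 0) next
      to = f[2]; for (i = 3; i < a; i++) to = to " " f[i]
      from = f[a+2]; for (i = a+3; i <= n; i++) from = from " " f[i]
      word = (f[a+1] == "IN") ? "incoming" : ((f[a+1] == "OUT") ? "outgoing" : "forwarding")
      printf "[%s] %s %s: from %s to %s%s\n", f[1], f[a], word, from, to, v6
    }'
}

# Constructed sample in the layout `sudo ufw status numbered` prints.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    Anywhere
[ 2] Nginx Full                 ALLOW IN    Anywhere
[ 3] Anywhere on tailscale0     ALLOW IN    Anywhere
[ 4] Anywhere                   ALLOW FWD   Anywhere on tailscale0
[ 5] Anywhere on eth0           ALLOW FWD   Anywhere on tailscale0
[ 6] OpenSSH (v6)               ALLOW IN    Anywhere (v6)'

# explain_sample: run the translator over the constructed sample.
explain_sample() {
  printf '%s\n' "$SAMPLE_STATUS" | explain_ufw_rules
}

# On a real server: sudo ufw status numbered | explain_ufw_rules
explain_sample
```

Row 5 in the sample comes out as "forwarding: from Anywhere on tailscale0 to Anywhere on eth0", which is the VPN-to-internet direction described in the breakdown above.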
Adding Rules
There are several ways to allow traffic through the firewall.
By service name (UFW knows common services):
sudo ufw allow OpenSSH # Port 22
sudo ufw allow 'Nginx Full' # Ports 80 and 443
By port number (when you need a specific port):
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
The /tcp suffix restricts the rule to TCP. Use /udp for UDP traffic; with no suffix the rule allows both TCP and UDP on that port.
By port range (for services using multiple ports):
sudo ufw allow 6000:6007/tcp
This allows ports 6000 through 6007.
By interface (for VPN routing, like Tailscale):
sudo ufw allow in on tailscale0
sudo ufw route allow in on tailscale0
The first command allows all incoming traffic arriving on the tailscale0 interface; the second (ufw route) allows forwarded traffic that enters on tailscale0, which is what routing through the VPN requires.
Removing Rules
First, list rules with numbers:
sudo ufw status numbered
Then delete by number:
sudo ufw delete 3
This removes rule number 3. Rule numbers shift after deletion, so always re-check with status numbered before deleting another.
Alternatively, delete by specification (exactly as you added it):
sudo ufw delete allow 80/tcp
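Because rule numbers shift after every deletion, deleting several rules by number is easy to get wrong. As an added example (not from the original guide), the script below removes a list of rules highest number first, so each deletion leaves the remaining (lower) numbers valid. The UFW_CMD override is an assumption made here so the ordering can be verified without touching a real firewall; --force is ufw's own flag for skipping the per-rule confirmation prompt.

```shell
#!/bin/sh
# Added example: delete several UFW rules by number without the renumbering
# problem. Highest number first means lower numbers are untouched.
# UFW_CMD is a hypothetical override (default "sudo ufw") used for testing.

# descending_unique: print the given rule numbers highest first, no duplicates.
descending_unique() {
  printf '%s\n' "$@" | sort -rn | uniq
}

# ufw_delete_rules N...: validate every argument, then delete highest first.
ufw_delete_rules() {
  for n in "$@"; do
    case "$n" in
      ''|*[!0-9]*) echo "invalid rule number: $n" >&2; return 1 ;;
    esac
  done
  for n in $(descending_unique "$@"); do
    ${UFW_CMD:-sudo ufw} --force delete "$n" || return 1
  done
}

# preview_ufw_delete_rules N...: show the order without deleting anything.
preview_ufw_delete_rules() {
  for n in $(descending_unique "$@"); do
    echo "would delete rule $n"
  done
}

# Example: rules 2, 7 and 4 are deleted as 7, then 4, then 2.
preview_ufw_delete_rules 2 7 4
```

Run sudo ufw status numbered once, collect the numbers you want to remove, and pass them all to ufw_delete_rules in a single call; re-check the status afterwards as the guide advises.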
Common Rules Reference
| Service | Command | What it allows |
|---|---|---|
| SSH | sudo ufw allow OpenSSH | Remote terminal access (port 22) |
| HTTP | sudo ufw allow 80/tcp | Web traffic, unencrypted |
| HTTPS | sudo ufw allow 443/tcp | Web traffic, encrypted |
| HTTP + HTTPS | sudo ufw allow 'Nginx Full' | Both web ports at once |
| Ping | sudo ufw allow proto icmp | ICMP ping requests |
Notes
- UFW blocks all incoming traffic by default (deny policy)
- Ping (ICMP) is blocked by default
- Rules persist across reboots
- Always allow SSH before enabling UFW, or you will lose access
- When in doubt, run sudo ufw status before and after making changes