Ubuntu Firewall Configuration with UFW Explained

Ubuntu Firewall Configuration with UFW Explained

UFW (Uncomplicated Firewall) is Canonical’s official, beginner-friendly frontend for managing iptables (and increasingly nftables in newer Ubuntu releases). On Ubuntu Server, it provides a clean, human-readable way to control incoming and outgoing network traffic without needing to master raw iptables syntax or nft rulesets.

UFW is not enabled by default on Ubuntu Server installations, which means a freshly installed server allows all incoming and outgoing connections unless another firewall (cloud provider security group, hardware firewall, etc.) is in place.

Core Concepts in UFW

  • Default Policy UFW operates with two global defaults:
    • Default incoming policy: usually DENY after enabling
    • Default outgoing policy: usually ALLOW (most servers need to initiate outbound connections)
  • Rules Rules are evaluated top-down. The first matching rule wins. Rules can be added with:
    • Port/protocol (e.g., 22/tcp)
    • Service name (from /etc/services)
    • Application profile (predefined by packages, e.g., OpenSSH, Apache Full)
    • Source/destination IP or subnet
    • Interface (e.g., eth0, wg0)
  • States
    • ALLOW — explicitly permit
    • DENY — silently drop
    • REJECT — drop with ICMP/TCP RST response (useful for diagnostics)
    • LIMIT — rate-limit new connections (default: 6 per 30 seconds per IP)
  • Application Profiles Many server packages (nginx, apache2, ssh, postfix, etc.) install ready-made profiles in /etc/ufw/applications.d/. These define common ports (e.g., Apache Full = 80/tcp + 443/tcp).

Step-by-Step UFW Usage on Ubuntu Server

  1. Check Current Status Shows whether UFW is active, default policies, and all active rules.
  2. Enable UFW (Critical First Step) Enabling applies the default deny incoming policy immediately. Always allow SSH first if working remotely.
  3. Allow Essential Services Common patterns:
    • SSH: ufw allow ssh or ufw allow 22/tcp
    • Web server: ufw allow ‘Apache Full’ or ufw allow 80,443/tcp
    • Specific source: ufw allow from 192.168.1.0/24 to any port 5432 (PostgreSQL from LAN)
  4. Rate Limiting (Brute-Force Protection) Automatically applied to SSH by many admins: ufw limit ssh
  5. Delete or Reset Rules Rules are numbered; deletion requires the number shown in ufw status numbered.
  6. Logging UFW logs to /var/log/ufw.log (or systemd journal). Enable detailed logging for troubleshooting.
  7. IPv6 Support Controlled via /etc/default/ufw (IPV6=yes by default on recent releases).

Recommended Minimal Secure Configuration for a Typical Ubuntu Server

Typical production flow for a web + database + SSH server:

  • Deny all incoming by default
  • Allow SSH (limited or from specific IPs)
  • Allow HTTP/HTTPS from anywhere
  • Allow database ports only from application servers
  • Allow outgoing (default)
  • Enable logging for blocked traffic

Best-practice example sequence:

  1. Allow SSH first (critical when remote)
  2. Enable UFW
  3. Allow web ports
  4. Allow any other required services with restrictions
  5. Optionally deny specific noisy bots or countries (via ipset + before.rules)

UFW vs Alternatives on Modern Ubuntu

Feature / AspectUFWnftables (raw)firewalldiptables-legacy
Ease of useVery highLowMediumLow
Default on Ubuntu ServerYes (frontend)Yes (backend since ~22.04)NoNo
Application profilesExcellentNoneGoodNone
Zone / trust modelNoNoYesNo
Dynamic rules / runtime changesBasicExcellentExcellentGood
LoggingSimple file + journaljournal onlyjournaljournal or file
Best forMost servers, quick setupComplex / high-performanceMulti-zone servers, desktopsLegacy compatibility

Since Ubuntu 22.04+, UFW translates rules to nftables by default (iptables-nft backend), giving better performance and atomic rule updates compared to legacy iptables.

Troubleshooting UFW Issues

  • Rules not applying — Check syntax errors: ufw status verbose and journalctl -u ufw
  • Connection still blocked — Look for higher-priority rules or before/after hooks in /etc/ufw/before.rules
  • No log entries — Ensure ufw logging on or ufw logging high
  • Boot-time application — UFW is enabled at boot if ufw enable was run

Summary: Quick UFW Command Reference

  • Check everything: ufw status verbose
  • Safe first allow: ufw allow OpenSSH
  • Activate: ufw enable
  • See numbered rules: ufw status numbered
  • Delete rule #3: ufw delete 3
  • Reset to defaults: ufw reset (careful — removes everything)
  • Turn logging up: ufw logging high

UFW strikes an excellent balance between simplicity and power for the vast majority of Ubuntu Server deployments. Use application profiles whenever available, restrict sources for sensitive ports (databases, SSH), and combine with fail2ban for dynamic brute-force protection.

If you share your server’s role (web server, database host, VPN endpoint, mail server, etc.) or specific ports/services you need to expose, more tailored rule recommendations can be provided.

Fast • Reliable • Affordable VPS - DO It Now!

Get top VPS hosting with VPS.DO’s fast, low-cost plans. Try risk-free with our 7-day no-questions-asked refund and start today!

Contact Us

VPS.DO offers reliable, cost-effective KVM VPS hosting as a robust Cloud-as-a-Service solution worldwide. We DO our best to power your success with unbeatable VPS value.

Copyright © 2026 VPS.DO

Services
Information
Account