
What Is UFW and How to Use It? Linux Firewall Management Guide

Open/close ports, IP whitelist, rate limit, and fail2ban integration on Linux with UFW (Uncomplicated Firewall).

KavesNET Team February 5, 2026 4 min read

Does iptables feel complex? UFW (Uncomplicated Firewall) is the default firewall front-end on Ubuntu/Debian, essentially “iptables with a human face”. A few commands and your server has a working firewall with only the ports you want open. This guide covers UFW basics and practical use.

Why is a firewall mandatory?

Every open port is an attack surface. On a default Linux install, even idle services may be reachable. A firewall allows only what you want, denies the rest.

UFW installation

Pre-installed on Ubuntu. Otherwise:

sudo apt update && sudo apt install ufw -y

AlmaLinux/RHEL don’t ship UFW; they use firewalld instead.

Basic usage

sudo ufw status                    # Status
sudo ufw status verbose            # Detailed
sudo ufw enable                    # Activate
sudo ufw disable                   # Disable
sudo ufw reset                     # Reset ALL rules

CRITICAL: don’t lock SSH out!

Before enabling UFW, always allow SSH first — or you lock yourself out!

sudo ufw allow 22/tcp    # Default SSH
# or custom port:
sudo ufw allow 2222/tcp

Then:

sudo ufw enable

Common port allows

# HTTP / HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Mail (SMTP, IMAP, POP3)
sudo ufw allow 25,465,587,993,995/tcp

# FTP
sudo ufw allow 21/tcp
sudo ufw allow 990/tcp    # FTPS

# MySQL (only from a specific IP)
sudo ufw allow from 1.2.3.4 to any port 3306

# By service name
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

IP allow / deny

# Allow all from a specific IP
sudo ufw allow from 1.2.3.4

# Allow specific port from a specific IP
sudo ufw allow from 1.2.3.4 to any port 22

# IP range
sudo ufw allow from 192.168.1.0/24

# Block an IP entirely
sudo ufw deny from 5.6.7.8

Closing a port / deleting a rule

# By number
sudo ufw status numbered    # See numbers
sudo ufw delete 3           # Delete rule #3

# Direct match
sudo ufw delete allow 80/tcp

Rate limit (brute-force protection)

UFW’s built-in rate limiting starts denying new connections from a source that opens more than 6 connections in 30 seconds:

sudo ufw limit 22/tcp

Golden rule for SSH — a simple alternative to fail2ban.

Cloudflare-only mode (web servers)

To allow access only via Cloudflare:

# Order matters: UFW evaluates rules top-down and the first match wins, so the
# Cloudflare allows must be in place BEFORE the catch-all denies.

# 1. Drop any earlier world-wide 80/443 allows (ignore "non-existent rule" if absent)
sudo ufw delete allow 80/tcp
sudo ufw delete allow 443/tcp

# 2. Allow only Cloudflare IPv4 ranges
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
    sudo ufw allow from "$ip" to any port 80,443 proto tcp
done

# 3. Deny 80/443 to everyone else
sudo ufw deny 80/tcp
sudo ufw deny 443/tcp

Our DDoS post details this: DDoS Protection.
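The loop above pipes whatever curl returns straight into `sudo ufw`. The script below, an added example that is not part of the original post, builds the same rule set from a saved copy of the Cloudflare list and validates every line as an IPv4 CIDR before it becomes a command, so a truncated download, an HTML error page or a stray character can never reach the shell as a rule. The file name `cf-ips-v4.txt` and the three-line sample list used in the test are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: generate the Cloudflare-only rules
# from a saved copy of https://www.cloudflare.com/ips-v4 and validate each entry
# before it is handed to "sudo ufw". Assumes ufw on Ubuntu/Debian.
set -eu

# Return 0 if $1 is a well-formed IPv4 CIDR (a.b.c.d/n, octets 0-255, n 0-32).
valid_cidr4() {
    cidr="$1"
    # Reject anything but digits, dots and one slash, plus malformed dot/slash layouts
    case "$cidr" in *[!0-9./]*|*/*/*|.*|*..*|*./*|*/) return 1 ;; esac
    ip="${cidr%/*}"
    plen="${cidr#*/}"
    [ "$ip" != "$cidr" ] || return 1          # no "/" present at all
    [ -n "$plen" ] && [ "$plen" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ufw commands for a list file: one "allow" per valid CIDR, then the
# world-wide denies, in that order because UFW evaluates rules top-down.
# Invalid lines are reported on stderr and skipped; the exit status is the
# number of skipped lines, so a caller can refuse to apply a partial plan.
build_cf_rules() {
    listfile="$1"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r ')   # tolerate CRLF and padding
        [ -n "$line" ] || continue
        if valid_cidr4 "$line"; then
            echo "ufw allow from $line to any port 80,443 proto tcp comment 'cloudflare'"
        else
            echo "skipping unexpected line: $line" >&2
            bad=$((bad + 1))
        fi
    done < "$listfile"
    echo "ufw deny 80/tcp"
    echo "ufw deny 443/tcp"
    return "$bad"
}

# Usage: curl -s https://www.cloudflare.com/ips-v4 -o cf-ips-v4.txt
#        sh cf-rules.sh cf-ips-v4.txt             # review the plan
#        sh cf-rules.sh cf-ips-v4.txt | sudo sh   # apply it
if [ -n "${1:-}" ]; then
    build_cf_rules "$1"
fi
```

Review the printed plan before piping it into `sudo sh`; a non-zero exit means at least one line of the download was not a CIDR and the list should be re-fetched rather than applied. Cloudflare publishes an `ips-v6` list as well; applying it needs `IPV6=yes` in `/etc/default/ufw` and a matching IPv6 validator.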

Logging

With logging on (level low, the default) UFW logs packets blocked by the default policy and packets matching rules marked for logging; medium and high add allowed packets and new connections:

sudo ufw logging on        # Logging on (default)
sudo ufw logging high      # More detail
sudo tail -f /var/log/ufw.log
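Tailing the log shows individual packets; what a defender usually wants is which sources are hammering the server and which ports they probe. The script below is an added example, not from the original post: it summarises `[UFW BLOCK]` and `[UFW LIMIT BLOCK]` lines per source and per destination port and flags sources above a threshold. The log lines in `write_sample_log` are constructed for this example (documentation-range addresses) in the format rsyslog writes for UFW kernel messages; on a real host pass `/var/log/ufw.log` as the argument.

```shell
#!/bin/sh
# Added example, not from the original post: summarise UFW block log lines.
# Assumes the rsyslog format of /var/log/ufw.log on Ubuntu/Debian.
set -eu

# Write a small constructed log (TEST-NET addresses) to a temp file, print its path.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Feb  5 10:12:01 vds kernel: [12345.678901] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  5 10:12:02 vds kernel: [12346.678901] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  5 10:12:03 vds kernel: [12347.678901] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  5 10:13:40 vds kernel: [12444.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  5 10:14:00 vds kernel: [12464.000000] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=777 DF PROTO=TCP SPT=34567 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
EOF
    echo "$f"
}

# Count blocked packets (plain and rate-limit blocks, not ALLOW) per source address.
top_blocked_sources() {
    awk '/\[UFW (LIMIT )?BLOCK\]/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
         }
         END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Count blocked packets per destination port: which services are being probed.
top_blocked_ports() {
    awk '/\[UFW (LIMIT )?BLOCK\]/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) n[substr($i, 5)]++
         }
         END { for (p in n) print n[p], p }' "$1" | sort -rn
}

# Print sources whose block count reaches the threshold: candidates for a
# "ufw deny from" rule or for cross-checking against fail2ban's ban list.
noisy_sources() {
    top_blocked_sources "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Usage: sh ufw-log-summary.sh [/var/log/ufw.log]
# With no argument the constructed sample is analysed.
log="${1:-$(write_sample_log)}"
echo "== blocked packets per source =="; top_blocked_sources "$log"
echo "== blocked packets per port =="; top_blocked_ports "$log"
echo "== sources with >= 3 blocks =="; noisy_sources "$log" 3
```

The rate-limited connections from `ufw limit` appear as `[UFW LIMIT BLOCK]`, so a source that repeatedly trips the SSH limit shows up in the same summary as outright blocks.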

fail2ban integration

UFW rule + fail2ban = double layer against brute-force:

sudo apt install fail2ban -y
sudo systemctl enable --now fail2ban

/etc/fail2ban/jail.local:

[sshd]
enabled = true
port = 22
maxretry = 3
bantime = 3600
banaction = ufw

Restart and check:

sudo systemctl restart fail2ban
sudo fail2ban-client status sshd    # see banned IPs

Common mistakes

  • Forgetting SSH before enable: locked out → connect via KavesNET VNC console
  • Conflict with Plesk: Plesk manages its own firewall → either Plesk OR UFW, not both. See our Plesk post
  • Ignoring IPv6: ensure IPV6=yes in /etc/default/ufw
  • Misreading the default policy: new installs default-deny all incoming, so every service you expose needs an explicit allow

Quick-start summary

Typical UFW config for a new VDS:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp        # SSH
sudo ufw allow 80/tcp        # HTTP
sudo ufw allow 443/tcp       # HTTPS
sudo ufw limit 22/tcp        # SSH rate limit
sudo ufw enable
sudo ufw status verbose

5 lines of secure baseline firewall.
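The baseline above and the “don’t lock SSH out” warning earlier depend on one thing: the SSH rule must exist before `ufw enable` runs, and it must match the port sshd actually listens on. The script below is an added example, not from the original post: it reads the `Port` directives from `sshd_config`, emits the baseline in the right order (SSH first, `limit` instead of a separate `allow`, since a limit rule still admits normal traffic) and prints the plan as a dry run unless `APPLY=1` is set. Assumes Ubuntu/Debian with ufw installed; the sshd_config path can be overridden for testing.

```shell
#!/bin/sh
# Added example, not from the original post: apply the quick-start baseline
# without locking yourself out of SSH. Assumes Ubuntu/Debian with ufw installed
# and sshd's port configured in /etc/ssh/sshd_config.
# Dry run by default: it only prints the commands. Run with APPLY=1 to execute.
set -eu

# Print every "Port" directive from an sshd_config (path overridable for testing).
# Commented-out "#Port 22" lines are skipped; with no directive sshd listens on 22.
detect_ssh_ports() {
    cfg="${1:-/etc/ssh/sshd_config}"
    ports=""
    if [ -r "$cfg" ]; then
        ports=$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$cfg")
    fi
    if [ -n "$ports" ]; then
        echo "$ports"
    else
        echo 22
    fi
}

# Emit the ordered ufw commands. SSH comes first so the rule exists before
# "enable" runs. "limit" is used instead of "allow": it still admits normal
# traffic but throttles sources that exceed UFW's connection-rate threshold.
build_plan() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for p in $(detect_ssh_ports "${1:-/etc/ssh/sshd_config}"); do
        echo "ufw limit $p/tcp"
    done
    echo "ufw allow 80/tcp"
    echo "ufw allow 443/tcp"
    echo "ufw --force enable"    # --force skips the interactive y/n prompt
    echo "ufw status verbose"
}

# Print each command, or run it under sudo when APPLY=1.
run_plan() {
    build_plan "${1:-}" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            sudo $cmd
        else
            echo "[dry-run] sudo $cmd"
        fi
    done
}

# Usage: sh ufw-baseline.sh            -> print the plan
#        APPLY=1 sh ufw-baseline.sh    -> apply it
run_plan "${1:-}"
```

Run it once without `APPLY=1` and confirm the `ufw limit` line names the port you are connected on before applying; if sshd listens on several ports, each one gets its own limit rule.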

Related: SSH Connection · DDoS Protection
