Your VPS is exposed to the internet the moment it goes live. Without a firewall, every port on your server is a potential entry point for attackers. Setting up UFW (Uncomplicated Firewall) is one of the fastest and most effective ways to secure your VPS — and it takes less than 10 minutes.
UFW is a user-friendly frontend for iptables, the powerful but complex Linux firewall. It ships with Ubuntu and is available on most Debian-based distributions. Instead of writing cryptic iptables rules, you write simple commands that actually make sense.
Here's how to set it up properly.
Installing UFW
UFW comes pre-installed on Ubuntu. If it's missing, install it:
sudo apt update
sudo apt install ufw -y
Check the current status:
sudo ufw status
# Output: Status: inactive
Important: Don't enable UFW yet. If you enable it before adding an SSH rule, you'll lock yourself out of your server.
Step 1: Set Default Policies
Start by blocking all incoming traffic and allowing all outgoing traffic. This is the safest starting point — nothing gets in unless you explicitly allow it.
sudo ufw default deny incoming
sudo ufw default allow outgoing
This means:
- Incoming: Blocked by default (no one can connect to your server)
- Outgoing: Allowed by default (your server can reach the internet for updates, API calls, etc.)
Step 2: Allow SSH
This is critical. Allow SSH before enabling the firewall, or you'll be locked out:
sudo ufw allow ssh
This opens port 22. If you've changed your SSH port to something else (recommended for security), specify it:
sudo ufw allow 2222/tcp
Step 3: Allow Web Traffic
For a web server, you need HTTP and HTTPS:
sudo ufw allow http
sudo ufw allow https
Or using port numbers:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Step 4: Enable the Firewall
Now that SSH and web traffic are allowed, enable UFW:
sudo ufw enable
You'll see a warning about disrupting SSH connections. Type y to confirm. Your existing SSH session will continue working since you already added the SSH rule.
Verify everything is set up:
sudo ufw status verbose
Expected output:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
That's the basic setup. Your server now only accepts SSH and web traffic — everything else is blocked.
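Steps 1 to 4 as one script, added here as an example and not part of the original guide. It assumes the SSH port is passed as the first argument (default 22) and that setting DRY_RUN=1 prints the ufw commands instead of running them with sudo, so the order can be checked before touching a live firewall. The SSH rule is always issued before enable, and it uses the limit form from the Rate Limiting section below rather than plain allow.

```sh
#!/bin/sh
# Added example (not from the original guide): apply Steps 1-4 in an order
# that cannot lock you out. Assumptions: SSH port is $1 (default 22);
# DRY_RUN=1 prints the commands instead of executing them via sudo.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ufw $*"
    else
        sudo ufw "$@"
    fi
}

ufw_baseline() {
    ssh_port="${1:-22}"
    case "$ssh_port" in
        ''|*[!0-9]*) echo "invalid SSH port: $ssh_port" >&2; return 1 ;;
    esac
    run default deny incoming        # Step 1: nothing gets in unless allowed
    run default allow outgoing
    run limit "$ssh_port/tcp"        # Step 2: SSH first, with brute-force rate limiting
    run allow 80/tcp                 # Step 3: web traffic
    run allow 443/tcp
    run --force enable               # Step 4: only after the SSH rule exists; --force skips the prompt
}

# plan: print what would run, without changing the firewall
plan() { ( DRY_RUN=1; ufw_baseline "${1:-22}" ); }

# ssh_before_enable: succeeds only if the SSH rule precedes "enable" in the plan
ssh_before_enable() {
    plan "${1:-22}" | awk '/^ufw limit /{s=NR} /^ufw --force enable/{e=NR} END{exit !(s && e && s < e)}'
}
```

Run `plan 2222` first to review the six commands, then `ufw_baseline 2222` to apply them; the script refuses a non-numeric port so a typo cannot produce a rule that matches nothing.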
Common Rules for Different Server Types
WordPress / PHP Application Server
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
# That's it — MySQL should only listen on localhost
Node.js Application Behind Nginx
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
# Don't open port 3000 — Nginx proxies to it internally
Key insight: If your app runs on port 3000/4000/8000 and Nginx proxies to it, you don't need to open those ports. Nginx handles external traffic on port 80/443, and the proxy connection happens locally.
Database Server (Separate from Web Server)
sudo ufw allow ssh
sudo ufw allow from 10.0.0.5 to any port 3306 # MySQL from specific IP only
sudo ufw allow from 10.0.0.5 to any port 5432 # PostgreSQL from specific IP only
Never open database ports to the entire internet. Always restrict to specific IPs.
Mail Server
sudo ufw allow ssh
sudo ufw allow 25/tcp # SMTP
sudo ufw allow 587/tcp # SMTP submission
sudo ufw allow 993/tcp # IMAPS
sudo ufw allow 465/tcp # SMTPS
Advanced UFW Usage
Allow from Specific IP
Restrict access to specific trusted IPs:
# Allow SSH only from your office IP
sudo ufw allow from 203.0.113.50 to any port 22
# Allow a monitoring service
sudo ufw allow from 198.51.100.0/24 to any port 9090
Rate Limiting
UFW has built-in rate limiting for brute-force protection:
sudo ufw limit ssh
This allows a maximum of 6 connection attempts within 30 seconds from a single IP; an IP that exceeds that rate is temporarily blocked. Great for blunting SSH brute-force attacks without installing additional software.
Delete Rules
Remove rules you no longer need:
# List rules with numbers
sudo ufw status numbered
# Delete by number
sudo ufw delete 3
# Or delete by rule
sudo ufw delete allow 8080/tcp
Deny Specific IPs
Block a known bad actor:
sudo ufw deny from 192.168.1.100
Allow Port Ranges
For services that need a range of ports:
sudo ufw allow 6000:6007/tcp
sudo ufw allow 6000:6007/udp
UFW with Docker — Important Caveat
If you're running Docker, be aware that Docker modifies iptables directly, bypassing UFW entirely. This means containers with published ports are accessible from the internet even if UFW doesn't have a rule for them.
Solutions:
Bind containers to localhost:
- Bind containers to localhost: docker run -p 127.0.0.1:3000:3000 myapp
- Use Docker's --iptables=false flag and manage rules manually (advanced)
- Use a reverse proxy (Nginx) and only expose ports 80/443
This is a common gotcha that trips up many developers. If you use Docker, test your firewall by port-scanning your server from an external machine.
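A host-side check for the Docker gotcha, added as an example that is not from the original guide: it lists every container port mapping bound to all interfaces (0.0.0.0 or ::), which is exactly the traffic UFW rules do not cover. SAMPLE_PORTS is a constructed stand-in for the output of `docker ps --format '{{.Names}} {{.Ports}}'`; the container names and ports are made up.

```sh
#!/bin/sh
# Added example (not from the original guide): flag container port mappings
# that are reachable from outside regardless of UFW. SAMPLE_PORTS is a
# constructed stand-in for: docker ps --format '{{.Names}} {{.Ports}}'
set -eu

SAMPLE_PORTS='web 0.0.0.0:80->80/tcp, :::80->80/tcp
api 127.0.0.1:3000->3000/tcp
db 0.0.0.0:5432->5432/tcp
worker'

# exposed_ports: prints "container hostport" for each mapping whose bind
# address is not loopback; the v4 and v6 entries of one port are merged
exposed_ports() {
    awk '{
        for (i = 2; i <= NF; i++) {
            if ($i !~ /->/) continue           # not a port mapping field
            split($i, m, "->"); bind = m[1]    # "0.0.0.0:80" or ":::80"
            n = split(bind, parts, ":"); port = parts[n]
            host = substr(bind, 1, length(bind) - length(port) - 1)
            if (host != "127.0.0.1" && host != "::1" && host != "[::1]")
                print $1, port
        }
    }' | sort -u
}
```

On a live host run `docker ps --format '{{.Names}} {{.Ports}}' | exposed_ports`; anything it prints other than the reverse proxy's 80 and 443 is a port the firewall is not protecting, and the fix is the 127.0.0.1 binding shown above.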
Monitoring and Logging
Enable logging to track blocked connections:
sudo ufw logging on
View logs:
sudo tail -f /var/log/ufw.log
You'll see entries for blocked connection attempts — useful for identifying attack patterns or misconfigured rules.
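To turn those log entries into something you can act on, here is an added example (not from the original guide) that groups blocked attempts by source address and by targeted port. SAMPLE_LOG is constructed and abridged (real lines carry more fields such as MAC= and TTL=); the addresses are documentation ranges, not real hosts. The functions read log text on stdin.

```sh
#!/bin/sh
# Added example (not from the original guide): summarise /var/log/ufw.log.
# SAMPLE_LOG is constructed and abridged; addresses are documentation ranges.
set -eu

SAMPLE_LOG='Mar 10 12:00:01 vps kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=44321 DPT=22
Mar 10 12:00:02 vps kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=44322 DPT=22
Mar 10 12:00:03 vps kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=44323 DPT=3306
Mar 10 12:00:04 vps kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=23
Mar 10 12:00:05 vps kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=22
Mar 10 12:00:06 vps kernel: [UFW ALLOW] IN=eth0 OUT= SRC=198.51.100.5 DST=198.51.100.10 PROTO=TCP SPT=60000 DPT=443'

# blocked_lines: keeps only drops, both plain blocks and rate-limit blocks
blocked_lines() { grep -E '\[UFW (LIMIT )?BLOCK\]'; }

# blocked_by_source: "count source" lines, busiest source first
blocked_by_source() {
    blocked_lines | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# blocked_by_port: "count port" lines; shows which closed ports get probed most
blocked_by_port() {
    blocked_lines | sed -n 's/.*DPT=\([0-9]*\).*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# top_source: the single busiest blocked source, a candidate for "ufw deny from"
top_source() { blocked_by_source | head -n 1 | awk '{print $2}'; }
```

On the server, `sudo cat /var/log/ufw.log | blocked_by_source | head` gives the noisiest sources; a port that shows up in blocked_by_port which you expected to be open is a sign of a missing or mistyped rule rather than an attack.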
Reset If Things Go Wrong
If you've made mistakes and want to start over:
sudo ufw reset
This disables UFW and removes all rules. You'll need to start from Step 1 again. Make sure you have console access (not just SSH) before resetting, just in case.
Firewall Checklist
Before considering your firewall setup complete, verify:
- ✅ Default incoming policy is deny
- ✅ SSH is allowed (correct port)
- ✅ Web ports (80/443) are allowed if running a web server
- ✅ Database ports are not open to the internet
- ✅ Application ports behind a reverse proxy are not open
- ✅ Rate limiting is enabled on SSH
- ✅ UFW is enabled and active
- ✅ You've tested by connecting from an external machine
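The checklist can be run against the output of `sudo ufw status verbose` instead of being eyeballed. The script below is an added example, not part of the original guide: it reads the status text on stdin, takes the SSH port as its first argument (default 22), prints one FAIL line per item that does not hold and returns the number of failures. GOOD_STATUS and BAD_STATUS are constructed samples in the format shown in Step 4. The external-connection test at the end of the list cannot be checked from the server itself and is left out.

```sh
#!/bin/sh
# Added example (not from the original guide): audit `ufw status verbose`
# output against the checklist. GOOD_STATUS and BAD_STATUS are constructed.
set -eu

GOOD_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                LIMIT IN    Anywhere (v6)'

BAD_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
3306                       ALLOW IN    Anywhere
3000/tcp                   ALLOW IN    Anywhere'

# audit_ufw SSH_PORT: reads status text on stdin, returns the failure count
audit_ufw() {
    ssh_port="${1:-22}"
    status="$(cat)"
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    has() { printf '%s\n' "$status" | grep -Eq "$1"; }

    has '^Status: active' || fail "UFW is not active"
    has '^Default: deny \(incoming\)' || fail "default incoming policy is not deny"
    has "^$ssh_port/tcp +(ALLOW|LIMIT) IN" || fail "SSH port $ssh_port is not allowed"
    has "^$ssh_port/tcp +LIMIT IN" || fail "SSH port $ssh_port is not rate limited"
    for p in 3306 5432; do
        has "^$p(/tcp)? +ALLOW IN +Anywhere" && fail "database port $p is open to the internet"
    done
    for p in 3000 4000 8000; do
        has "^$p(/tcp)? +ALLOW IN +Anywhere" && fail "app port $p behind the reverse proxy is open"
    done
    [ "$fails" -eq 0 ] && echo "OK: checklist passed"
    return "$fails"
}
```

Save it as ufw-audit.sh and run `. ./ufw-audit.sh && sudo ufw status verbose | audit_ufw 22` (use your own SSH port). A database rule restricted to one address, as in the Database Server section, shows that address in the From column instead of Anywhere and therefore passes.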
Secure Your VPS with DeployBase
A properly configured firewall is your first line of defense against unauthorized access. Combined with SSH key authentication, regular updates, and proper server configuration, UFW gives you a solid security foundation.
At DeployBase, our VPS plans come with full root access so you can configure UFW exactly as shown in this guide. Starting at $5/month with NVMe SSD storage, DDoS protection, and 24/7 support, you get the performance and security infrastructure your applications need.
Get your VPS at DeployBase: secure hosting, full control.