Overview
UFW (Uncomplicated Firewall) provides a straightforward interface for managing iptables firewall rules on Linux systems. This guide covers essential UFW operations for securing your RamNode VPS.
💡 Tip: UFW is included by default on most Ubuntu and Debian systems.
Installation and Initial Setup
Most Ubuntu and Debian systems include UFW by default. If it's not installed, you can add it with:
sudo apt update && sudo apt install ufw -y
Important: Before enabling UFW, configure your default policies and allow SSH access to avoid locking yourself out.
Configure your default policies:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
The first two commands establish a secure baseline: block all incoming connections while permitting outbound traffic. The third command ensures you maintain SSH access to your VPS.
Enabling the Firewall
Once your initial rules are in place, enable UFW:
sudo ufw enable
You'll receive a warning about potential SSH disruption. Since you've already allowed SSH, confirm with 'y' to proceed.
✅ Success: Your firewall is now active and protecting your server.
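The steps above (default policies, an SSH rule, then enable) are the order that matters, because enabling with no SSH rule in place is how people lock themselves out. The script below is an added example, not part of the RamNode guide: it prints the planned rule set, refuses to enable UFW unless that plan contains a rule for the SSH port, and then applies it. SSH_PORT, ADMIN_NET and DRY_RUN are this script's own parameters (assumptions of the example), not UFW options; it uses `ufw limit` for SSH, as the guide recommends later under Rate Limiting, and `ufw --force enable` to skip the interactive prompt.

```shell
#!/bin/sh
# Added example, not from the RamNode guide: apply its baseline (default deny
# incoming, allow outgoing, SSH kept open, web ports) in one script that refuses
# to run "ufw enable" unless the planned rules include the SSH port.
# SSH_PORT, ADMIN_NET and DRY_RUN are this script's own parameters, not UFW
# options; set DRY_RUN=1 to print the commands instead of running them.

SSH_PORT="${SSH_PORT:-22}"   # port sshd listens on
ADMIN_NET="${ADMIN_NET:-}"   # optional CIDR allowed to reach SSH, e.g. 10.0.0.0/24

# run: execute one ufw command, or print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ufw %s\n' "$*"
    else
        sudo ufw "$@"
    fi
}

# plan_rules: print the ordered rule set, one ufw argument list per line.
# Defaults first, then SSH (rate-limited via "ufw limit"), then the web ports.
plan_rules() {
    echo "default deny incoming"
    echo "default allow outgoing"
    if [ -n "$ADMIN_NET" ]; then
        echo "limit from $ADMIN_NET to any port $SSH_PORT proto tcp"
    else
        echo "limit $SSH_PORT/tcp"
    fi
    echo "allow http"
    echo "allow https"
}

# plan_has_ssh_rule: read a plan on stdin; succeed only if some allow/limit
# rule opens exactly SSH_PORT (as "PORT/tcp" or as "... port PORT ...").
plan_has_ssh_rule() {
    grep -Eq "^(allow|limit) ((.* )?${SSH_PORT}/tcp|.*port ${SSH_PORT})( |\$)"
}

# apply_plan: guard against lockout, apply every rule, enable non-interactively.
apply_plan() {
    plan="$(plan_rules)"
    if ! printf '%s\n' "$plan" | plan_has_ssh_rule; then
        echo "refusing to enable UFW: no rule for SSH port $SSH_PORT in plan" >&2
        return 1
    fi
    printf '%s\n' "$plan" | while IFS= read -r rule; do
        # word-splitting $rule into separate ufw arguments is intended here
        run $rule
    done
    run --force enable   # --force skips the "may disrupt existing ssh" prompt
}

# "sh ufw-baseline.sh apply" applies the plan; sourcing the file just defines
# the functions so they can be reused or dry-run.
if [ "${1:-}" = "apply" ]; then
    apply_plan
fi
```

Run it once with `DRY_RUN=1 sh ufw-baseline.sh apply` to read the exact commands before touching the live firewall; if sshd listens on a non-default port, set SSH_PORT to match first, since the guard only checks that the plan and SSH_PORT agree, not what sshd is actually configured to use.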
Allowing Services by Name or Port
UFW allows you to open ports using service names or port numbers:
sudo ufw allow http
sudo ufw allow https
sudo ufw allow 3306/tcp
UFW references /etc/services for named services, so 'http' translates to port 80 and 'https' to port 443.
Allowing Specific IP Addresses
You can allow connections from specific IP addresses or subnets:
sudo ufw allow from 192.168.1.100
sudo ufw allow from 10.0.0.0/24 to any port 22
💡 Tip: The second example restricts SSH access to a specific subnet, which is useful for limiting administrative access to known networks.
Denying Traffic
Block specific IP addresses or ports:
sudo ufw deny from 203.0.113.50
sudo ufw deny 23/tcp
Removing Rules
You can delete rules by specifying them exactly as created or by rule number:
sudo ufw delete allow http
sudo ufw status numbered
sudo ufw delete 3
Checking Firewall Status
To view your current rules and UFW status:
sudo ufw status verbose
This displays all active rules along with the default policies and logging level.
Rate Limiting
UFW includes basic rate limiting to protect against brute-force attacks:
sudo ufw limit ssh
This rule allows connections but limits them to six connection attempts within 30 seconds from a single IP address before temporarily blocking that source.
✅ Recommended: Enable rate limiting on SSH to protect against brute-force attacks.
Application Profiles
Some applications install UFW profiles in /etc/ufw/applications.d/. View available profiles with:
sudo ufw app list
sudo ufw app info "OpenSSH"
You can then allow applications by profile name rather than memorizing port numbers.
Logging
Enable logging to track blocked connections and troubleshoot issues:
sudo ufw logging on
sudo ufw logging medium
Logs are written to /var/log/ufw.log and can help identify attack patterns or misconfigured rules.
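Reading /var/log/ufw.log by eye does not scale once a VPS is being probed, so the usual first step is to summarise blocked connections by source and by destination port. The functions below are an added example, not from the RamNode guide; they work on the kernel log format UFW writes (`[UFW BLOCK]` and `[UFW LIMIT BLOCK]` entries with `SRC=` and `DPT=` fields). The sample log lines embedded in `write_sample_log` are constructed for the example and use documentation addresses, not real traffic.

```shell
#!/bin/sh
# Added example, not from the RamNode guide: summarise UFW block entries from
# /var/log/ufw.log (or any file in that format) by source IP and by destination
# port, and point out sources that touched many distinct ports.

# ufw_block_lines FILE: the log lines UFW writes for dropped packets,
# both plain blocks and blocks caused by "ufw limit" rules.
ufw_block_lines() {
    grep -E '\[UFW (LIMIT )?BLOCK\]' "$1"
}

# ufw_blocks_by_src FILE: "count source-ip", most-blocked source first.
ufw_blocks_by_src() {
    ufw_block_lines "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
    } END { for (s in n) print n[s], s }' | sort -rn
}

# ufw_blocks_by_dpt FILE: "count destination-port", most-hit port first.
ufw_blocks_by_dpt() {
    ufw_block_lines "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) n[substr($i, 5)]++
    } END { for (p in n) print n[p], p }' | sort -rn
}

# ufw_port_sweep FILE MIN: "distinct-ports source-ip" for every source that
# was blocked on at least MIN different destination ports (a simple
# port-scan indicator; a single noisy port does not qualify).
ufw_port_sweep() {
    ufw_block_lines "$1" | awk -v min="$2" '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "") seen[src, dpt] = 1
    } END {
        for (k in seen) { split(k, a, SUBSEP); ports[a[1]]++ }
        for (s in ports) if (ports[s] >= min) print ports[s], s
    }' | sort -rn
}

# write_sample_log: write constructed sample entries to a temp file and print
# its path. Addresses are from the RFC 5737 documentation ranges.
write_sample_log() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
Jan 10 12:00:01 vps kernel: [ 1001.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.50 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=1 PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 vps kernel: [ 1002.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.50 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=2 PROTO=TCP SPT=51235 DPT=2323 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 vps kernel: [ 1003.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.50 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=3 PROTO=TCP SPT=51236 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:04 vps kernel: [ 1004.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.50 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=4 PROTO=TCP SPT=51237 DPT=5900 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:01:10 vps kernel: [ 1070.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5 PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:01:11 vps kernel: [ 1071.000000] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=6 PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:02:00 vps kernel: [ 1120.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.8 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=TCP SPT=33333 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
EOF
    printf '%s\n' "$tmp"
}

# usage on a live system (needs read access to the log):
#   ufw_blocks_by_src /var/log/ufw.log | head
#   ufw_port_sweep   /var/log/ufw.log 5
```

On the sample, `ufw_blocks_by_src` ranks 203.0.113.50 first and `ufw_port_sweep FILE 3` reports only that source, since it is the only one blocked on three or more distinct ports. The same functions read journald output if you pipe `journalctl -k --no-pager` into a file first, because the `SRC=`/`DPT=` fields are unchanged there.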
Resetting UFW
If you need to start over with a clean configuration:
sudo ufw reset
Warning: This disables UFW and removes all rules, returning to a default state.
Best Practices
When configuring UFW on your VPS, follow these recommendations:
Open Only Required Ports
For a typical web server, this might include SSH (22), HTTP (80), and HTTPS (443).
Restrict Database Access
Database ports like 3306 (MySQL) or 5432 (PostgreSQL) should remain closed unless remote access is required—and then restrict to known IP addresses.
Use Localhost for Backend Services
For applications behind a reverse proxy, backend services often only need to accept connections from localhost.
Regular Audits
Regularly review your firewall rules with sudo ufw status to ensure they reflect your current requirements.
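An audit is easier to repeat if the "database ports should not be open to the world" rule is encoded rather than checked by eye. The function below is an added example, not from the RamNode guide: it reads the output of `sudo ufw status numbered` (saved to a file) and prints every rule that ALLOWs or LIMITs one of the named ports from Anywhere, IPv6 rules included. The status text in `write_sample_status` is constructed for the example; on a real server you would feed it the live command output.

```shell
#!/bin/sh
# Added example, not from the RamNode guide: find rules in "ufw status numbered"
# output that expose the given ports to Anywhere. Intended for the audit of
# database ports (3306, 5432) the Best Practices section asks for.

# flag_exposed_ports STATUS_FILE PORT...: print "rule-number to-column" for
# every numbered rule whose port is one of PORT..., whose action is ALLOW or
# LIMIT, and whose source is Anywhere. Only numeric-port rules are examined;
# application-profile rules ("Nginx Full") never match a numeric port.
flag_exposed_ports() {
    file="$1"
    shift
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            gsub(/ \(v6\)/, "", rest)          # treat IPv6 rules like IPv4 ones
            split(rest, f)                      # f[1]=To f[2]=Action f[3]=IN/OUT f[4]=From
            port = f[1]; sub(/\/.*/, "", port)  # "3306/tcp" -> "3306"
            if ((port in want) && f[2] ~ /^(ALLOW|LIMIT)$/ && f[4] == "Anywhere")
                print num, f[1]
        }' "$file"
}

# audit_db_ports STATUS_FILE: the check the guide recommends, for MySQL,
# PostgreSQL and Redis. Returns 1 if anything is exposed so it can gate a job.
audit_db_ports() {
    found="$(flag_exposed_ports "$1" 3306 5432 6379)"
    if [ -n "$found" ]; then
        printf 'database ports open to Anywhere (rule-number port):\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# write_sample_status: constructed "ufw status numbered" output for testing.
write_sample_status() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] Nginx Full                 ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    Anywhere
[ 4] 5432/tcp                   ALLOW IN    10.0.0.0/24
[ 5] 6379                       ALLOW IN    Anywhere
[ 6] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 7] 3306/tcp (v6)              ALLOW IN    Anywhere (v6)
EOF
    printf '%s\n' "$tmp"
}

# usage on a live system:
#   sudo ufw status numbered > /tmp/ufw-status.txt && audit_db_ports /tmp/ufw-status.txt
```

In the sample, rules 3, 5 and 7 are flagged and rule 4 is not, because PostgreSQL there is restricted to 10.0.0.0/24 as the guide advises. The printed rule numbers are the ones `sudo ufw delete <number>` takes, so the audit output feeds straight into the fix; re-run `ufw status numbered` after each deletion, since the numbering shifts.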
Quick Reference
sudo ufw enable
sudo ufw disable
sudo ufw status verbose
sudo ufw allow [port]/[protocol]
sudo ufw deny [port]/[protocol]
sudo ufw delete [rule]
sudo ufw reset