
How to Set Up and Configure UFW Firewall on Linux (Ubuntu/Debian)

by Salman Chawhan

A misconfigured or absent firewall is one of the most common security gaps on Linux servers. Whether you’re running a web server, a VoIP stack, or a mail server, controlling what traffic can enter and leave your system is fundamental to a hardened server setup.

UFW (Uncomplicated Firewall) is the default firewall management tool on Ubuntu and Debian-based systems. It acts as a simplified front-end for iptables, making it accessible for both beginners and experienced sysadmins without sacrificing control.

In this guide, you’ll learn how to install, configure, and manage UFW from scratch on Ubuntu 22.04 / 24.04.


Prerequisites

  • A Linux server running Ubuntu 22.04 or 24.04 (or any Debian-based distro)
  • Root or sudo access
  • Basic terminal familiarity

Step 1: Install UFW

UFW comes pre-installed on most Ubuntu systems. To check if it’s available:

```bash
sudo ufw status
```

If it’s not installed, run:

```bash
sudo apt update && sudo apt install ufw -y
```

Step 2: Set Default Policies

Before enabling UFW, set the default policies. The safest approach is to deny all incoming and allow all outgoing traffic by default.

```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
```

Important: Never enable UFW before allowing SSH access, or you will lock yourself out of the server.


Step 3: Allow SSH Access

This is a critical step. If you skip it and enable UFW, you’ll be locked out.

Default SSH (port 22):

```bash
sudo ufw allow ssh
```

Custom SSH port (e.g., port 2222):

```bash
sudo ufw allow 2222/tcp
```

Step 4: Enable UFW

Once SSH is allowed, enable the firewall:

```bash
sudo ufw enable
```

You’ll see a confirmation prompt. Type y to proceed.

To verify:

```bash
sudo ufw status verbose
```
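Steps 2 to 4 are one procedure whose only hard rule is ordering: the SSH rule must exist before `enable`. The script below is an added example (not from the original post) that performs the procedure unattended. It reads the SSH port from an sshd_config file so a custom port is never forgotten, and it uses `ufw --force enable` to skip the y/n prompt. By default it only echoes the ufw commands (a dry run); set `UFW="sudo ufw"` to apply them. The sshd_config content at the bottom is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: bootstrap UFW in the order the
# guide prescribes (default policies, SSH rule, then enable), reading the SSH
# port from an sshd_config. UFW defaults to a dry run that echoes the commands;
# set UFW="sudo ufw" in the environment to apply them for real.
UFW="${UFW:-echo ufw}"

# ssh_port_from_config FILE: print the first "Port" directive in FILE, or 22 if none.
ssh_port_from_config() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ && !p { p = $2 }
         END { print (p ? p : 22) }' "$1"
}

# ufw_bootstrap FILE: default-deny inbound, allow SSH on the configured port,
# then enable. "--force" skips the confirmation prompt so the script can run
# unattended; the rule comment shows up in "ufw status" and documents intent.
ufw_bootstrap() {
    port=$(ssh_port_from_config "$1")
    $UFW default deny incoming
    $UFW default allow outgoing
    $UFW allow "${port}/tcp" comment 'SSH'
    $UFW --force enable
    $UFW status verbose
}

# Demo on a constructed sshd_config with a custom port (not a real system file).
SAMPLE_SSHD_CONFIG=$(mktemp)
printf '# sshd_config (constructed sample)\nPort 2222\nPermitRootLogin no\n' > "$SAMPLE_SSHD_CONFIG"
ufw_bootstrap "$SAMPLE_SSHD_CONFIG"
rm -f "$SAMPLE_SSHD_CONFIG"
```

Run it once as a dry run against `/etc/ssh/sshd_config`, confirm the echoed `allow` line names the port you actually connect on, and only then rerun with `UFW="sudo ufw"`. If the host is exposed to brute-force attempts, `ufw limit` can replace `ufw allow` for the SSH rule; it drops a source that opens more than six connections in thirty seconds.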

Step 5: Allow Common Services

Here are the most commonly needed rules for typical Linux servers:

Web Server (HTTP & HTTPS)

```bash
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
```

Or use the application profile shorthand. These profiles are registered when the nginx or apache2 package is installed, so they only appear in `sudo ufw app list` after the web server itself is on the box:

```bash
sudo ufw allow 'Nginx Full'
sudo ufw allow 'Apache Full'
```

FTP

Plain FTP sends credentials unencrypted, and passive mode needs an additional port range that this single rule does not cover. Prefer SFTP (which rides on the SSH port you already opened) where you can; if you must run FTP, open the control port:

```bash
sudo ufw allow 21/tcp
```

Mail Server (SMTP, IMAP, IMAPS)

```bash
sudo ufw allow 25/tcp
sudo ufw allow 143/tcp
sudo ufw allow 993/tcp
```

MySQL / MariaDB (restrict to localhost or a specific IP)

A database bound to 127.0.0.1 needs no rule at all, because UFW allows loopback traffic. If a remote client must reach it, allow only that client's address and pin the protocol:

```bash
sudo ufw allow from 192.168.1.100 to any port 3306 proto tcp
```

FreeSWITCH / VoIP (SIP & RTP)

The RTP range must match what FreeSWITCH is configured to use (rtp-start-port / rtp-end-port in switch.conf.xml); the values below are its defaults.

```bash
sudo ufw allow 5060/udp
sudo ufw allow 5060/tcp
sudo ufw allow 16384:32768/udp
```

Step 6: Allow or Deny by IP Address

Allow a specific IP for all traffic:

```bash
sudo ufw allow from 203.0.113.50
```

Allow a specific IP on a specific port:

```bash
sudo ufw allow from 203.0.113.50 to any port 22
```

Deny a specific IP. UFW evaluates rules top to bottom and stops at the first match, so a deny rule added after a broader allow rule never fires; use `ufw insert 1` instead of plain `ufw deny` when the address must be blocked ahead of existing allow rules:

```bash
sudo ufw deny from 198.51.100.0
```

Allow an entire subnet:

```bash
sudo ufw allow from 192.168.1.0/24
```

Step 7: Delete Rules

List rules with numbers:

```bash
sudo ufw status numbered
```

Sample output:

```text
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
```

Delete a rule by number. Rule numbers shift after every deletion, so re-run `sudo ufw status numbered` before deleting the next one:

```bash
sudo ufw delete 3
```

Delete a rule by specification:

```bash
sudo ufw delete allow 80/tcp
```

Step 8: Enable UFW Logging

Logging helps you monitor blocked and allowed connections — especially useful for debugging and auditing.

```bash
sudo ufw logging on
```

Log levels available: off, low, medium, high, full. `on` is the same as `low`, which records only blocked packets (rate-limited). Each higher level records more (allowed traffic, new connections) with less rate limiting, so `high` and `full` can fill the disk quickly on a busy host.

```bash
sudo ufw logging medium
```

Logs are written to:

/var/log/ufw.log
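Reading the raw log is tedious; what you usually want to know is which ports and which sources are being refused most, since that is what shows a scan or a misconfigured client. The function below is an added example (not from the original post) that counts any field of the `[UFW BLOCK]` entries, so the same code answers both questions. The log lines at the bottom are constructed samples in the format the kernel writes; on a real host you would pipe `/var/log/ufw.log` into it instead.

```shell
#!/bin/sh
# Added example, not from the original post: summarise blocked traffic from
# ufw.log. The sample log lines are constructed for the demo.

# ufw_top_blocked FIELD [N]: read ufw.log lines on stdin, count the values of
# FIELD (e.g. DPT or SRC) over "[UFW BLOCK]" entries only, and print the top N
# (default 10) as "count value", highest first. ALLOW/AUDIT entries are ignored.
ufw_top_blocked() {
    awk -v fld="$1" '
        /\[UFW BLOCK\]/ {
            for (i = 1; i <= NF; i++)
                if (index($i, fld "=") == 1) count[substr($i, length(fld) + 2)]++
        }
        END { for (v in count) printf "%d %s\n", count[v], v }' |
    sort -rn | head -n "${2:-10}"
}

# Constructed sample of /var/log/ufw.log (documentation addresses, fake MAC).
SAMPLE_UFW_LOG='Jun  1 10:15:32 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.50 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:15:40 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40022 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:16:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.50 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51240 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:16:15 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=33000 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:16:20 web1 kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.100 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

echo "Most blocked destination ports:"
printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_top_blocked DPT 5
echo "Most blocked sources:"
printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_top_blocked SRC 5
```

On a live system, `sudo ufw_top_blocked SRC 20 < /var/log/ufw.log` (after sourcing the file) gives a quick list of addresses worth handing to Fail2Ban or a deny rule; a single source hitting many different DPT values is the usual signature of a port scan.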

Step 9: Allow Application Profiles

UFW ships with predefined application profiles. List them with:

```bash
sudo ufw app list
```

Allow a specific profile:

```bash
sudo ufw allow 'OpenSSH'
```

Step 10: Reset UFW (If Needed)

To reset UFW to the installed defaults, removing every rule you added:

```bash
sudo ufw reset
```

This disables UFW and removes all rules, leaving timestamped backups of the previous rules files in /etc/ufw. Useful when you need to start fresh; remember to re-add the SSH rule before enabling the firewall again.


Disable UFW Temporarily

If you need to test something without the firewall:

```bash
sudo ufw disable
```

Re-enable when done:

```bash
sudo ufw enable
```

UFW Quick Reference Table

| Task | Command |
|---|---|
| Check status | `sudo ufw status verbose` |
| Allow SSH | `sudo ufw allow ssh` |
| Allow HTTP | `sudo ufw allow 80/tcp` |
| Allow HTTPS | `sudo ufw allow 443/tcp` |
| Deny IP | `sudo ufw deny from <IP>` |
| Allow IP on port | `sudo ufw allow from <IP> to any port <PORT>` |
| Delete rule | `sudo ufw delete <rule number>` |
| Enable logging | `sudo ufw logging on` |
| Reset all rules | `sudo ufw reset` |

Common Mistakes to Avoid

  • Never enable UFW before allowing SSH: you will lose remote access immediately
  • Never allow port 3306 (MySQL) from anywhere: restrict it to trusted IPs only
  • Don't forget IPv6: UFW adds matching v6 rules automatically when IPV6=yes is set in /etc/default/ufw (the default on Ubuntu)
  • Always verify rules with sudo ufw status numbered after changes, and test the new rule set from a second session before closing the one you are working in
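Verifying rules by eye works for three rules and fails for thirty. The function below is an added example (not from the original post) that reads the output of `sudo ufw status numbered` and flags every rule that allows a sensitive port from "Anywhere", the mistake the MySQL bullet above warns about. The status text at the bottom is a constructed sample in the same format as the output shown in Step 7; the list of sensitive ports is an argument, so it can be extended to whatever must never be world-reachable on your hosts.

```shell
#!/bin/sh
# Added example, not from the original post: audit "ufw status numbered" output
# for rules that expose sensitive ports to the world. SAMPLE_STATUS is a
# constructed sample; on a real host pipe "sudo ufw status numbered" in instead.

# ufw_audit_exposed PORTS: read "ufw status numbered" text on stdin and print one
# line per rule that ALLOWs a port in PORTS (comma-separated) from "Anywhere"
# (v4 or v6). Exit status is 1 when at least one such rule exists, 0 otherwise,
# so the function can gate a deploy script or run as a cron check.
ufw_audit_exposed() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) bad[p[i]] = 1 }
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            # the To / Action / From columns are separated by runs of spaces
            k = split(rest, f, /  +/)
            to = f[1]; action = f[2]; from = (k >= 3) ? f[3] : ""
            # "3306/tcp (v6)" -> "3306"; app profiles such as "Nginx Full" never match
            port = to; sub(/\/.*/, "", port); sub(/ .*/, "", port)
            if (action ~ /^ALLOW/ && from ~ /^Anywhere/ && (port in bad)) {
                printf "rule %s: port %s is open to %s\n", num, port, from
                hits++
            }
        }
        END { exit (hits > 0) }'
}

# Constructed sample of "sudo ufw status numbered" with one good and two bad rules.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 3306/tcp                   ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    192.168.1.100
[ 4] 21/tcp                     ALLOW IN    Anywhere (v6)
[ 5] Nginx Full                 ALLOW IN    Anywhere'

printf '%s\n' "$SAMPLE_STATUS" | ufw_audit_exposed 3306,21 || echo "exposed rules found, review before deploying"
```

Rule 2 and rule 4 are reported; rule 3 is not, because it is scoped to a single client address. Wire it into a post-change check as `sudo ufw status numbered | ufw_audit_exposed 3306,5432,6379,21`, and the non-zero exit status is what a CI job or a config-management hook keys on.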

Conclusion

UFW is one of the most practical tools in a Linux sysadmin’s arsenal. It gives you the power of iptables with a much cleaner interface, and when configured correctly, it significantly reduces your server’s attack surface.

Start with the defaults (deny incoming, allow outgoing), open only what your services need, and review your rules regularly. Combined with tools like Fail2Ban and SSH key authentication, UFW forms a solid first layer of server security.
