A firewall is your Ubuntu server’s first line of defense, and setting it up doesn’t have to be complicated. Ubuntu’s Uncomplicated Firewall (UFW) makes securing your system easy, even if you’re new to Linux. In this guide, we’ll walk you through how to set up a basic firewall with UFW on Ubuntu, including examples of common services and ports to allow, steps to back up and restore rules, and how to automate it with Ansible. Let’s dive into this beginner-friendly tutorial and lock down your server today.
What is UFW? Understanding Ubuntu’s Firewall Tool
UFW simplifies firewall management by wrapping complex iptables rules in an easy-to-use interface. Preinstalled on most Ubuntu systems, it’s perfect for beginners and pros alike. Whether you’re securing a web server or a personal machine, mastering UFW is a must. Let’s get started with the essentials.
Step 1: Installing UFW on Ubuntu (If It’s Missing)
UFW typically comes with Ubuntu, but double-check by running:
ufw --version
If UFW is already installed, this returns a version number. No UFW? Install it fast:
sudo apt update
sudo apt install ufw
Now you’re ready to configure your firewall.
Step 2: Setting UFW Default Policies for Security
Before enabling UFW, set default rules to control traffic. A smart starting point? Deny all incoming connections and allow all outgoing ones. Here’s how:
sudo ufw default deny incoming
sudo ufw default allow outgoing
This setup blocks unsolicited traffic while letting your server fetch updates or data. It’s a solid baseline for any Ubuntu firewall.
Step 3: Allowing Common Services and Ports in UFW
Your server needs to breathe—allow key services like SSH or HTTP. UFW makes this a breeze with service names or port numbers. Here are the most common setups:
sudo ufw allow ssh
But what if you use a custom port for SSH? This is actually a good practice and highly recommended. In this case, we will open port 2222 as an example:
sudo ufw allow 2222/tcp
To protect SSH from overload and brute-force attacks, we can limit SSH attempts to 6 per 30 seconds per IP address, like this:
sudo ufw limit ssh

Common Ports, Services, and UFW Commands
Port | Protocol | Service | Description | UFW Command to Open |
---|---|---|---|---|
20 | TCP | FTP (Data) | File Transfer Protocol (data transfer) | sudo ufw allow 20/tcp |
21 | TCP | FTP (Control) | File Transfer Protocol (control) | sudo ufw allow ftp or sudo ufw allow 21/tcp |
22 | TCP | SSH | Secure Shell for remote access | sudo ufw allow ssh or sudo ufw allow 22/tcp |
23 | TCP | Telnet | Unencrypted remote access (less common) | sudo ufw allow 23/tcp |
25 | TCP | SMTP | Simple Mail Transfer Protocol (email) | sudo ufw allow smtp or sudo ufw allow 25/tcp |
53 | TCP/UDP | DNS | Domain Name System (name resolution) | sudo ufw allow dns or sudo ufw allow 53 |
80 | TCP | HTTP | Web traffic (unencrypted) | sudo ufw allow http or sudo ufw allow 80/tcp |
110 | TCP | POP3 | Post Office Protocol (email retrieval) | sudo ufw allow pop3 or sudo ufw allow 110/tcp |
143 | TCP | IMAP | Internet Message Access Protocol (email) | sudo ufw allow imap or sudo ufw allow 143/tcp |
443 | TCP | HTTPS | Secure web traffic (encrypted) | sudo ufw allow https or sudo ufw allow 443/tcp |
465 | TCP | SMTPS | Secure SMTP (email over SSL/TLS) | sudo ufw allow 465/tcp |
587 | TCP | SMTP (Submission) | Email submission (often encrypted) | sudo ufw allow 587/tcp |
993 | TCP | IMAPS | Secure IMAP (email over SSL/TLS) | sudo ufw allow imaps or sudo ufw allow 993/tcp |
995 | TCP | POP3S | Secure POP3 (email over SSL/TLS) | sudo ufw allow pop3s or sudo ufw allow 995/tcp |
3306 | TCP | MySQL | MySQL database server | sudo ufw allow mysql or sudo ufw allow 3306/tcp |
5432 | TCP | PostgreSQL | PostgreSQL database server | sudo ufw allow 5432/tcp |
8080 | TCP | HTTP-Alt | Alternative HTTP port (e.g., dev servers) | sudo ufw allow 8080/tcp |
25565 | TCP | Minecraft | Minecraft game server | sudo ufw allow 25565/tcp |
Step 4: Enabling Your UFW Firewall
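If you are connected over SSH, confirm that the SSH rule from Step 3 is in place before enabling the firewall; with the default deny policy and no SSH rule, new SSH connections will be blocked.
sudo ufw enable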
Sample output:
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
22/tcp LIMIT Anywhere
Step 5: Managing UFW Rules
sudo ufw status numbered
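This gives a numbered list of rules. From here you can, for example, delete a specific rule by its number. Rule numbers shift after each deletion, so list the rules again before deleting another one: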
sudo ufw delete 2
You can also disable the firewall without losing settings:
sudo ufw disable
Export rules to a file:
sudo ufw status > ufw-rules-backup.txt
For a deeper backup, use iptables:
sudo iptables-save > iptables-backup.rules
Store this file safely (e.g., cloud storage or Git).
Restoring UFW Rules
To restore from a ufw status backup, reapply manually:
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
# Add other rules from your file
sudo ufw enable
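To avoid retyping rules by hand, the following added example (not part of the original guide) converts a saved ufw status listing into ufw commands for review. The function names and the sample listing are constructed for illustration, and the script assumes IPv6 is enabled in /etc/default/ufw, so the "(v6)" duplicates are recreated automatically.

```shell
#!/bin/sh
# Added example: rebuild ufw commands from a `sudo ufw status` backup.
# It only prints commands; review them, then run them as root.

# Constructed sample of a backup file (not taken from a real server).
sample_backup() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       203.0.113.0/24
Nginx Full                 ALLOW       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
EOF
}

# stdin: ufw status listing; stdout: one ufw command per simple inbound rule.
ufw_status_to_commands() {
    awk '
        # Header lines and blanks carry no rules.
        /^Status:/ || /^To[ \t]+Action/ || /^--/ || NF == 0 { next }
        # Assumption: ufw adds the IPv6 twin itself when IPV6=yes.
        /\(v6\)/ { next }
        {
            $1 = $1   # collapse column padding to single spaces
            # Convert only "<port>[/proto] ACTION <Anywhere|IPv4[/mask]>".
            # App profiles, interfaces, OUT rules etc. are flagged, not guessed.
            if (NF != 3 || $2 !~ /^(ALLOW|DENY|REJECT|LIMIT)$/ ||
                $1 !~ /^[0-9]+(:[0-9]+)?(\/(tcp|udp))?$/ ||
                ($3 != "Anywhere" && $3 !~ /^[0-9.]+(\/[0-9]+)?$/)) {
                print "# review by hand: " $0
                next
            }
            action = tolower($2)
            if ($3 == "Anywhere") { print "ufw " action " " $1; next }
            n = split($1, p, "/")
            cmd = "ufw " action " from " $3 " to any port " p[1]
            if (n == 2) cmd = cmd " proto " p[2]
            print cmd
        }
    '
}

# Demo on the constructed sample; on a server: ufw_status_to_commands < ufw-rules-backup.txt
sample_backup | ufw_status_to_commands
```

Lines printed with "# review by hand" are rules the script deliberately does not translate, such as application profiles or IPv6-only sources.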
From an iptables backup:
sudo iptables-restore < iptables-backup.rules
Reload UFW:
sudo ufw reload
Automating UFW Setup with Ansible
Managing multiple servers? Ansible automates UFW setup effortlessly. Here’s a quick guide.
Ansible Prerequisites
- Install Ansible: sudo apt install ansible.
- Add your Ubuntu server to /etc/ansible/hosts.
Sample Ansible Playbook for UFW
Create ufw_setup.yml:
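---
- name: Set Up UFW on Ubuntu
  hosts: all
  become: yes
  tasks:
    - name: Install UFW
      apt:
        name: ufw
        state: present
        update_cache: yes
    # A task can call the ufw module only once, so each direction gets its own task.
    - name: Deny incoming traffic by default
      ufw:
        direction: incoming
        policy: deny
    - name: Allow outgoing traffic by default
      ufw:
        direction: outgoing
        policy: allow
    # "port: ssh" resolves the service name; the module's "name" option
    # expects an application profile from /etc/ufw/applications.d instead.
    - name: Allow SSH
      ufw:
        rule: allow
        port: ssh
        proto: tcp
    - name: Allow HTTP
      ufw:
        rule: allow
        port: 80
        proto: tcp
    - name: Allow HTTPS
      ufw:
        rule: allow
        port: 443
        proto: tcp
    # Rate-limit SSH connection attempts per source address.
    - name: Limit SSH
      ufw:
        rule: limit
        port: ssh
        proto: tcp
    - name: Enable UFW
      ufw:
        state: enabled
    # "creates" makes this run only once; delete the file to take a fresh backup.
    - name: Backup rules
      shell: ufw status > /root/ufw-rules-backup.txt
      args:
        creates: /root/ufw-rules-backup.txt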
Run it:
ansible-playbook ufw_setup.yml
This playbook handles everything—installation, rules, and backups.
UFW Best Practices for Ubuntu
- Test First: Try rules on a test VM before production.
- Enable Logging: Use sudo ufw logging on and check /var/log/ufw.log.
- Backup Regularly: Automate backups with cron or Ansible.
- Version Control: Store Ansible playbooks in Git.
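Once logging is on, a short summary of /var/log/ufw.log shows which sources are hitting closed or rate-limited ports. This is an added example, not part of the original guide; the function names are hypothetical and the log lines are constructed and shortened.

```shell
#!/bin/sh
# Added example: count blocked packets per source address and destination port.

# Constructed, shortened sample of /var/log/ufw.log entries.
sample_log() {
    cat <<'EOF'
Mar  3 10:00:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=23
Mar  3 10:00:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
Mar  3 10:00:03 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23
Mar  3 10:00:09 web1 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22
Mar  3 10:00:12 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
EOF
}

# stdin: ufw log lines; stdout: "<count> <source> <port>/<proto>", busiest first.
ufw_block_summary() {
    awk '
        # [UFW BLOCK] is the default policy; [UFW LIMIT BLOCK] is the limit rule.
        /\[UFW (LIMIT )?BLOCK\]/ {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
            }
            # Entries without a destination port (e.g. ICMP) are skipped.
            if (src == "" || dpt == "") next
            count[src " " dpt "/" proto]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Demo on the constructed sample; on a server: sudo cat /var/log/ufw.log | ufw_block_summary
sample_log | ufw_block_summary
```

A source that keeps appearing against the SSH port with the LIMIT BLOCK prefix is being throttled by the limit rule from Step 3.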
Conclusion: Secure Your Ubuntu Server with UFW
Setting up a firewall with UFW on Ubuntu is quick, effective, and scalable. From allowing SSH and web traffic to automating with Ansible, this guide covers it all. Back up your rules, test your setup, and rest easy knowing your server’s secure. Ready to get started? Follow these steps and take control of your Ubuntu security now!