Set up UFW on a VPS (Debian / Ubuntu firewall guide)
UFW (Uncomplicated Firewall) is the simplest way to secure a fresh VPS without dealing directly with iptables. It provides a clean and readable way to manage network access rules.
Basic principle
- Block all incoming traffic by default
- Allow all outgoing traffic
- Explicitly open only required ports
This reduces the attack surface immediately.
Critical rule
Never enable UFW before allowing SSH access.
If you enable the firewall too early, you risk losing remote access and will need to use your provider’s recovery console.
Install UFW
sudo apt update
sudo apt install ufw
Allow SSH access
sudo ufw allow 22/tcp
If you use a custom SSH port, replace 22 with your port.
Allow web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Example: game server (FiveM)
sudo ufw allow 30120/tcp
sudo ufw allow 30120/udp
Database access (only if needed externally)
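sudo ufw allow 3306/tcp
This rule accepts connections to port 3306 from any address. If the client address is known, use the rule under "Restrict access to a single IP" instead.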
Enable UFW
sudo ufw enable
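Added example (not part of the original guide): a shell wrapper that enforces the critical rule above. It reads the SSH port from sshd -T and refuses to run ufw enable unless ufw show added already lists an allow or limit rule for that port. The function names and the --apply flag are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names and the
# --apply flag are this example's own (assumptions).

# stdin: sshd configuration text (e.g. from `sshd -T`).
# stdout: every configured port, or 22 (the OpenSSH default) if none is set.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; found = 1 }
         END { if (!found) print 22 }'
}

# stdin: output of `ufw show added` (rules queued even while UFW is inactive).
# $1: port number. Succeeds if an allow or limit rule names that port,
# either bare ("22") or as TCP ("22/tcp"); "22/udp" does not count.
ssh_rule_present() {
    awk -v p="$1" '
        BEGIN { bare = p ""; tcp = p "/tcp" }
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") {
            for (i = 3; i <= NF; i++)
                if ($i "" == bare || $i == tcp) ok = 1
        }
        END { exit !ok }'
}

# Apply the guide's defaults and enable UFW only if every sshd port is covered.
safe_enable() {
    rules=$(sudo ufw show added) || return 1
    for port in $(sudo sshd -T | sshd_ports); do
        if ! printf '%s\n' "$rules" | ssh_rule_present "$port"; then
            echo "Refusing to enable UFW: no allow rule for SSH port $port/tcp" >&2
            echo "Run first: sudo ufw allow $port/tcp" >&2
            return 1
        fi
    done
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw enable
}

# Nothing touches the firewall unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
    safe_enable
fi
```

A source-restricted rule (allow from ... to any port 22) also passes the check, so confirm that the address in it is the one you connect from.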
Check status
sudo ufw status verbose
Open a port range
sudo ufw allow 27000:27050/tcp
Restrict access to a single IP
sudo ufw allow from 203.0.113.42 to any port 3306
Remove a rule
sudo ufw delete allow 3306/tcp
Disable UFW
sudo ufw disable
Rules remain saved and take effect again when UFW is re-enabled.
Logs and debugging
sudo tail -f /var/log/ufw.log
Common mistake
Do not block all ports without verifying running services.
You may break SSH access, APIs, or databases.
UFW is not a complete security solution
UFW only filters network traffic.
For brute-force protection, use Fail2ban alongside it.
Summary
UFW is one of the first and most important security layers to configure on a VPS.
Next step: secure SSH further and install Fail2ban.