
Set up UFW on a VPS (Debian / Ubuntu firewall guide)

UFW (Uncomplicated Firewall) is the simplest way to secure a fresh VPS without dealing directly with iptables. It provides a clean and readable way to manage network access rules.

Basic principle

  • Block all incoming traffic by default
  • Allow all outgoing traffic
  • Explicitly open only required ports

This reduces the attack surface immediately.

Critical rule

Never enable UFW before allowing SSH access.

If you enable the firewall too early, you risk losing remote access and will need to use your provider’s recovery console.

Install UFW

sudo apt update
sudo apt install ufw

Allow SSH access

sudo ufw allow 22/tcp

If you use a custom SSH port, replace 22 with your port.

Allow web traffic

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Example: game server (FiveM)

sudo ufw allow 30120/tcp
sudo ufw allow 30120/udp

Database access (only if needed externally)

sudo ufw allow 3306/tcp

Enable UFW

sudo ufw enable

Check status

sudo ufw status verbose

Open a port range

sudo ufw allow 27000:27050/tcp

Restrict access to a single IP

sudo ufw allow from 203.0.113.42 to any port 3306

Remove a rule

sudo ufw delete allow 3306/tcp

Disable UFW

sudo ufw disable

Rules remain saved and can be re-enabled later.

Logs and debugging

sudo tail -f /var/log/ufw.log
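
To see which sources and ports account for the blocked traffic rather than watching lines scroll by, the log can be summarised. This is an added example, not part of the original guide. It assumes the usual KEY=VALUE layout of UFW kernel log entries; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Summarise "[UFW BLOCK]" entries: count per source IP, protocol and
# destination port, most frequent first.
# Real use: sudo cat /var/log/ufw.log | ufw_block_summary
ufw_block_summary() {
    awk '
    /\[UFW BLOCK\]/ {
        src = ""; proto = ""; dpt = "-"   # ICMP entries carry no DPT
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")           # split each token on its first "="
            if (eq == 0) continue
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (key == "SRC") src = val
            else if (key == "PROTO") proto = val
            else if (key == "DPT") dpt = val
        }
        if (src != "" && proto != "") count[src " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample input (documentation addresses, shortened MAC field).
sample_ufw_log() {
    cat <<'EOF'
Mar  3 10:15:01 vps kernel: [ 1201.100] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TTL=241 ID=54321 PROTO=TCP SPT=41000 DPT=23 WINDOW=1024 SYN URGP=0
Mar  3 10:15:04 vps kernel: [ 1204.310] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TTL=241 ID=54322 PROTO=TCP SPT=41001 DPT=23 WINDOW=1024 SYN URGP=0
Mar  3 10:16:12 vps kernel: [ 1272.002] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=192.0.2.55 DST=203.0.113.10 LEN=60 TTL=52 ID=1187 PROTO=TCP SPT=50522 DPT=3306 WINDOW=64240 SYN URGP=0
Mar  3 10:16:40 vps kernel: [ 1300.450] [UFW ALLOW] IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.42 DST=203.0.113.10 LEN=60 TTL=60 ID=2201 PROTO=TCP SPT=40112 DPT=3306 WINDOW=64240 SYN URGP=0
Mar  3 10:17:05 vps kernel: [ 1325.900] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=192.0.2.55 DST=203.0.113.10 LEN=84 TTL=52 ID=1190 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF
}

# Stand-alone run on the constructed sample.
sample_ufw_log | ufw_block_summary
```

A source that keeps hitting a port you never opened is a candidate for Fail2ban or an explicit deny rule; repeated blocks on a port you did intend to open usually mean a missing allow rule.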

Common mistake

Do not block all ports without verifying running services.

You may break SSH access, APIs, or databases.

UFW is not a complete security solution

UFW only filters network traffic.

For brute-force protection, use Fail2ban alongside it.

Summary

UFW is one of the first and most important security layers to configure on a VPS.

Next step: secure SSH further and install Fail2ban.