UFW firewall basics: set up a VPS firewall
UFW is the simple way to run a firewall on a VPS. Set a default-deny policy, allow only the ports you need, and turn it on without locking out SSH.
What UFW is and why you want it
UFW stands for Uncomplicated Firewall, and the name is honest. It is a friendly front end over the firewall the Linux kernel already has, so instead of writing raw rules you type short commands like ufw allow 22/tcp. On a fresh VPS every listening service is reachable from the internet by default. A firewall flips that around: you deny everything, then allow the few ports you actually use. That single change removes most of your exposure in about four commands.
Before you touch it, know what is listening, because those are the services a firewall decides the fate of. Reading what is listening with ss -tlnp is the right first step.
The one rule that keeps you from locking yourself out
Here is the mistake that scares people off firewalls. You enable UFW with a default-deny policy, but you never allowed SSH, so the moment the firewall comes up your own connection is cut and you cannot get back in. Avoid it by always allowing SSH before you enable UFW. That is the whole trick, and the steps below do it in the safe order.
If it happens to you anyway, you are not stuck: your provider's web console, over VNC or serial, does not go through SSH, so you can log in there and run ufw disable or add the missing rule.
Step 1: Set the default policies
Start by telling UFW to deny everything coming in and allow everything going out:
sudo ufw default deny incoming
sudo ufw default allow outgoing
deny incoming is the important half. It means any port with no explicit allow rule is closed to the outside, even if a service is listening on it. allow outgoing lets your server reach the internet normally for updates and the like. These two commands change policy only; nothing is enforced until you enable UFW in step 3.
Step 2: Allow the ports you actually need
Before enabling, open SSH so you keep your connection:
sudo ufw allow 22/tcp
UFW can also rate-limit SSH for you: sudo ufw limit 22/tcp allows the port but blocks any address that makes six or more connections in thirty seconds, which blunts brute-force scripts with no extra software.
If you run a web server, allow HTTP and HTTPS too:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Allow only what you serve to the public. A database like Postgres on port 5432 should almost never get an allow rule. Bind it to 127.0.0.1 instead so it is reachable only on the machine. Every port you open is a door you now have to defend, so keep the list short.
You can also build the full sequence of ufw commands for your server here, then run them in order:
Step 3: Enable, and confirm it is on
sudo ufw enable
It warns that the command may disrupt existing SSH connections. Because you allowed 22/tcp in step 2, your session survives. Confirm the result:
sudo ufw status verbose
Status: active
Default: deny (incoming), allow (outgoing)
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp ALLOW IN Anywhere
Read two things here. Status: active means the firewall is running. And every rule appears twice, once plain and once with (v6), which tells you UFW is covering IPv6 as well as IPv4. If the (v6) lines are missing, your IPv6 side is unmanaged, which is its own trap covered in the IPv6 firewall post.
Managing rules later
To see rules with numbers so you can remove one:
sudo ufw status numbered
sudo ufw delete 3
To allow a port only from one address, which is a good way to expose an admin service to just your own IP:
sudo ufw allow from 10.0.0.24 to any port 5432 proto tcp
A firewall is one layer. It controls what can reach a port, but it does not slow down someone hammering a port you have left open, like SSH. For that, add Fail2ban in front of SSH to ban repeat offenders. Defence in depth means each layer covers what the others cannot.
A firewall only makes sense once you know what ports are and how services listen, and configuring one is a step in the first 10 minutes on a new VPS.
FAQ
Will enabling UFW disconnect my SSH session?
Not if you allow SSH first. Run sudo ufw allow 22/tcp before sudo ufw enable, and your connection survives because the firewall now permits port 22. The danger is enabling a default-deny firewall without an SSH allow rule, which cuts you off. If that happens, log in through your provider's VNC or serial console and run ufw disable.
What ports should I open on a VPS?
Only the ones you serve to the public. SSH (22/tcp) so you can manage the box, and HTTP and HTTPS (80/tcp, 443/tcp) if you run a website. Leave everything else denied. Internal services like databases should bind to 127.0.0.1 and get no firewall rule at all, so they are never reachable from the network.
Does UFW handle IPv6?
On modern Ubuntu, yes: IPV6=yes is set in /etc/default/ufw, so each rule applies to both stacks and ufw status shows the IPv6 rules with a (v6) suffix. The ways it can still go wrong are covered in the IPv6 firewall trap.
How do I remove a UFW rule?
Run sudo ufw status numbered to list the rules with index numbers, then sudo ufw delete N where N is the number of the rule you want gone. You can also delete by specification, for example sudo ufw delete allow 80/tcp.
How do I allow a port only from one IP address?
Use a from rule instead of a plain allow. To let only your office address reach PostgreSQL, run sudo ufw allow from 10.0.0.10 to any port 5432 proto tcp. With a default-deny policy the port is closed to everyone until a rule opens it, so this from rule is the only way in: the whole internet stays blocked and only the address you name gets through. Do not also add a plain allow 5432/tcp, which would open the port to everyone. This is the safest way to expose a database or an admin panel. Confirm it with sudo ufw status verbose, which shows the source address beside the port.