Ubuntu — UFW Firewall
UFW (Uncomplicated Firewall) is the default firewall tool on Ubuntu. It wraps iptables with a simpler interface. This guide covers a complete baseline setup for a typical server.
Pre-requisites
- Ubuntu 20.04 or later
sudoaccess- Active SSH session — read the SSH warning below before enabling UFW
Defaults
UFW ships inactive. The sensible defaults for a server:
Allow SSH before enabling
Always add your SSH rule before running ufw enable. Enabling UFW without an SSH rule on a remote server locks you out immediately.
Common Allow Rules
By service name
UFW knows common services by name:
By port number
Port range
From a specific IP
From a subnet
Deny Rules
deny silently drops packets. reject drops them and sends back an error (faster timeout for the sender):
Rate Limiting
Built-in rate limiting blocks IPs that make 6+ connections within 30 seconds. Essential for SSH:
Use this instead of allow ssh on any public-facing server.
Enable / Disable
Check Status
Example output:
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp LIMIT IN Anywhere
[ 2] 80/tcp ALLOW IN Anywhere
[ 3] 443/tcp ALLOW IN Anywhere
Delete Rules
By rule number (get numbers from sudo ufw status numbered):
By rule definition:
Baseline Setup — Typical Web Server
The minimum ruleset for a server running SSH, HTTP, and HTTPS:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw limit ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
sudo ufw status verbose
Outbound SMTP
If the server should not send email directly (most servers), block outbound port 25 to prevent abuse if the system is ever compromised:
Rules for Services in This Wiki
Quick reference for the UFW rules that other articles here depend on:
| Service | Rule | Article |
|---|---|---|
| WireGuard VPN | sudo ufw allow 51820/udp |
WireGuard VPN |
| Apt-Cacher NG | sudo ufw allow from 192.168.1.0/24 to any port 3142 proto tcp |
Apt-Cacher NG |
| RDP (xrdp / GNOME RD) | sudo ufw allow from 192.168.1.0/24 to any port 3389 |
Enable Remote Desktop |
| TeamSpeak 3 | sudo ufw allow 9987/udp, 30033/tcp, 10011/tcp |
TeamSpeak 3: Install |
Adjust the subnet to your LAN. The pattern is consistent: LAN-only services get a from <subnet> restriction, public services get rate limiting where it exists.