The Ultimate Guide to UFW Firewall on Debian/Ubuntu: Secure & Lightweight

Tired of complex iptables syntax? This simple firewall setup will lock down your server.

This detailed guide walks through configuring UFW (Uncomplicated Firewall) on Debian 10+ and Ubuntu 20.04+ systems. UFW is the recommended firewall management tool for these distributions, providing a user-friendly interface for managing iptables rules.

From installation to advanced configuration, this tutorial will help you build a secure and resource-efficient firewall system, specifically addressing the needs of users requiring SSH, HTTP, HTTPS, and custom port access.

1. Why UFW Firewall Should Be Your First Line of Defense

UFW (Uncomplicated Firewall) is a firewall configuration tool designed specifically for Ubuntu and Debian systems to simplify iptables management. It provides system administrators with sufficient network security control through user-friendly commands without memorizing complex iptables syntax.

Key Advantages of UFW:

Easy to Use: Manage rules with simple commands like allow and deny.
Lightweight: As a frontend to iptables/nftables, it has minimal resource overhead with identical rule efficiency.
Powerful & Flexible: Supports granular control through ports, protocols, IP addresses, and rate limiting.

For most Debian/Ubuntu server users, UFW strikes the perfect balance between usability, functionality, and resource consumption. Unless you have specific networking requirements, UFW should be your default choice.

2. Prerequisites and UFW Installation

Before beginning, ensure you're connected to your server via SSH with sudo privileges.

Install UFW (usually pre-installed, but ensure it's updated):

sudo apt update
sudo apt install ufw -y

Critical Warning: Before enabling UFW, always allow your current SSH connection port (typically port 22 or your custom SSH port). Otherwise, you might lock yourself out of the server!

3. Initial Configuration and Default Policies

Proper default policies form the foundation of firewall security.

# Set default policies: deny all incoming, allow all outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

This ensures: any incoming connection not explicitly allowed will be denied, while outgoing connections initiated by the server remain unrestricted. This follows the "principle of least privilege" significantly enhancing server security.

4. Opening Essential Ports: SSH, HTTP, HTTPS & Custom Ports

Now open the necessary ports according to your requirements. Always allow your SSH port first!

4.1 Open Standard Service Ports

# Open SSH port (22) - if using default SSH
sudo ufw allow 22/tcp

# Open HTTP (80) and HTTPS (443) for web services
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

4.2 Open Custom Ports (12345 and 54321)

# Open your specified custom ports
sudo ufw allow 12345/tcp
sudo ufw allow 54321/tcp

Explanation:

allow: Permits the connection.
12345/tcp: Specifies TCP protocol on port 12345. Replace with udp for UDP protocol.
To allow both TCP and UDP, omit the protocol: sudo ufw allow 12345.

4.3 (Recommended) SSH Security Hardening: IP Restrictions or Port Changes

Leaving SSH port (22) open to the world exposes you to constant brute-force attacks. Consider these security enhancements:

Method A: Restrict SSH Access to Specific IPs (Most Secure)
If you have a static public IP (e.g., from your office or home), only allow that IP to connect:

# Replace 192.168.1.100 with your actual static IP
sudo ufw allow from 192.168.1.100 to any port 22 proto tcp

Method B: Use Non-Standard SSH Ports (Less Secure)
Without a static IP, using non-standard ports (like 12345 or 54321) reduces automated scanning attacks. After opening custom ports, modify the Port directive in your SSH config file (/etc/ssh/sshd_config) and restart the SSH service.

5. Enable UFW and Verify Rules

With all rules configured, enable UFW:

# Enable UFW
sudo ufw enable

The system might warn that "this may disrupt existing SSH connections." Since you've configured SSH rules, type y to confirm.

Verify Firewall Status and Rules:
After enabling, check the status to ensure everything works correctly.

# Check status
sudo ufw status verbose

The output should show "Status: active" and list all your allowed port rules.

6. Essential UFW Management Commands

Disable UFW: sudo ufw disable
Reset UFW (back to defaults): sudo ufw reset
Delete a Rule:
1. List numbered rules: sudo ufw status numbered
2. Delete by number: sudo ufw delete [number]
Allow Port Range: sudo ufw allow 51000:60000/tcp
Deny Port Access: sudo ufw deny 80/tcp

7. Advanced Techniques & Best Practices

Rate Limiting: Implement connection rate limiting for services like SSH to prevent brute-force attacks.
```
sudo ufw limit ssh/tcp comment 'Limit SSH Bruteforce'
```
Logging: Enable logging for monitoring and debugging.
```
sudo ufw logging on
```
Logs are typically located at /var/log/ufw.log.
Combine with Fail2ban: For production servers, strongly consider installing fail2ban. It monitors system logs and automatically blocks attacker IPs using UFW rules upon detecting malicious login attempts.
Regular Rule Audits: Periodically review your active rules with sudo ufw status and close any unnecessary service ports.

8. Troubleshooting Common Issues

Can't connect via SSH after enabling UFW: Most likely caused by not properly allowing the SSH port. Use your provider's VNC console to access the server, disable UFW (sudo ufw disable), then recheck and add the correct SSH rules.
Service inaccessible: Verify the rule is added correctly (TCP/UDP protocol, port number) and that UFW is enabled (sudo ufw enable).
Rules not applying: Confirm if changes require reloading a service or try restarting UFW (usually unnecessary).

Following this guide will help you quickly establish a secure, efficient, and lightweight firewall system on your Debian or Ubuntu server. UFW's simplicity makes it the ideal choice for most use cases.

Copyright: This article was originally published by MGREI. Please retain this attribution when sharing.