UFW Firewall Configuration Guide for VPS

A step-by-step guide to configure UFW (Uncomplicated Firewall) on a fresh VPS installation.

Prerequisites

  • Ubuntu/Debian-based VPS
  • SSH access with sudo privileges
  • UFW installed (included by default on Ubuntu)

Initial Setup

Check Current Status

# Check if ufw is installed and its status
sudo ufw status

# Check current iptables rules (should be empty on fresh install)
sudo iptables -L -n

Set Default Policies

# Block all incoming traffic by default
sudo ufw default deny incoming

# Allow all outgoing traffic by default
sudo ufw default allow outgoing

Configure Rules

Allow SSH (Custom Port)

Replace 2222 with your actual SSH port:

sudo ufw allow 2222/tcp comment 'SSH'

Allow Monitoring (Beszel)

Replace 8090 with your actual Beszel port:

sudo ufw allow 8090/tcp comment 'Beszel monitoring'

Additional Rules (For Later Use)

These rules can be added later when needed:

# HTTP (when Traefik/web services are ready)
sudo ufw allow 80/tcp comment 'HTTP'

# HTTPS (when Traefik/web services are ready)
sudo ufw allow 443/tcp comment 'HTTPS'

# Allow from specific IP only (more restrictive)
sudo ufw allow from 203.0.113.50 to any port 8090 proto tcp comment 'Beszel from specific IP'

Pre-Activation Verification

Before enabling the firewall, verify the rules that will be applied:

sudo ufw show added

Expected output:

Added user rules (see 'ufw status' for running firewall):
ufw allow 2222/tcp comment 'SSH'
ufw allow 8090/tcp comment 'Beszel monitoring'

⚠️ Critical: Ensure your SSH port is in the list before proceeding.

Enable Firewall

⚠️ Keep your current SSH session open during this step

sudo ufw enable

You will be prompted:

Command may disrupt existing ssh connections. Proceed with operation (y|n)?

Type y and press Enter.
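The pre-activation check above, automated: this is an added example script, not part of the original guide, that reads the output of `ufw show added`, refuses to run `ufw enable` unless an inbound TCP allow rule for the SSH port is present, and only touches the live firewall when invoked with `apply` (the script name ufw-safe-enable.sh is a placeholder).

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): guard `ufw enable` behind a
# check that an inbound TCP allow rule for the SSH port exists, so a typo in
# the SSH rule cannot lock you out of the VPS.
set -eu

# ssh_rule_present PORT   (reads `ufw show added` output on stdin)
# Exit 0 if some "ufw allow ..." rule admits inbound TCP to PORT, else 1.
# Accepts "allow 2222/tcp", "allow 2222" and "... to any port 2222 proto tcp";
# rejects outbound rules, UDP-only rules, and ports that merely contain PORT
# as a substring (e.g. 22220 when PORT is 2222).
ssh_rule_present() {
  local port="$1"
  grep -E '^ufw allow ' \
    | grep -Ev '^ufw allow out|/udp|proto udp' \
    | grep -Eq "(^|[^0-9.:])${port}(/tcp)?([[:space:]]|$)"
}

# safe_enable PORT: run the check against the live ruleset, then enable.
# Assumes sudo and ufw are available, i.e. you are running this on the VPS.
safe_enable() {
  local port="$1"
  if sudo ufw show added | ssh_rule_present "$port"; then
    echo "SSH port ${port}/tcp is allowed; enabling ufw"
    sudo ufw enable            # still shows the "may disrupt" prompt
  else
    echo "refusing to enable ufw: no inbound TCP allow rule for port ${port}" >&2
    echo "add one first: sudo ufw allow ${port}/tcp comment 'SSH'" >&2
    return 1
  fi
}

# Only act on the live firewall when invoked as:  ./ufw-safe-enable.sh apply 2222
if [ "${1:-}" = "apply" ]; then
  safe_enable "${2:-2222}"
fi
```

Keep your existing SSH session open while running it, exactly as with a manual `sudo ufw enable`.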

Post-Activation Verification

Check Firewall Status

sudo ufw status verbose

Expected output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
2222/tcp ALLOW IN Anywhere # SSH
8090/tcp ALLOW IN Anywhere # Beszel monitoring
2222/tcp (v6) ALLOW IN Anywhere (v6) # SSH
8090/tcp (v6) ALLOW IN Anywhere (v6) # Beszel monitoring

Test SSH Connection

Before closing your current session, open a new terminal and test:

ssh -p 2222 your_user@your_server_ip

If successful, your firewall is properly configured. If not, use your existing session to troubleshoot.

Management Commands

View Rules

# Simple status
sudo ufw status

# Verbose status with policies
sudo ufw status verbose

# Numbered rules (useful for deletion)
sudo ufw status numbered

Add Rules

# Allow a port
sudo ufw allow 443/tcp comment 'HTTPS'

# Allow from specific IP
sudo ufw allow from 192.168.1.100 to any port 22

# Allow a port range
sudo ufw allow 6000:6007/tcp

Delete Rules

# Delete by rule number
sudo ufw status numbered
sudo ufw delete 3

# Delete by rule specification
sudo ufw delete allow 8080/tcp

Emergency Commands

# Disable the firewall (e.g. from the provider's console if you are locked out)
sudo ufw disable

# Reset all rules to default
sudo ufw reset

Logging

Enable Logging

# Set logging level (off, low, medium, high, full)
sudo ufw logging medium

View Logs

# View firewall logs
sudo tail -f /var/log/ufw.log

# Search for blocked connections
sudo grep "UFW BLOCK" /var/log/ufw.log | tail -20

Integration with Fail2ban

UFW works seamlessly with fail2ban. When fail2ban bans an IP, it inserts its own f2b-* chains at the top of the iptables INPUT chain, ahead of the ufw chains, so bans take effect regardless of the UFW allow rules. No additional configuration is required.

Verify fail2ban rules:

sudo iptables -L -n | grep -A 5 f2b

Troubleshooting

Cannot Connect After Enabling UFW

If you have console access (provider's web interface):

sudo ufw disable
sudo ufw status numbered
# Fix the rules
sudo ufw enable

Check if Port is Actually Open

From another machine:

nc -zv your_server_ip 2222

Verify UFW is Using iptables

sudo iptables -L -n | grep -E "ufw|Chain"

Quick Reference

Command                          Description
-------                          -----------
sudo ufw status                  Show current status and rules
sudo ufw enable                  Enable firewall
sudo ufw disable                 Disable firewall
sudo ufw allow 80/tcp            Allow port 80 TCP
sudo ufw deny 23/tcp             Deny port 23 TCP
sudo ufw delete allow 80/tcp     Remove a rule
sudo ufw reset                   Reset to defaults
sudo ufw reload                  Reload rules

Next Steps

Once the basic firewall is configured and tested:

  1. Configure fail2ban to work with your SSH port
  2. Set up LXC containers with internal networking
  3. Add HTTP/HTTPS rules when Traefik is ready
  4. Consider restricting monitoring port to specific IPs