Overview
UFW (Uncomplicated Firewall) is a front-end for iptables that ships with Ubuntu and makes managing firewall rules far less painful. If you’ve just spun up a new Ubuntu VPS or dedicated server, your server is likely accepting connections on every port by default. That’s a problem.
Most hosting security incidents I’ve seen start with an exposed port that nobody meant to leave open — Redis running on port 6379, an unprotected MySQL port, or a forgotten test application. UFW lets you define exactly what traffic is allowed in and silently drops everything else.
This guide covers UFW setup from scratch on Ubuntu 22.04 and 24.04, including the rules you’ll actually need for a web hosting environment. If you’re running a VPS SSD Hosting plan at Host & Tech, this is one of the first things you should do after provisioning.
Prerequisites
- Ubuntu 20.04, 22.04, or 24.04 (steps apply to all three)
- Root or sudo access to the server
- SSH access confirmed and working before you start
- Your server’s IP address (check your Host & Tech control panel if needed)
- Basic comfort running commands in a terminal
Step-by-Step Instructions
Step 1: Install UFW
UFW comes pre-installed on most Ubuntu images. Verify it’s there and install it if not:
sudo apt update
sudo apt install ufw -yStep 2: Check UFW Status
Before enabling anything, check the current state:
sudo ufw status verboseYou’ll likely see Status: inactive. That’s expected at this point. Don’t enable it yet.
Step 3: Set Default Policies
This is the foundation. You’re telling UFW to deny all incoming traffic and allow all outgoing traffic by default. Add your exceptions after this, never before.
sudo ufw default deny incoming
sudo ufw default allow outgoing📝 Note: These defaults mean any port you don’t explicitly allow will be blocked. That’s exactly what you want.
Step 4: Allow SSH Before Enabling UFW
⚠ Warning: This is the step that locks people out of their servers. Do not skip it. If you enable UFW before allowing SSH, you will lose access and need to use the Host & Tech console or rescue mode to recover.
If you’re running SSH on the default port 22:
sudo ufw allow sshIf you’ve changed SSH to a custom port (say, 2222):
sudo ufw allow 2222/tcp📝 Note: allow ssh is a named profile shortcut. It resolves to port 22/tcp using UFW’s built-in application profiles stored in /etc/ufw/applications.d/. Using named profiles is fine, but always confirm what port they map to if you’ve modified SSH config.
Step 5: Allow Web Traffic
For a typical web server running Apache or Nginx, you’ll want HTTP and HTTPS open:
sudo ufw allow http
sudo ufw allow httpsOr using port numbers directly:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcpIf you’re running cPanel/WHM on this server, you’ll need a broader set of ports. Add them in one go:
sudo ufw allow 2082/tcp
sudo ufw allow 2083/tcp
sudo ufw allow 2086/tcp
sudo ufw allow 2087/tcp
sudo ufw allow 2095/tcp
sudo ufw allow 2096/tcpStep 6: Allow Mail Ports (If Needed)
Only open these if this server handles email directly. Don’t open mail ports on application servers that don’t need them.
sudo ufw allow 25/tcp
sudo ufw allow 465/tcp
sudo ufw allow 587/tcp
sudo ufw allow 110/tcp
sudo ufw allow 143/tcp
sudo ufw allow 993/tcp
sudo ufw allow 995/tcpStep 7: Enable UFW
Once you’ve added all the rules you need, enable UFW:
sudo ufw enableYou’ll see a prompt warning you that enabling UFW may disrupt existing SSH connections. If you’ve completed Step 4, type y and press Enter.
Step 8: Verify Your Rules
sudo ufw status numberedThe numbered flag adds rule numbers alongside each entry, which makes deleting specific rules much easier later.
Step 9: Allow or Block Specific IP Addresses
You can whitelist a specific IP for a service like MySQL that should never be public-facing:
# Allow only a specific IP to connect to MySQL
sudo ufw allow from 203.0.113.50 to any port 3306
# Block a specific IP entirely
sudo ufw deny from 198.51.100.10In my experience, locking MySQL (3306) down to specific IPs is one of the most impactful things you can do on a database server. Leaving it open to the world is asking for brute-force attempts.
Step 10: Delete a Rule
Run sudo ufw status numbered first to get rule numbers, then delete by number:
sudo ufw delete 3Or delete by rule specification:
sudo ufw delete allow 8080/tcpStep 11: Rate Limiting (Optional but Recommended)
UFW has a built-in rate limiting option that’s genuinely useful for SSH. It automatically blocks IPs that attempt more than 6 connections in 30 seconds:
sudo ufw limit sshThis won’t replace something like Fail2Ban, but it’s a quick layer of protection that takes one command to enable.
Common Issues & Troubleshooting
Locked Out of SSH After Enabling UFW
This happens when UFW is enabled before adding an SSH allow rule. If you’re on a Host & Tech VPS or dedicated server, use the out-of-band console in your client portal (under Server Management > Console Access). From there, run:
sudo ufw allow ssh
sudo ufw reloadIf UFW is blocking all access and you can’t even reach the console easily, you can disable UFW temporarily:
sudo ufw disableUFW Is Active But Traffic Is Still Blocked
This is usually a conflict with another iptables tool running on the same server. Docker is a notorious culprit. Docker manages its own iptables rules and can bypass UFW entirely for container-exposed ports. If you’re running Docker, check out the Docker UFW documentation and consider using the DOCKER-USER chain rather than relying on UFW alone for container traffic.
Also check whether a cloud provider firewall (like a security group on a cloud VPS) is blocking traffic upstream of UFW. Two separate firewall layers both need to allow the traffic.
UFW Rules Look Correct But Website Isn’t Accessible
Confirm the web server is actually running and bound to the right interface:
sudo ss -tlnp | grep -E ':80|:443'If nothing shows up, the issue is the web server, not the firewall. UFW can’t serve traffic that isn’t there to forward.
sudo ufw status Shows “inactive” After Reboot
UFW should persist across reboots by default on Ubuntu because it’s managed by a systemd service. If it’s not starting on boot, enable the service manually:
sudo systemctl enable ufw
sudo systemctl start ufwAccidentally Deleted All Rules
If you’ve run sudo ufw reset without thinking (it wipes all rules and disables UFW), your server will be temporarily open on all ports. Re-add your rules starting from Step 3 above and re-enable UFW. Backups of your ruleset live in /etc/ufw/ — if you’ve made backups of those files, you can restore them before running sudo ufw reload.
FAQ
Frequently Asked Questions
Does UFW replace iptables on Ubuntu?
No. UFW is a front-end that writes iptables rules for you. The rules are still applied through iptables (or nftables on Ubuntu 22.04+) in the background. If you check sudo iptables -L after setting up UFW, you’ll see the rules UFW generated. This also means tools that directly manipulate iptables, like Docker, can interact with or bypass UFW rules.
Is UFW enabled by default on Ubuntu?
UFW is installed by default on Ubuntu but it’s disabled out of the box. Many cloud and VPS images, including ones used at Host & Tech, ship with UFW inactive so you can configure rules before locking yourself out. Always check sudo ufw status on a fresh server before assuming it’s protected.
How do I allow a port range in UFW?
Use a colon to specify a range and include the protocol, which is required for ranges. For example, to allow ports 6000 through 6100 over TCP: sudo ufw allow 6000:6100/tcp. Without specifying /tcp or /udp, UFW will reject the range rule with a syntax error.
Will enabling UFW affect my running website or application?
It can, if you haven’t added the right allow rules first. UFW’s default deny-incoming policy will block HTTP (80) and HTTPS (443) traffic unless you explicitly allow those ports before enabling it. Always set up your rules in full before running sudo ufw enable.
Can I use UFW on a managed WordPress hosting plan?
If you’re on a Host & Tech managed WordPress hosting plan, the server-level firewall is handled for you and you won’t have direct root access to configure UFW yourself. UFW configuration is relevant for VPS and dedicated server plans where you have full root access to the operating system.