
How to Install and Configure UFW Firewall

Install and configure UFW on Ubuntu/Debian: allow SSH safely, open web ports, enable the firewall, and verify rules step by step.

Updated: 2026-03-19

What this is

UFW (Uncomplicated Firewall) is a simple firewall manager for Linux, commonly used on Ubuntu/Debian. It lets you control which ports accept connections.

What it is for

  • Block unwanted inbound traffic
  • Allow only the services you actually use (SSH, HTTP/HTTPS)
  • Reduce the attack surface of your VPS

Prerequisites

  • Ubuntu/Debian server (UFW is most common here)
  • SSH access
  • Sudo privileges
  • Important: Keep your current SSH session open while enabling the firewall

Step-by-step (very detailed)

Step 1) Install UFW

sudo apt update
sudo apt install -y ufw

What it does: Updates the package list and installs UFW.

Expected output: Package installation messages.

Step 2) Check current firewall status

sudo ufw status verbose

Expected output: Usually Status: inactive on new servers.

Step 3) Allow SSH (MOST IMPORTANT before enabling)

sudo ufw allow OpenSSH

What it does: Allows inbound SSH through the OpenSSH application profile, which opens port 22/tcp.

Why it is needed: If you enable UFW without allowing SSH, you can lock yourself out.

Expected output: Rules updated.

If you use a custom SSH port (example 2222):

sudo ufw allow 2222/tcp

Step 4) Allow web ports (if you host websites)

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Expected output: Rules updated.

Step 5) Set default policies

sudo ufw default deny incoming
sudo ufw default allow outgoing

What it does: Blocks inbound by default; allows outbound.

Step 6) Enable UFW

sudo ufw enable

Expected output: A warning prompt that the command may disrupt existing SSH connections (answer y to proceed), then Firewall is active and enabled on system startup.

Step 7) Verify rules

sudo ufw status numbered

Expected output: A numbered list including SSH (and 80/443 if added).

Warnings & useful notes

  • If you are using a different SSH port, allow it before enabling.
  • Prefer allowing only required ports. Do not open ports “just in case”.
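
The lockout risk from Step 3 can be checked mechanically before Step 6. The script below is an added example, not part of the original guide: it compares the ports sshd listens on (from ss -lntp) with the rules already queued in UFW (from ufw show added) and reports any SSH port that no rule covers. The function names and sample data are constructed for illustration, and it assumes sshd itself holds the listening socket (not systemd socket activation).

```shell
#!/bin/sh
# Added example: lockout pre-flight check to run before `sudo ufw enable`.

# Print the unique TCP ports sshd listens on, given `ss -lntp` output on stdin.
sshd_ports() {
    awk '/"sshd"/ { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Succeed if the `ufw show added` text in $2 has an allow/limit rule for TCP
# port $1. Only the simple forms used in this guide are recognised: PORT,
# PORT/tcp and the OpenSSH profile (22/tcp). Other rules need manual review.
rule_covers() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") {
            if ($3 == p || $3 == (p "/tcp")) found = 1
            if ($3 == "OpenSSH" && p == 22) found = 1
        }
        END { exit !found }'
}

# $1 = ss output, $2 = ufw show added output.
# Prints every sshd port that no rule covers; returns 1 if there is any.
uncovered_ssh_ports() {
    missing=""
    for port in $(printf '%s\n' "$1" | sshd_ports); do
        rule_covers "$port" "$2" || missing="$missing $port"
    done
    [ -z "$missing" ] && return 0
    echo "${missing# }"
    return 1
}

# Constructed sample: sshd moved to 2222, but only the OpenSSH profile allowed.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:2222 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:2222 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=900,fd=6))'
SAMPLE_UFW='ufw allow OpenSSH
ufw allow 80/tcp'

# On a real server, feed live data and enable only if the check passes:
#   uncovered_ssh_ports "$(sudo ss -lntp)" "$(sudo ufw show added)" \
#       && sudo ufw enable
```

With the constructed sample, the check reports 2222 as uncovered, which is the case where enabling UFW would drop new SSH connections.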

Final verification

  • Open a new terminal and confirm you can still SSH into the server.
  • Check listening ports: sudo ss -lntp.

Conclusion

UFW now denies inbound traffic to your VPS by default and allows only the ports you opened. Keep your rules minimal and review them whenever you add new services.