Set up a firewall on Ubuntu 22.04 or newer using UFW
UFW is the default firewall configuration tool in Ubuntu, and stands for Uncomplicated Firewall.
Having a functional firewall on the server is an important step in securing the server. In this guide, we will create a basic firewall that you can later extend with your own rules. The guide assumes a newly installed Cloud VM running Ubuntu 22.04 or later. If you want to set up a firewall on Debian 11 or later, we have a guide for that here: "Set up a firewall on Debian 11 using nftables".
UFW stands for Uncomplicated Firewall and is a tool that simplifies the administration of the built‑in Linux firewall. It comes pre‑installed on Ubuntu by default, but it is disabled.
Set up some basic rules
Start by verifying that the firewall is disabled. Do this with the command:
sudo ufw status
UFW should now respond with Status: inactive.
Now you can start adding the rules you need. To avoid risking locking yourself out, begin by allowing SSH:
sudo ufw allow ssh
That should give the following output:
Rules updated
Rules updated (v6)
Now, let's add the other ports you want to open, such as HTTP and HTTPS. Do this with:
sudo ufw allow http
sudo ufw allow https
Instead of specifying a service name such as http or https, you can also specify a port number. The syntax would then be ufw allow 80/tcp to allow HTTP.
Let's also allow traceroute. To do that, you need to open the UDP ports 33434 through 33524. Do this with the following command:
sudo ufw allow 33434:33524/udp
Now it’s time to set a default policy for outbound and inbound traffic. By default, the firewall should be configured to allow outbound traffic but deny inbound traffic. To make absolutely sure that this is the case, you can explicitly set these rules with the following command:
Now that you have the most important rules in place, you can enable the firewall. Do this with the command:
You will now receive a warning that the firewall might interrupt active SSH connections. Since you have already allowed SSH, answer y to the prompt. Afterwards, you get a confirmation that the firewall has been enabled:
Now you have a fully functioning firewall that blocks all incoming traffic except for SSH, HTTP, HTTPS, and traceroute. ICMP (ping) is already allowed before UFW loads its rules. Check the firewall’s status again:
This time, it will also display the allowed ports:
Note that UFW has added rules for both IPv4 and IPv6 by default.
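The steps above can be collected into a small script. The following is an added example and not part of the original guide: it applies the same inbound rules (SSH, HTTP, HTTPS and the traceroute UDP range), sets the default policies and enables the firewall, but refuses to enable it unless the rule list contains an SSH rule, so a typo in the list cannot lock you out. The rule list, the UFW_DRY_RUN switch and the apply argument are this script's own conventions; with UFW_DRY_RUN=1 it only prints the ufw commands it would run, which is a convenient way to review them first.

```shell
#!/bin/sh
# Added example (not from the original guide): apply the inbound rule set
# described above with a preflight check for an SSH rule.
# Assumptions: the rule list, UFW_DRY_RUN and the "apply" argument are
# conventions of this script, not of ufw.

# Rules to pass to "ufw allow", one per line (constructed to match the guide).
INBOUND_RULES="ssh
http
https
33434:33524/udp"

# run_ufw: run "sudo ufw <args>", or only print the command when UFW_DRY_RUN=1.
run_ufw() {
    if [ "${UFW_DRY_RUN:-0}" = "1" ]; then
        printf 'ufw %s\n' "$*"
    else
        sudo ufw "$@"
    fi
}

# has_ssh_rule LIST: succeed if LIST contains an SSH rule, written either as
# the service name "ssh" or as TCP port 22 ("22" or "22/tcp").
has_ssh_rule() {
    printf '%s\n' "$1" | grep -Eq '^(ssh|22(/tcp)?)$'
}

# apply_inbound_rules: allow each rule, set the default policies, then enable.
# Returns 1 without touching the firewall if no SSH rule is present.
apply_inbound_rules() {
    if ! has_ssh_rule "$INBOUND_RULES"; then
        echo "refusing to enable the firewall: no SSH rule in INBOUND_RULES" >&2
        return 1
    fi
    printf '%s\n' "$INBOUND_RULES" | while IFS= read -r rule; do
        if [ -n "$rule" ]; then
            run_ufw allow "$rule"
        fi
    done
    # Same policy the guide describes: deny inbound, allow outbound.
    run_ufw default deny incoming
    run_ufw default allow outgoing
    # --force answers the "may disrupt existing ssh connections" prompt for us.
    run_ufw --force enable
}

# Usage:  UFW_DRY_RUN=1 sh setup-inbound.sh apply   (print the commands)
#         sh setup-inbound.sh apply                  (apply them via sudo)
if [ "${1:-}" = "apply" ]; then
    apply_inbound_rules
fi
```

Run it once with UFW_DRY_RUN=1 to see the exact command sequence, then without it to apply. Because has_ssh_rule is checked before any ufw command runs, removing ssh from the list makes the script exit without changing anything.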
Edit the rules
Adding new rules is no more difficult than running the ufw allow command again with the service or port you want to allow. For example, to allow TCP port 8080, you would run:
If we list the status again with sudo ufw status, the new port will be shown:
If you now want to delete TCP port 8080 from the firewall, use the same syntax you used to add it, but prepend delete to the command:
A new listing with sudo ufw status shows that the port has been removed from both IPv4 and IPv6:
To edit the list with greater precision, you can use a numbered list. This lets you delete a specific rule or insert new rules at a particular position in the list. Start by adding TCP port 8080 again so that you have something to experiment with:
Now we list the status again, but this time using a numbered list. Run the following command:
This will output the following list:
Now, for example, you can delete TCP port 8080 for IPv4 but not for IPv6. To do that, delete only rule number 5:
Here, you also get a prompt asking whether this is the correct rule you want to delete. If it is, answer y to the question:
Similarly, you can insert new rules into the list. Suppose you want to insert TCP port 8080 again, but this time at the third position in the list. You can do that with the following command:
A new listing with sudo ufw status numbered shows that it succeeded:
Delete both rules for TCP port 8080 since this was only used for experimentation:
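When you delete by rule number, the numbers of all later rules shift down after each deletion, so deleting several numbered rules in ascending order removes the wrong ones. The helper below is an added example, not part of the original guide: it reads the output of sudo ufw status numbered on standard input, finds the rule numbers for a given port specification in the IPv4 list, the IPv6 list or both, and emits the delete commands in descending order. The sample listing is constructed in the layout ufw prints and reflects the rule set built earlier in this guide, with TCP port 8080 added; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): pick rule numbers out of
# "ufw status numbered" output so that numbered deletes hit the right rule.

# Constructed sample of "sudo ufw status numbered" after the rules above
# plus "sudo ufw allow 8080/tcp"; not captured from a real system.
SAMPLE_NUMBERED='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 33434:33524/udp            ALLOW IN    Anywhere
[ 5] 8080/tcp                   ALLOW IN    Anywhere
[ 6] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
[ 9] 33434:33524/udp (v6)       ALLOW IN    Anywhere (v6)
[10] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)'

# rules_for_port SPEC [FAMILY]: read numbered status output on stdin and print
# the numbers of rules whose "To" column is exactly SPEC (e.g. 8080/tcp).
# FAMILY is v4 (no "(v6)" marker), v6, or any (the default).
rules_for_port() {
    spec=$1
    fam=${2:-any}
    # Turn "[ 5] 8080/tcp ..." into "5 8080/tcp ..." and drop non-rule lines.
    sed -n 's/^\[ *\([0-9][0-9]*\)\] */\1 /p' |
    awk -v spec="$spec" -v fam="$fam" '
        $2 == spec && (fam == "any" || (fam == "v6" ? $3 == "(v6)" : $3 != "(v6)")) {
            print $1
        }'
}

# delete_commands SPEC: print "sudo ufw delete N" for every rule matching SPEC,
# highest number first, so earlier deletions do not renumber later targets.
delete_commands() {
    rules_for_port "$1" any | sort -rn |
    while IFS= read -r n; do
        printf 'sudo ufw delete %s\n' "$n"
    done
}

# Example: which number is the IPv4-only rule for TCP 8080?
#   printf '%s\n' "$SAMPLE_NUMBERED" | rules_for_port 8080/tcp v4
# On a live server, feed real output instead of the sample:
#   sudo ufw status numbered | delete_commands 8080/tcp
```

Review the printed commands before running them; each sudo ufw delete N still asks for confirmation unless you add --force.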
Block outgoing traffic
To make the server even more secure, you can block all outbound traffic by default and allow only the necessary ports.
First, allow traffic on the necessary ports before changing the policy to block all outbound traffic. The ports you need to allow are HTTP and HTTPS, DNS lookups, NTP requests (for time synchronization), and traceroute. You also need to allow DHCPv6 so the server can obtain an IPv6 address. Do this with the following commands:
The last command above allows outbound IPv6 connections to UDP ports 546 and 547, which are used for DHCPv6. To restrict the rule to IPv6 only, you had to specify the full command with proto udp to ::/0 port 546:547. The special address ::/0 represents all IPv6 addresses. For DHCP over IPv4, Ubuntu already includes a working rule that is loaded before the UFW rules.
Before proceeding to change the policy, verify that the changes look correct by listing the rules again with sudo ufw status:
Everything looks good. The ports we allow outbound traffic on are marked with ALLOW OUT in the list above. Now you can change the firewall policy to deny all outbound traffic that isn’t explicitly allowed in the rules. Run the command:
The firewall will now output:
You now have a solid basic firewall that only permits the traffic you explicitly allow. Keep in mind, however, that you may need to adjust the rules to suit the specific services and applications you run on your server.
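Switching the outbound policy to deny is the step most likely to break name resolution or time synchronization if an ALLOW OUT rule was forgotten. The check below is an added example and not part of the original guide: it reads sudo ufw status output on standard input, compares the ALLOW OUT rows against a list of required entries, and only prints the policy command when nothing is missing. The required list and the sample listing are constructed for this example (the listing deliberately lacks the NTP rule so the check has something to report); how each rule is rendered in the To column depends on how you added it, so adjust REQUIRED_OUT to match your own listing.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the ALLOW OUT rules
# before changing the default outbound policy to deny.

# Required "To" entries as they appear in "sudo ufw status" (constructed
# to match the outbound rules this section asks for).
REQUIRED_OUT="80/tcp
443/tcp
53
123/udp
33434:33524/udp
546:547/udp (v6)"

# Constructed sample "sudo ufw status" output; the NTP rule is missing on purpose.
SAMPLE_OUT='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
33434:33524/udp            ALLOW IN    Anywhere
80/tcp                     ALLOW OUT   Anywhere
443/tcp                    ALLOW OUT   Anywhere
53                         ALLOW OUT   Anywhere
33434:33524/udp            ALLOW OUT   Anywhere
546:547/udp (v6)           ALLOW OUT   Anywhere (v6)'

# allowed_out: read status output on stdin, print the "To" column of every
# ALLOW OUT row (inbound ALLOW IN rows are ignored).
allowed_out() {
    awk '/ALLOW OUT/ { sub(/^ +/, ""); sub(/ +ALLOW OUT.*$/, ""); print }'
}

# missing_outbound_allows REQUIRED: read status output on stdin and print each
# required entry that has no matching ALLOW OUT row.
missing_outbound_allows() {
    allowed=$(allowed_out)
    printf '%s\n' "$1" | while IFS= read -r spec; do
        if [ -n "$spec" ] && ! printf '%s\n' "$allowed" | grep -Fxq -- "$spec"; then
            printf '%s\n' "$spec"
        fi
    done
}

# outbound_policy_command REQUIRED: read status output on stdin; print the
# policy command only when every required ALLOW OUT rule is present,
# otherwise report what is missing and return 1.
outbound_policy_command() {
    missing=$(missing_outbound_allows "$1")
    if [ -n "$missing" ]; then
        printf 'not changing policy; missing ALLOW OUT rules for: %s\n' \
            "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
    printf 'sudo ufw default deny outgoing\n'
}

# On a live server:
#   sudo ufw status | outbound_policy_command "$REQUIRED_OUT" && sudo ufw default deny outgoing
```

With the sample listing the check reports 123/udp as missing and exits non-zero; once that rule is present it prints the policy command, which you can then run.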
If you lock yourself out by accident
Be careful when loading new firewall rules so you don’t lock yourself out of the SSH service (TCP port 22). If you do accidentally lock yourself out, you can log in through the console in Glesys Cloud. You’ll find it under Compute → Virtual machines. Click Actions next to your server’s name and select Console. Once you’re logged in, you can either completely disable the firewall with sudo ufw disable or fix the rule that is blocking you.
For more information on accessing the console and logging in using single-user mode, see Connect to the VM console.