Why UFW Should Be Enabled on Every VPS
A default VPS often has services listening that you do not actively use. Every open port is potential exposure. UFW gives a clean policy model: deny unsolicited inbound traffic, allow only required ports, and keep outbound traffic controlled.
Safe Setup Sequence (Do Not Skip Order)
- Install UFW and inspect current state.
- Define default policies.
- Allow SSH first.
- Allow HTTP/HTTPS if hosting web apps.
- Enable UFW only after required allows are in place.
Step 1: Install and Check UFW
sudo apt update
sudo apt install ufw -y
sudo ufw status verboseStep 2: Apply Baseline Default Policies
sudo ufw default deny incoming
sudo ufw default allow outgoingThese defaults are standard for application servers: block unsolicited inbound, permit legitimate outbound traffic for updates and API calls.
Step 3: Allow Essential Inbound Services
# SSH (required for remote admin)
sudo ufw allow OpenSSH
# Web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcpIf you use a custom SSH port (example 2222):
sudo ufw allow 2222/tcpStep 4: Enable UFW and Verify Rules
sudo ufw enable
sudo ufw status numberedKeep your current SSH session open while enabling so you can recover quickly if something is wrong.
Recommended Production Rules by Use Case
Node.js behind Nginx reverse proxy
- Open: 22, 80, 443
- Closed publicly: Node app port (3000/4000/etc.)
Direct API service on custom port
- Open only if required by architecture
- Prefer reverse proxy + TLS termination at Nginx
SSH Hardening with Rate Limits
sudo ufw limit OpenSSHThis adds rate limiting for repeated connection attempts and helps reduce brute-force pressure. Pair this with Fail2Ban for stronger protection.
UFW + Docker: Important Behavior
Docker modifies iptables directly and can bypass naive firewall assumptions. If you publish container ports with -p, verify actual exposure and test from outside the server.
Best practice: expose only Nginx publicly and keep internal container services on private networks.
IPv6 in UFW
If your VPS has IPv6 enabled, ensure UFW also manages it. Check /etc/default/ufw:
IPV6=yesThen reload:
sudo ufw reloadUseful UFW Commands for Daily Operations
# list rules with numbers
sudo ufw status numbered
# delete a rule by number
sudo ufw delete 3
# deny specific source IP
sudo ufw deny from 198.51.100.50
# allow only one source to one port
sudo ufw allow from 203.0.113.10 to any port 22 proto tcp
# see full current policy
sudo ufw status verboseCommon Mistakes to Avoid
- Enabling UFW before allowing SSH.
- Leaving temporary debug ports permanently open.
- Allowing database ports (3306/5432) publicly without strict need.
- Forgetting IPv6 rules when IPv6 is active.
Troubleshooting Connectivity Issues After Enabling UFW
Cannot connect via SSH
Use provider console access, verify active SSH port, and add a correct allow rule. Then reload UFW.
Website not reachable
Check that ports 80/443 are allowed and Nginx service is running. Firewall and service state must both be correct.
App works locally but not externally
Confirm whether you intend direct app exposure. In many secure setups, app ports remain private and only Nginx is public.
FAQ
Is UFW enough to secure a VPS?
UFW is foundational, but not sufficient alone. Add Fail2Ban, SSH keys, patch automation, and service-level hardening.
Should I allow all outbound traffic?
For most VPS workloads, yes. Restrict outbound only when you have strict compliance or zero-trust requirements.
Can I use cloud provider firewall and UFW together?
Yes. Provider firewall acts as perimeter control; UFW adds host-level enforcement. This layered model is recommended.
Do I need to reboot after UFW changes?
No. Rules apply immediately after command execution or reload.
Conclusion
A correctly configured UFW baseline is one of the fastest security wins for any VPS. Keep your rules minimal, explicit, and documented. Review them regularly as your stack evolves.
Next recommended steps: set up Fail2Ban and follow the full server security checklist.