Basic Firewall Setup - Using ufw to Allow Only SSH/HTTP/HTTPS
1. Prerequisites
- Access Level: Root or sudo user.
- Software: ufw (commonly pre-installed on Ubuntu; if not: apt install ufw).
- Knowledge: Awareness of which services need network access (SSH, HTTP, HTTPS).
2. 5W + 1H Framework
| Question | Explanation |
|---|---|
| What | A firewall filters network traffic, allowing only authorized ports. ufw is Ubuntu’s simplified firewall tool. |
| Why | Prevents unauthorized access and limits attack surface. |
| When | Right after server provisioning and initial hardening, before deploying WordPress. |
| Where | Runs on your VPS, controlling inbound/outbound traffic. |
| Who | System administrators, DevOps, agencies hosting multiple WordPress clients. |
| How | Configure ufw rules, enable firewall, and verify open ports. |
3. Core Commands with Expected Outputs
Command 1: Install UFW (if missing)
```
apt install ufw -y
```
- Expected Output:
```
ufw is already the newest version (0.36-7ubuntu2).
```
- Use Case: Ensure the firewall package is installed.
Command 2: Allow SSH
```
ufw allow 22/tcp
```
- Expected Output:
```
Rule added
Rule added (v6)
```
- Use Case: Keep remote access open.
- Benefit: Prevents locking yourself out.
Command 3: Allow HTTP (Port 80)
```
ufw allow 80/tcp
```
- Expected Output:
```
Rule added
Rule added (v6)
```
- Use Case: Allow standard web traffic.
Command 4: Allow HTTPS (Port 443)
```
ufw allow 443/tcp
```
- Expected Output:
```
Rule added
Rule added (v6)
```
- Use Case: Allow encrypted web traffic.
Command 5: Enable Firewall
```
ufw enable
```
- Expected Output:
```
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
```
- Use Case: Activate firewall rules.
Command 6: Check Firewall Status
```
ufw status verbose
```
- Expected Output:
```
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
```
- Use Case: Verify allowed services.
Command 7: Deny Unwanted Port (Example: 3306 for MySQL)
```
ufw deny 3306/tcp
```
- Expected Output:
```
Rule added
Rule added (v6)
```
- Use Case: Block direct DB access from the public internet.
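As an added example (not part of the page or of ufw itself), the following POSIX shell script applies Commands 2 to 7 in the page's order (SSH first, enable last) and then audits `ufw status` text so that only 22, 80 and 443 remain open; the port lists, the `DRY_RUN` switch and the sample status text are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added example (not the page's own): apply the page's ufw rule set and audit the
# result. The port lists are assumptions mirroring the commands above.
ALLOWED_PORTS="22 80 443"   # SSH, HTTP, HTTPS
DENIED_PORTS="3306"         # MySQL: ufw denies inbound by default, the rule documents intent
# Run a command, or only print it when DRY_RUN=1 (review the plan before touching
# a live box; also lets the script run on a machine without ufw).
run_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Same order as the page: allow SSH first, enable last. --force answers the
# "may disrupt existing ssh connections" prompt so the script is non-interactive.
apply_rules() {
  for p in $ALLOWED_PORTS; do run_cmd ufw allow "$p/tcp"; done
  for p in $DENIED_PORTS; do run_cmd ufw deny "$p/tcp"; done
  run_cmd ufw --force enable
}

# Read ufw status text on stdin and report every inbound ALLOW whose port is not
# in ALLOWED_PORTS. Returns 1 if something unexpected is open, 0 otherwise.
audit_status() {
  bad=0
  while read -r to rest; do
    case "$to" in */tcp|*/udp) ;; *) continue ;; esac   # skip header lines
    case " $rest " in
      *" ALLOW OUT "*) continue ;;   # outbound rules are out of scope here
      *" ALLOW "*) ;;                # matches both "ALLOW" and "ALLOW IN"
      *) continue ;;                 # DENY / REJECT / LIMIT
    esac
    port="${to%%/*}"
    found=0
    for p in $ALLOWED_PORTS; do [ "$p" = "$port" ] && found=1; done
    [ "$found" -eq 1 ] || { echo "unexpected ALLOW: $to"; bad=1; }
  done
  return "$bad"
}

# Constructed sample: the page's expected status output plus one stray rule.
SAMPLE_STATUS='Status: active
To Action From
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
3306/tcp DENY Anywhere
8080/tcp ALLOW Anywhere'

DRY_RUN=1 apply_rules   # prints the five ufw commands instead of running them
printf '%s\n' "$SAMPLE_STATUS" | audit_status || echo "audit: tighten the rule set"
```

Run it with `DRY_RUN=1` first to review the plan, then as root without the variable to apply it; feed the audit with `ufw status | audit_status` on the live host.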
4. Use Case Scenarios
| Use Case | Description | Ports | Role | Why It’s Useful |
|---|---|---|---|---|
| Basic WordPress Hosting | Allow web + SSH only | 22, 80, 443 | Admin | Default secure setup. |
| WooCommerce Store | Same as above | 22, 80, 443 | Developer | Secures store from unnecessary ports. |
| Multi-Site VPS | Isolate services | Block 3306, 25 | Agency | Prevents DB/email exposure. |
| Migration Setup | Temporarily open port | 22 + 80 + 443 + rsync port | DevOps | Controlled exposure during migration. |
5. Best Practice Notes
- Always allow SSH first before enabling firewall.
- Open only necessary ports (22, 80, 443 for WordPress basics).
- Block sensitive ports like MySQL (3306) from public access.
- Use provider-level firewalls as an additional layer.
- Monitor firewall logs (/var/log/ufw.log) for suspicious activity.
- Document firewall rules for auditing and team workflows.
6. Quick Reference Cheat Sheet
| Command | Purpose |
|---|---|
| ufw allow 22/tcp | Allow SSH. |
| ufw allow 80/tcp | Allow HTTP. |
| ufw allow 443/tcp | Allow HTTPS. |
| ufw deny port/tcp | Block a specific port. |
| ufw enable | Enable the firewall. |
| ufw status verbose | Check active rules. |
7. Glossary
- Firewall: Security system that filters inbound/outbound traffic.
- UFW (Uncomplicated Firewall): User-friendly firewall for Ubuntu.
- Port: Communication endpoint (22 = SSH, 80 = HTTP, 443 = HTTPS).
- Inbound Rule: Controls traffic into the server.
- Outbound Rule: Controls traffic leaving the server.