UFW Firewall - Gemini
VPS Hardening Module: UFW Firewall
Objective
This guide will walk you through setting up and managing UFW (Uncomplicated Firewall) — a simple yet powerful tool to secure your Ubuntu VPS.
By the end of this lesson, you will be able to install, configure, verify, and manage a firewall that protects your WordPress server from unauthorized access while keeping essential services available.
What Is UFW and Why Do You Need It?
Your VPS is always connected to the internet, which means it’s constantly visible to bots and potential attackers.
A firewall acts as your first line of defense — like a bouncer at a club, it decides who gets in and who doesn’t.
UFW (Uncomplicated Firewall) is a simplified interface for iptables, designed to make firewall configuration easier.
It lets you define which traffic to allow (e.g., SSH, HTTP, HTTPS) and which to deny (everything else).
Key Concepts
| Concept | Description |
|---|---|
| Policy | The default rule for all traffic (e.g., deny all incoming). |
| Rule | A specific permission (e.g., allow port 22 for SSH). |
| Port | A communication channel used by services (e.g., port 80 for websites). |
| Protocol | Defines how data is sent (TCP or UDP). Most web traffic uses TCP. |
Installation and Basic Setup
Before we configure anything, ensure UFW is installed and ready.
Step 1: Install UFW (if not already installed)
Most Ubuntu systems come with UFW preinstalled. But if yours doesn’t, install it using:
sudo apt update
sudo apt install ufw -y
- apt update — Refreshes the list of available packages.
- apt install ufw -y — Installs UFW and automatically confirms with "yes".
After installation, check the service status:
sudo ufw status
Expected output if newly installed:
Status: inactive
Step-by-Step Configuration
Let’s secure your server step by step.
Step 1: Set Secure Default Policies
We start with a “deny everything” approach, then selectively allow what we need.
sudo ufw default deny incoming
sudo ufw default allow outgoing
- Blocks all inbound connections by default.
- Allows all outbound (your VPS can still download updates, plugins, etc.).
Step 2: Allow SSH (Your Remote Access)
Critical Step — Don’t skip!
If you don’t allow SSH before enabling UFW, you will lock yourself out.
sudo ufw allow ssh
This automatically opens port 22/tcp.
If you changed your SSH port (e.g., 2222), use this instead:
sudo ufw allow 2222/tcp
Step 3: Allow Web Traffic (HTTP & HTTPS)
For WordPress or any web server (like OpenLiteSpeed, Nginx, or Apache), allow these:
sudo ufw allow http
sudo ufw allow https
or explicitly:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Step 4: (Optional) Allow Other Common Services
| Service | Port | Description |
|---|---|---|
| DNS | 53 | Required if your server hosts its own DNS. |
| FTP | 21 | File transfer protocol (rarely used for modern WordPress setups). |
| MySQL | 3306 | Allow only if connecting remotely (not recommended publicly). |
| LiteSpeed Admin | 7080 | Optional — for managing OpenLiteSpeed web server. |
Example (allow only your IP to access OLS admin):
sudo ufw allow from 203.0.113.5 to any port 7080 proto tcp
Step 5: Enable UFW
Once your rules are ready, enable the firewall:
sudo ufw enable
You’ll see:
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
Type y, then press Enter.
Verify:
sudo ufw status verbose
Expected output:
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)
To                         Action      From
--                         ------      ----
22/tcp (SSH)               ALLOW       Anywhere
80,443/tcp (Web)           ALLOW       Anywhere
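Steps 1 to 5 above are one procedure whose failure mode is the lockout warned about in Step 2. As an added example (not part of this module), the script below reads the rules queued before the firewall is switched on, which is what sudo ufw show added lists, and refuses to run sudo ufw enable unless an allow or limit rule covers the SSH port you actually use. The function names ssh_rule_present and safe_enable and the sample rule list are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original module: pre-flight check before "ufw enable".

# ssh_rule_present RULES_TEXT PORT
# RULES_TEXT is the output of "sudo ufw show added" (rules stored before the firewall
# is enabled). Returns 0 only if an allow or limit rule covers PORT, whether written
# as "2222", "2222/tcp", "... to any port 2222 ...", or (for 22) "ssh"/"OpenSSH".
# Deny rules and outbound rules never count, so the check errs toward refusing.
ssh_rule_present() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 == "ufw" && ($2 == "allow" || $2 == "limit") && $3 != "out" {
      for (i = 3; i <= NF; i++) {
        if ($i == port || $i == (port "/tcp") || ($i == "port" && $(i + 1) == port)) found = 1
        if (port == "22" && ($i == "ssh" || $i == "OpenSSH")) found = 1
      }
    }
    END { exit found ? 0 : 1 }'
}

# safe_enable PORT: enables the firewall only when the check passes.
# This function talks to the real ufw, so run it on the VPS itself, not in a demo.
safe_enable() {
  if ssh_rule_present "$(sudo ufw show added)" "$1"; then
    sudo ufw enable
  else
    echo "Refusing to enable UFW: no allow/limit rule for SSH port $1" >&2
    return 1
  fi
}

# Constructed sample of "sudo ufw show added" after Steps 1-4 with SSH moved to 2222
# and the OLS admin panel restricted to one address (documentation-range IP).
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw limit 2222/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow from 203.0.113.5 to any port 7080 proto tcp
ufw deny 22/tcp"

if ssh_rule_present "$SAMPLE_ADDED" 2222; then echo "safe to enable: port 2222 is covered"; fi
if ! ssh_rule_present "$SAMPLE_ADDED" 22; then echo "would refuse: port 22 only has a deny rule"; fi
```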
Managing Rules
View Rules
sudo ufw status numbered
Shows your rules in a numbered list for easy management.
Delete Rules
By number:
sudo ufw delete 3
By name:
sudo ufw delete allow http
Block an IP (Blacklist)
If you detect malicious traffic:
sudo ufw deny from 198.51.100.10
Advanced Configuration
Rate-Limit SSH (Brute-Force Protection)
sudo ufw limit ssh
Prevents an IP from making too many connection attempts in a short time (anti-brute-force).
Allow from a Specific IP Only
Useful for private services (like database or staging):
sudo ufw allow from 203.0.113.5 to any port 3306 proto tcp
Enable Logging
Logging helps you detect blocked attempts.
sudo ufw logging on
To turn it off:
sudo ufw logging off
Logs are stored at:
/var/log/ufw.log
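Raw ufw.log entries are hard to read one at a time; what you want from them is which sources keep hitting ports you never opened. As an added example (not part of this module), the script below summarizes [UFW BLOCK] lines by source address and destination port. The function names blocked_summary and top_blocked_source and the sample log lines are constructed for the example; the line format is the one ufw writes through the kernel log.

```shell
#!/bin/sh
# Added example, not from the original module: summarize blocked packets from ufw.log.
# Both functions read log text on stdin; on a live server feed them with:
#   sudo grep 'UFW BLOCK' /var/log/ufw.log | blocked_summary

# One line per (source, protocol/port) pair: "<count> <src> <proto>/<dport>", busiest first.
blocked_summary() {
  grep 'UFW BLOCK' | awk '{
    src = ""; dpt = "?"; proto = "?"
    for (i = 1; i <= NF; i++) {
      if      ($i ~ /^SRC=/)   src   = substr($i, 5)
      else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      else if ($i ~ /^PROTO=/) proto = substr($i, 7)
    }
    if (src != "") n[src " " proto "/" dpt]++
  }
  END { for (k in n) print n[k], k }' | sort -rn
}

# Source address with the most blocked packets across all ports (a candidate for
# "sudo ufw deny from <ip>" after you have looked at what it was probing).
top_blocked_source() {
  blocked_summary | awk '{ total[$2] += $1 }
    END { for (s in total) if (total[s] > best) { best = total[s]; top = s }; print top }'
}

# Constructed sample in ufw's log format (addresses from the RFC 5737 documentation
# ranges). The final [UFW ALLOW] line is there to show that it is ignored.
SAMPLE_LOG='Oct 10 12:00:01 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=1 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 10 12:00:02 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=2 PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 10 12:00:03 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=3 PROTO=TCP SPT=44323 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 10 12:00:04 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=4 PROTO=TCP SPT=51000 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 10 12:00:05 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.44 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=5 PROTO=UDP SPT=51001 DPT=53 LEN=40
Oct 10 12:00:06 vps kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.77 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=6 PROTO=TCP SPT=40000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0'

printf '%s\n' "$SAMPLE_LOG" | blocked_summary
printf 'Most active blocked source: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | top_blocked_source)"
```

With logging at the default level, only blocked packets are written, so the summary reflects what the firewall actually dropped.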
IPv6 Support
If your VPS uses IPv6, open /etc/default/ufw:
sudo nano /etc/default/ufw
Find:
IPV6=no
Change to:
IPV6=yes
Then reload:
sudo ufw reload
Backup & Reset Rules
Export your current configuration (for backup):
sudo ufw status numbered > ~/ufw_rules_backup.txt
To reset everything:
sudo ufw reset
This disables UFW and deletes all rules.
Verify & Troubleshoot
| Check | Command | Description |
|---|---|---|
| Active status | sudo ufw status | Shows if UFW is running. |
| Verbose mode | sudo ufw status verbose | Shows detailed info. |
| Service ports | sudo ufw app list | Lists application profiles. |
| Logs | sudo tail -f /var/log/ufw.log | Monitors live logs. |
| Reset UFW | sudo ufw reset | Clears all settings and rules. |
Common WordPress VPS Use Case (Recommended Rules)
| Service | Command | Purpose |
|---|---|---|
| SSH | sudo ufw allow 2222/tcp | Remote access (use custom port). |
| HTTP | sudo ufw allow 80/tcp | Allow web traffic. |
| HTTPS | sudo ufw allow 443/tcp | Secure web traffic. |
| OLS Admin | sudo ufw allow from <your_ip> to any port 7080 | Restrict admin panel. |
| MySQL (Private) | sudo ufw allow from <your_ip> to any port 3306 | Remote DB access if required. |
UFW Command Cheat Sheet
| Command | Description |
|---|---|
| sudo apt install ufw -y | Install UFW. |
| sudo ufw enable | Enable the firewall. |
| sudo ufw disable | Disable the firewall. |
| sudo ufw reload | Reload rules without stopping the firewall. |
| sudo ufw status | Check status. |
| sudo ufw status numbered | List rules with numbering. |
| sudo ufw default deny incoming | Deny all incoming by default. |
| sudo ufw default allow outgoing | Allow all outgoing by default. |
| sudo ufw allow <port> | Allow a port. |
| sudo ufw allow <service> | Allow using app profile (e.g., ssh, http). |
| sudo ufw deny <port> | Block a port. |
| sudo ufw delete <number> | Delete a rule by number. |
| sudo ufw limit <service> | Rate-limit a service (e.g., SSH). |
| sudo ufw logging on | Enable logging. |
| sudo ufw reset | Reset all rules. |
Summary
- Install UFW → sudo apt install ufw -y
- Set secure defaults → deny incoming, allow outgoing
- Allow necessary ports → SSH, HTTP, HTTPS
- Enable & verify → sudo ufw enable, then sudo ufw status
- Add advanced protection → rate limit, logging, IPv6
- Backup config regularly
Would you like me to add a Quick Lab section next (with input/output examples like your tar and ls modules — e.g., sample terminal session + expected results)?
That would make it consistent with your existing “Linux Ubuntu for managing WordPress in VPS” curriculum.