Installing and Configuring UFW on Debian

Post by Admin

UFW (Uncomplicated Firewall) is a simple and user-friendly firewall management tool for Linux systems. It acts as a frontend for iptables/nftables and allows administrators to control network traffic without writing complex rules.

It is ideal for securing Debian servers running services like SSH, web servers, mail systems, or DNS.


Why Use UFW?

A firewall is a critical part of server security. With UFW you can:
  • Block unwanted incoming connections
  • Allow only required services
  • Protect SSH access
  • Manage firewall rules easily
  • Enable logging for monitoring

Installation

First update the package index (run the commands in this guide as root or with sudo):

    apt update

Then install UFW:

    apt install ufw

Check status:

    ufw status

Output:

    Status: inactive

Basic Configuration

Set secure default policies:

    ufw default deny incoming
    ufw default allow outgoing

This means:
  • Incoming traffic is blocked unless a rule allows it
  • Outgoing traffic is allowed

Important: Allow SSH First

Before enabling UFW, allow SSH access:

    ufw allow OpenSSH

or:

    ufw allow 22/tcp

If you skip this step, you may lock yourself out of your server. Both rules assume sshd listens on the default port 22; if it uses a different port, allow that port instead.

Allow Common Services

Web Server (Apache / Nginx)

    ufw allow 80/tcp
    ufw allow 443/tcp

or, with Apache installed, use its application profile:

    ufw allow "Apache Full"

Mail Server (Postfix / Dovecot)

    ufw allow 25/tcp
    ufw allow 587/tcp
    ufw allow 465/tcp
    ufw allow 993/tcp
    ufw allow 995/tcp

DNS Server (Bind / PowerDNS)

    ufw allow 53/tcp
    ufw allow 53/udp

Enable UFW

Activate the firewall:

    ufw enable

Check status:

    ufw status verbose

Example output (abbreviated):

    Status: active

    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW       Anywhere
    80/tcp                     ALLOW       Anywhere
    443/tcp                    ALLOW       Anywhere
    53                         ALLOW       Anywhere

Advanced Rules

Allow access from a specific IP:

    ufw allow from 203.0.113.10 to any port 22 proto tcp

Deny a port:

    ufw deny 3306/tcp

Delete a rule:

    ufw delete allow 3306/tcp

Or by number:

    ufw status numbered
    ufw delete 3

Enable Logging

    ufw logging on

Logs are stored in:

    /var/log/ufw.log

This file is written by rsyslog. On installations without rsyslog, the same entries are in the kernel log of the systemd journal.

IPv6 Configuration

Edit the config file:

    nano /etc/default/ufw

Make sure this is set:

    IPV6=yes

Reload UFW:

    ufw reload

Useful Commands

Reload rules:

    ufw reload

Disable firewall:

    ufw disable

Reset all rules (this disables UFW and restores the installation defaults):

    ufw reset

Example: Basic Web Server Setup

    apt update
    apt install ufw

    ufw default deny incoming
    ufw default allow outgoing

    ufw allow OpenSSH
    ufw allow 80/tcp
    ufw allow 443/tcp

    ufw logging on
    ufw enable
    ufw status verbose

Common Mistakes
  • Forgetting to allow SSH before enabling UFW
  • Opening too many unnecessary ports
  • Ignoring IPv6 configuration
  • Overlooking Docker, which manages its own iptables rules, so published container ports can be reachable despite UFW rules

Conclusion

UFW is a powerful and simple firewall tool for Debian systems. It allows you to secure your server quickly with clear and manageable rules.

A good firewall strategy is:
  • Deny all incoming traffic by default
  • Allow only required services
  • Restrict sensitive ports
  • Enable logging
  • Check IPv6 support

With this setup, your Debian server is significantly more secure and easier to manage.
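The Enable Logging section turns logging on but does not show how to read the result. The following is an added example, not part of the original post, that counts blocked packets per source, protocol and destination port from UFW log lines; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise "[UFW BLOCK]" entries from UFW log lines on stdin.
# Typical use: ufw_block_summary < /var/log/ufw.log

# Constructed sample lines in the UFW log layout (documentation addresses;
# kernel timestamp, MAC and some header fields are left out for brevity).
SAMPLE_LOG='Mar  1 10:00:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=23 SYN
Mar  1 10:00:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 PROTO=TCP SPT=40113 DPT=23 SYN
Mar  1 10:00:09 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 PROTO=TCP SPT=40120 DPT=3306 SYN
Mar  1 10:02:30 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=71 TTL=49 PROTO=UDP SPT=5353 DPT=161 LEN=51
Mar  1 10:02:31 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=84 TTL=49 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  1 10:03:00 web1 kernel: [UFW ALLOW] IN=eth0 OUT= SRC=203.0.113.10 DST=203.0.113.5 LEN=60 TTL=57 PROTO=TCP SPT=51000 DPT=22 SYN'

# Print "count src proto dport" for blocked packets, busiest first.
# Entries without a destination port (ICMP) get "-" as the port.
ufw_block_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") hits[src " " proto " " dpt]++
        }
        END { for (k in hits) print hits[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Print "count src" for sources with at least $1 blocked packets in total.
ufw_top_sources() {
    awk -v min="$1" '
        /\[UFW BLOCK\]/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) n[substr($i, 5)]++
        }
        END { for (s in n) if (n[s] >= min) print n[s], s }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Run both reports on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | ufw_block_summary
printf '%s\n' "$SAMPLE_LOG" | ufw_top_sources 2
```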