
Installing and Configuring UFW on Debian

Posted: Sat Apr 25, 2026 10:56 am
by Admin

UFW (Uncomplicated Firewall) is a simple and user-friendly firewall management tool for Linux systems. It acts as a frontend for iptables/nftables and allows administrators to control network traffic without writing complex rules.

It is ideal for securing Debian servers running services like SSH, web servers, mail systems, or DNS.


Why Use UFW?

A firewall is a critical part of server security. With UFW you can:
  • Block unwanted incoming connections
  • Allow only required services
  • Protect SSH access
  • Manage firewall rules easily
  • Enable logging for monitoring

Installation

First update your system:

Code:

apt update

Then install UFW:

Code:

apt install ufw

Check status:

Code:

ufw status

Output:

Code:

Status: inactive

Basic Configuration

Set secure default policies:

Code:

ufw default deny incoming
ufw default allow outgoing

This means:
  • Incoming traffic is blocked unless a rule allows it
  • Outgoing traffic is allowed

Important: Allow SSH First

Before enabling UFW, allow SSH access:

Code:

ufw allow OpenSSH

or, by port (use your actual SSH port if sshd does not listen on 22):

Code:

ufw allow 22/tcp

If you skip this step, you may lock yourself out of your server.

Allow Common Services

Web Server (Apache / Nginx)

Code:

ufw allow 80/tcp
ufw allow 443/tcp

or, if the application profile is available (check with ufw app list):

Code:

ufw allow "Apache Full"

Mail Server (Postfix / Dovecot)

Code:

ufw allow 25/tcp
ufw allow 587/tcp
ufw allow 465/tcp
ufw allow 993/tcp
ufw allow 995/tcp

DNS Server (Bind / PowerDNS)

Code:

ufw allow 53/tcp
ufw allow 53/udp

Enable UFW

Activate the firewall (when run over SSH, UFW asks for confirmation because the command may disrupt existing SSH connections):

Code:

ufw enable

Check status:

Code:

ufw status verbose

Example (abbreviated):

Code:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
53                         ALLOW       Anywhere

Advanced Rules

Allow access from a specific IP:

Code:

ufw allow from 203.0.113.10 to any port 22 proto tcp

Deny a port:

Code:

ufw deny 3306/tcp

Delete a rule by repeating it exactly as it was added, prefixed with delete:

Code:

ufw delete allow 3306/tcp

Or by number (rule numbers shift after each deletion, so list them again before deleting another):

Code:

ufw status numbered
ufw delete 3

Enable Logging

Code:

ufw logging on

Logs are stored in the following file when rsyslog is installed (without it, the entries stay in the kernel log, readable with journalctl -k):

Code:

/var/log/ufw.log

IPv6 Configuration

Edit the config file:

Code:

nano /etc/default/ufw

Make sure this is set:

Code:

IPV6=yes

Reload UFW:

Code:

ufw reload

Useful Commands

Reload rules:

Code:

ufw reload

Disable firewall:

Code:

ufw disable

Reset all rules (this also disables the firewall):

Code:

ufw reset

Example: Basic Web Server Setup

Code:

apt update
apt install ufw

ufw default deny incoming
ufw default allow outgoing

ufw allow OpenSSH
ufw allow 80/tcp
ufw allow 443/tcp

ufw logging on
ufw enable
ufw status verbose

Common Mistakes
  • Forgetting to allow SSH before enabling UFW
  • Opening too many unnecessary ports
  • Ignoring IPv6 configuration
  • Conflicts with Docker firewall rules (Docker manages its own iptables rules, so published container ports can bypass UFW)

Conclusion

UFW is a powerful and simple firewall tool for Debian systems. It allows you to secure your server quickly with clear and manageable rules.

A good firewall strategy is:
  • Deny all incoming traffic by default
  • Allow only required services
  • Restrict sensitive ports
  • Enable logging
  • Check IPv6 support

With this setup, your Debian server is significantly more secure and easier to manage.
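
Added example, not part of the original post: a POSIX shell function that reads ufw status output and checks it against the "Common Mistakes" list above, flagging ports open to Anywhere that you did not intend to open and intended rules (such as SSH) that are missing. The function name audit_ufw, the comma-separated list format and the sample table are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example: audit `ufw status` output against the rules you meant to open.
# Usage: ufw status | audit_ufw "22/tcp,80/tcp,443/tcp"
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
audit_ufw() {
    awk -F'  +' -v expected="$1" '
    BEGIN { n = split(expected, e, ","); for (i = 1; i <= n; i++) want[e[i]] = 1 }
    /^Status: inactive/ { print "INACTIVE firewall is not enabled"; bad = 1 }
    $2 ~ /^(ALLOW|LIMIT)( IN)?$/ {
        target = $1; src = $3
        # Fold the "(v6)" twin of a rule into its IPv4 entry.
        gsub(/ \(v6\)| +$/, "", target); gsub(/ \(v6\)| +$/, "", src)
        seen[target] = 1
        if (!(target in want) && src == "Anywhere" && !reported[target]++) {
            print "UNEXPECTED " target " open to Anywhere"; bad = 1
        }
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(e[i] in seen)) { print "MISSING " e[i]; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: the page's web-server rules, SSH limited to one
# address, plus a database port left open by mistake.
sample_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       203.0.113.10
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
3306/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}

# Demo on the constructed sample; `|| true` keeps the non-zero status
# (findings present) from aborting a caller that uses `set -e`.
sample_status | audit_ufw "22/tcp,80/tcp,443/tcp" || true
```

Entries in the expected list must match the To column exactly, so application profiles are given by name, for example "OpenSSH,Apache Full".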