UFW — The Complete Guide
Uncomplicated Firewall — three commands between an exposed server and a hardened one
UFW (short for Uncomplicated Firewall) is a command-line tool for Ubuntu that wraps Linux's iptables in clear, simple syntax. iptables has been the standard Linux firewall tool since the early 2000s: extremely powerful, but punishingly complex (commands with 6 parameters, chains and tables and policies). UFW takes all that power and exposes it through an interface you can learn in 5 minutes: 'allow SSH', 'block everything else', 'enable'. That is exactly what most personal-VPS users need.

For me (Elad) on Hetzner, UFW is the first line of defense: it blocks everything except SSH (22), HTTP (80, for Let's Encrypt), and HTTPS (443). All 13 agents running on internal ports 3700-3900 are not reachable from the internet at all — UFW simply ignores requests to them. It complements Cloudflare Tunnel perfectly: if something in the Tunnel breaks and a port suddenly opens — UFW still blocks. Two layers of defense instead of one.

This guide will show you the 5 commands you'll use 100% of the time and the common configurations every production VPS needs.
What this guide covers
What is a firewall and why you need one
The first guard at the entrance to your network
A firewall is software that sits at your network card's entrance and inspects every packet that arrives — if it matches an allow rule, it passes through; if not, it gets dropped. Without a firewall, every service listening on your server is open to the world — including ports you didn't even know were open (like a database you tried once or a dev service you forgot to stop). On a fresh VPS, internet scanners will find you within minutes and try to break in. UFW makes that defense simple: default 'block everything', you allow only what you need.
The 5 commands you'll use 100% of the time
ufw status, allow, deny, delete, enable
Most of what you'll do with UFW boils down to five simple commands. Know them and you're set for 99% of cases.
Real-world scenarios
The configs every production VPS needs
After learning the basics, let's see what you'll actually do. Here are the most common setups on a production server.
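The baseline from the introduction (only 22, 80 and 443 reachable, internal ports 3700-3900 closed), written out with a check that the running rule set still matches it. This is an added example, not part of the original guide: the function names `apply_baseline`, `audit_ufw` and `sample_status` are hypothetical, and the status text is constructed in the layout `ufw status verbose` prints.

```shell
# Added example: apply the guide's baseline, then audit `ufw status verbose` against it.
ALLOWED="22/tcp 80/tcp 443/tcp"   # SSH, HTTP (Let's Encrypt), HTTPS

# Apply the baseline (run as root). SSH is allowed BEFORE enable so the
# current session is not cut off. Defined here but not called.
apply_baseline() {
  ufw default deny incoming
  ufw default allow outgoing
  for rule in $ALLOWED; do ufw allow "$rule"; done
  ufw enable
}

# Read status text on stdin; print one finding per line; return 1 on any finding.
audit_ufw() {
  awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^Status: active/                      { active = 1 }
    /^Default: (deny|reject) \(incoming\)/ { deny = 1 }
    # Inbound rule rows: first column is the port/proto ("(v6)" is a later field).
    / (ALLOW|LIMIT) / && !/ (ALLOW|LIMIT) OUT / {
      if (!($1 in ok)) { print "UNEXPECTED_RULE " $1; bad = 1 }
    }
    END {
      if (!active) { print "FIREWALL_INACTIVE"; bad = 1 }
      if (!deny)   { print "DEFAULT_NOT_DENY";  bad = 1 }
      exit bad + 0
    }'
}

# Constructed sample: the baseline plus a leftover rule exposing the internal range.
sample_status() {
  cat <<'EOF'
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
3700:3900/tcp              ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}

# Offline demo on the constructed sample; on a server: ufw status verbose | audit_ufw
sample_status | audit_ufw || echo "baseline violated"
```

The audit is deliberately strict: a rule written without a protocol or through an application profile is reported as unexpected so that it gets reviewed by hand.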
Advanced: profiles, IPv6, and Docker
What you need to know when the basics aren't enough
After you have the basics, a few cases need special attention — mainly Docker (which bypasses UFW), IPv6 (default in 2026), and application profiles.
Debugging: what to do when something doesn't work
Common errors and their fixes
Most UFW problems are either 'I blocked something I needed' or 'I locked myself out after enable'. Here's the orderly diagnosis.
Alternatives: nftables, firewalld, fail2ban
What else exists in the Linux ecosystem
UFW is the obvious choice for Ubuntu/Debian, but there are other tools that suit different situations.
