UFW — The Complete Guide
Uncomplicated Firewall — three commands between an exposed server and a hardened one
UFW (short for Uncomplicated Firewall) is a command-line tool for Ubuntu that wraps Linux's iptables in clear, simple syntax. iptables itself is the standard Linux firewall tool since the early 2000s — extremely powerful, but punishingly complex (commands with 6 parameters, chains and tables and policies). UFW takes all that power and exposes it through an interface you can learn in 5 minutes: 'allow SSH', 'block everything else', 'enable'. That is exactly what most personal-VPS users need. For me (Elad) the principle is alive, just with slightly different tools: on my Contabo server the firewall is built directly on iptables (the tool underneath UFW) — only three ports are open (SSH 22, HTTP 80, and HTTPS 443), management access goes through Tailscale (an encrypted private network between my machines), and fail2ban automatically bans addresses that try to break in. All the agents running on internal ports are not reachable from the internet at all, and it complements Cloudflare Tunnel perfectly — two layers of defense instead of one. UFW is the friendliest way to reach exactly the same result, which is why this guide teaches it: the 5 commands you'll use 100% of the time and the common configurations every production VPS needs.
What this guide covers
What is a firewall and why you need one
The first guard at the entrance to your network
A firewall is software that sits at your network card's entrance and inspects every packet that arrives — if it matches an allow rule, it passes through; if not, it gets dropped. Without a firewall, every service listening on your server is open to the world — including ports you didn't even know were open (like a database you tried once or a dev service you forgot to stop). On a fresh VPS, internet scanners will find you within minutes and try to break in. UFW makes that defense simple: default 'block everything', you allow only what you need.
The 5 commands you'll use 100% of the time
ufw status, allow, deny, delete, enable
Most of what you'll do with UFW boils down to five simple commands. Know them and you're set for 99% of cases.
Real-world scenarios
The configs every production VPS needs
After learning the basics, let's see what you'll actually do. Here are the most common setups on a production server.
Advanced: profiles, IPv6, and Docker
What you need to know when the basics aren't enough
After you have the basics, a few cases need special attention — mainly Docker (which bypasses UFW), IPv6 (default in 2026), and application profiles.
Debugging: what to do when something doesn't work
Common errors and their fixes
Most UFW problems are either 'I blocked something I needed' or 'I locked myself out after enable'. Here's the orderly diagnosis.
Alternatives: nftables, firewalld, fail2ban
What else exists in the Linux ecosystem
UFW is the obvious choice for Ubuntu/Debian, but there are other tools that suit different situations.
