# How to set up UFW on an Ubuntu or Debian Cloud Server?

{% embed url="<https://youtu.be/bQLJ4S441dc>" %}

### Overview <a href="#howtosetupaufwonanubuntuordebiancloudserver-overview" id="howtosetupaufwonanubuntuordebiancloudserver-overview"></a>

The best way to protect your server is to use a good security solution with features that make it hard for attackers to get in. Therefore, you must use a tool like Uncomplicated Firewall (UFW) so that you can block all types of traffic coming into your server. UFW is a firewall application that is mainly used to manage your firewall capabilities, which helps with troubleshooting and maintaining your server's security. It also allows you to create custom rules to control traffic on your server.

This tutorial demonstrates how to set up UFW on an Ubuntu 20.04 or Debian 11 Cloud Server.

### Prerequisites <a href="#howtosetupaufwonanubuntuordebiancloudserver-prerequisites" id="howtosetupaufwonanubuntuordebiancloudserver-prerequisites"></a>

There are certain prerequisites that need to be met before you begin.

* Ubuntu 20.04 or Debian 11 server configured with non-root sudo user privileges.
* Stable internet connection.

### Get Started <a href="#howtosetupaufwonanubuntuordebiancloudserver-getstarted" id="howtosetupaufwonanubuntuordebiancloudserver-getstarted"></a>

**Step 1: Configure UFW with IPv6**

Virtual Private Servers (VPS) are designed to provide a high level of performance and stability. However, the best way to protect them is by ensuring your firewall is configured for both IPv4 and IPv6 connections. In case your VPS is designed for IPv6, check that UFW supports IPv6 by opening the firewall's configuration file using the following command.

```
sudo nano /etc/default/ufw
```

Make sure that the `IPV6` value is `yes`, save the file changes and exit.

<img src="http://customer.acecloudhosting.com/index.php?rp=/images/kb/813_ipv6.png" alt="" height="206" width="1511">

Now, to restart the firewall, you need to disable it first:

```
sudo ufw disable
```

Output:

<img src="http://customer.acecloudhosting.com/index.php?rp=/images/kb/812_disabled.png" alt="" height="32" width="1519">

Turn the firewall back on:

```
sudo ufw enable
```

Output:

<img src="http://customer.acecloudhosting.com/index.php?rp=/images/kb/814_enabled.png" alt="" height="25" width="1516">

The UFW firewall is successfully set up and configured to support IPv4 as well as IPv6. The next step is to set up some default connection rules for your firewall.

**Step 2: Define UFW default rules**

Adding firewall rules for incoming and outgoing connections is a good practice to improve security and make your server more efficient. With the default UFW rules set in place, any external entity trying to reach your server will not be able to connect to it. However, any internal application can connect externally. In a nutshell, these rules prevent incoming connections and allow outgoing connections.

To block all incoming connections, use the following command:

```
sudo ufw default deny incoming
```

![](http://customer.acecloudhosting.com/index.php?rp=/images/kb/815_deny.png)

To allow outgoing connections, use the following command:

```
sudo ufw default allow outgoing
```

![](http://customer.acecloudhosting.com/index.php?rp=/images/kb/779_2023-01-04-16_01_49-MobaXterm_Pro_Portable.png)

**Step 3: Open the Firewall to Connections**

To allow connections to your server, you need to change the firewall rules. Once the firewall is enabled with the defaults above, it blocks all incoming connections. If you are using SSH to connect to your server, that means you would be locked out of it. To avoid this issue, allow SSH connections to your server.

```
sudo ufw allow ssh
```

<img src="http://customer.acecloudhosting.com/index.php?rp=/images/kb/816_v6.png" alt="" height="45" width="1525">

UFW comes with some named defaults such as ***ssh***, which you can use in the command as in the previous example. Alternatively, you can allow incoming connections to port 22/tcp directly instead of using the ssh name.

```
sudo ufw allow 22/tcp
```

If you try to add this rule after you've already allowed ssh, you'll get the following output since the rule already exists:

<img src="http://customer.acecloudhosting.com/index.php?rp=/images/kb/817_skipping-rule.png" alt="" height="51" width="1522">

In case your SSH server is configured and running on the custom port **2222**, you can allow connections using the following command. The syntax is the same as above, with port 2222 substituted.

{% hint style="info" %}
**Note**: Using the port number alone, without a protocol, applies the rule to both tcp and udp.
{% endhint %}

```
sudo ufw allow 2222/tcp
```

<img src="http://customer.acecloudhosting.com/index.php?rp=/images/kb/818_2222.png" alt="" height="51" width="1524">

**a. Ensure Web Server security**

To secure your web server, SSH is considered the primary solution. However, another effective method is File Transfer Protocol (FTP) access, which allows you to access a server remotely.

For this, you need to authorize connections for port 80. This is useful if you have a web server application running, such as Apache or Nginx, that listens for connection requests over HTTP.

```
sudo ufw allow 80/tcp
```

**b. Set Up Port Ranges**

With UFW, you can allow or deny communication for a certain port or range of ports. To allow access to a specific range of ports, specify the port at the low end of the range and the port at the high end of the range, separated by a colon (:).

{% hint style="info" %}
**Note**: It is necessary to mention the protocol (TCP or UDP).
{% endhint %}

The following commands authorize TCP and UDP access to ports ranging from 3000 to 4005.

```
sudo ufw allow 3000:4005/tcp
sudo ufw allow 3000:4005/udp
```

**c. Set up IP Addresses**

Access from certain IP addresses can be authorized within your firewall settings, which means that you can allow connections from a specific IP address, for instance, 192.168.0.170 or 172.16.254.10. Make sure to substitute the IP address with the one you wish to set up.

```
sudo ufw allow from specific_server_ip_address
```

**Step 4: Invalidating connections to specific ports**

Denying access to a specific port can stop an external application from attacking through it, or help you quickly restrict port usage. You can use the following command to restrict access to any port.

```
sudo ufw deny port_number/tcp
```

**Step 5: Delete rules**

If you wish to eliminate any rule, you can use the delete command and specify the rule after it.

```
sudo ufw delete allow port_number/tcp
```

<img src="http://customer.acecloudhosting.com/index.php?rp=/images/kb/819_deelte.png" alt="" height="51" width="1532">

If there are multiple rules, you can use the numbered list approach, which lets you inspect the list of rules that are currently defined.

```
sudo ufw status numbered
```

![](http://customer.acecloudhosting.com/index.php?rp=/images/kb/827_numbered.png)

You can then mention the rule number to delete that specific rule.

```
sudo ufw delete number
```

The output displays the deletion of rule number 23.

<img src="http://customer.acecloudhosting.com/index.php?rp=/images/kb/822_2023-01-04-16_03_19----Copy.png" alt="" height="120" width="1518">

**Step 6: Enable UFW**

Now that you have set up all the rules for your firewall, you can enable UFW so that the changes take effect.

```
sudo ufw enable
```

Output:

<img src="http://customer.acecloudhosting.com/index.php?rp=/images/kb/825_enabled.png" alt="" height="25" width="1516">

Verify your changes by checking the status that will display all the defined rules.

```
sudo ufw status
```

Output:

<img src="http://customer.acecloudhosting.com/index.php?rp=/images/kb/826_status.png" alt="" height="467" width="1533">

Now, to disable the firewall, run this command.

```
sudo ufw disable
```

Output:

<img src="http://customer.acecloudhosting.com/index.php?rp=/images/kb/828_disabled.png" alt="" height="32" width="1519">

**Step 7: Restoring default server rules**

If you wish to reset the rules to their default setting, run the following command. Press **y** if prompted to proceed with the reset.

```
sudo ufw reset
```

![](http://customer.acecloudhosting.com/index.php?rp=/images/kb/829_resetnew.png)
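The status check from Step 6 can be turned into a repeatable audit. The following is an added example, not part of the original tutorial: it parses `ufw status` text and flags a missing SSH rule (the Step 3 lockout), ports opened without a protocol, and IPv4 rules that have no IPv6 counterpart (Step 1). The function name, finding codes and sample output are assumptions made for illustration, and rules are assumed to be listed by port number rather than by application profile.

```shell
#!/usr/bin/env bash
# Added example: audit the text printed by `sudo ufw status`.
# SAMPLE_STATUS is constructed for illustration (80/tcp deliberately has no
# IPv6 twin, 2222 deliberately has no protocol); it is not from a real host.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
2222                       ALLOW       Anywhere
3000:4005/tcp              ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
2222 (v6)                  ALLOW       Anywhere (v6)
3000:4005/tcp (v6)         ALLOW       Anywhere (v6)'

# audit_ufw_status SSH_PORT   (reads `ufw status` text on stdin)
# Prints one "CODE target" finding per line, sorted; no output = no findings.
#   INACTIVE    firewall is disabled, so no rule is being enforced
#   NO_SSH      no ALLOW/LIMIT rule for the SSH port: new sessions are blocked
#   BOTH_PROTO  port allowed without /tcp or /udp, so both protocols are open
#   NO_V6       IPv4 rule without an IPv6 twin: check IPV6=yes in /etc/default/ufw
audit_ufw_status() {
  awk -v ssh="${1:-22}" '
    /^Status: inactive/ { print "INACTIVE -"; off = 1; exit }
    $1 ~ /^[0-9]/ {                       # rows whose "To" column is a port
      v6 = ($2 == "(v6)")
      action = (v6 ? $3 : $2)
      # DENY/REJECT rows are not openings
      if (action != "ALLOW" && action != "LIMIT") next
      if (v6) six[$1] = 1; else four[$1] = 1
    }
    END {
      if (off) exit
      tcp = ssh "/tcp"
      if (!(tcp in four) && !(ssh in four)) print "NO_SSH " ssh
      for (t in four) {
        if (index(t, "/") == 0) print "BOTH_PROTO " t
        if (!(t in six)) print "NO_V6 " t
      }
    }' | LC_ALL=C sort
}

# On a server: sudo ufw status | audit_ufw_status 22
printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_status 22
```

Pass the port your SSH server actually listens on (for example 2222) as the argument, and run the audit before closing your current session.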

### Conclusion <a href="#howtosetupaufwonanubuntuordebiancloudserver-conclusion" id="howtosetupaufwonanubuntuordebiancloudserver-conclusion"></a>

In this tutorial, we've delved into the concept of Uncomplicated Firewall. You can use it to lock down or restrict access for any inbound connection to your cloud server. Regardless of its uses, the commands are fairly simple and easy to understand if you follow the above steps as stated.

