Uncomplicated Firewall — three commands between an exposed server and a hardened one
UFW (short for Uncomplicated Firewall) is a command-line front end for Linux's iptables, shipped with Ubuntu but inactive until you enable it. iptables has been the standard Linux firewall tool since the early 2000s: extremely powerful, but punishingly complex, with long commands and chains, tables and policies to keep straight. UFW exposes that power through an interface you can learn in five minutes: 'allow SSH', 'deny everything else', 'enable'. That is exactly what most personal-VPS users need.

For me (Elad) on Hetzner, UFW is the first line of defense. The default policy denies all incoming traffic and allows all outgoing traffic; the only exceptions are SSH (22), HTTP (80, which Let's Encrypt needs for its HTTP-01 challenge) and HTTPS (443). The 13 agents listening on internal ports 3700-3900 are not reachable from the internet at all: UFW drops packets to them silently, so a port scanner sees no answer rather than a closed port. It complements Cloudflare Tunnel well: the tunnel is an outbound connection made by cloudflared, so no inbound port has to be opened for it, and if a service is accidentally bound to 0.0.0.0 instead of localhost, UFW still keeps it unreachable. Two layers of defense instead of one.

One caveat before you rely on that: Docker publishes container ports through its own iptables chains, which are consulted before UFW's rules, so a container started with `-p 3700:3700` is reachable from the internet even while `ufw status` says the port is blocked. Bind published ports to loopback (`-p 127.0.0.1:3700:3700`) or use the Docker-specific fix listed in the links below.

This guide shows the five commands you'll use every single time and the common configurations every production VPS needs.
The right question isn't 'what do I block' but 'what do I _allow_'. UFW turns that mindset into commands.
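A baseline script that turns that allow-list mindset into the commands, added here as an example (it is not code from this page or from Elad's own setup): default-deny incoming, allow outgoing, rate-limited SSH, 80 and 443, then enable. It assumes Ubuntu with ufw installed and sshd on port 22 (override with `SSH_PORT`); the `UFW` variable and the `preview`/`apply` arguments are conventions of this script, not ufw options. Note the order: the SSH rule is added before `ufw enable`, and the script refuses to enable if nothing is listening on the SSH port, because enabling a default-deny firewall over SSH without an SSH rule locks you out of the box.

```shell
#!/bin/sh
# Added example, not from the original page: a first-boot UFW baseline for a VPS
# that should expose only SSH, HTTP and HTTPS.
# Assumptions: Ubuntu with ufw installed; sshd listens on SSH_PORT (default 22);
# you run it over the very SSH session you do not want to lose.
set -eu

SSH_PORT="${SSH_PORT:-22}"   # assumption: sshd on 22; export SSH_PORT=2222 if you moved it
UFW="${UFW:-ufw}"            # script convention: UFW=echo prints the commands instead of running them

# The whole policy as an ordered list of ufw arguments, one rule per line.
# Everything not listed is dropped by the default-deny policy; that is the
# "what do I allow" mindset expressed as commands. 'limit' instead of 'allow'
# on SSH makes ufw drop a source that opens 6 or more connections in 30 seconds.
ufw_baseline_rules() {
  cat <<EOF
default deny incoming
default allow outgoing
limit ${SSH_PORT}/tcp comment ssh-rate-limited
allow 80/tcp comment http-acme-challenge
allow 443/tcp comment https
EOF
}

# Apply the rules, then enable. Order matters: the SSH rule must exist before
# 'ufw enable', otherwise a default-deny firewall closes the session you are in.
apply_ufw_baseline() {
  if [ "$UFW" = ufw ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    # Lock-out guard: refuse to enable if nothing is listening on SSH_PORT
    # (wrong port, sshd down), since the limit rule would protect the wrong port.
    if ! ss -Hlnt "sport = :${SSH_PORT}" | grep -q . ; then
      echo "nothing listening on tcp/${SSH_PORT}; refusing to enable" >&2
      return 1
    fi
  fi
  ufw_baseline_rules | while IFS= read -r line; do
    set -- $line            # split the line into ufw arguments
    "$UFW" "$@"
  done
  "$UFW" --force enable     # --force skips the interactive "may disrupt ssh" prompt
  "$UFW" status verbose
}

case "${1:-}" in
  preview) UFW=echo apply_ufw_baseline ;;
  apply)   apply_ufw_baseline ;;
  *)       echo "usage: $0 preview|apply" >&2 ;;
esac
```

Run `sh ufw-baseline.sh preview` first to see exactly which ufw commands will execute, then `sudo sh ufw-baseline.sh apply`. Because `ufw enable` persists the rule set, this is a one-time step per server; after that, `ufw status verbose` shows the same five lines after every reboot.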
| Without UFW | With UFW |
|---|---|
| Hundreds of iptables commands with arcane syntax | `ufw allow 22/tcp` — one clear command |
| Exposed server — 'who even knows about it?' | Locked-down server — even if they know, they can't get in |
| Opened a port for a quick test, forgot to close it | `ufw status` shows everything — no surprises |
| Rules are wiped after a reboot | `ufw enable` saves automatically, comes back after boot |
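The "forgot to close it" row is the one that bites in practice, so here is an audit that turns `ufw status` into a pass/fail check against the short list of ports you meant to open. This is an added example, not code from the page or from Elad's audit service; it assumes the text layout of `ufw status` (To / Action / From columns, IPv6 rows suffixed with `(v6)`), the sample status block is constructed for the demonstration, and the function names and the `live` argument are this script's own.

```shell
#!/bin/sh
# Added example, not from the original page: audit 'ufw status' against the
# ports you meant to open, so a port opened "for a quick test" shows up.
# Assumption: the text layout of 'ufw status' (To / Action / From columns,
# v6 rows marked "(v6)"). Function names are this script's own.
set -eu

# Print the "To" column of every rule reachable from the whole internet
# (inbound, ALLOW or LIMIT, From = Anywhere), once per port even when a v4
# rule has its (v6) twin. Reads 'ufw status' text on stdin.
ufw_world_open_rules() {
  awk '
    /^Status:/ || /^(To|--)/ || NF == 0 { next }
    {
      to = $1; i = 2
      # skip the "(v6)" marker and "on <iface>" qualifiers that follow the port
      while ($i == "(v6)" || $i == "on") { i += ($i == "on") ? 2 : 1 }
      action = $i; i++
      if ($i == "IN" || $i == "OUT") { dir = $i; i++ } else { dir = "IN" }
      from = $i
      if (dir == "IN" && (action == "ALLOW" || action == "LIMIT") && from == "Anywhere")
        seen[to] = 1
    }
    END { for (t in seen) print t }
  ' | sort
}

# Compare world-open rules with an explicit allow-list ("22/tcp 80/tcp 443/tcp").
# Prints each unexpected rule and returns 1 if there is at least one.
ufw_unexpected_rules() {
  expected="$1"
  rc=0
  for rule in $(ufw_world_open_rules); do
    case " $expected " in
      *" $rule "*) ;;
      *) echo "$rule"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample of 'ufw status' output: the three intended ports, one
# agent port (3700) left open to the world, and a database port that is
# restricted to a single source IP and therefore not flagged.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3700/tcp                   ALLOW       Anywhere
5432/tcp                   ALLOW       203.0.113.7
22/tcp (v6)                LIMIT       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
3700/tcp (v6)              ALLOW       Anywhere (v6)'

EXPECTED="${EXPECTED:-22/tcp 80/tcp 443/tcp}"

case "${1:-}" in
  live)
    [ "$(id -u)" -eq 0 ] || { echo "run as root: ufw status needs it" >&2; exit 1; }
    ufw status | ufw_unexpected_rules "$EXPECTED" && echo "only expected ports are world-open"
    ;;
  *)
    printf '%s\n' "$SAMPLE_STATUS" | ufw_unexpected_rules "$EXPECTED" \
      || echo "^ world-open rules not in the allow-list (sample data)"
    ;;
esac
```

Without arguments the script runs on the constructed sample and reports `3700/tcp`; `sudo sh ufw-audit.sh live` runs it against the real `ufw status`, and the non-zero exit code makes it usable from cron or a deploy pipeline. Rules scoped to a single source address are deliberately not flagged, since they are not world-open; review those by hand.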
Here's how:
Step 1 on a new server: SSH. Step 2: UFW. Without it you're inviting the internet to peek in.
On Vercel/Heroku you never touch a firewall; the provider handles it. On a VPS, you do. UFW makes that simple.
iptables is a headache. UFW wraps it in syntax a 10-year-old could read.
A firewall = compliance requirement. UFW provides it without enterprise solution overhead.
The official docs — short and clear
The most recommended beginner tutorial
The plugin that fixes Docker bypassing UFW
Mandatory companion to UFW — auto-blocks brute force
Collective defense — global IP blocklist of attackers
If you use a Tunnel, you need even fewer open ports
A 30-minute review can save you from disaster. I can audit your UFW + SSH + fail2ban.
Full-Stack Developer & AI Specialist
On my Hetzner server, UFW allows only 3 ports (SSH limit, 80, 443) — and that's one of the things that lets me sleep at night. There's also fail2ban, which automatically bans any IP that tries SSH brute-force more than 3 times. A simple combo, a 5-minute fix, zero breaches since 2023.