
How to Set Up UFW Firewall on Ubuntu

UFW (Uncomplicated Firewall) is the standard firewall for Ubuntu. This guide covers the essential rules, common configurations for web servers and app servers, and how to manage rules without locking yourself out.

Basic UFW Setup

UFW is installed by default on Ubuntu but is inactive. Set the default policies first:

    sudo ufw default deny incoming
    sudo ufw default allow outgoing

This blocks all inbound traffic and allows all outbound traffic. Then add rules for what you need. Enable UFW only after adding the SSH rule, otherwise you will lock yourself out:

    sudo ufw allow OpenSSH
    sudo ufw enable
    sudo ufw status verbose

Common Rules for a Web Server

Allow HTTP and HTTPS:

    sudo ufw allow 80
    sudo ufw allow 443

Or use the Nginx profile:

    sudo ufw allow "Nginx Full"

Allow your app port if it is not proxied:

    sudo ufw allow 3000

Allow PostgreSQL from a specific IP only:

    sudo ufw allow from 10.0.0.5 to any port 5432

Never expose PostgreSQL or Redis to all IPs. Always restrict them to specific source IPs.

Limit SSH to Your IP Only

For maximum security, restrict SSH to your specific IP:

    sudo ufw allow from YOUR.IP.ADDRESS to any port 22

Then delete the broad rule:

    sudo ufw delete allow OpenSSH

This means only your IP can even attempt to connect to SSH. Note: if your IP is dynamic (changes frequently), this will lock you out when it changes. Use fail2ban instead for dynamic IPs.

View, Edit, and Delete Rules

List rules with numbers:

    sudo ufw status numbered

Delete a rule by number:

    sudo ufw delete 3

Reset all rules (this disables UFW and removes all rules, so use it with caution):

    sudo ufw reset

Reload after changes:

    sudo ufw reload

Always verify status after changes:

    sudo ufw status verbose

Rules take effect immediately. No restart is needed.
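To make the "always verify status" step repeatable, the script below is an added example (not part of the original guide) that parses `ufw status` output and flags the two mistakes this guide warns about: a database port open to every source, and no SSH allow rule. The function names, the restricted-port list and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ufw status` text against this guide's rules.
# Function names and the port list are assumptions made for this illustration.

RESTRICTED_PORTS="5432 6379"   # PostgreSQL, Redis: never open to all sources

# Reads `ufw status` or `ufw status verbose` output on stdin, prints one
# finding per line, and returns 1 when anything was found.
ufw_audit() {
  awk -F'  +' -v ports="$RESTRICTED_PORTS" '
    BEGIN { bad = 0; ssh = 0; n = split(ports, p, " ")
            for (i = 1; i <= n; i++) restricted[p[i]] = 1 }
    $2 ~ /^(ALLOW|LIMIT)/ {              # columns: To, Action, From
      to = $1; from = $3
      sub(/ \(v6\)$/, "", to)            # "6379 (v6)" -> "6379"
      port = to; sub(/\/.*/, "", port)   # "22/tcp (OpenSSH)" -> "22"
      if (to == "OpenSSH" || port == "22") ssh = 1
      if ((port in restricted) && from ~ /^Anywhere/) {
        print "FAIL: port " port " is open to " from; bad = 1
      }
    }
    END {
      if (!ssh) { print "FAIL: no SSH allow rule (OpenSSH or port 22)"; bad = 1 }
      exit bad
    }'
}

# Constructed sample of `sudo ufw status` output, not taken from a real host.
sample_status() {
  cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
5432                       ALLOW       10.0.0.5
6379                       ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
6379 (v6)                  ALLOW       Anywhere (v6)
EOF
}

# On a live host: sudo ufw status | ufw_audit
sample_status | ufw_audit || true
```

The sample flags the Redis rule twice (IPv4 and IPv6) and passes the PostgreSQL rule because it is limited to 10.0.0.5. The function does not parse the bracketed indexes printed by `ufw status numbered`.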


© 2026 NexWorldTech — Built for Global Dominance.