For servers operating publicly on the internet, the first line of defense is often a firewall. It determines which network traffic can enter and exit your system. For users new to Linux servers, the traditional iptables rule set can seem complex and difficult to understand. Fortunately, Ubuntu and Debian systems provide a tool called UFW, short for "Uncomplicated Firewall," which, as the name suggests, simplifies firewall configuration. Essentially, it's a front-end wrapper for iptables, simplifying rule management through user-friendly commands.

UFW is pre-installed in many Ubuntu versions. If your system doesn't have it, the installation process is very quick. First, update the package list, then install the ufw package. This operation requires administrator privileges, so you'll need to use sudo.

sudo apt update

sudo apt install ufw

After installation, it's recommended not to activate it immediately. The first step is to set the default policy, which determines how traffic that doesn't match a specific rule is handled. A reasonable basic policy is: deny all incoming connections by default, but allow all outgoing connections. This allows the server free access to the external network, while unauthorized external connections are blocked.

sudo ufw default deny incoming

sudo ufw default allow outgoing

Next, you need to open the necessary ports one by one according to the services running on the server. The most common case is opening the SSH port (usually 22). If you are remotely managing the server via SSH, you must complete this step before enabling the firewall; otherwise, you may be immediately disconnected and locked out of the server. The command to allow SSH connections using UFW is intuitive.

sudo ufw allow ssh

UFW has built-in definitions for some commonly used services, such as "ssh" corresponding to port 22, "http" to port 80, and "https" to port 443. You can also specify rules directly using port numbers, which is necessary when services use non-standard ports. For example, if you changed the SSH service to port 2222, you should set it like this:

sudo ufw allow 2222/tcp

For servers running websites, you need to open the HTTP and HTTPS ports.

sudo ufw allow http

sudo ufw allow https

If you are running other services, such as a MySQL database (default port 3306) or a custom API service (e.g., on port 3000), you will also need to add rules for them. Rules can specify the protocol (TCP or UDP), which is important for UDP services like DNS.

sudo ufw allow 3306/tcp

sudo ufw allow 3000/tcp

sudo ufw allow 53/udp

Besides allowing connections on specific ports, UFW allows for more granular rules based on IP addresses. For example, you can allow only a specific IP address (such as your office or home network IP) to connect to the SSH port, which is much more secure than leaving it open to the whole world.

sudo ufw allow from 203.0.113.10 to any port 22

Correspondingly, you can also block all traffic from a specific IP address, which is useful when encountering malicious scans or attacks.

sudo ufw deny from 192.168.1.100

After adding a series of rules, you can view the current rule list at any time. The `status` command will display all configured rules. Adding the `numbered` parameter will display a number for each rule, which is convenient when you need to delete a specific rule later.

sudo ufw status numbered

If you find that a rule was added incorrectly, or is no longer needed, you can delete it. There are two ways to delete a rule. One is to use the original command used when creating the rule, simply replacing `allow` or `deny` with `delete`. For example, to delete the rule that allows HTTP:

sudo ufw delete allow http

Another, more general method is to use the rule number. First, run `sudo ufw status numbered` to view the number, and then use the `delete` command followed by the number.

sudo ufw delete 3

After all the necessary rules are configured correctly and you have repeatedly confirmed that SSH connections are allowed, you can officially enable the UFW firewall. The `enable` command activates all rules and makes the firewall automatically load with system startup.

sudo ufw enable

After enabling, the firewall takes effect immediately. You should check the status again and test whether critical services (such as SSH and web) are still accessible. If the test passes, the configuration is correct.

UFW also provides some advanced features. For example, the `limit` rule can help mitigate brute-force attacks. It rate-limits connection attempts on a port, temporarily blocking connections that exceed the limit within a certain period. This is particularly useful for protecting SSH ports.

sudo ufw limit ssh

Logging is important for monitoring and troubleshooting. You can enable UFW's logging feature to record connection attempts processed by the firewall. Logs are usually stored in `/var/log/ufw.log`.

sudo ufw logging on

If you need to temporarily disable the firewall for some testing (please be aware of security risks), you can use the `disable` command. This will disable all rules but will not delete them.

sudo ufw disable

To completely restart, you can use the `reset` command. This will disable UFW and delete all user-defined rules. The system will revert to its initial state after UFW installation.

sudo ufw reset

When managing firewalls, an important principle is "least privilege." That is, only open ports absolutely necessary for business operations, and close all others. For production servers, it is recommended to practice the complete rule configuration process in a local virtual machine or test environment first to ensure no omissions or errors. Especially when connecting via remote SSH, an incorrect rule can lead to irreversible loss of administrative privileges.

UFW's success lies in its balance between power and ease of use. It doesn't hide the complexity of iptables but provides a clear syntax for managing it. You can use simple commands for daily needs, or delve into the underlying iptables rules it generates when needed. For most Ubuntu and Debian server use cases, the functionality provided by UFW is sufficient. Taking the time to familiarize yourself with its commands and configure this network gateway for your server is a fundamental task in system security that requires little investment but yields significant results.