UFW (Uncomplicated Firewall) is a frontend utility for managing netfilter rules in the Linux kernel via iptables. It is commonly used on Ubuntu-based systems to define host-level firewall policies in a simplified format. On a VPS, UFW controls which network packets are accepted, rejected, or dropped before they reach user-space services.
A Virtual Private Server (VPS) is typically provisioned with a public IPv4 and/or IPv6 address. Any service listening on an open port becomes reachable from the internet unless restricted. A firewall enforces policy decisions on inbound and outbound traffic before the traffic reaches application processes.
UFW simplifies the management of iptables rules by abstracting complex rule syntax into high-level commands. Internally, UFW manipulates the INPUT chain (packets addressed to the host itself), the OUTPUT chain (packets generated locally) and the FORWARD chain (packets routed through the host) of the netfilter framework.
A common baseline configuration on a VPS is to deny all unsolicited incoming traffic while allowing outgoing traffic. This ensures that only explicitly permitted services are externally reachable.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
sudo ufw reload
sudo ufw status
sudo ufw status verbose
The configuration above defines a default-deny policy for inbound connections and explicitly allows SSH (22), HTTP (80), and HTTPS (443). Once enabled, UFW inserts the corresponding rules into the Linux netfilter framework.
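The baseline above is usually typed by hand, which is where remote lockouts happen: with a default-deny inbound policy, running "ufw enable" before the SSH allow rule exists drops the administrator's own session. The script below is an added example, not part of the original page, that builds the same baseline as an ordered list of commands and checks that SSH is allowed before the enable step. The helper names (ufw_cmd, baseline_plan, check_plan) and the DRY_RUN variable are assumptions introduced here; with DRY_RUN left at its default of 1 the script only prints the commands, so it can be reviewed and run without root.

```shell
#!/bin/sh
# Added example (not code from the original page): build the UFW baseline as an
# ordered plan and verify it before anything touches the live firewall.
# DRY_RUN=1 (default) prints "sudo ufw ..." lines instead of executing them;
# DRY_RUN=0 applies them for real. Helper names are hypothetical.

: "${DRY_RUN:=1}"

# Wrapper: either print the ufw command or execute it.
ufw_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'sudo ufw %s\n' "$*"
    else
        sudo ufw "$@"
    fi
}

# Emit the baseline in the order it must be applied: defaults first, the
# explicit allows next, and "enable" only after the SSH rule is in place.
# Arguments are the ports to open, e.g. 22/tcp 80/tcp 443/tcp.
baseline_plan() {
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    for port in "$@"; do
        ufw_cmd allow "$port"
    done
    ufw_cmd enable
    ufw_cmd status verbose
}

# Read a plan on stdin; succeed only if port 22 is allowed before "enable".
check_plan() {
    awk '
        /allow 22(\/tcp)?$/ { ssh = NR }
        /ufw enable$/       { en = NR }
        END { if (ssh > 0 && en > ssh) exit 0; exit 1 }
    '
}

# Stand-alone run: print the plan, then confirm it is lockout-safe.
baseline_plan 22/tcp 80/tcp 443/tcp
if baseline_plan 22/tcp 80/tcp 443/tcp | check_plan; then
    echo "plan OK: SSH allowed before enable"
else
    echo "plan REJECTED: enable would run before SSH is allowed" >&2
fi
```

A plan that omits port 22 (for example "baseline_plan 80/tcp 443/tcp") fails check_plan, which is the case to catch before DRY_RUN=0 is ever set on a remote host.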
UFW rules are evaluated in order, and the first rule that matches a packet determines the outcome; later rules are not consulted. This ordering matters when allow and deny rules overlap in address range or port: a narrow allow for one trusted source has to sit in front of a broader deny on the same port, or it is never reached.
UFW supports source-based filtering. This allows a service to remain inaccessible to the public internet while being available to specific internal or trusted IP addresses.
The rule above permits MySQL access only from a specific source address. This is commonly used for administrative access or private database communication.
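To make both points concrete, the following added example (not part of the original page) simulates UFW's first-match evaluation over two orderings of the same pair of rules: a source-restricted allow for a database port and a broad deny on that port. The trusted client address 10.0.0.5, the stranger address 203.0.113.9, and the helper names (evaluate, plan_db_rules, TRUSTED_DB_CLIENT) are constructed for the example. It also prints the ufw commands that produce the working order, using "ufw insert 1" so the narrow allow lands ahead of the deny regardless of which was added first.

```shell
#!/bin/sh
# Added example (not code from the original page): first-match evaluation of an
# ordered UFW-style rule list, showing why a source-restricted allow must come
# before a broad deny on the same port. Addresses and helper names are constructed.

TRUSTED_DB_CLIENT=10.0.0.5   # constructed: an internal application host
DB_PORT=3306

# Ordered rule list, one rule per line: "<action> <source|any> <port|any>".
# Line 1 is checked first, as in "ufw status numbered".
GOOD_ORDER="allow $TRUSTED_DB_CLIENT $DB_PORT
deny any $DB_PORT"

BAD_ORDER="deny any $DB_PORT
allow $TRUSTED_DB_CLIENT $DB_PORT"

# evaluate <rules> <src> <dport>: print the action of the first matching rule,
# or "default-deny" when nothing matches (the page's baseline inbound policy).
evaluate() {
    printf '%s\n' "$1" | awk -v src="$2" -v port="$3" '
        ($2 == "any" || $2 == src) && ($3 == "any" || $3 == port) {
            print $1; matched = 1; exit
        }
        END { if (!matched) print "default-deny" }'
}

# The ufw commands that yield GOOD_ORDER. A plain "ufw allow" appends to the
# end of the list, so the narrow allow is placed with "insert 1" to guarantee
# it precedes the broad deny.
plan_db_rules() {
    printf 'sudo ufw deny %s/tcp\n' "$DB_PORT"
    printf 'sudo ufw insert 1 allow from %s to any port %s proto tcp\n' \
        "$TRUSTED_DB_CLIENT" "$DB_PORT"
}

# Stand-alone run: show the decision each ordering produces.
echo "good order, trusted client: $(evaluate "$GOOD_ORDER" "$TRUSTED_DB_CLIENT" "$DB_PORT")"  # allow
echo "good order, stranger:       $(evaluate "$GOOD_ORDER" 203.0.113.9 "$DB_PORT")"           # deny
echo "bad order, trusted client:  $(evaluate "$BAD_ORDER" "$TRUSTED_DB_CLIENT" "$DB_PORT")"   # deny
echo "unlisted port:              $(evaluate "$GOOD_ORDER" "$TRUSTED_DB_CLIENT" 22)"          # default-deny
echo "commands for the working order:"
plan_db_rules
```

The "bad order" line is the failure mode to watch for on a real host: the rule is present in "ufw status" but never matches, and the database stays closed to the client it was meant to serve. "ufw status numbered" shows the position of each rule, and "ufw delete NUM" followed by "ufw insert 1 ..." corrects it.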