UFW (Uncomplicated Firewall) Baseline Deployment for Web Servers

The Uncomplicated Firewall (UFW) is a user-friendly front end for iptables, which in turn programs netfilter, the packet-filtering framework in the Linux kernel. For a web server on a Hovixa VPS, UFW acts as the first line of defense: it drops all unsolicited inbound traffic except on the specific ports your applications require (typically SSH, HTTP, and HTTPS).

1. The "Default Deny" Strategy

A sound firewall configuration follows the principle of least privilege: start by denying all incoming traffic by default, then "punch holes" only for known, necessary services. Outbound traffic is allowed by default so that the server can still perform DNS lookups, fetch package updates, and so on.

# Set the default policies (this does not reset existing rules;
# use "sudo ufw reset" first if you want a clean slate)
sudo ufw default deny incoming
sudo ufw default allow outgoing

2. Allowing Essential Services

Before enabling the firewall, you must ensure your administrative access is preserved. If you changed your SSH port as described in our previous guide, you must allow that specific port number here instead of 22. Run these commands from an existing SSH session and, after enabling the firewall, open a second session to confirm you can still log in before closing the first one.

A. Secure Shell (SSH)

# If using default port 22:
sudo ufw allow 22/tcp

# If using a custom port (e.g., 2284):
sudo ufw allow 2284/tcp
    

B. Web Traffic (HTTP/HTTPS)

Web servers require ports 80 (HTTP) and 443 (HTTPS) to be reachable from the public internet.

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

3. Enabling the Firewall

Once the rules are defined, you can activate UFW. The command warns that enabling the firewall may disrupt existing SSH connections; as long as you allowed your SSH port in the previous step, it is safe to answer "y". The firewall stays enabled across reboots from this point on.

sudo ufw enable
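The three steps above combined into one script, added here as an example and not part of the original guide. SSH_PORT and ADMIN_IP are illustrative environment variable names assumed for this script; it only executes the ufw commands when APPLY=1 is set and otherwise prints the plan. It goes slightly beyond the steps: SSH is rate-limited with `ufw limit` (or restricted to ADMIN_IP when one is given), and the script refuses to enable the firewall unless the SSH port is in the plan.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): build the UFW baseline from
# sections 1-3 as a list of commands, verify the SSH port is allowed before
# the enable step, and only run the commands when APPLY=1 is set.
# SSH_PORT and ADMIN_IP are assumed environment variable names.

set -eu

# Accept only a sane TCP port number (digits only, 1-65535).
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; else return 1; fi
}

# Print the baseline as one ufw command per line.
# $1 = SSH port, $2 = optional admin source IP/CIDR that may reach SSH.
ufw_baseline_plan() {
  local ssh_port="$1" admin_ip="${2:-}"
  valid_port "$ssh_port" || { echo "bad SSH port: $ssh_port" >&2; return 1; }
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  if [ -n "$admin_ip" ]; then
    # Restrict SSH to a known source; everyone else hits the default deny.
    echo "ufw allow from $admin_ip to any port $ssh_port proto tcp"
  else
    # 'limit' allows the port but denies a source that opens 6 or more
    # connections within 30 seconds (UFW's built-in brute-force throttle).
    echo "ufw limit $ssh_port/tcp"
  fi
  echo "ufw allow 80/tcp"
  echo "ufw allow 443/tcp"
  echo "ufw --force enable"   # --force skips the interactive SSH warning
}

# Lockout guard: succeed only if the plan allows or limits the SSH port.
# $1 = SSH port, $2 = plan text.
plan_allows_ssh() {
  local ssh_port="$1"
  printf '%s\n' "$2" | grep -qE "^ufw (allow|limit) .*(port )?${ssh_port}(/tcp| proto tcp)"
}

# Build the plan, check it, then print it (dry run) or apply it (APPLY=1).
run_plan() {
  local ssh_port="$1" admin_ip="${2:-}" plan
  plan="$(ufw_baseline_plan "$ssh_port" "$admin_ip")" || return 1
  plan_allows_ssh "$ssh_port" "$plan" || { echo "refusing: SSH port $ssh_port not allowed" >&2; return 1; }
  if [ "${APPLY:-0}" = "1" ]; then
    # Word splitting of $cmd is intentional: each line is one ufw command.
    printf '%s\n' "$plan" | while IFS= read -r cmd; do sudo $cmd; done
  else
    printf '%s\n' "$plan"
  fi
}

run_plan "${SSH_PORT:-22}" "${ADMIN_IP:-}"
```

Run it once without APPLY to review the plan, then `SSH_PORT=2284 APPLY=1 ./ufw-baseline.sh` to apply it. Setting ADMIN_IP to your office or VPN address is the stronger option when your source address is stable; `ufw limit` is the fallback when it is not.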

4. Quick-Reference UFW Commands

Requirement           Command
Check status          `sudo ufw status verbose`
Delete a rule         `sudo ufw delete allow 80/tcp`
Allow a specific IP   `sudo ufw allow from [YOUR_IP] to any port 22`
Disable firewall      `sudo ufw disable`

5. Technical Implementation Details

  • Service Names and Application Profiles: UFW accepts service names from /etc/services (sudo ufw allow http opens 80/tcp) as well as application profiles that packages install under /etc/ufw/applications.d/. The nginx package provides 'Nginx Full', so sudo ufw allow 'Nginx Full' opens both 80 and 443 in one rule. List the profiles available on your server with sudo ufw app list.
  • IPv6 Support: Hovixa VPS instances come with IPv6 enabled by default. Make sure /etc/default/ufw contains IPV6=yes before you add rules: with it set, every allow command creates both an IPv4 and an IPv6 rule (shown with a (v6) suffix in the status output). Rules added while IPV6=no cover IPv4 only and must be re-added after changing the setting; reload the firewall with sudo ufw reload for the change to take effect.
  • Connection Tracking: UFW relies on netfilter's conntrack module. Its built-in rules accept packets belonging to ESTABLISHED or RELATED connections before your own rules are evaluated, so replies to connections your server initiated (DNS lookups, package downloads) are let back in even though incoming traffic is denied by default. The default allow outgoing policy only covers the outbound half of those connections.

Sysadmin Advice: Use **sudo ufw status numbered** to view your rules with an index. This makes it much easier to delete specific rules (e.g., `sudo ufw delete 3`) without typing out the full port and protocol string. Note that the indices shift after every deletion, so when removing several rules, delete from the highest number downwards or re-run the status command between deletions.
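A companion to the numbered status output, added here as an example and not part of the original guide: an audit function that reads `ufw status numbered` output, compares every inbound ALLOW or LIMIT rule against the expected baseline, and prints the index and target of anything extra so it can be removed with `sudo ufw delete <n>`. The status text below is constructed for the example (the baseline plus a stray MySQL rule); on a real host pass `"$(sudo ufw status numbered)"` instead.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): flag inbound rules that are
# not part of the expected baseline, using the index from 'ufw status numbered'.

# $1 = text of 'ufw status numbered', $2 = space-separated expected targets
# Prints "<index> <target> <action>" for each unexpected ALLOW/LIMIT IN rule.
audit_ufw_status() {
  printf '%s\n' "$1" | awk -v expected="$2" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    /^\[ *[0-9]+\]/ {
      num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)   # rule index
      rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)             # text after index
      to = rest; sub(/ .*/, "", to)                           # "To" column, e.g. 80/tcp
      if (match(rest, /(ALLOW|LIMIT) IN/) && !(to in ok))
        print num " " to " " substr(rest, RSTART, RLENGTH)
    }'
}

# Constructed sample output: the baseline from this guide plus a stray
# MySQL rule (3306/tcp) that should not be exposed to the internet.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 2284/tcp                   LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 3306/tcp                   ALLOW IN    Anywhere
[ 5] 2284/tcp (v6)              LIMIT IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

EXPECTED="2284/tcp 80/tcp 443/tcp"

# Prints: 4 3306/tcp ALLOW IN
audit_ufw_status "$SAMPLE_STATUS" "$EXPECTED"
```

Because IPv6 rules are listed separately with a (v6) suffix, the function keys on the port/protocol column only, so one entry in EXPECTED covers both stacks. Run it from cron and alert on non-empty output to catch rules that were added by hand and never removed.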
