🔒 Ubuntu Server Firewall Configuration

Complete Guide to UFW and Cloud Firewall Setup

Understanding Firewalls

In computing terms, a firewall is a software or hardware-based network security system that controls incoming and outgoing network traffic. This is accomplished by analyzing data packets and determining whether they should be allowed through based on an applied rule set.

Simple Definition: A firewall is essentially a filter that checks packets or requests coming into or out of your server, allowing only authorized traffic to pass through.

Firewall Traffic Flow

External Traffic → Firewall Filter → Your Server

Traffic is analyzed and filtered before reaching your server

Required Ports for WordPress

For a WordPress server to function properly, we need to open specific ports while keeping everything else locked down for security:

Service        Port   Protocol   Purpose
SSH            22     TCP        Secure remote server access
HTTP           80     TCP        Standard web traffic
HTTPS          443    TCP        Encrypted web traffic (HTTP/1.1 and HTTP/2 over TLS)
HTTPS (QUIC)   443    UDP        HTTP/3 support (only needed if your web server serves HTTP/3)
Ping (ICMP)    N/A    ICMP       Network diagnostics (UFW allows echo requests by default)

⚠️ Important: Port 443 needs both TCP and UDP only if your web server speaks HTTP/3. TCP carries ordinary HTTPS; UDP carries QUIC, the transport HTTP/3 runs on. If you do not serve HTTP/3, leave 443/udp closed; an open port nothing is listening on is harmless but needlessly widens the surface you have to reason about.

Firewall Management Tools

IPTables and NFTables

On Linux the packet filter itself lives in the kernel (netfilter); it is traditionally managed with the iptables utility or its successor, nftables. These tools let you write rules for every packet entering or leaving your server, but the rule syntax is intricate, rule order matters, and a single mistyped rule can lock you out of your own machine. Writing raw rules is a task best left to experienced system administrators.

UFW (Uncomplicated Firewall)

UFW is a front end that hides the iptables/nftables rule syntax: it turns adding a firewall rule into a single readable command and generates the low-level rules for you. It is ideal for anyone who wants effective filtering without the complexity, and it is sufficient for a single web server like the one set up here.

IPTables/NFTables

  • Low-level firewall management
  • Complex rule syntax
  • Highly customizable
  • Risk of lockout errors
  • Requires expertise

UFW (Uncomplicated Firewall)

  • User-friendly wrapper
  • Simple command syntax
  • Sufficient for most needs
  • Reduces error risk
  • Beginner-friendly

Cloud Firewall vs Server Firewall

✓ Best Practice: Use both cloud firewall and server firewall together for maximum protection and performance.

Cloud Firewall Advantages

  • No Resource Consumption: Doesn't use CPU cycles from your server
  • Pre-filtering: Malicious traffic is blocked before reaching your server
  • Centralized Management: Define access rules in one location and apply them to all servers
  • Performance Benefits: Reduces server load by filtering traffic upstream

Dual Firewall Architecture

Internet Traffic → Cloud Firewall (First Line of Defense) → Filtered Traffic → Server Firewall (UFW - Second Line of Defense) → Your Server Applications
Note: Not all hosting providers offer cloud firewall services. If your host offers this feature, absolutely use it. Otherwise, implement firewall rules using UFW on your server.

Configuring UFW (Uncomplicated Firewall)

Step 1: Check UFW Status

Before making any changes, check if UFW is already enabled on your server:

sudo ufw status verbose

You'll see one of two possible responses:

  • Status: active - UFW is enabled and running
  • Status: inactive - UFW needs to be enabled and configured

Scenario A: UFW Already Active (e.g., Vultr)

If UFW is already active with SSH (port 22) open, you only need to add the additional ports:

  1. Allow HTTP traffic:
    sudo ufw allow http
  2. Allow HTTPS with TCP protocol:
    sudo ufw allow https/tcp
  3. Allow HTTPS with UDP protocol (for QUIC/HTTP3):
    sudo ufw allow https/udp
  4. Reload the firewall (optional):
    sudo ufw reload
    Rules added with ufw allow take effect immediately while UFW is active, so the reload is not strictly required; it is only needed after editing the rule files under /etc/ufw by hand.
  5. Verify the new rules:
    sudo ufw status verbose

Scenario B: UFW Inactive (Fresh Installation)

If UFW is inactive, you need to set it up from scratch:

  1. Set default policy to deny all incoming traffic:
    sudo ufw default deny incoming
  2. Set default policy to allow all outgoing traffic:
    sudo ufw default allow outgoing
  3. Allow SSH (critical - do this first!):
    sudo ufw allow ssh
    ⚠️ Critical Warning: Always enable SSH before activating the firewall, or you'll be locked out of your server!
  4. Allow HTTP:
    sudo ufw allow http
  5. Allow HTTPS with TCP:
    sudo ufw allow https/tcp
  6. Allow HTTPS with UDP:
    sudo ufw allow https/udp
  7. Enable UFW:
    sudo ufw enable

    You'll see the prompt "Command may disrupt existing ssh connections. Proceed with operation (y|n)?" Type y and press Enter. Because you allowed SSH in step 3, your current session stays connected.

  8. Verify the configuration:
    sudo ufw status verbose
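The two scenarios above, collected into one script that also performs the "verify" step. This is an added example, not code from the original guide: it applies the guide's rule set in a lockout-safe order (SSH first, and it refuses to run ufw enable unless an SSH allow rule is already present), then parses the output of ufw status verbose to confirm the firewall is active, denies incoming traffic by default, and carries every required rule. Assumptions: the four rules in REQUIRED_RULES are all you need, sudo works for your user, and the sample status text at the bottom is constructed, not captured from a real host. Run it with --apply to change the firewall; with no argument it only checks the sample.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide). Applies the guide's UFW rules
# in lockout-safe order and verifies 'ufw status verbose' output.
set -eu

# Rules the guide opens. 443/udp is only useful if the web server serves HTTP/3.
REQUIRED_RULES="22/tcp 80/tcp 443/tcp 443/udp"

# Run a ufw command, or just print it when UFW_DRY_RUN=1.
run() {
  if [ "${UFW_DRY_RUN:-0}" = "1" ]; then
    echo "dry-run: ufw $*"
  else
    sudo ufw "$@"
  fi
}

# Read 'ufw show added' output on stdin; succeed only if an SSH allow rule is
# listed. 'ufw show added' lists rules even while the firewall is inactive, so
# this is the check to make before 'ufw enable' on a fresh server.
ssh_rule_added() {
  grep -Eq '(^|[[:space:]])allow[[:space:]]+(22/tcp|22|ssh)([[:space:]]|$)'
}

# Read 'ufw status verbose' output on stdin. Print "ok" and succeed when the
# firewall is active, denies incoming by default and every required rule is
# present as an ALLOW IN row; otherwise print what is missing and fail.
check_status() {
  text=$(cat)
  missing=""
  printf '%s\n' "$text" | grep -q '^Status: active' \
    || missing="$missing status-not-active"
  printf '%s\n' "$text" | grep -q '^Default: deny (incoming)' \
    || missing="$missing default-not-deny-incoming"
  for rule in $REQUIRED_RULES; do
    # An IPv4 row looks like: '443/udp     ALLOW IN    Anywhere'
    printf '%s\n' "$text" | grep -Eq "^${rule}[[:space:]]+ALLOW IN" \
      || missing="$missing $rule"
  done
  if [ -n "$missing" ]; then
    printf 'missing:%s\n' "$missing"
    return 1
  fi
  echo "ok"
}

# Scenario A and B in one place. Rules added while UFW is active are live at
# once; on an inactive firewall SSH is added first and enable is refused
# without it.
configure_ufw() {
  run default deny incoming
  run default allow outgoing
  run allow ssh          # first, so enabling can never lock you out
  run allow http
  run allow 443/tcp
  run allow 443/udp      # HTTP/3 (QUIC); omit if you do not serve it
  if sudo ufw status | grep -q '^Status: active'; then
    echo "UFW already active: new rules are live, no reload needed"
  elif sudo ufw show added | ssh_rule_added; then
    run --force enable   # --force skips the interactive y/n prompt
  else
    echo "refusing to enable: no SSH allow rule found" >&2
    return 1
  fi
  sudo ufw status verbose | check_status
}

# Constructed sample of 'ufw status verbose' on a correctly configured server.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
443/udp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
443/udp (v6)               ALLOW IN    Anywhere (v6)'

if [ "${1:-}" = "--apply" ]; then
  configure_ufw
else
  printf '%s\n' "$SAMPLE_STATUS" | check_status
fi
```

The same check_status function is what you want after the reboot test further down: pipe the real sudo ufw status verbose output into it and a non-zero exit tells you exactly which rule did not survive.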

Testing Persistence After Reboot

It's crucial to ensure firewall rules persist after a server reboot. UFW records its enabled state in /etc/ufw/ufw.conf and restores the rules at boot through its systemd service, but confirm it rather than assume it:

# Reboot the server
sudo reboot

# Wait a few minutes, then SSH back in
ssh your_server

# Check that the rules persisted
sudo ufw status verbose
✓ Expected Result: Status should be "active" and all rules (ports 22, 80, 443 TCP/UDP) should still be present.

Configuring Cloud Firewall (Vultr Example)

If your hosting provider offers a cloud firewall service, here's how to configure it using Vultr as an example:

  1. Access Firewall Settings:

    Log in to your Vultr account → Products → Network → Firewall

  2. Create Firewall Group:

    Click "Add Firewall Group" and give it a descriptive name (e.g., "cloud-fw")

  3. Configure SSH Rule:

    Protocol: SSH (Port 22)
    Source: "My IP" (recommended for security) or "Anywhere"
    Action: Accept

    Security Tip: Restricting SSH to "My IP" significantly enhances security by allowing access only from your current IP address. However, if your IP changes frequently, you may prefer "Anywhere" for convenience.
  4. Add HTTP Rule:

    Protocol: HTTP (Port 80)
    Source: Anywhere
    Action: Accept

  5. Add HTTPS TCP Rule:

    Protocol: HTTPS (Port 443)
    Protocol Type: TCP
    Source: Anywhere
    Action: Accept

  6. Add HTTPS UDP Rule:

    Protocol: Custom
    Port: 443
    Protocol Type: UDP
    Source: Anywhere
    Action: Accept

  7. Add ICMP Rule (for Ping):

    Protocol: ICMP
    Source: Anywhere
    Action: Accept

    Optional: You can delete the ICMP rule later if you prefer that the server not answer ping. Be aware this adds little real security (scanners find open TCP ports regardless) and makes network diagnostics harder.
  8. Link Firewall to Server:

    Click "Linked Instances" → Select your server → "Add Linked Instances"

⚠️ Propagation Time: Rule updates can take up to 2 minutes to propagate to all servers. Wait a few minutes before testing.

Handling IP Address Changes

If you've restricted SSH access to your specific IP address and your IP changes (e.g., router restart, ISP change), you'll be locked out of your server. Because the cloud firewall silently drops non-matching packets rather than rejecting them, the attempt typically hangs and then times out instead of being refused outright:

# Attempting to connect from the new address:
ssh user@your_server
# Output (after a long pause): ssh: connect to host your_server port 22: Connection timed out

Solution Steps:

  1. Access Cloud Firewall Panel:

    Log in to your hosting provider's control panel (Vultr account → Products → Network → Firewall)

  2. Edit Firewall Group:

    Select your firewall group (e.g., "cloud-fw") and click "Edit"

  3. Add New SSH Rule with Current IP:

    Add a new SSH rule with source set to "My IP" (this will detect your current IP automatically)

  4. Remove Old SSH Rule:

    Delete the SSH rule with your old IP address

  5. Wait for Propagation:

    Wait 2-3 minutes for the rule to propagate to all servers

  6. Test SSH Connection:
    ssh user@your_server

IP Change Resolution Process

IP changes → SSH connection times out → Log in to hosting control panel → Edit cloud firewall rules → Add new SSH rule with current IP → Delete old SSH rule → Wait 2-3 minutes → Access restored
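The same "add the new rule before deleting the old one" discipline applies when you restrict SSH by source address in UFW instead of (or in addition to) the cloud firewall. This is an added example, not code from the original guide: it validates the address (a typo such as 203.0.113 or a /33 prefix would otherwise produce a rule that lets nobody in), prints the ufw commands in the safe order, and only executes them when DRY_RUN=0. Assumptions: the addresses 203.0.113.7 and 198.51.100.4 are documentation-range placeholders, the comment text admin-ssh is arbitrary, and when no old address is given the rule being replaced is the guide's open-to-anywhere allow 22/tcp.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): rotate the address allowed to
# reach SSH in UFW without ever being left with no SSH rule at all.
set -eu

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
  addr=${1%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32            # no "/" given: host address
  case $prefix in ''|*[!0-9]*) return 1;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.
  set -- $addr                                  # split on dots
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Print the ufw commands, in safe order, to allow SSH only from NEW_CIDR.
# OLD_CIDR is the address previously allowed; when omitted, the rule removed
# is the guide's open-to-anywhere 'allow 22/tcp'.
restrict_ssh_plan() {
  new=$1
  old=${2:-}
  valid_ipv4_cidr "$new" || { echo "invalid address: $new" >&2; return 1; }
  case $new in */*) ;; *) new="$new/32";; esac
  # 1. add the new path in first
  echo "ufw allow from $new to any port 22 proto tcp comment admin-ssh"
  # 2. only then remove the old one
  if [ -n "$old" ]; then
    valid_ipv4_cidr "$old" || { echo "invalid address: $old" >&2; return 1; }
    case $old in */*) ;; *) old="$old/32";; esac
    echo "ufw delete allow from $old to any port 22 proto tcp"
  else
    echo "ufw delete allow 22/tcp"
  fi
}

# Execute the plan with sudo, or only print it (the default, DRY_RUN=1).
run_plan() {
  plan=$(restrict_ssh_plan "$@") || return 1
  printf '%s\n' "$plan" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "dry-run: $cmd"
    else
      sudo $cmd   # intentional word splitting: $cmd is one full ufw command
    fi
  done
}

# Usage:            ./restrict-ssh.sh NEW_IP [OLD_IP]   (prints the plan)
#         DRY_RUN=0 ./restrict-ssh.sh NEW_IP [OLD_IP]   (applies it)
run_plan "${1:-203.0.113.7}" "${2:-}"
```

Test the new rule from the new address before the delete step runs if you are doing this by hand. If ufw delete with the full rule text reports that the rule does not exist (for example because it was added under a different spelling), list the rules with sudo ufw status numbered and delete by number instead.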

Security Best Practices

✓ Do This

  • Use both cloud firewall and UFW together
  • Restrict SSH to specific IP addresses when possible
  • Test firewall rules before enabling
  • Verify rules persist after reboot
  • Document your firewall configuration
  • Regularly review and update rules

✗ Avoid This

  • Never enable UFW without allowing SSH first
  • Don't open unnecessary ports (including 443/udp if you don't serve HTTP/3)
  • Don't enable UFW with only the default deny-incoming policy and no allow rules; nothing, SSH included, would get through
  • Don't assume a reload is needed: ufw allow and ufw deny take effect immediately, and sudo ufw reload is only for changes made by hand under /etc/ufw
  • Never skip testing after configuration
  • Don't ignore blocked connection attempts; UFW logs them to /var/log/ufw.log (logging is on at level "low" by default)

Configuration Summary

Completed Setup Checklist

  • ✓ UFW configured with default deny incoming policy
  • ✓ UFW configured with default allow outgoing policy
  • ✓ Port 22 (SSH) opened
  • ✓ Port 80 (HTTP) opened
  • ✓ Port 443 (HTTPS) opened for both TCP and UDP
  • ✓ Cloud firewall configured (if available)
  • ✓ Rules tested and verified to persist after reboot
  • ✓ SSH access secured with IP restriction (optional)

Quick Command Reference

# Check UFW status
sudo ufw status verbose

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow services (SSH first)
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https/tcp
sudo ufw allow https/udp

# Enable UFW
sudo ufw enable

# Reload UFW (only after hand-editing files under /etc/ufw)
sudo ufw reload

# Reboot server to test persistence
sudo reboot

Your server firewall is now properly configured and secured! 🎉