Quick answer: On a Linux VPS, allow only SSH, HTTP, and HTTPS and block the rest. Use firewalld on AlmaLinux, Rocky, and CentOS, or ufw on Ubuntu and Debian. Always allow SSH before enabling the firewall, and scope sensitive ports like databases to specific trusted IPs.
A firewall controls which ports on your Linux VPS are reachable from the internet. A sensible default is to allow only what you need - SSH, HTTP, and HTTPS - and block everything else. Modern distributions use one of two front ends: firewalld (AlmaLinux, Rocky, CentOS) or ufw (Ubuntu, Debian).
Always allow SSH before enabling the firewall, or you will lose access. If you changed the SSH port, allow that port instead of 22.
firewall-cmd --permanent --add-service=ssh firewall-cmd --permanent --add-service=http firewall-cmd --permanent --add-service=https firewall-cmd --reload firewall-cmd --list-all # verify
To open a custom port, for example a non-standard SSH port:
firewall-cmd --permanent --add-port=2222/tcp firewall-cmd --reload
ufw allow OpenSSH ufw allow http ufw allow https ufw enable ufw status verbose # verify
For a custom port:
ufw allow 2222/tcp
Database and admin ports should never be open to the whole internet. Scope them to a known address:
# ufw example: allow MySQL only from one IP ufw allow from 203.0.113.10 to any port 3306 proto tcp
The firewalld equivalent uses a rich rule with a source address.
List the active rules and remove anything you do not recognize. The fewer open ports, the smaller your attack surface. Re-check after installing new software, since some packages open ports automatically.
How do I avoid locking myself out?
Allow SSH (or your custom SSH port) before enabling the firewall.
Which tool does my server use?
firewalld on AlmaLinux, Rocky, and CentOS; ufw on Ubuntu and Debian.
On a SoftSys managed Linux VPS our team configures and maintains the firewall for you, keeping only the necessary ports open and locking database and admin access to trusted addresses.