There was a problem loading the comments.

How to Configure a Basic Firewall with firewalld or ufw

Support Portal  »  Knowledgebase  »  Viewing Article

  Print

Quick answer: On a Linux VPS, allow only SSH, HTTP, and HTTPS and block the rest. Use firewalld on AlmaLinux, Rocky, and CentOS, or ufw on Ubuntu and Debian. Always allow SSH before enabling the firewall, and scope sensitive ports like databases to specific trusted IPs.

A firewall controls which ports on your Linux VPS are reachable from the internet. A sensible default is to allow only what you need - SSH, HTTP, and HTTPS - and block everything else. Modern distributions use one of two front ends: firewalld (AlmaLinux, Rocky, CentOS) or ufw (Ubuntu, Debian).

Before you start: do not lock yourself out

Always allow SSH before enabling the firewall, or you will lose access. If you changed the SSH port, allow that port instead of 22.

firewalld (AlmaLinux / Rocky / CentOS)

firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
firewall-cmd --list-all        # verify

To open a custom port, for example a non-standard SSH port:

firewall-cmd --permanent --add-port=2222/tcp
firewall-cmd --reload

ufw (Ubuntu / Debian)

ufw allow OpenSSH
ufw allow http
ufw allow https
ufw enable
ufw status verbose             # verify

For a custom port:

ufw allow 2222/tcp

Restrict sensitive ports to specific IPs

Database and admin ports should never be open to the whole internet. Scope them to a known address:

# ufw example: allow MySQL only from one IP
ufw allow from 203.0.113.10 to any port 3306 proto tcp

The firewalld equivalent uses a rich rule with a source address.

Verify and keep it minimal

List the active rules and remove anything you do not recognize. The fewer open ports, the smaller your attack surface. Re-check after installing new software, since some packages open ports automatically.

Frequently asked questions

How do I avoid locking myself out?
Allow SSH (or your custom SSH port) before enabling the firewall.

Which tool does my server use?
firewalld on AlmaLinux, Rocky, and CentOS; ufw on Ubuntu and Debian.

On a SoftSys managed Linux VPS our team configures and maintains the firewall for you, keeping only the necessary ports open and locking database and admin access to trusted addresses.


Share via
Did you find this article useful?  

Related Articles

Tags

© Softsys Hosting