Firewall Configuration Skill

Configure UFW firewall to control network traffic and minimize attack surface on VPS servers.

What This Skill Does

This skill helps AI agents configure UFW (Uncomplicated Firewall) on Ubuntu/Debian servers. Without a firewall, every port is potentially accessible to the internet. A properly configured firewall creates a security perimeter that only allows necessary traffic.

Key capabilities:

• Install and enable UFW firewall
• Set secure default policies (deny incoming, allow outgoing)
• Open specific ports for required services
• Configure application-specific rules
• Manage firewall rules and verify configuration
• Handle IPv4 and IPv6 traffic

When to Use

Use this skill when you need to:

• Set up a new VPS server with network security
• Restrict network access to only required services
• Implement defense in depth security
• Fix security audit findings related to open ports
• Comply with security best practices
• Protect services from unauthorized access

Critical understanding: Every open port is attack surface. Only open ports for services you're actually running.

Prerequisites

• Root or sudo access to the server
• Ubuntu or Debian-based Linux distribution
• Active SSH session (firewall must allow SSH before enabling!)
• Knowledge of which services/ports you need open

Firewall Setup Steps

Step 1: Install UFW

UFW is usually pre-installed on Ubuntu. Install if missing:

sudo apt update
sudo apt install ufw -y

Step 2: Set Default Policies

CRITICAL: Set these BEFORE enabling the firewall!

# Deny all incoming traffic by default
sudo ufw default deny incoming

# Allow all outgoing traffic by default
sudo ufw default allow outgoing

This creates a "whitelist" approach - nothing gets in unless explicitly allowed.

Step 3: Allow SSH (CRITICAL!)

WARNING: You must allow SSH before enabling UFW, or you'll lock yourself out!

sudo ufw allow ssh

Or specify the port number explicitly:

sudo ufw allow 22/tcp

If you changed SSH to a custom port (e.g., 2222):

sudo ufw allow 2222/tcp

Step 4: Allow Required Services

Add rules for services you're actually running:

Web Server (HTTP/HTTPS):

sudo ufw allow 80/tcp   # HTTP
sudo ufw allow 443/tcp  # HTTPS

Or use application profiles:

sudo ufw allow 'Nginx Full'
# or
sudo ufw allow 'Apache Full'

Common services:

# FTP
sudo ufw allow 21/tcp

# MySQL (only if remote access needed)
sudo ufw allow 3306/tcp

# PostgreSQL (only if remote access needed)
sudo ufw allow 5432/tcp

# SMTP
sudo ufw allow 25/tcp

# DNS
sudo ufw allow 53

# Custom application
sudo ufw allow 8080/tcp

Step 5: Enable UFW

After confirming SSH is allowed:

sudo ufw enable

Confirm when prompted. The firewall is now active.

Step 6: Verify Configuration

Check firewall status and rules:

sudo ufw status verbose

Expected output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere

Advanced Firewall Configuration

Allow from Specific IPs

Restrict access to specific IP addresses:

# Allow SSH only from specific IP
sudo ufw allow from 203.0.113.10 to any port 22

# Allow MySQL only from application server
sudo ufw allow from 203.0.113.20 to any port 3306

# Allow entire subnet
sudo ufw allow from 192.168.1.0/24

Deny Specific IPs

Block malicious IPs:

sudo ufw deny from 203.0.113.100

Port Ranges

Open a range of ports:

sudo ufw allow 6000:6007/tcp

Limit Connections (Rate Limiting)

Protect against brute-force attacks:

# Limit SSH connections (max 6 in 30 seconds)
sudo ufw limit 22/tcp

This works well for SSH but fail2ban is better for comprehensive protection.

Delete Rules

Remove a firewall rule:

# By rule number (get number from 'ufw status numbered')
sudo ufw status numbered
sudo ufw delete 3

# By rule specification
sudo ufw delete allow 80/tcp

Application Profiles

List available application profiles:

sudo ufw app list

Show profile details:

sudo ufw app info 'Nginx Full'

Create custom application profile in /etc/ufw/applications.d/myapp:

[MyApp]
title=My Application
description=My custom application
ports=8080,8443/tcp

Then reload and use:

sudo ufw app update MyApp
sudo ufw allow 'MyApp'

UFW Management Commands

Check Status

# Basic status
sudo ufw status

# Detailed status
sudo ufw status verbose

# Numbered rules (for deletion)
sudo ufw status numbered

Enable/Disable

# Enable firewall
sudo ufw enable

# Disable firewall (temporarily)
sudo ufw disable

# Reload rules
sudo ufw reload

Reset UFW

WARNING: This removes ALL rules!

sudo ufw reset

Logging

# Enable logging
sudo ufw logging on

# Set logging level (low, medium, high, full)
sudo ufw logging medium

# Disable logging
sudo ufw logging off

View logs:

sudo tail -f /var/log/ufw.log

Common Firewall Configurations

Basic Web Server

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

Web + Database Server

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow from 203.0.113.0/24 to any port 3306  # DB from app servers only
sudo ufw enable

Restricted SSH Access

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow from 203.0.113.10 to any port 22  # SSH from office IP only
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

Security Best Practices

1. Default deny - Start with deny all, then allow specific services
2. Minimal ports - Only open what you actually use
3. IP restrictions - Limit admin access to known IPs when possible
4. Regular audits - Review rules periodically: sudo ufw status numbered
5. Combine with fail2ban - Add dynamic blocking for brute-force attempts
6. Monitor logs - Check /var/log/ufw.log for suspicious activity
7. Test before enabling - Always allow SSH first!
8. Document rules - Keep notes on why each port is open

Troubleshooting

Locked Out After Enabling UFW

Prevention:

• Always allow SSH before enabling: sudo ufw allow ssh
• Test in a new terminal before closing existing sessions

Recovery:

• Use hosting provider's console/VNC access
• Disable firewall: sudo ufw disable
• Add SSH rule: sudo ufw allow ssh
• Re-enable: sudo ufw enable

Service Not Accessible

# Check if port is allowed
sudo ufw status | grep <port>

# Check if service is listening
sudo ss -tulpn | grep <port>

# Check logs for blocks
sudo tail -f /var/log/ufw.log

UFW Not Starting

# Check status
sudo systemctl status ufw

# Enable UFW service
sudo systemctl enable ufw
sudo systemctl start ufw

# Check for errors
sudo journalctl -u ufw

IPv6 Issues

Enable IPv6 in /etc/default/ufw:

IPV6=yes

Then reload:

sudo ufw reload

Common Mistakes to Avoid

• ❌ Enabling UFW before allowing SSH (lockout!)
• ❌ Opening all ports "temporarily" and forgetting to close them
• ❌ Not testing rules before going to production
• ❌ Allowing database ports from anywhere (0.0.0.0/0)
• ❌ Forgetting to enable UFW after configuration
• ❌ Not documenting why ports are open
• ❌ Disabling firewall instead of troubleshooting issues

UFW vs iptables

UFW is a frontend for iptables that simplifies firewall management:

• UFW: User-friendly, simple syntax, good for most cases
• iptables: Full control, complex syntax, advanced scenarios

UFW rules are translated to iptables rules under the hood. For advanced needs, you can still use iptables directly, but UFW is recommended for most users.

Additional Resources

See references/ufw-rules.md for complete UFW rule reference.

See scripts/setup-firewall.sh for automated setup script.

Related Skills

• ssh-hardening - Secure SSH before enabling firewall
• fail2ban-setup - Add dynamic IP blocking
• auto-updates - Keep firewall software updated