How to Set Up Debian Firewall (Debian UFW)

Debian, commonly known as Debian GNU/Linux, is one of the oldest Linux-based operating systems. It is developed by the community-supported Debian Project, which was founded by Ian Murdock in 1993. Many other distributions, including Ubuntu, are based on Debian. Debian releases a new stable branch every two years. It will be supported for around three years, including updates for major security and usability issues. A total of 5 years of security support is available for each Debian release.

The Debian installation comes with a default firewall, iptables, configured to allow all traffic. For access control, Debian includes a built-in L4 packet filtering system called Netfilter, as well as an interface called iptables for configuring the Netfilter. When a packet arrives at the server, it is routed to the Netfilter subsystem, which accepts, manipulates, or rejects it based on the rules provided by userspace through iptables.

'iptables' is a firewall solution that is highly configurable and adaptable. Learning iptables principles and becoming an iptables guru, on the other hand, may be cumbersome. Because iptables firewall configuration is difficult for an average user, many iptables frontend applications have been developed.

The Uncomplicated Firewall (ufw) is an iptables frontend application that includes a framework for managing netfilter and a command-line interface (CLI) for interacting with the firewall. It is particularly useful for host-based firewalls. The Uncomplicated Firewall (ufw) provides a user-friendly way to manage netfilter. ufw not only provides an easy-to-use interface for those unfamiliar with firewall concepts, but it also simplifies complex iptables instructions to assist an experienced system administrator.

To defend Debian servers from cyber threats, it is common to configure 'ufw' as a host-based firewall. The Debian server can also be configured as a firewalling and routing platform for networks, especially small business (SMB) and home networks, with the help of 'ufw'.

In this article, we'll explain how to install The Uncomplicated Firewall (ufw) on a Debian 10/11/12 server and how to use Zenarmor to enable next-generation firewall features like content and application filtering.

What are the Requirements to Install a Firewall on Debian 10/11/12 with UFW?

To follow the Uncomplicated Firewall (ufw) configuration tutorial you will need:

  • A Debian 10 Buster or Debian 11 Bullseye or Debian 12 Bookworm Server and

  • Privileged access to your Debian system as root or via the sudo command. The best practice is to run administrative commands as a sudo user.

warning

All given commands are to be executed with root privileges either directly as a root user or by use of the sudo command.

What are the Steps to Install a Firewall with UFW on Debian 10/11/12?

You can easily set up a host-based firewall by configuring the UFW on your Debian server. UFW installation and configuration steps are given below:

1. UFW Installation

On Debian server distributions, UFW is pre-installed software. As a result, you should not have to install the ufw package on your server. If it is not already installed on your system, you can install ufw package on your Debian server manually by following the instructions below:

  1. Update your local package index by running the next command:

    sudo apt update && sudo apt upgrade -y

  2. Install the ufw package by running the following command:

    sudo apt-get install ufw -y

The output should look something like this:

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
ufw
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/164 kB of archives.
After this operation, 852 kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously unselected package ufw.
(Reading database ... 158348 files and directories currently installed.)
Preparing to unpack .../archives/ufw_0.36-1_all.deb ...
Unpacking ufw (0.36-1) ...
Setting up ufw (0.36-1) ...
Creating config file /etc/ufw/before.rules with new version
Creating config file /etc/ufw/before6.rules with new version
Creating config file /etc/ufw/after.rules with new version
Creating config file /etc/ufw/after6.rules with new version
Created symlink /etc/systemd/system/multi-user.target.wants/ufw.service → /lib/systemd/system/ufw.service.
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for rsyslog (8.1901.0-1) ...
Processing triggers for systemd (241-7~deb10u8) ...

2. UFW Uninstallation

You can uninstall the ufw package from your Debian server by running the following command:

sudo apt autoremove ufw --purge -y

The output should look something like this:

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:

ufw*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 852 kB disk space will be freed.
(Reading database ... 158456 files and directories currently installed.)
Removing ufw (0.36-1) ...
Skip stopping firewall: ufw (not enabled)
Processing triggers for man-db (2.8.5-2) ...
(Reading database ... 158363 files and directories currently installed.)
Purging configuration files for ufw (0.36-1) ...
Processing triggers for systemd (241-7~deb10u8) ...
Processing triggers for rsyslog (8.1901.0-1) ...

warning

It is not recommended to remove the UFW from a server that is accessible from the Internet if you don't know how to use iptables or have a reasonable alternative.

3. Enable UFW

By default, ufw is disabled on Debian 10/11/12 servers.

tip

ufw allows you to add rules before enabling the firewall. Therefore, if you are remotely connected to your server using ssh, you should run the following:

sudo ufw allow proto tcp from any to any port 22

The output should look something like this:

Rule added
Rule added (v6)

The ssh port will be open after the firewall is enabled.

To enable ufw, run the following command:

sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

After running the above command, the firewall is activated and enabled when the system boots up. By default, all incoming traffic is automatically blocked and all outgoing traffic is permitted once the firewall is operational. The firewall immediately protects your system by preventing anyone from remotely connecting to it.

warning

Please beware that to be able to log in to your server you must explicitly allow incoming SSH connections before enabling the UFW firewall.

You may verify the status of UFW to make sure it is active without any error by running the next command:

sudo ufw status

This displays output similar to the following:

Status: active

To Action From
-- ------ ----
22/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)

4. Checking the Status and Rules of the UFW

To check the firewall status and ufw rules, you may run the following command:

sudo ufw status verbose

To view the ufw rules with their sequence numbers, you may run the next command:

sudo ufw status numbered

The output should look something like this:

Status: active

To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 22/tcp (v6) ALLOW IN Anywhere (v6)

5. Configuring UFW Default Policies

By default, UFW blocks all incoming network packets while allowing all outgoing packets. As a result, unless you explicitly open a service port, no one can connect to your server, whereas all applications running on your server will be able to communicate with the outside world.

The /etc/default/ufw file stores the UFW default policies. You may change the default policies by running the next command:

sudo ufw default allow|deny|reject [incoming|outgoing|routed]

All outgoing connections should be blocked as a best practice, and only approved outbound connections should be allowed. You can accomplish this by issuing the following command:

sudo ufw default deny outgoing

warning

In such cases, you need to maintain all permitted outgoing connections by defining the related allow rules.

6. Managing UFW Application Profiles

The application profile, which includes the service description and UFW settings, is created in the /etc/ufw/applications.d directory during the installation of an application package using the 'apt' command.

The syntax for application profiles is simple, using the .INI file format:

[<name>]
title=<title>
description=<description>
ports=<ports>

The ports field specifies a |-separated list of ports/protocols, with the protocol being optional. Multiple ports can also be specified using a comma-separated list or a range (written as start:end), in which case the protocol is required.

To list all application profiles available on your server run the following command:

sudo ufw app list

Depending on the applications installed on your system, the output will look something like this:

Available applications:
AIM
Bonjour
CIFS
DNS
Deluge
IMAP
IMAPS
IPP
KTorrent
Kerberos Admin
Kerberos Full
Kerberos KDC
Kerberos Password
LDAP
LDAPS
LPD
MSN
MSN SSL
Mail submission
NFS
OpenSSH
POP3
POP3S
PeopleNearby
SMTP
SSH
Socks
Telnet
Transmission
Transparent Proxy
VNC
WWW
WWW Cache
WWW Full
WWW Secure
XMPP
Yahoo
qBittorrent
svnserve

To view details of the firewall profile for a specific application, run the following command:

sudo ufw app info '<name>'

where <name> is one of the apps listed by the app list command.

For example, you may view the details on the firewall profile for WWW Full by running the following command:

sudo ufw app info 'WWW Full'

And, the output may be similar to this:

Profile: WWW Full
Title: Web Server (HTTP,HTTPS)
Description: Web Server (HTTP,HTTPS)

Ports:
80,443/tcp

You may also see profiles for all known applications with the following command:

sudo ufw app info all

This is a useful feature when you're looking into open ports on your server and aren't sure what applications they belong to or what the application does.

When the default port of an application is changed, you may edit the application profile file. After editing an application profile, you must run the following command to update the firewall with the most recent profile information:

sudo ufw app update '<name>'

If you enter 'all' for the name, all profiles will be updated.
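As an added example (not from the original article or the ufw project), the following shell script writes a custom application profile in the .INI layout described above and reads its ports field back. The profile name "Example Dashboard", its title and its ports are constructed sample values, and the script writes to a temporary directory unless PROFILE_DIR is set, so it can be tried without root; set PROFILE_DIR=/etc/ufw/applications.d to install the profile for real.

```shell
#!/bin/sh
# Added example, not part of the original article or of ufw itself.
# Writes a ufw application profile and validates the ports= field against the
# rules given in the article: entries separated by '|', each "port[/proto]";
# a comma list or a start:end range must carry /tcp or /udp.
PROFILE_DIR="${PROFILE_DIR:-$(mktemp -d)}"   # assumption: temp dir when unset

# profile_file NAME: path of the profile file for NAME (spaces become '-').
profile_file() {
    printf '%s/%s\n' "$PROFILE_DIR" "$(printf '%s' "$1" | tr ' ' '-')"
}

# write_profile NAME TITLE DESCRIPTION PORTS: write the profile file.
# Returns 1 and writes nothing if PORTS is empty, contains spaces, or has a
# list/range entry without an explicit protocol.
write_profile() {
    name=$1; title=$2; desc=$3; ports=$4
    case "$ports" in
        ''|*' '*) printf 'write_profile: bad ports spec "%s"\n' "$ports" >&2; return 1 ;;
    esac
    for entry in $(printf '%s' "$ports" | tr '|' ' '); do
        case "$entry" in
            *[:,]*)   # comma list or range: protocol is mandatory
                case "$entry" in
                    */tcp|*/udp) ;;
                    *) printf 'write_profile: "%s" needs /tcp or /udp\n' "$entry" >&2; return 1 ;;
                esac ;;
        esac
    done
    printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' \
        "$name" "$title" "$desc" "$ports" > "$(profile_file "$name")"
}

# profile_ports NAME: print the ports= value from NAME's profile file.
profile_ports() {
    sed -n 's/^ports=//p' "$(profile_file "$1")"
}

# Constructed sample: an internal dashboard on 8443/tcp plus a metrics range.
write_profile 'Example Dashboard' 'Example Dashboard' \
    'Internal dashboard (HTTPS) and metrics exporters' '8443/tcp|9100:9110/tcp'
profile_ports 'Example Dashboard'    # prints 8443/tcp|9100:9110/tcp
```

After installing a profile into /etc/ufw/applications.d, run sudo ufw app update 'Example Dashboard' (or app update all) as described above, and the new name appears in sudo ufw app list and can be used in allow rules.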

7. Enabling IPv6

UFW supports both IPv4 and IPv6 addresses. By default, IPv4/v6 addresses are enabled. If you have an IPv6 enabled Debian system, to verify that IPv6 address support is enabled on your UFW, you may follow the next steps given below:

  1. Edit the /etc/default/ufw file with your favorite program such as vi or nano.

  2. Find the related line and set it to IPV6=yes.

  3. Save and close the file.

  4. To enable IPv6 by activating the changes on the /etc/default/ufw file run the following command:

    sudo ufw reload

8. Allow SSH Connections

To configure your UFW firewall to allow incoming SSH connections, you may run one of the following commands:

sudo ufw allow ssh

or

sudo ufw allow 22

If you have configured a custom listening port for SSH connections other than the default port 22, you need to run the following command to allow SSH:

sudo ufw allow <port-number>

For instance, if your SSH service runs on port 2222, then you can run the following command to allow connections on that port:

sudo ufw allow 2222

Now that your firewall is configured to allow incoming SSH connections, you can enable it by running:

sudo ufw enable

You will be warned that enabling the firewall may disrupt existing ssh connections; just type y and press Enter.

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Limiting SSH connections

Connection rate limiting is supported by ufw, which is useful for preventing brute-force login attacks. When you enable the limit feature for SSH, ufw normally allows SSH connections but denies them if an IP address tries to initiate 6 or more connections within 30 seconds. To limit SSH connections and prevent brute-force attacks, type the following command:

sudo ufw limit ssh/tcp

9. Allowing Additional Connections

UFW can be configured to open specific ports, allowing specific services on your server to be accessed from the outside. UFW Rules can be specified using either

  • a simple syntax or

  • a full syntax.

The simple syntax only specifies the host's port and, optionally, the protocol to be allowed or denied. The following is the general simple syntax for an allow rule:

sudo ufw allow <port-number>

The full syntax, which is more complete, specifies the source and destination addresses as well as the ports. The general full syntax for an allow rule is given below:

sudo ufw allow <port-number>/<protocol>

or

ufw allow [proto PROTOCOL] [from ADDRESS [port PORT | app APPNAME ]] [to ADDRESS [port PORT | app APPNAME ]] [comment COMMENT]

You can also add comments to your firewall rules using the 'comment' parameter to help explain your entry. To add a comment to an existing UFW firewall rule, just write the same rule with the comment parameter.

In this section, we will begin with simple syntax examples for connecting to the most common services, such as HTTP(S) and FTP. Then, for experienced administrators, we will go over the UFW full syntax usage.

Open FTP Service Port (20:21/TCP)

To allow incoming FTP connections, you must allow port 20 and port 21 by entering the following commands:

sudo ufw allow 21/tcp
sudo ufw allow 20/tcp

Open MySQL Service Port (3306/TCP)

To allow incoming MySQL connections, run one of the following commands.

  1. To allow by service name, run the following command:

    sudo ufw allow mysql
  2. To allow by port number, run the following command (full syntax):

    sudo ufw allow 3306/tcp

Open HTTPS Service Port (443)

On Debian, to open port 443 and allow HTTPS connections you may run one of the following commands.

  1. To allow by service name, run the following command:

    sudo ufw allow https
  2. To allow by port number, run the following command (full syntax):

    sudo ufw allow 443/tcp
  3. To allow by application profile, you may run the following command for NGINX:

    sudo ufw allow 'WWW Secure'

Open HTTP Service Port (80)

On Debian, to open port 80 and allow HTTP connections you may run one of the following commands.

  1. To allow by port number, run the following command (full syntax):

    sudo ufw allow 80/tcp
  2. To allow by service name, run the following command:

    sudo ufw allow http
  3. To allow by application profile, you may run the following command for NGINX:

    sudo ufw allow 'WWW'

tip

You can also enable both HTTP and HTTPS services by running the following command:

sudo ufw allow 'WWW Full'

Open DNS Service Port (53)

If you are running a DNS server on your Debian server, to allow your clients to send DNS queries to your server you must allow incoming DNS connections by running one of the following commands:

sudo ufw allow 53 comment 'DNS server'

or

sudo ufw allow dns comment 'DNS server'

These commands will allow TCP and UDP port 53 to any address on the server.

Open WireGuard Service Port(51820/UDP)

To allow VPN client connections to your WireGuard server, run the following command:

sudo ufw allow 51820/udp comment 'WireGuard VPN server'

Open OpenVPN Service Port (1194/UDP)

To allow VPN client connections to your OpenVPN server, run the following command:

sudo ufw allow 1194/udp comment 'OpenVPN server'

Open Email Service Ports

The ports used for mail delivery by each of the TCP/IP protocols are listed in the table below.

Server   Port
------   ----
SMTP     25, or 587 (for TLS), or 465 (for SSL)
POP      110
POPS     995
IMAP     143
IMAP3    993

When you provide an email service on your Debian server, you must run the following commands to allow email connections:

sudo ufw allow 25 comment 'allow smtp connections'
sudo ufw allow 587 comment 'allow smtp tls connections'
sudo ufw allow 465 comment 'allow smtp ssl connections'
sudo ufw allow 995 comment 'allow pops connections'
sudo ufw allow 110 comment 'allow pop3 connections'
sudo ufw allow 143 comment 'allow imap connections'
sudo ufw allow 993 comment 'allow imap3 connections'

10. Allowing Port Ranges

You can allow incoming connections for a range of ports using : between the port numbers. However, you must specify the protocol, either tcp or udp. For example,

sudo ufw allow 55100:55200/tcp

You may also allow multiple ports at once by separating the port numbers with a comma. For example,

sudo ufw allow 22,80,443/tcp

11. Allow Connections From Only a Trusted IP Address

You may need to allow the administrator to access the server without any restrictions. To allow access to all ports from an IP address, such as 10.10.10.100, specify from followed by the IP address you need to whitelist:

sudo ufw allow from 10.10.10.100

12. Allow Connections From a Trusted IP Address on Specific port

You may need to restrict connections from a specific IP address to a single port. For example, on your server, the MySQL service (3306) can only be accessed by the application server with the IP address 10.10.10.10. To accomplish this, run the following command:

sudo ufw allow from 10.10.10.10 to any port 3306

13. Allow Connections From Trusted Subnets

To grant access to all ports from a Subnet address, such as 10.10.0.0/24, enter from followed by the network address to whitelist. For example, you could grant users on the subnet 10.10.0.0/24 access to the FTP service by running the following command:

sudo ufw allow from 10.10.0.0/24 to any port 20:21 proto tcp

14. Allow Connections From a Specific Interface

ufw applies rules to all available interfaces by default. You can limit this by specifying the DIRECTION on a specific interface. The DIRECTION can be either:

  • in for incoming connections or

  • out for outgoing connections.

If you want to create a firewall rule that only applies to a specific network interface, enter allow in on followed by the network interface name.

To allow all new incoming HTTP connections on ens18, for example, use:

sudo ufw allow in on ens18 to any port 80 proto tcp
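As an added example (not from the original article or the ufw project), the following shell script keeps the kinds of rules shown in sections 9 to 14 in a small, reviewable table and generates the full-syntax ufw commands from it. The source addresses, the interface name ens18, the ports and the comments are constructed sample values. The commands are only printed unless APPLY=1 is set and ufw is installed, so the change can be reviewed before it touches the firewall.

```shell
#!/bin/sh
# Added example, not part of the original article or of ufw itself.
# Each RULES row: <source> <port-or-range> <proto> <interface> <comment>
# Use "any" where no source restriction or no interface binding is wanted.
# All values below are constructed sample data.
RULES='
any           22     tcp  any    ssh-admin
10.10.10.10   3306   tcp  ens18  mysql-from-app-server
10.10.0.0/24  20:21  tcp  any    ftp-from-office-lan
any           51820  udp  any    wireguard
'

# build_commands: print one "ufw allow ..." line per table row, in the
# full syntax used in the article (from ... to any port ... proto ... comment).
build_commands() {
    printf '%s\n' "$RULES" | while read -r src port proto iface note; do
        if [ -z "$src" ]; then continue; fi          # skip blank lines
        cmd="ufw allow"
        if [ "$iface" != any ]; then cmd="$cmd in on $iface"; fi
        cmd="$cmd from $src to any port $port proto $proto comment '$note'"
        printf '%s\n' "$cmd"
    done
}

# apply_rules: run the generated commands only when the caller sets APPLY=1
# and ufw is present; otherwise print them prefixed with "DRY RUN:".
apply_rules() {
    build_commands | while read -r line; do
        if [ "${APPLY:-0}" = 1 ] && command -v ufw >/dev/null 2>&1; then
            eval "sudo $line"      # eval keeps the quoted comment intact
        else
            printf 'DRY RUN: %s\n' "$line"
        fi
    done
}

apply_rules
```

Because the table is the source of truth, the same file can be kept under version control and re-applied after a sudo ufw reset, and a reviewer sees every exposure (port, protocol, source, interface) on one line.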

15. Denying Connections

If you haven't changed the default policy for incoming connections, UFW blocks all incoming connections unless you explicitly allow them. If you want to deny access to a specific port, use the deny command and, optionally, the protocol:

sudo ufw deny <port>/<protocol>

For example, suppose you have an HTTP(S) web server that is publicly accessible from anywhere in the world. Furthermore, you may need to block connections coming from an untrustworthy IP address, such as 122.133.144.155, which is used to carry out cyber attacks on your web server. You can use one of the following commands to deny all connections from a specific IP address:

sudo ufw deny from 122.133.144.155

or

sudo ufw deny from 122.133.144.155 to any port 80,443 proto tcp

In addition, if you want to change your default incoming policy to accept connections, you'll need to define deny rules for any services or IP addresses that you don't want to accept connections from. It is strongly advised, for example, that you restrict access to your SSH port (22) to only your trusted IP addresses. You can use the following command to prevent any incoming connections to the SSH port:

sudo ufw deny ssh/tcp

16. Denying ICMP/Ping Request

Ping requests are allowed by default in UFW. However, you may need to block ICMP echo requests for security reasons. To deny ping packets, take the following steps:

  1. Edit /etc/ufw/before.rules with your favorite editor, such as nano. The rules in this file are evaluated before any rules added via the ufw command.

  2. Remove or comment out the lines given below:

    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

    Commenting out only the echo-request line is enough to stop ping; the other three ICMP types carry error signalling (for example path MTU discovery) that ordinary connections rely on.

  3. Save and close the file.

  4. To activate the changes, reload ufw by running the next command:

    sudo ufw reload

17. Deleting Rules

You may delete the UFW rules from your Debian server in two different ways:

1. Rule Number

It's easier to delete UFW rules by rule number, especially if you're a novice user. To delete a rule by number, follow the next steps:

  • You must first find the number of the rule you wish to delete by typing the following command:

    sudo ufw status numbered

    You should see the output similar to the following:

    Status: active
    To Action From
    ------------
    [ 1] 22/tcp LIMIT IN Anywhere
    [ 2] 2222 ALLOW IN Anywhere
    [ 3] 21/tcp ALLOW IN Anywhere
    [ 4] 20/tcp ALLOW IN Anywhere
    [ 5] 3306 ALLOW IN Anywhere
    [ 6] 3306/tcp ALLOW IN Anywhere
    [ 7] 443/tcp ALLOW IN Anywhere
    [ 8] WWW ALLOW IN Anywhere
    [ 9] WWW Secure ALLOW IN Anywhere
    [10] WWW Full ALLOW IN Anywhere
    [11] 80/tcp ALLOW IN Anywhere
    [12] 51820/udp ALLOW IN Anywhere # WireGuard VPN server
    [13] 1194/udp ALLOW IN Anywhere # OpenVPN server
    [14] 53 ALLOW IN Anywhere # DNS server
    [15] DNS ALLOW IN Anywhere # DNS server
    [16] 25 ALLOW IN Anywhere # allow smtp connections
    [17] 587 ALLOW IN Anywhere # allow smtp tls connections
    [18] 465 ALLOW IN Anywhere # allow smtp ssl connections
    [19] 995 ALLOW IN Anywhere # allow pops connections
    [20] 110 ALLOW IN Anywhere # allow pop3 connections
    [21] 143 ALLOW IN Anywhere # allow imap connections
    [22] 993 ALLOW IN Anywhere # allow imap3 connections
    [23] 55100:55200/tcp ALLOW IN Anywhere
    [24] 22,80,443/tcp ALLOW IN Anywhere
    [25] Anywhere ALLOW IN 10.10.10.100
    [26] 3306 ALLOW IN 10.10.10.10
    [27] 20:21/tcp ALLOW IN 10.10.0.0/24
    [28] Anywhere DENY IN 122.133.144.155
    [29] 80,443/tcp DENY IN 122.133.144.155
    [30] 22/tcp (v6) LIMIT IN Anywhere (v6)
    [31] 2222 (v6) ALLOW IN Anywhere (v6)
    [32] 21/tcp (v6) ALLOW IN Anywhere (v6)
    [33] 20/tcp (v6) ALLOW IN Anywhere (v6)
    [34] 3306 (v6) ALLOW IN Anywhere (v6)
    [35] 3306/tcp (v6) ALLOW IN Anywhere (v6)
    [36] 443/tcp (v6) ALLOW IN Anywhere (v6)
    [37] WWW (v6) ALLOW IN Anywhere (v6)
    [38] WWW Secure (v6) ALLOW IN Anywhere (v6)
    [39] WWW Full (v6) ALLOW IN Anywhere (v6)
    [40] 80/tcp (v6) ALLOW IN Anywhere (v6)
    [41] 51820/udp (v6) ALLOW IN Anywhere (v6) # WireGuard VPN server
    [42] 1194/udp (v6) ALLOW IN Anywhere (v6) # OpenVPN server
    [43] 53 (v6) ALLOW IN Anywhere (v6) # DNS server
    [44] DNS (v6) ALLOW IN Anywhere (v6) # DNS server
    [45] 25 (v6) ALLOW IN Anywhere (v6) # allow smtp connections
    [46] 587 (v6) ALLOW IN Anywhere (v6) # allow smtp tls connections
    [47] 465 (v6) ALLOW IN Anywhere (v6) # allow smtp ssl connections
    [48] 995 (v6) ALLOW IN Anywhere (v6) # allow pops connections
    [49] 110 (v6) ALLOW IN Anywhere (v6) # allow pop3 connections
    [50] 143 (v6) ALLOW IN Anywhere (v6) # allow imap connections
    [51] 993 (v6) ALLOW IN Anywhere (v6) # allow imap3 connections
    [52] 55100:55200/tcp (v6) ALLOW IN Anywhere (v6)
    [53] 22,80,443/tcp (v6) ALLOW IN Anywhere (v6)
  • After viewing the numbered rule list, to delete the rule, such as with number 24, run the following command:

    sudo ufw delete 24

    The output should look something like this:

    Deleting:
    allow 22,80,443/tcp
    Proceed with operation (y|n)? y
    Rule deleted

    Before it is deleted, you will be asked for confirmation. Type "y" and then "Enter" if you're sure. Type "n" to cancel the procedure if you make a mistake.

2. Specifying the Actual Rule

You can also delete a rule by specifying the actual rule, for example, if you added a rule to open port 8080 you can delete it with the next command:

sudo ufw delete allow 8080
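One caveat when deleting several rules by number: ufw renumbers the remaining rules after every deletion, so deleting in ascending order hits the wrong rules from the second command on. As an added example (not from the original article or the ufw project), the following shell script selects rules from "ufw status numbered" output by pattern and emits the delete commands highest number first. SAMPLE_STATUS is a constructed excerpt in the format shown above; export UFW_STATUS="$(sudo ufw status numbered)" to work on the live rule set.

```shell
#!/bin/sh
# Added example, not part of the original article or of ufw itself.
# Constructed "ufw status numbered" excerpt used when UFW_STATUS is not set.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 3306                       ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    Anywhere
[ 4] 3306                       ALLOW IN    10.10.10.10
[ 5] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 6] 3306 (v6)                  ALLOW IN    Anywhere (v6)'

# status_text: the listing being worked on (live output if UFW_STATUS is set).
status_text() {
    if [ -n "${UFW_STATUS:-}" ]; then printf '%s\n' "$UFW_STATUS"
    else printf '%s\n' "$SAMPLE_STATUS"; fi
}

# rule_numbers PATTERN: numbers of the rules whose text, with the [ n]
# prefix stripped and whitespace squeezed, matches the extended regex
# PATTERN, one per line in listing order.
rule_numbers() {
    status_text | tr -s ' ' \
        | sed -n 's/^\[ *\([0-9][0-9]*\)\] */\1 /p' \
        | grep -E "^[0-9]+ $1" | cut -d' ' -f1
}

# delete_commands PATTERN: "ufw delete N" for each matching rule, highest
# number first so that every command still points at the intended rule.
delete_commands() {
    rule_numbers "$1" | sort -rn | sed 's/^/ufw delete /'
}

# Remove the MySQL rules open to Anywhere (IPv4 and IPv6) while keeping the
# one limited to 10.10.10.10. Prints:  ufw delete 6  then  ufw delete 2
delete_commands '3306( \(v6\))? ALLOW IN Anywhere'
```

To run the generated lines non-interactively, prefix them with sudo and add --force (sudo ufw --force delete 6), which skips the y/n confirmation shown above.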

18. UFW Disabling or Resetting

If you need to stop UFW and deactivate all the rules for any reason, use the following command:

sudo ufw disable

The output should look something like this:

Firewall stopped and disabled on system startup

If you need to re-enable UFW and activate all rules later, execute the following command:

sudo ufw enable

When you reset UFW, all active rules are deleted and the firewall is reset to its default settings. This is a good option if you want to undo all of your changes and start over.

Type the following command to reset UFW:

sudo ufw reset

19. UFW Logging

By default, all UFW entries are logged with the 'low' log level into the /var/log/ufw.log file. A higher level of logging may be required. There are numerous logging levels to choose from, and you can select your preferred option based on which firewall logs you want to save.

  • off: ufw logging is turned off.
  • low: logs blocked packets that do not match the rules you have specified, and packets that match rules you have marked for logging.
  • medium: everything at level low, plus allowed packets that do not match the rules, invalid packets, and all new connections to your server.
  • high: everything at level medium without rate limiting, plus all other packets with rate limiting.
  • full: all firewall packets are logged, with no rate limiting at all.

To set your UFW logging level, use the command below.

sudo ufw logging LEVEL

For example:

sudo ufw logging full

To enable logging for a specific firewall rule, such as SSH, use the following command:

sudo ufw allow log 22/tcp

To disable the UFW logging feature, you may run the following command:

sudo ufw logging off

warning

Above medium log levels, a large amount of logging output is generated, quickly filling up your disk. The log level medium may generate a large amount of logging output on a busy system.
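Logging is only useful if someone reads it. As an added example (not from the original article or the ufw project), the following shell script summarises ufw log lines: blocked packets per source address, the destination ports a given source was refused on, and how many packets the SSH rate limit from "ufw limit ssh/tcp" dropped (those are logged with the [UFW LIMIT BLOCK] prefix). SAMPLE_LOG is constructed, using documentation address ranges and a fake MAC; set UFW_LOG=/var/log/ufw.log to run the same functions over the real file.

```shell
#!/bin/sh
# Added example, not part of the original article or of ufw itself.
# Constructed sample log in the kernel/ufw format (used when UFW_LOG is unset).
SAMPLE_LOG='Jan 10 09:00:01 deb kernel: [ 101.1] [UFW BLOCK] IN=ens18 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=1 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 09:00:02 deb kernel: [ 102.1] [UFW BLOCK] IN=ens18 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=2 PROTO=TCP SPT=44322 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 09:00:03 deb kernel: [ 103.1] [UFW BLOCK] IN=ens18 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 09:00:04 deb kernel: [ 104.1] [UFW LIMIT BLOCK] IN=ens18 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=4 PROTO=TCP SPT=44330 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 09:00:05 deb kernel: [ 105.1] [UFW ALLOW] IN=ens18 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.10.10.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=TCP SPT=40000 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0'

# read_log: the log being analysed (real file if UFW_LOG is set).
read_log() {
    if [ -n "${UFW_LOG:-}" ]; then cat "$UFW_LOG"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# blocked_by_source: count blocked packets ([UFW BLOCK] and [UFW LIMIT BLOCK])
# per SRC address, busiest first. Output lines: "<count> <src>".
blocked_by_source() {
    read_log | awk '/\[UFW (LIMIT )?BLOCK\]/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
    } END { for (s in n) print n[s], s }' | sort -rn
}

# blocked_ports_for SRC: distinct destination ports SRC was refused on,
# numerically sorted, space separated. The trailing space in the search
# key avoids matching 203.0.113.5 against 203.0.113.50.
blocked_ports_for() {
    read_log | awk -v key="SRC=$1 " '/\[UFW (LIMIT )?BLOCK\]/ && index($0, key) {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^DPT=/) { sub(/^DPT=/, "", $i); print $i }
    }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# limit_hits: packets dropped by the SSH rate limit (ufw limit ssh/tcp).
limit_hits() {
    read_log | grep -c '\[UFW LIMIT BLOCK\]'
}

printf 'Blocked packets by source:\n'; blocked_by_source
printf 'Ports refused to 203.0.113.5: %s\n' "$(blocked_ports_for 203.0.113.5)"
printf 'SSH rate-limit drops: %s\n' "$(limit_hits)"
```

[UFW ALLOW] lines appear only for rules created with the log keyword (sudo ufw allow log 22/tcp); everything else at the default low level is a block, so a source that shows up repeatedly against several ports is the kind of entry worth feeding to an IDS or a blocklist review.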

20. Testing UFW Rules

To test your UFW rules, use the '--dry-run' option. It is a useful alternative when tinkering with firewall settings. The following command shows the changes that would be made, without applying them:

sudo ufw --dry-run enable

What are the Best Practices for UFW Rule Management in Debian?

On Debian systems, UFW (Uncomplicated Firewall) is a simple yet powerful tool for managing network traffic. While setting up a firewall is an essential first step, maintaining its effectiveness depends on how well it's managed over time. UFW's true power is in how you maintain, document, and test the rules you create. Below are some of the most important best practices for managing UFW on Debian effectively.

  • Start with a "Default Deny" Policy: The fundamental principle of firewall security is to "Block everything, allow only what's necessary." In UFW, you can enforce this approach with the following commands.

    sudo ufw default deny incoming
    sudo ufw default allow outgoing

    This setup blocks all incoming traffic by default, except for what you explicitly allow. Many Linux systems automatically run services like SSH, HTTP, or NTP after installation, making them accessible over the network. Without strict default rules, these could remain unintentionally open to the public. Applying a default deny policy ensures that only authorized traffic gets through, reducing your attack surface and giving you full control over what's exposed.

  • Don't Enable UFW Without First Allowing SSH Access: Before enabling UFW, you must ensure that your remote access, typically SSH over port 22, is allowed.

    sudo ufw allow ssh

    Failing to do this can lock you out of your own server. When UFW is activated, all incoming connections are blocked unless rules are already in place. If you haven't whitelisted SSH, you may be unable to reconnect once your current session ends, and recovery may be impossible without physical or console access. This is particularly critical on headless servers, VPS instances, or systems in data centers.

  • Add Descriptions to Your Rules: If you're managing multiple services, it helps to label your rules for clarity. For example:

    sudo ufw allow 443/tcp comment 'Allow HTTPS traffic'

    Adding comments helps you quickly understand the purpose behind each rule when revisiting configurations later.

  • Review and Clean Up Rules Regularly: Firewall rules can become outdated or redundant over time. To keep your setup clean and efficient, review your rules periodically.

    sudo ufw status numbered

    You can remove unnecessary rules using this command.

    sudo ufw delete [rule number]

    A lean rule set not only reduces complexity but also minimizes misconfigurations.

  • Restrict Access by IP or Interface: Not all services should be open to the entire internet. You can restrict access to specific IP addresses or networks.

    sudo ufw allow from 192.168.1.100 to any port 3306

    Or limit access to a specific network interface.

    sudo ufw allow in on eth0 to any port 443

    This is especially valuable in enterprise networks with multiple interfaces (internal, external, VPN, guest). By controlling traffic based on interface or source IP, you minimize risk and tailor access to your infrastructure's architecture.

  • Be Careful with Port Ranges: Opening broad port ranges like 8000:9000 may be required for certain applications, game servers, or microservices. But wide ranges increase the chances of unintentionally exposing unused or vulnerable services.

    Each open port is a potential doorway for reconnaissance or exploitation. The best approach is to only open ports you know are in use, and document why. This keeps your firewall tighter and your system safer.

  • Always Test Your Rules after Applying Them: Even if everything looks fine in the terminal, there's no substitute for testing from the outside. Other system-level tools (like iptables) or misconfigured services may interfere. You can test rule effectiveness using tools like nmap, telnet, or nc:

    nmap -p 22,80,443 your-server-ip

    If possible, run these tests from a separate network (e.g., a mobile hotspot or another external server) to mimic real-world access attempts. A firewall is only truly secure when its behavior has been verified.

  • Enable Logging (And Actually Review It): You can't protect what you can't see. If you don't know which connections are being allowed or denied, you're operating blind. UFW supports logging denied and accepted traffic.

    sudo ufw logging medium

    To view the log, run the next command.

    sudo less /var/log/ufw.log

    Here you'll find connection attempts, source IPs, ports, timestamps, and more. Reviewing logs helps detect brute-force attacks, misconfigurations, or suspicious activity. Logs can feed into intrusion detection systems (IDS) or be centralized for advanced analytics.

  • Back Up Your Configuration: Your firewall rules are the core of your network security strategy. It's essential to back them up, especially before making changes. You can export your current rules by running the next command.

    sudo ufw status numbered > ~/ufw_rules_backup.txt

    This file becomes your reference for audits, migrations, or quick recovery after accidental changes. For long-term resilience, store backups in version control systems (like Git) or secure cloud storage. Documenting the rule's purpose alongside backups helps teammates or future you make sense of it all.

  • Be Extra Cautious in Production Environments: Every allowed rule is an open door. Before adding one, ask: "Do we really need this open?" Unused or temporary ports often get forgotten, creating long-term vulnerabilities.

    The best practice is to permit only what's essential, from trusted sources, for the shortest time necessary. Blocking everything else not only tightens security but also makes your setup easier to reason about and maintain.
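A backup is most valuable when it is actually compared against the live rule set. As an added example (not from the original article or the ufw project), the following shell script normalises two "ufw status numbered" listings (dropping the [ n] numbers so that renumbering after a deletion is not reported as a change) and prints the rules that were removed or added relative to the saved baseline. BASELINE and CURRENT are constructed excerpts; in practice pass the contents of ~/ufw_rules_backup.txt and fresh output from sudo ufw status numbered.

```shell
#!/bin/sh
# Added example, not part of the original article or of ufw itself.
LC_ALL=C; export LC_ALL      # one collation for sort and comm

# Constructed listings: a saved baseline and what the server shows now.
BASELINE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 443/tcp                    ALLOW IN    Anywhere
[ 3] 3306                       ALLOW IN    10.10.10.10'

CURRENT='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 443/tcp                    ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere'

# normalize_rules: keep only rule lines from stdin, drop the [ n] prefix,
# squeeze whitespace and sort, so two listings compare as sets of rules.
normalize_rules() {
    sed -n 's/^\[ *[0-9][0-9]*\] *//p' | tr -s ' ' | sed 's/ $//' | sort
}

# rule_drift BASELINE_TEXT CURRENT_TEXT: print "- rule" for baseline rules
# that are gone and "+ rule" for rules not in the baseline; prints nothing
# when the two sets are identical.
rule_drift() {
    tb=$(mktemp); tc=$(mktemp)
    printf '%s\n' "$1" | normalize_rules > "$tb"
    printf '%s\n' "$2" | normalize_rules > "$tc"
    comm -23 "$tb" "$tc" | sed 's/^/- /'   # only in baseline: removed
    comm -13 "$tb" "$tc" | sed 's/^/+ /'   # only in current: added
    rm -f "$tb" "$tc"
}

# With real data: rule_drift "$(cat ~/ufw_rules_backup.txt)" "$(sudo ufw status numbered)"
rule_drift "$BASELINE" "$CURRENT"
```

Run from cron or a CI job, a non-empty result is the signal that someone changed the firewall outside the documented process; here it reports the restricted MySQL rule as removed and an unexpected 8080/tcp rule open to Anywhere as added.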

What are the Benefits of UFW?

UFW offers the following advantages:

  • Flexible: The UFW firewall is highly flexible and can be configured to allow or block traffic based on a variety of factors. UFW can filter packets by source and destination IP address, port number, protocol, and more.
  • Secure: The UFW has been tested by millions of users and is secure. The default firewall policy is set to deny, which is excellent for preventing inadvertent service exposure to the world. Default settings provide rudimentary protection for the system while enabling essential services such as SSH and DNS to operate. This feature reduces the likelihood of security-compromising misconfigurations or human errors.
  • Simple to use: The UFW is simple to use for both developers and system administrators. The syntax used by ufw makes it simple for users to define rules for permitting or preventing traffic. To permit or deny traffic on specific ports or protocols, users can use simple commands such as "ufw allow ssh" or "ufw deny http" instead of inputting complex iptables commands.
  • Integrating with other applications: ufw is the default firewall solution on Debian systems, so it is well-supported and compatible with other system components. Users can install and administer ufw by utilizing Debian's package management utilities such as apt. Integration of ufw with SSH, NFS, POP3, OpenVPN, and other application profiles is effortless. Scripting is feasible, enabling simple configuration of firewall access to these services via shell scripts or automated tools.
  • Logging: UFW's logging capabilities enable users to monitor network traffic and identify potential security concerns. Using standard Linux utilities like syslog or journalctl, users can view records.
  • Compatibility with iptables: UFW utilizes iptables as its backend, which means it is entirely compatible with iptables rules and commands. Users accustomed to iptables can migrate their rules to ufw without sacrificing functionality.

Is Debian Secure by Default?

Yes. The Debian project manages security by making information available to the public. Also, the Debian security team supports the stable branch.

Debian security advisories are compliant with the Common Vulnerabilities and Exposures vocabulary and are published on the same day that a vulnerability is publicly disclosed.

The Debian project provides guidance and tools for hardening a Debian system. You may harden your Debian system using a variety of tools either automatically or manually. By default AppArmor, a Linux kernel security module that allows the administrator to limit programs' capabilities using per-program profiles, is supported and enabled. Debian also includes an optional hardening wrapper. While it does not harden all of its software by default, it aims to include hardening choices in as many applications as possible.

As mentioned above, Debian comes with Uncomplicated Firewall installed. When you enable UFW, it blocks all incoming connections by default to protect the server against cyber attacks.

How do You Understand UFW Command Syntax?

Firewall configuration can seem intimidating at first glance. Fortunately, UFW (Uncomplicated Firewall) is designed to simplify the process and make rule management far more approachable. Once you understand how UFW commands are structured, creating and reading firewall rules becomes intuitive and even straightforward.

This section breaks down the UFW command syntax into logical components, not with a focus on technical jargon, but on understanding the logic behind how it works.

Basic Structure: How Are UFW Commands Built?

The syntax of a typical UFW command is quite readable.

sudo ufw [action] [target and parameters]

For example:

sudo ufw allow 22

This command means, "Allow incoming connections on port 22 (SSH)."

Here's what each part of the UFW command means:

  • sudo: Runs the command with administrative privileges (because firewalls operate at the system level)
  • ufw: Invokes the UFW command-line tool
  • allow: The action to perform (in this case, allow traffic)
  • 22: The target port (SSH)

Breaking Down a More Detailed UFW Rule

Let's take a closer look at a more advanced example.

sudo ufw allow from 192.168.1.100 to any port 443 proto tcp

This command can be translated to "Allow HTTPS (port 443) traffic from the IP address 192.168.1.100 over the TCP protocol to this server." And here's the breakdown of the detailed UFW command:

  • allow: The action (permit traffic)
  • from 192.168.1.100: The source IP address
  • to any: The destination is any network interface on this host
  • port 443: The destination port (HTTPS)
  • proto tcp: The protocol (TCP)

UFW's readability is one of its biggest strengths, especially for users who are newer to Linux networking.

tip

To improve your UFW usage, follow these practices.

  • Start Simple, Then Expand: Begin with basic commands, and once you're comfortable, add details like from, to, port, or proto.
  • Add Comments to Rules: Use descriptive labels to make your rules self-explanatory and easier to maintain.
    sudo ufw allow 3306 comment 'MySQL access'
  • Specify Protocols When Needed: Some services use UDP instead of TCP, for example, DNS.
    sudo ufw allow 53/udp
  • Control Traffic by Interface: You can create rules specific to a network interface, such as allowing HTTP traffic only on eth0.
    sudo ufw allow in on eth0 to any port 80

Does Debian Need Firewall?

Yes. In fact, not only a Debian server but all components of an IT system that are publicly accessible via the Internet, such as routers, switches, servers, PCs, mobile devices and IoT devices, need firewall protection against cyber threats. With cyber attacks on the rise and costing millions of dollars each year, there has never been a better time to implement an effective firewall in your network. The main reasons for implementing a firewall to protect your Debian system are outlined below:

  1. A strong firewall can provide secure remote access to your system via a VPN service, such as OpenVPN or WireGuard.

    info

    You may find more information about secure remote access on the How to Keep Remote Employees Safe from Potential Cyber Threats? article written by Sunny Valley Networks.

  2. A firewall can limit internet bandwidth usage for efficiency. It allows network administrators to restrict bandwidth for non-business traffic by reserving bandwidth for higher-priority business traffic.

  3. An effective firewall can safeguard your network from malicious traffic, such as malware and phishing attacks.

  4. A firewall is the first line of defense against hackers and other unauthorized access attempts. Without having a firewall placed in the network perimeter, your data and valuable assets are at huge risk.

  5. A firewall can prevent your users from accessing illegal and harmful websites, such as phishing sites.

What Firewalls can be Installed on Debian?

Debian has a built-in Linux firewall application, called iptables. Generally, it is implemented as a host-based firewall to protect the Debian server against cyber attacks. It can also be configured as a network firewall between the LAN and an untrusted external network to protect the assets in the internal network. You may install and configure the following firewall solutions on your Debian server easily:

  1. Uncomplicated Firewall (UFW): Uncomplicated Firewall (UFW) is a simple-to-use application for managing a netfilter firewall. It has a command-line interface with a few simple commands and utilizes iptables for configuration.

  2. Graphical Uncomplicated Firewall (GUFW): Gufw is a Graphical User Interface (GUI) enhancement that makes it easier to configure UFW to your specific requirements. Gufw Firewall can be downloaded as a standalone tool regardless of your Linux distribution (Debian, Mint, etc.).

  3. Firewalld: Firewalld is a dynamically managed firewall that supports security zones, which define the level of trust for network interfaces. It supports IPv4/v6 firewall settings, as well as IP sets and ethernet bridges. It also provides an interface through which services can directly add firewall rules.

  4. Shorewall: Shorewall is an open-source security utility that runs on top of Netfilter. Shorewall provides an interface for configuring your current security capabilities. It includes six packages, including the core functionality, "lite" and full-feature administration, IPv4 and IPv6 firewall packages, and an event-response package.

  5. Vuurmuur: Vuurmuur is a firewall configuration utility and manager for Linux that is based on iptables. It provides a graphical user interface that allows for both simple and complex settings.

How to Enable NGFW Capabilities on Debian Firewall?

iptables and its frontend program UFW provide a powerful L4 packet filtering solution that is simple to use. As a result, they're commonly used as a host-based firewall. If you set up your Debian firewall as a network firewall between your internal and external networks, however, it won't be able to protect your precious assets from advanced cyber attacks. Furthermore, hackers are now targeting not only large corporations, but also small businesses (SMBs) and even individual consumers. Traditional L4 packet filtering firewalls were not up to the task of dealing with the new cyber threats. As a result, next-generation firewalls are critical for every enterprise, including home users.

According to Gartner, an NGFW is:

a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks.

Please refer to NGFW article written by Sunny Valley Networks for more information.

Thankfully, you can simply implement next-generation firewall capabilities, such as web content and application filtering, by installing and configuring Zenarmor on your Debian server. Zenarmor provides cutting-edge, next-generation firewall features that are not currently available in open-source firewalls. Zenarmor is based on a very lightweight and powerful application layer/L7 packet inspection technology. It provides free access to a wide range of enterprise-grade network security functions.

The primary capabilities of the Zenarmor are listed below:

  • Web Filtering

  • Application Control

  • User-friendly web and application categorization system with a massive and up-to-date database.

  • Real-time auto-blocking of recent malware/phishing outbreaks.

  • Time-scheduled policies, which are extremely useful for managing internet bandwidth.

  • Cloud Threat Intelligence

  • User-based and device-based filtering, which is very useful for managing schools and campus networks.

  • Rich reporting and analytics that provide network visibility.

  • Centralized Cloud management is a very useful and appealing feature for security administrators who have a large number of firewalls to manage.

To start to defend your network behind Zenarmor, you may run the following command on your Debian server:

curl https://updates.zenarmor.com/getzenarmor | sh

How can You Create Custom Rules with UFW?

UFW offers a simple yet powerful framework that works well for both beginners and advanced users. While it's perfectly suited for managing common services with basic allow/deny commands, sometimes you'll need to go further and define more specific, fine-tuned rules.

Below, you'll find a step-by-step explanation on how to create custom rules for specific services, specify protocols, and manage UFW application profiles.

  1. Writing Custom Rules for Specific Services: If your application runs on a specific port, you can allow traffic to that port using a straightforward command.

    sudo ufw allow 8080/tcp

    This allows TCP traffic on port 8080, commonly used for custom web services or internal APIs.

    To define a rule that limits traffic to a specific source IP, you can run a command like this.

    sudo ufw allow from 192.168.1.10 to any port 2222 proto tcp

    This allows only the machine at 192.168.1.10 to access TCP port 2222. In other words, only the person you trust, knocking on the door you've chosen, gets in.

  2. Why Specifying Protocols Matters: Some services rely exclusively on UDP instead of TCP, for example, DNS, WireGuard, or certain game servers. If you allow a port without specifying the correct protocol, the rule may not work as intended and could even create unnecessary exposure.

    You may allow DNS traffic over UDP by running the next command.

    sudo ufw allow 53/udp

    You may allow DNS traffic over TCP by running the next command.

    sudo ufw allow 53/tcp

    Specifying the right protocol makes your firewall more precise and secure.

  3. Creating Custom UFW Application Profiles: UFW supports application profiles, which are stored in /etc/ufw/applications.d/. These profiles let you define rules by name instead of by port and protocol every time. You can even create your own for internal services.

    You may create a custom profile by following these steps.

    1. Create a profile file.

      sudo nano /etc/ufw/applications.d/custom-service

      This opens a new profile file where you'll define your custom service.

    2. Define the profile like this.

      [Custom Service]
      title=Internal API
      description=Custom TCP-based internal service
      ports=9000/tcp

      This configuration defines the name, description, and port/protocol combination for your custom service.

    3. Register the profile with UFW.

      sudo ufw app update

      This updates UFW's profile database so it recognizes your custom entry.

    4. List all available profiles.

      sudo ufw app list

      This shows all recognized profiles, including the one you just created.

    5. Enable your custom rule using the profile name.

      sudo ufw allow "Custom Service"

Named profiles help keep your firewall rules clean and well-structured, especially when you're managing multiple services across several servers. By taking full advantage of UFW's flexibility, you move beyond simply toggling ports open or closed. Instead, you gain a more thoughtful, organized, and proactive approach to network security. Named profiles, tailored rules, and protocol awareness work together to transform your firewall into an intelligent layer of defense.
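Step 2 shows one profile written by hand; once you keep several of them under /etc/ufw/applications.d/ it is worth checking them before running ufw app update, because a malformed file is easy to miss. The script below is an added example, not part of the article or of UFW itself: it validates a profile file for the keys the steps above use (title, description, ports) and checks the ports value against the comma-list, low:high range and |-separated protocol-group syntax UFW accepts (for example 80,443/tcp|53/udp). The two sample profiles are constructed and the function name is my own.

```shell
#!/bin/sh
# Validate UFW application profile files before `ufw app update`.
# Added example for this page, not UFW's own code. Checks the keys the
# page lists (title, description, ports) and the ports syntax UFW accepts:
# comma lists, low:high ranges, and |-separated protocol groups such as
# "80,443/tcp|53/udp". The sample profiles below are constructed.

GOOD_PROFILE=$(mktemp)
cat > "$GOOD_PROFILE" <<'EOF'
[Custom Service]
title=Internal API
description=Custom TCP-based internal service
ports=9000/tcp

[Custom DNS]
title=Internal resolver
description=DNS over both transports plus a UDP range
ports=53/tcp|53,60000:61000/udp
EOF

BAD_PROFILE=$(mktemp)
cat > "$BAD_PROFILE" <<'EOF'
[Broken Service]
title=Broken
ports=9000/icmp|70000:80/tcp
EOF

# Usage: validate_ufw_profile <file>; prints findings, exits 0 only if clean.
validate_ufw_profile() {
  awk '
    function bad(msg) { print "INVALID: " msg; errors++ }
    function check_ports(spec,   groups, n, i, g, proto, body, items, m, j, r, lo, hi) {
      n = split(spec, groups, "|")
      for (i = 1; i <= n; i++) {
        g = groups[i]; proto = ""; body = g
        if (g ~ /\//) { proto = g; sub(/.*\//, "", proto); sub(/\/.*/, "", body) }
        if (proto != "" && proto != "tcp" && proto != "udp") bad("unknown protocol \"" proto "\" in \"" g "\"")
        m = split(body, items, ",")
        for (j = 1; j <= m; j++) {
          if (items[j] ~ /^[0-9]+$/) { lo = items[j] + 0; hi = lo }
          else if (items[j] ~ /^[0-9]+:[0-9]+$/) { split(items[j], r, ":"); lo = r[1] + 0; hi = r[2] + 0 }
          else { bad("malformed port item \"" items[j] "\""); continue }
          if (lo < 1 || hi > 65535 || lo > hi) bad("port out of range: " items[j])
        }
      }
    }
    function finish_section(   k) {
      for (k in required) if (!(k in seen)) bad("[" section "] is missing \"" k "\"")
      if ("ports" in seen) check_ports(seen["ports"])
      split("", seen)                        # reset for the next section
    }
    BEGIN { required["title"] = 1; required["description"] = 1; required["ports"] = 1 }
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }     # blank lines and comments
    /^\[.*]$/ {                              # [Section Name]
      if (section != "") finish_section()
      section = $0; sub(/^\[/, "", section); sub(/]$/, "", section)
      next
    }
    /^[^=]+=/ {                              # key=value
      if (section == "") { bad("key before any [section] header: " $0); next }
      key = $0; sub(/=.*/, "", key)
      val = $0; sub(/^[^=]*=/, "", val)
      seen[key] = val
      next
    }
    { bad("unparseable line: " $0) }
    END {
      if (section == "") bad("no [section] header found")
      else finish_section()
      if (errors == 0) print "OK: all sections well-formed"
      exit errors > 0
    }
  ' "$1"
}

validate_ufw_profile "$GOOD_PROFILE"
validate_ufw_profile "$BAD_PROFILE" || echo "fix the profile before running ufw app update"
```

Run it over every file in the directory before ufw app update, and keep the profile files themselves under version control alongside the rule backup, since the name you later pass to ufw allow resolves to whatever ports the file says at that moment.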

How Can UFW and Fail2Ban Be Integrated for Improved Security?

UFW is a firewall tool designed to control incoming traffic to your system. Fail2Ban, on the other hand, is a behavior-based security solution that analyzes log files to detect repeated unauthorized access attempts and then bans the offending IP addresses, either temporarily or permanently. The real power comes when these two tools are combined. Fail2Ban can automatically trigger UFW to block malicious IPs in real time. This unites the strengths of static firewall policies with dynamic threat detection, offering a more adaptive and resilient security layer. Below is a step-by-step guide on how to integrate UFW and Fail2Ban effectively.

  1. Ensure Required Packages Are Installed: If UFW and Fail2Ban aren't installed on your system, run the next command.

    sudo apt update && sudo apt install ufw fail2ban -y

    This installs both the firewall and the intrusion prevention system on your Debian server.

  2. Enable UFW and Define Basic Rules: Allow essential services like SSH and HTTP.

    sudo ufw allow ssh
    sudo ufw allow http
    sudo ufw enable

    This allows remote access and web traffic while enforcing firewall protection.

  3. Copy the Default Fail2Ban Configuration: Create a local configuration file for safe, customized settings.

    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

    This ensures your custom changes won't be overwritten during future updates.

  4. Edit the jail.local File: Define which services Fail2Ban should monitor and how it should respond.

    sudo nano /etc/fail2ban/jail.local

    Here, you'll set log paths, retry thresholds, ban durations, and actions.

  5. Configure the [sshd] Jail: This rule monitors SSH login attempts and blocks an IP via UFW after 3 failed tries within 10 minutes.

    [sshd]
    enabled = true
    port = ssh
    logpath = /var/log/auth.log
    maxretry = 3
    bantime = 3600
    findtime = 600
    banaction = ufw

  6. Restart the Fail2Ban Service: Restarting applies your new settings immediately.

    sudo systemctl restart fail2ban

  7. Verify Fail2Ban Is Active and Banning IPs: This displays whether the SSH jail is active and how many IPs have been banned so far.

    sudo fail2ban-client status sshd

While UFW defines the perimeter, Fail2Ban is the watchdog that detects intrusions and reacts in real time. Together, they form a smart and responsive defense system. Every system can be attacked, but only some are prepared to fight back. Combine these two tools, and yours will be.
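Step 5 sets maxretry = 3 within findtime = 600 seconds, and it is worth seeing what that decision actually computes. The script below is an added example, not Fail2Ban or UFW code: it re-implements the counting over constructed auth.log lines so the interaction of the two parameters is visible, three failures in fourteen seconds trip the threshold while three failures spread over forty-five minutes do not. It reads only the time of day, so it assumes every line is from the same day; the addresses and the function name are constructed.

```shell
#!/bin/sh
# Re-implement Fail2Ban's maxretry/findtime decision over sshd log lines.
# Added example for this page; not Fail2Ban or UFW code. Reads only the
# time of day, so it assumes every line is from the same day. The sample
# is constructed (documentation address ranges).

AUTH_SAMPLE_LOG=$(mktemp)
cat > "$AUTH_SAMPLE_LOG" <<'EOF'
Jan 10 12:00:01 deb sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:09 deb sshd[1002]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jan 10 12:00:15 deb sshd[1003]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 10 12:00:20 deb sshd[1004]: Accepted publickey for alice from 192.0.2.9 port 40000 ssh2: ED25519 SHA256:constructed
Jan 10 12:00:30 deb sshd[1005]: Failed password for root from 198.51.100.77 port 50000 ssh2
Jan 10 12:30:00 deb sshd[1006]: Failed password for root from 198.51.100.77 port 50001 ssh2
Jan 10 12:45:00 deb sshd[1007]: Failed password for root from 198.51.100.77 port 50002 ssh2
EOF

# Usage: offenders <logfile> <maxretry> <findtime-seconds>
# Prints each source IP that produced <maxretry> failures inside any
# window of <findtime> seconds, one per line, sorted.
offenders() {
  awk -v maxretry="$2" -v findtime="$3" '
    /sshd\[[0-9]+]: Failed password/ {
      split($3, t, ":")                      # "HH:MM:SS" -> seconds since midnight
      secs = t[1] * 3600 + t[2] * 60 + t[3]
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      n[ip]++
      ts[ip, n[ip]] = secs                   # log order is chronological
    }
    END {
      # slide a window of maxretry consecutive failures over each source
      for (ip in n)
        for (i = 1; i + maxretry - 1 <= n[ip]; i++)
          if (ts[ip, i + maxretry - 1] - ts[ip, i] <= findtime) { print ip; break }
    }
  ' "$1" | sort
}

echo "would be banned with maxretry=3 findtime=600:"
offenders "$AUTH_SAMPLE_LOG" 3 600
echo "would be banned with maxretry=3 findtime=3600:"
offenders "$AUTH_SAMPLE_LOG" 3 3600
```

In a real deployment Fail2Ban does this counting itself and, with banaction = ufw, issues the ufw command for you; the point of the exercise is to choose findtime and maxretry deliberately for your own login patterns rather than copy them. A slow, patient guesser stays under a 600-second window, which is the argument for longer findtime values on hosts that only expect key-based logins.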

What are Common Issues with UFW and How Can You Troubleshoot Them?

Although UFW is known for its simplicity, users may still encounter unexpected behaviors or access issues. Thankfully, most of these problems stem from small configuration oversights and are easily resolved with the right steps. Below are some of the most common UFW issues on Debian systems and how to fix them.

  1. Rules Not Working Because UFW Isn't Enabled: Rules are correctly defined but don't seem to have any effect. UFW might not be active. Check with the next command.

    sudo ufw status

    If it's inactive, activate it running the next command.

    sudo ufw enable

    If UFW isn't running, your rules won't apply; this is often overlooked by new users.

  2. SSH Access Lost After Enabling UFW: SSH disconnects after UFW is enabled. SSH access must be allowed before activating UFW.

    sudo ufw allow ssh

    This is one of the most common mistakes and can lock you out of your server if not addressed in time.

  3. "Rule Not Found" Error When Deleting Rules: You try to delete a rule, but UFW says it doesn't exist. Always manage deletions by rule number; using rule numbers avoids ambiguity and prevents accidental deletions.

    sudo ufw status numbered
    sudo ufw delete [rule number]

  4. Legitimate Traffic Getting Blocked: UFW is blocking traffic that should be allowed. Make sure the port is open and the correct protocol (TCP/UDP) is specified. Even a small mismatch in protocol or port number can lead to frustrating connection failures. You may check logs.

    sudo less /var/log/ufw.log

  5. Application Profile Not Recognized: A command like sudo ufw allow "Apache Full" doesn't work. Check if the profile exists.

    sudo ufw app list

    If not, open the ports manually.

    sudo ufw allow 80,443/tcp

    If a service isn't listed, that doesn't mean it's unsupported; you can still open the required ports manually.

  6. Duplicate or Conflicting Rules: Multiple rules for the same port cause confusion or unpredictable behavior. Use status numbers to review and clean up. Keeping your rule set tidy avoids accidental overlaps and simplifies management.

    sudo ufw delete [number]

  7. IPv6 Connections Are Not Working: IPv6 traffic is being blocked or ignored. For the solution, check your config file and ensure that IPv6 is enabled.

    sudo nano /etc/default/ufw

    Ensure the following line is set to yes:

    IPV6=yes

    If disabled, all IPv6 traffic will silently be dropped.

  8. Logs Are Empty or Missing Events: You're experiencing access issues but don't see any related logs. Logging might be disabled. Without proper logging, diagnosing network issues becomes much harder. Enable logging with the next command.

    sudo ufw logging medium

Most UFW problems are minor and easy to fix once you know what to look for. With a combination of smart rule design, regular log checks, and a clear understanding of your network traffic, you can resolve issues quickly and maintain a secure system.
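Item 6 above tells you to review the numbered listing for duplicates. The script below is an added example, not the article's or UFW's code: it parses saved ufw status numbered output (a constructed sample here) and reports the two things the eye tends to miss, exact duplicates and rules that can never match because an earlier rule with the same port, direction and source already decides the traffic, since UFW evaluates rules in the listed order and the first match wins. The function name and sample rules are my own.

```shell
#!/bin/sh
# Audit `ufw status numbered` output for duplicate and shadowed rules.
# Added example for this page, not UFW's code. The sample listing below is
# constructed; on a real host run: sudo ufw status numbered > status.txt

UFW_STATUS_SAMPLE=$(mktemp)
cat > "$UFW_STATUS_SAMPLE" <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22/tcp                     ALLOW IN    Anywhere
[ 4] 3306/tcp                   ALLOW IN    192.168.1.10
[ 5] 3306/tcp                   DENY IN     192.168.1.10
[ 6] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF

# Usage: audit_ufw_rules <saved status output>
# Prints one line per finding; exits 0 only when the rule set is clean.
audit_ufw_rules() {
  awk '
    /^\[ *[0-9]+]/ {
      num = $0; sub(/^\[ */, "", num); sub(/].*/, "", num)     # rule number
      line = $0; sub(/^\[ *[0-9]+] */, "", line)               # strip "[ N] "
      nf = split(line, f, " ")
      a = 0                                                   # index of the action word
      for (i = 1; i <= nf; i++) if (f[i] ~ /^(ALLOW|DENY|REJECT|LIMIT)$/) { a = i; break }
      if (a == 0) next
      to = f[1]; for (i = 2; i < a; i++) to = to " " f[i]      # e.g. "22/tcp (v6)"
      from = f[a + 2]; for (i = a + 3; i <= nf; i++) from = from " " f[i]
      sig = to "|" f[a + 1] "|" from                          # what the rule matches on
      if (sig in first) {
        if (act[sig] == f[a])
          print "duplicate: rule " num " repeats rule " first[sig] " (" to " " f[a] " " f[a + 1] " " from ")"
        else
          print "shadowed: rule " num " (" f[a] " " f[a + 1] ") never matches; rule " first[sig] " (" act[sig] " " f[a + 1] ") already decides " to " from " from
        findings++
      } else { first[sig] = num; act[sig] = f[a] }
    }
    END {
      if (!findings) print "no duplicates or shadowed rules"
      exit findings > 0
    }
  ' "$1"
}

audit_ufw_rules "$UFW_STATUS_SAMPLE" || echo "clean up the flagged rules"
```

Delete flagged rules starting from the highest number, because every deletion renumbers the rules below it. Note also that the numbered listing is a human-readable view; the rules UFW actually loads live in /etc/ufw/user.rules and /etc/ufw/user6.rules, which is what a restorable backup should copy alongside the listing.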

How Do You Use UFW with Docker and Containers?

UFW (Uncomplicated Firewall) is a system-level firewall tool designed to simplify network traffic control. Docker, on the other hand, creates its own virtual networking layer to isolate containers and manage port forwarding. When used together, these two tools can sometimes conflict, mainly because Docker's dynamic behavior can override or bypass UFW's rules. Here's how you can make Docker and UFW work smoothly together without compromising security.

When Docker runs, it inserts its iptables rules, which can override UFW. This condition is especially problematic in systems where the DOCKER-USER chain is given precedence. As a result, even if UFW blocks a port, Docker may still expose it through its own rules. This behavior can unintentionally expose containers to the internet, posing a serious risk in production environments.

Allowing Ports in Both Docker and UFW

If you want a container to be accessible from the outside, you need to take two steps:

  1. Expose the Port in Docker: Specify the port when running the container.

    docker run -d -p 8080:80 my-container

    This maps port 8080 on the host machine to port 80 in the container.

  2. Allow the Port in UFW: Even if Docker sets up port forwarding, UFW might still block access. You need to explicitly allow it.

    sudo ufw allow 8080/tcp

These two actions together ensure that external traffic is allowed by UFW and correctly routed by Docker.

Preventing Docker from Overriding UFW Rules (The Critical Part)

Docker's iptables behavior can override UFW's control over network traffic. To maintain proper firewall enforcement, you have a couple of options:

  1. Disable Docker's iptables Management: To stop Docker from inserting its own iptables rules, edit the Docker daemon config.

    {
      "iptables": false
    }

    Save this in /etc/docker/daemon.json, then restart Docker.

    sudo systemctl restart docker

    tip

    Disabling Docker's iptables management removes all of Docker's default security handling. You must fully define access control with UFW if you use this method.

  2. Use the DOCKER-USER Chain: If you'd prefer to let Docker manage its own rules but still maintain ultimate control, leverage the DOCKER-USER chain. This allows you to filter or override traffic before Docker handles it. For example, block all incoming traffic to containers.

    sudo iptables -I DOCKER-USER -i eth0 -j DROP

    Then allow only specific traffic.

    sudo iptables -I DOCKER-USER -i eth0 -p tcp --dport 8080 -j ACCEPT

    This method works similarly to UFW but uses iptables directly. Importantly, Docker does not override rules in the DOCKER-USER chain.

Handling Docker's Dynamic IPs

Containers often receive a new internal IP address every time they restart. This makes writing UFW rules based on container IPs unreliable. The best practices for handling Docker's dynamic IP addresses are as follows.

  • Manage access using host-level ports, not container IPs
  • Define rules for public-facing ports on the host (e.g., 8080)
  • Use docker-compose to assign static IPs or create custom bridge networks if needed
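The two DOCKER-USER commands above both use -I, which inserts at the top of the chain, so the order in which you run them decides whether the ACCEPT lands above or below the DROP. The script below is an added example, not Docker's or the article's code: it audits saved iptables -S DOCKER-USER output (constructed here in the shape iptables prints) for the external interface and reports which ports are actually exposed, which ACCEPT rules are dead because they sit below the catch-all DROP, and whether that DROP exists at all. The interface name and the function name are assumptions.

```shell
#!/bin/sh
# Audit the DOCKER-USER chain from saved `iptables -S DOCKER-USER` output.
# Added example for this page; not Docker's or UFW's code. Sample output is
# constructed; on a real host feed it: sudo iptables -S DOCKER-USER > chain.txt

DOCKER_USER_GOOD=$(mktemp)
cat > "$DOCKER_USER_GOOD" <<'EOF'
-N DOCKER-USER
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-USER -i eth0 -j DROP
-A DOCKER-USER -j RETURN
EOF

# Same two rules, run in the other order: the ACCEPT ends up below the DROP.
DOCKER_USER_BAD=$(mktemp)
cat > "$DOCKER_USER_BAD" <<'EOF'
-N DOCKER-USER
-A DOCKER-USER -i eth0 -j DROP
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-USER -j RETURN
EOF

# Usage: docker_user_audit <saved -S output> <external interface>
# Prints one line per finding; exits 0 only when the chain is sound.
docker_user_audit() {
  awk -v ifc="$2" '
    $1 != "-A" { next }                      # skip the -N header line
    {
      iface = ""; proto = ""; dport = ""; target = ""
      for (i = 2; i <= NF; i++) {
        if ($i == "-i") iface = $(i + 1)
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      if (iface != ifc) next                 # only rules bound to the external interface
      if (target == "ACCEPT") {
        if (dropped) { print "unreachable: " proto "/" dport " ACCEPT sits below the DROP"; bad++ }
        else print "exposed: " proto "/" dport
      }
      if (target == "DROP" && proto == "" && dport == "") dropped = 1   # catch-all seen
    }
    END {
      if (!dropped) { print "missing: no catch-all DROP on " ifc; bad++ }
      exit bad > 0
    }
  ' "$1"
}

echo "good chain:"; docker_user_audit "$DOCKER_USER_GOOD" eth0
echo "bad chain:";  docker_user_audit "$DOCKER_USER_BAD" eth0 || echo "chain needs fixing"
```

Re-running the -I commands on every boot stacks duplicate rules at the top of the chain; guard each insert with an iptables -C check of the same rule first, and re-run this audit after Docker restarts, since the DOCKER-USER chain is the one place the section relies on Docker not rewriting.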

How Do You Configure UFW for a Web Server Setup?

When deploying a web server, it's essential to ensure that only the necessary services are accessible from the outside. UFW (Uncomplicated Firewall) helps you manage which connections should be allowed and which should be blocked. Opening essential ports like 80 and 443 in a controlled way and restricting all others helps strengthen your server's resilience against attacks. Proper firewall configuration with UFW forms the foundation for a secure and stable web environment.

Below is a guide on how to configure UFW to protect your web server effectively.

  1. Allowing Access to Common Web Ports: Web servers typically operate over two standard ports: Port 80 (HTTP): Unencrypted web traffic and Port 443 (HTTPS): Encrypted, secure web traffic.

    You can allow these ports using the following UFW commands:

    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp

    Or, to allow both at once using a predefined profile:

    sudo ufw allow "WWW Full"

    These rules ensure that visitors can access your site via both HTTP and HTTPS.

    tip

    "WWW Full" is a built-in UFW application profile. You can view all available profiles using sudo ufw app list.

  2. Securing Other Web-Related Services: A web server setup often involves more than just HTTP/S ports. Background services must be properly secured. If you manage your server remotely, make sure SSH access (default port 22) is allowed.

    sudo ufw allow ssh

    If you're using a custom SSH port, such as 2222:

    sudo ufw allow 2222/tcp

    If you're using FTP, allow the following ports:

    sudo ufw allow 21/tcp
    sudo ufw allow 20/tcp

  3. Database Connections (MySQL, PostgreSQL): If your database is only used locally, it's best to block external access entirely. However, if remote access is necessary:

    sudo ufw allow from [trusted-IP] to any port 3306 proto tcp   # MySQL
    sudo ufw allow from [trusted-IP] to any port 5432 proto tcp # PostgreSQL

    These commands restrict access to only trusted IP addresses, minimizing your attack surface.

  4. Enable UFW After Configuration: Once you've defined your rules, enable the firewall.

    sudo ufw enable

Before enabling, double-check that SSH or your remote access port is open.

How Do You Test UFW Firewall Configurations with External Tools?

Once you've written your firewall rules, it's absolutely essential to test them from the outside. The most effective way to confirm whether UFW has been configured correctly is by checking how your system responds to external traffic. Below are several tools and methods you can use to validate your UFW setup.

  1. Testing with Online Port Scanners: One of the easiest methods is to use an online port scanner to check which ports are open to the internet. These tools don't require any installation:

    • https://www.yougetsignal.com/tools/open-ports/
    • https://portchecker.co/
    • https://www.ipfingerprints.com/portscan.php

    Just enter your server's public IP address and the port you want to test. For example, if you've opened port 443 using UFW and it still appears closed, there might be a misconfiguration, or the service may not be running.

  2. Manual Port Testing with telnet or netcat: You can test UFW rules manually from your own machine, or better yet from a different network, using command-line tools like telnet or nc (netcat).

    telnet [destination-IP] 22

    If the connection succeeds, it means port 22 is open and accessible. If you get a "Connection refused" or "Timeout" error, the port is likely blocked by UFW or the service isn't available.

    nc -vz [destination-IP] 443

    This command checks whether a service is reachable on port 443. If it returns "succeeded," the port is accessible from the outside.

    tip

    Netcat can act as a listener for incoming connections (e.g., nc -l 8080).

If a test yields unexpected results, UFW logs can help you diagnose the issue.

sudo less /var/log/ufw.log

This log captures detailed information about blocked or accepted connection attempts, including IP addresses, ports, and timestamps.

What is the difference between Debian and Linux UFW?

UFW is a utility designed to simplify firewall management on Linux systems. It's commonly used across various distributions, including Debian and Ubuntu. But how does UFW's usage on Debian compare to its use on other Linux platforms? UFW itself is distribution-independent. However, each distro's default configurations, behaviors, and integrations can shape UFW's default behavior. Understanding these nuances is key when configuring security across different environments.

Shared UFW features across Linux distros are as follows.

  • UFW performs the same core function in all systems. It provides a simple interface to manage iptables or nftables rules.
  • The command syntax (allow, deny, status, enable, etc.) is identical regardless of distribution.
  • Configuration files such as /etc/ufw/ufw.conf and /etc/default/ufw exist in the same locations across Debian and Ubuntu.
  • The default behavior is consistent: deny all incoming traffic and allow all outgoing traffic unless specified otherwise.

Debian-Specific Differences in UFW

UFW is the same software across Debian and other Linux distributions. However, the user experience is shaped by how each distro handles configuration defaults, integrations, and tooling. Using UFW on Debian often requires more manual setup, but that gives you greater control and a valuable opportunity to understand your firewall configuration at a deeper level.

| Feature              | Debian                                | Other Linux Distros (e.g., Ubuntu)                 |
|----------------------|---------------------------------------|----------------------------------------------------|
| Pre-installed        | No                                    | Yes (UFW comes pre-installed on Ubuntu)            |
| Application Profiles | Limited / may require manual creation | Broad built-in support for common services         |
| IPv6 Support         | May be disabled by default (IPV6=no)  | Usually enabled by default                         |
| Default Logging      | Often disabled or set to a low level  | Medium-level logging typically enabled by default  |
| Integrations         | Minimal and manual                    | Integrated with tools like NetworkManager and GUIs |

Table 1. Debian-Specific Differences

While Debian offers a more minimal and streamlined base, systems like Ubuntu provide more pre-configured features and broader out-of-the-box support for UFW.
