LinuxsecurityTested on real hardware

UFW Firewall Baseline (Ubuntu / Debian)

Set up a secure default UFW ruleset: deny all inbound, allow SSH and common homelab services. Safe to run on a fresh VPS or LXC container.

Distrosubuntu, debian, raspbian
Shellbash
Updated
Script
bash
# Install UFW if not present
sudo apt-get install -y ufw

# Set defaults: deny all inbound, allow all outbound
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH before enabling (prevents lockout)
sudo ufw allow ssh

# Enable the firewall
sudo ufw --force enable

# Verify rules
sudo ufw status verbose

What this does

Installs and configures UFW (Uncomplicated Firewall) with a secure default posture:

  • Deny all inbound traffic by default
  • Allow all outbound traffic
  • Allow SSH (port 22) so you don’t lock yourself out

Prerequisites

  • Ubuntu 20.04+ or Debian 11+
  • Root or sudo access
  • An active SSH session (or console access as a fallback)

Adding rules for common homelab services

Run these after the baseline to open only what you need:

# Web servers
sudo ufw allow 80/tcp    # HTTP
sudo ufw allow 443/tcp   # HTTPS

# Proxmox web UI
sudo ufw allow 8006/tcp

# Grafana
sudo ufw allow 3000/tcp

# Allow from a specific IP only (more secure)
sudo ufw allow from 192.168.1.0/24 to any port 8006

# Tailscale interface (if routing through Tailscale)
sudo ufw allow in on tailscale0

Restrict SSH to a specific IP or subnet

# Remove the broad SSH rule and replace with a scoped one
sudo ufw delete allow ssh
sudo ufw allow from 192.168.1.100 to any port 22

Useful commands

sudo ufw status numbered     # list rules with indexes
sudo ufw delete 3            # delete rule by number
sudo ufw reload              # reload without disrupting connections
sudo ufw disable             # disable the firewall entirely

Notes

  • --force enable skips the interactive confirmation prompt — safe in scripts since SSH is already allowed above
  • UFW is a frontend for iptables; rules persist across reboots automatically
  • If you change the SSH port, update the allow rule: sudo ufw allow 2222/tcp
  • For IPv6 support, verify IPV6=yes is set in /etc/default/ufw