UFW Firewall Baseline (Ubuntu / Debian)
Set up a secure default UFW ruleset: deny all inbound, allow SSH and common homelab services. Safe to run on a fresh VPS or LXC container.
Distrosubuntu, debian, raspbian
Shell
bashUpdated
Script
# Install UFW if not present
sudo apt-get install -y ufw
# Set defaults: deny all inbound, allow all outbound
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH before enabling (prevents lockout)
sudo ufw allow ssh
# Enable the firewall
sudo ufw --force enable
# Verify rules
sudo ufw status verbose
What this does
Installs and configures UFW (Uncomplicated Firewall) with a secure default posture:
- Deny all inbound traffic by default
- Allow all outbound traffic
- Allow SSH (port 22) so you don’t lock yourself out
Prerequisites
- Ubuntu 20.04+ or Debian 11+
- Root or sudo access
- An active SSH session (or console access as a fallback)
Adding rules for common homelab services
Run these after the baseline to open only what you need:
# Web servers
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
# Proxmox web UI
sudo ufw allow 8006/tcp
# Grafana
sudo ufw allow 3000/tcp
# Allow from a specific IP only (more secure)
sudo ufw allow from 192.168.1.0/24 to any port 8006
# Tailscale interface (if routing through Tailscale)
sudo ufw allow in on tailscale0
Restrict SSH to a specific IP or subnet
# Remove the broad SSH rule and replace with a scoped one
sudo ufw delete allow ssh
sudo ufw allow from 192.168.1.100 to any port 22
Useful commands
sudo ufw status numbered # list rules with indexes
sudo ufw delete 3 # delete rule by number
sudo ufw reload # reload without disrupting connections
sudo ufw disable # disable the firewall entirely
Notes
--force enableskips the interactive confirmation prompt — safe in scripts since SSH is already allowed above- UFW is a frontend for iptables; rules persist across reboots automatically
- If you change the SSH port, update the allow rule:
sudo ufw allow 2222/tcp - For IPv6 support, verify
IPV6=yesis set in/etc/default/ufw