Learn a compact, hands-on approach to harden a Linux host using the Uncomplicated Firewall.

16.11.2025 | reading time: 3 min

UFW is a pragmatic command-line front end for the Linux packet filter that helps the administrator turn intent into concrete rules quickly. This short guide shows how to set sensible defaults, allow services, and inspect what actually runs on the host.

Quick, Concrete Setup

Do this now on a test VM to see results immediately: set deny-by-default, allow outgoing, enable SSH, permit web ports, and view the rule table. The following commands show the sequence and a sample status output:

```
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow from 203.0.113.45 to any port 22
sudo ufw deny 23
sudo ufw enable
sudo ufw status numbered
```

Sample output:

```
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
203.0.113.45 22/tcp        ALLOW       203.0.113.45
23                         DENY        Anywhere
```

Note that `allow 22/tcp` already admits SSH from any source, so the rule for 203.0.113.45 adds no restriction on top of it. To limit SSH to that address, keep only the source-restricted rule.

Manage and Tune Rules

Operate UFW as a toolkit:

- `sudo ufw status verbose` to inspect state
- `sudo ufw delete NUM` after `status numbered` to remove mistakes
- `sudo ufw limit 22/tcp` to mitigate SSH brute-force
- `sudo ufw logging on` to collect connection events

Enable IPv6 support in `/etc/default/ufw` if the host needs it, and remember `ufw app list` plus `ufw allow "OpenSSH"` to leverage application profiles instead of raw ports.

Common Pitfalls and Checks

Always verify access from another session before enabling rules on a remote host to avoid lockout. Test rules with `ss` or `netstat` on the host and `curl` from a client, and use `sudo ufw reset` with care because it removes all custom rules. Also be aware that UFW translates high-level commands into kernel rules via the system's packet-filter backend, so conflicts can arise if you mix raw iptables/nftables edits and UFW-managed rules.
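
As an added example (not part of the original guide), this shell function audits `ufw status` output for two issues in the rule set shown earlier: SSH allowed from Anywhere with `allow` rather than `limit`, and a source-restricted rule that has no effect because the same port is already open to Anywhere. The function name, finding labels and sample status text are constructed for illustration.

```shell
#!/bin/sh
# Constructed `ufw status` output matching the guide's command sequence.
SAMPLE='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22                         ALLOW       203.0.113.45
23                         DENY        Anywhere'

# audit_ufw_status (hypothetical helper): read `ufw status` text on stdin,
# print one finding per line, return 1 if anything was found. Protocol
# suffixes are ignored, so 22 and 22/tcp count as the same port.
audit_ufw_status() {
  awk '
    {
      act = 0
      for (i = 2; i <= NF; i++)
        if ($i == "ALLOW" || $i == "LIMIT") { act = i; break }
      if (!act) next                          # header, DENY/REJECT or blank line
      port = $(act - 1)                       # last field of the "To" column
      if (port == "(v6)") port = $(act - 2)   # IPv6 rows read "22/tcp (v6)"
      sub(/\/.*/, "", port)
      src = $(act + 1)
      if (src == "OUT") next                  # only inbound rules matter here
      if (src == "IN") src = $(act + 2)       # verbose/numbered add a direction
      if (src != "Anywhere") limited[port] = limited[port] " " src
      else if ($act == "ALLOW") open[port] = 1
    }
    END {
      if (("22" in open) || ("OpenSSH" in open)) {
        print "SSH-OPEN: SSH uses ALLOW from Anywhere; consider ufw limit or a source restriction"; n++
      }
      for (p in limited) if (p in open) {
        print "NO-EFFECT: port " p " is open to Anywhere, so the rule for" limited[p] " restricts nothing"; n++
      }
      exit (n > 0)
    }'
}

printf '%s\n' "$SAMPLE" | audit_ufw_status || echo "review the findings above"
```
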

Where UFW Fits

UFW is ideal for small servers and administrators who want repeatable, readable rule sets. For complex, dynamic policies or zone-based management consider firewalld, and for low-level control use iptables or nftables directly, while UFW remains a fast way to implement a secure policy in minutes.

Next Steps for the Learner

You have a working policy now; expand by scripting rule deployment, integrating logging into a SIEM, or automating firewall hardening in configuration management. To turn these practical skills into career value consider studying for CompTIA Linux+ or LPIC-1 and try the intensive exam preparation at bitsandbytes.academy.