So You Moved to Linux — Let’s Lock It Down with UFW (Without Breaking Stuff)
A beginner-friendly firewall setup for new Linux users who just want their system to be safe and sane.
Disclaimer:
This guide is written and tested for Ubuntu 22.04 (and should mostly work on other Debian-based distros).
If you’re running Fedora, Arch, or something more exotic — you may need to adjust install commands (dnf, pacman, etc.) and check for service manager compatibility.
Always test firewall rules in a safe environment before applying to production systems.
So you’ve made the jump to Linux. Whether it’s for dev work, tinkering, or just escaping Windows updates, you now have a shiny (or slightly dusty) Linux machine — probably running Ubuntu.
But here’s the deal: it’s not secure by default.
Let’s fix that with UFW — the uncomplicated firewall that won’t melt your brain.
What’s SSH and Why Should You Care?
SSH (Secure Shell) lets you remotely log into your Linux box from another machine — like opening a terminal from across the house or across the world. It’s how pros manage servers, headless machines, and remote dev setups.
Do you need it?
- If you always work directly on your machine with a keyboard and monitor? Probably not.
- But if you want to access it from your Mac, laptop, or remote office? You definitely want SSH.
Install and Enable SSH:
sudo apt update
sudo apt install openssh-server
sudo systemctl enable ssh
sudo systemctl start ssh
sudo systemctl status ssh
If you ever plan to SSH into your machine, you MUST allow port 22 in the firewall.
sudo ufw allow 22
Want to restrict access to your internal network? Use this rule instead of the blanket one above (adjust the subnet to match your LAN):
sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp
Installing and Enabling UFW
First things first — get it installed:
sudo apt install ufw
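Then activate it (if you are connected over SSH right now, make sure the port 22 rule is already in place, or enabling the firewall can cut your session):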
sudo ufw enable
Boom. Firewall is now live.
Block Everything by Default
We want to deny everything coming in and allow everything going out:
sudo ufw default deny incoming
sudo ufw default allow outgoing
Now we’ll start punching in specific rules.
Allow Only What You Actually Use
Let’s say you’re running a VNC server or planning to connect via SSH — only then should those ports be open:
sudo ufw allow 5901 # VNC
sudo ufw allow 22 # SSH (if needed)
Game or use Steam/Discord? Most of that’s outbound, so you’re fine.
View and Manage Rules
Check your rules:
sudo ufw status numbered
Delete a rule if you mess up:
sudo ufw delete [rule number]
Start fresh:
sudo ufw reset
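The blanket `ufw allow 22` and the subnet-restricted SSH rule shown earlier can both end up in the rule list, and when they do the restriction has no effect. The script below is an added example, not part of the original guide: it reads `ufw status numbered` output and flags that case; the `audit_ufw` name and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit `ufw status numbered` output.
# OPEN     = ALLOW rule reachable from any source.
# SHADOWED = source-restricted ALLOW rule made pointless by an OPEN rule on the same port.
# Assumption: restricted sources are IPv4, as in the guide's 192.168.1.0/24 example.

# Constructed sample: the listing after running the guide's allow commands in order.
sample_status() {
cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    192.168.1.0/24
[ 3] 5901                       ALLOW IN    Anywhere
[ 4] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 5] 5901 (v6)                  ALLOW IN    Anywhere (v6)
EOF
}

audit_ufw() {   # hypothetical helper name; reads the listing on stdin
awk '
/^\[/ {
  num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)        # rule number
  rest = $0; sub(/^\[[ 0-9]+\] */, "", rest); sub(/ +$/, "", rest)
  if (split(rest, f, /  +/) < 3 || f[2] !~ /^ALLOW/) next      # To / Action / From
  v6 = (f[1] ~ /\(v6\)/); to = f[1]; sub(/ *\(v6\)/, "", to)
  port = to; proto = "any"
  if (split(to, p, "/") == 2) { port = p[1]; proto = p[2] }
  if (f[3] ~ /^Anywhere/) {
    label = to; if (v6) label = label " (v6)"
    print "OPEN", num, label
    if (!v6) open[port, proto] = num
  } else { k++; rnum[k] = num; rto[k] = to; rport[k] = port; rproto[k] = proto; rsrc[k] = f[3] }
}
END {
  for (i = 1; i <= k; i++) {
    by = ((rport[i], "any") in open) ? open[rport[i], "any"] : open[rport[i], rproto[i]]
    if (by != "") print "SHADOWED", rnum[i], rto[i], "from", rsrc[i], "by rule", by
  }
}'
}

# On a real host: sudo ufw status numbered | audit_ufw
sample_status | audit_ufw
```

To make a SHADOWED restriction take effect, delete the OPEN rule for that port with `sudo ufw delete` and its number. Rule numbers shift after every delete, so list the rules again before removing the next one.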
Best Practices Recap
- Don’t allow ports you don’t actively use
- Limit access to specific IPs/subnets when possible
- Keep SSH closed if you don’t need it — or protect it heavily if you do
- Run sudo ufw status after each change so you don’t lock yourself out
Got Feedback?
Which rules do you always add first? Did this keep your system safe or make something weird stop working? Share your tweaks or war stories in the thread — someone out there will thank you.