Setting up a firewall on your Linux server is essential for security — but one wrong move can lock you out of your own server via SSH. It happens more often than you’d think, and recovering from it can be frustrating (or expensive if you need to contact support).
If you do get locked out, most VPS providers offer a web console or rescue mode — but relying on that is slower and avoidable.
This tutorial walks you through enabling UFW (Uncomplicated Firewall) the safe way, with verification steps at every stage to ensure you maintain SSH access. Whether you’re securing a new VPS, hardening an existing server, or just learning Linux system administration, this guide will help you set up your firewall with confidence.
What you’ll learn:
- How to check your current SSH configuration
- The correct order to add firewall rules (SSH first!)
- How to verify everything is working before and after enabling the firewall
- A critical safety test that prevents lockouts
Time required: 5-10 minutes
Skill level: Beginner to intermediate (comfortable with SSH)
What you’ll need: SSH access to your Linux server with sudo privileges
Step 1: Check Current SSH Connection
First, confirm you are connected via SSH and have sudo privileges. Use the whoami command to see your username.
Check what port SSH is using (usually 22)
sudo netstat -tlnp | grep ssh
On newer systems, ss has replaced netstat
sudo ss -tlnp | grep ssh
It should show something like: tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
Note: Your SSH port might be different (like 2222). Remember this number!
Step 2: Allow SSH BEFORE Enabling Firewall
Method 1: If using default SSH port (22)
sudo ufw allow ssh
This rule allows the port associated with the SSH service - usually 22, as defined in /etc/services.
Method 2: If using custom SSH port (replace 2222 with your port)
sudo ufw allow 2222
Method 3: Be extra specific by restricting the rule to TCP, the only protocol SSH uses (replace YOUR_PORT with your actual port)
sudo ufw allow YOUR_PORT/tcp
Verify the rule was added:
sudo ufw status verbose
Should show your SSH rule as "ALLOW IN"
Step 3: Add Other Required Rules
Allow web traffic (HTTP and HTTPS) using the Nginx application profile (the profile exists once the nginx package is installed; sudo ufw app list shows the profiles available on your system)
sudo ufw allow 'Nginx Full'
OR manually allow ports 80 and 443:
sudo ufw allow 80
sudo ufw allow 443
Set default policies (block everything except what we allow)
sudo ufw default deny incoming
sudo ufw default allow outgoing
Please note that these default policies won’t take effect until UFW is enabled (Step 5 of this tutorial).
By adding allow rules first, you ensure existing SSH traffic is permitted the moment the firewall activates.
Step 4: Test SSH Rule (Before Enabling)
Check UFW status (should still be inactive)
sudo ufw status
Should show: Status: inactive
Double-check SSH is allowed:
sudo ufw show added
Should show your SSH allow rule (from Step 2)
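Steps 1 to 4 together form a pre-enable gate: find the port sshd is listening on, make sure the matching allow rule exists, and only then run ufw enable. The script below is an added example, not part of the original tutorial or of UFW itself. It parses ss -tlnp output to find the sshd port, builds a TCP-only rule for it, checks ufw show added for that rule, and refuses to enable the firewall if the rule is missing. The function names and the sample ss output are this example's own; the sample is constructed to stand in for a server whose sshd listens on port 2222.

```shell
#!/usr/bin/env bash
# Added example: a lockout-proof gate in front of "ufw enable".
# Function names (ssh_ports_from_ss, ufw_rule_for_port, rule_present,
# safe_enable) are this example's own, not UFW commands.

# Print the TCP port(s) sshd is listening on, parsed from "ss -tlnp" output on stdin.
# A data line looks like: LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
# Field 4 is Local Address:Port; the port is whatever follows the last ':' (works for [::]:22 too).
ssh_ports_from_ss() {
    awk '/sshd/ { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Build the rule to add. "/tcp" keeps the rule to TCP, which is all SSH needs.
ufw_rule_for_port() {
    printf '%s/tcp\n' "$1"
}

# Return 0 if "ufw show added" output (stdin) already contains an allow rule for the port.
# Accepts "ufw allow 2222", "ufw allow 2222/tcp", and for port 22 also "ufw allow ssh".
rule_present() {
    port="$1"
    pat="^ufw allow ${port}(/tcp)?\$"
    [ "$port" = 22 ] && pat="^ufw allow (22(/tcp)?|ssh)\$"
    grep -Eq "$pat"
}

# The gate itself: needs root and a real ufw; runs only when invoked as "script.sh run".
safe_enable() {
    port=$(ss -tlnp | ssh_ports_from_ss | head -n1)
    if [ -z "$port" ]; then
        echo "sshd is not listening on any TCP port; refusing to enable the firewall" >&2
        return 1
    fi
    if ! ufw show added | rule_present "$port"; then
        ufw allow "$(ufw_rule_for_port "$port")"
    fi
    # Re-check after adding: never enable unless the SSH rule is really there.
    if ! ufw show added | rule_present "$port"; then
        echo "SSH allow rule for port $port is still missing; not enabling" >&2
        return 1
    fi
    echo "SSH port $port is allowed; enabling UFW (answer y at the prompt)"
    ufw enable
}

# Constructed sample of "ss -tlnp" output for a server with sshd on port 2222 (not real data).
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:2222      0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:2222         [::]:*        users:(("sshd",pid=812,fd=4))
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=900,fd=6))'

# Offline demonstration: the port the sample would yield (prints 2222).
demo_port() {
    printf '%s\n' "$SS_SAMPLE" | ssh_ports_from_ss | head -n1
}

if [ "${1:-}" = "run" ]; then
    safe_enable
fi
```

Run it with sudo and the argument run on a real server; without the argument it only defines the functions and the offline demo, so you can source it and test the parsing against your own ss output first.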
Step 5: Enable Firewall (The Moment of Truth)
Enable UFW with confirmation
sudo ufw enable
You’ll see a warning like: "Command may disrupt existing ssh connections. Proceed with operation (y|n)?". Type: y.
If everything is correct, you should still be connected!
Step 6: Verify Everything Works
Check firewall status
sudo ufw status verbose
You should see something like:
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere
Check rule priority, which can help with troubleshooting.
sudo ufw status numbered
You should see something like:
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
Note: By default, UFW mirrors rules for IPv6 if IPv6 is enabled. The (v6) rules are for IPv6 connections and are normal - UFW creates these automatically.
Key differences from the regular status command:
Numbered rules: each rule gets a bracketed number [1], [2], etc. Why this matters:
- You can delete specific rules by number: sudo ufw delete 3
- Easier to see rule order (UFW processes rules top to bottom)
- More compact than status verbose
With More Complex Rules
If you have more specific rules (like allowing from certain IPs), it looks like:
     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.1.100
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 3306/tcp                   ALLOW IN    10.0.0.0/8
Step 7: Critical Safety Test
After you’ve done all previous steps, you should test that you can still connect. Open a NEW terminal window (DON’T CLOSE YOUR OLD WINDOW WHERE YOU CONFIGURED THE FIREWALL!) and SSH to your server. If this works, you’re safe! If this test fails, fix the issue in your original terminal window!
To finish, before you log out, confirm that:
- SSH works in a second terminal,
- ufw status shows ALLOW for your SSH port,
- Default policy is set to deny incoming.
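The three checklist items above can be verified mechanically from the output of sudo ufw status verbose, plus one non-interactive SSH attempt from the second terminal. The script below is an added example, not part of the original tutorial or of UFW; status_ok and second_session_ok are its own function names, and the sample status output is constructed to mirror the Step 6 example for a server with SSH on port 22.

```shell
#!/usr/bin/env bash
# Added example: post-enable checks for the Step 7 checklist.
# Function names are this example's own, not UFW commands.

# Read "ufw status verbose" output from stdin and check the three checklist items
# for the given SSH port: firewall active, default incoming deny, ALLOW IN rule for the port.
# Prints the first failing check and returns 1; returns 0 when all three pass.
status_ok() {
    port="$1"
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q '^Status: active'; then
        echo "FAIL: firewall is not active"
        return 1
    fi
    if ! printf '%s\n' "$out" | grep -q '^Default: deny (incoming)'; then
        echo "FAIL: default incoming policy is not deny"
        return 1
    fi
    # Match "22/tcp   ALLOW IN" and "22   ALLOW IN", but not the "(v6)" row on its own.
    if ! printf '%s\n' "$out" | grep -Eq "^${port}(/tcp)? +ALLOW IN"; then
        echo "FAIL: no ALLOW IN rule for port ${port}"
        return 1
    fi
    echo "OK: active, default deny incoming, port ${port} allowed"
}

# The "new terminal" test as a command: a non-interactive login that runs "true".
# BatchMode=yes makes ssh fail instead of prompting; ConnectTimeout bounds the wait.
# Usage: second_session_ok user@host [port]   (not run offline; needs a real server)
second_session_ok() {
    target="$1"
    port="${2:-22}"
    ssh -o BatchMode=yes -o ConnectTimeout=5 -p "$port" "$target" true
}

# Constructed sample of "ufw status verbose" output after Step 5 (not captured from a real host).
STATUS_SAMPLE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Offline demonstration against the sample: returns 0 for port 22.
demo_status_ok() {
    printf '%s\n' "$STATUS_SAMPLE" | status_ok 22
}

# On a real server: sudo ufw status verbose | status_ok 22 && second_session_ok user@host 22
```

Pipe your real sudo ufw status verbose output into status_ok with your SSH port, and only log out of the original window once both this check and second_session_ok succeed.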
Have you ever accidentally locked yourself out of a server? What safety steps do you use?