A firewall decides which traffic to let onto the server and which to block. ufw (Uncomplicated Firewall) is a simple frontend to iptables: instead of long rules, you write short commands. The idea is simple — block all incoming traffic and open only the ports you actually need (SSH, your site). On a Lumi server (Ubuntu 22.04 by default) you connect as root — the IP and password come from the server’s card in the bot. Run every command below as root.

Installation

On Ubuntu, ufw is usually already installed. If not:
apt update && apt install ufw

Initial setup

Before turning the firewall on, be sure to allow SSH. If you run ufw enable before allowing SSH, you’ll lose access to the server.
1. Allow SSH

ufw allow OpenSSH
OpenSSH is a ready-made profile for port 22. If you change the default SSH port to your own, open the number directly, for example ufw allow 2222/tcp.
2. Set the default policies

Block all incoming traffic, leave outgoing open (so the server can fetch updates and reach the network on its own):
ufw default deny incoming
ufw default allow outgoing
3. Enable the firewall

ufw enable
Confirm by entering y at the prompt.
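
The lockout risk described above can be checked before running ufw enable. The script below is an added example, not part of the original guide: it compares the ports sshd listens on (from sshd -T) with the rules already queued in ufw (from ufw show added). The function names and sample data are constructed for illustration, and the assumed output format is one "ufw allow ..." line per rule.

```shell
#!/bin/sh
# Added example (not from the original page): refuse to proceed to
# `ufw enable` unless every port sshd listens on has an allow rule.

# Ports from `sshd -T` output (effective config, one "port N" line per port).
sshd_ports() {
    printf '%s\n' "$1" | awk '$1 == "port" { print $2 }'
}

# True if the `ufw show added` text in $1 allows TCP port $2.
# Only the simple rule forms used on this page are recognised; anything
# else (e.g. source-restricted rules) counts as "not allowed", which is
# the safe direction for a lockout check.
ssh_allowed() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") && NF == 3 {
            if ($3 == "OpenSSH" && port == 22) ok = 1   # profile = port 22
            if ($3 == port || $3 == (port "/tcp")) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# preflight SSHD_CONFIG UFW_RULES: prints uncovered ports, returns 1 if any.
preflight() {
    ports=$(sshd_ports "$1"); missing=0
    [ -n "$ports" ] || { echo "no sshd port found" >&2; return 1; }
    for p in $ports; do
        if ! ssh_allowed "$2" "$p"; then
            echo "SSH port $p has no ufw allow rule" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample: sshd moved to 2222, but only the OpenSSH profile added.
SAMPLE_SSHD='port 2222
permitrootlogin yes'
SAMPLE_RULES="Added user rules (see 'ufw status' for running firewall):
ufw allow OpenSSH"

if preflight "$SAMPLE_SSHD" "$SAMPLE_RULES"; then
    echo "safe to run: ufw enable"
else
    echo "do not enable yet: add e.g. ufw allow 2222/tcp"
fi
# On a real server: preflight "$(sshd -T)" "$(ufw show added)" && ufw enable
```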

Open your site’s ports

A web server needs 80 (HTTP) and 443 (HTTPS):
ufw allow 80
ufw allow 443
Open only what you use. A database, for instance, usually has no business facing the outside world — let it listen locally only.
To check the firewall status and the current rules:
ufw status
To see rules with numbers (handy for deletion):
ufw status numbered
To delete a rule, specify the rule itself:
ufw delete allow 80
Or by the number from ufw status numbered:
ufw delete 3
ufw filters traffic on the server itself. Closed ports don’t get in the way of outgoing connections — updates and network access keep working.

Where to next

Server hardening

A security checklist — keys, fail2ban, updates.

SSH keys

Key-based login instead of a password.