# Firewall (ufw)

> Open the ports you need, close off the rest

A firewall decides which traffic is allowed to reach the server and which is blocked. `ufw` (Uncomplicated Firewall) is a frontend to `iptables`: instead of long rules, you write short commands. The approach is to block all incoming traffic and open only the ports you actually need (SSH, your site).

On a Lumi server (Ubuntu 22.04 by default) you connect as `root` — the IP and password come from the server's card in the bot. Run every command below as root.

## Installation

On Ubuntu, `ufw` is usually already installed. If not:

```bash theme={"system"}
apt update && apt install ufw
```

## Initial setup

<Warning>
  Before turning the firewall on, be sure to allow SSH. If you run `ufw enable` before allowing SSH, you'll lose access to the server.
</Warning>

<Steps>
  <Step title="Allow SSH">
    ```bash theme={"system"}
    ufw allow OpenSSH
    ```

    `OpenSSH` is a ready-made profile for port 22. If you have moved SSH off the default port, allow that port number directly, for example `ufw allow 2222/tcp`.
  </Step>

  <Step title="Set the default policies">
    Block all incoming traffic, leave outgoing open (so the server can fetch updates and reach the network on its own):

    ```bash theme={"system"}
    ufw default deny incoming
    ufw default allow outgoing
    ```
  </Step>

  <Step title="Enable the firewall">
    ```bash theme={"system"}
    ufw enable
    ```

    Confirm by entering `y` at the prompt.
  </Step>
</Steps>
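
A pre-flight check for the warning above, added here as an example and not part of the original guide: it reads `ufw show added` (which lists rules even while the firewall is inactive) and only runs `ufw enable` if an allow rule covers the port `sshd` uses. The function names are hypothetical, the sample rule list is constructed, and only the rule forms used on this page (`ufw allow OpenSSH`, `ufw allow <port>`, `ufw allow <port>/tcp`) are recognised.

```bash
# Added example (not from the original guide); function names are hypothetical.

# Constructed sample of `ufw show added` output, used only for illustration.
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow OpenSSH
ufw allow 80
ufw allow 443"

# Read `ufw show added` output on stdin; succeed only if one of the rule
# forms used in this guide admits SSH on the given port.
ssh_rule_present() {
    local port="$1" line
    while IFS= read -r line; do
        case "$line" in
            "ufw allow OpenSSH")
                # The OpenSSH profile covers port 22 only.
                if [ "$port" = "22" ]; then return 0; fi ;;
            "ufw allow $port" | "ufw allow $port/tcp")
                return 0 ;;
        esac
    done
    return 1
}

# Port sshd is configured to use. `sshd -T` prints the effective config;
# falling back to 22 when it cannot be read is an assumption of this example.
sshd_port() {
    local port
    port="$(sshd -T 2>/dev/null | awk '$1 == "port" { print $2; exit }')"
    echo "${port:-22}"
}

# Enable the firewall only when the SSH port is already allowed.
enable_if_ssh_allowed() {
    local port
    port="$(sshd_port)"
    if ufw show added | ssh_rule_present "$port"; then
        ufw enable
    else
        echo "No allow rule for SSH port $port. Run: ufw allow $port/tcp" >&2
        return 1
    fi
}
```

Source the file as root and call `enable_if_ssh_allowed` in place of a bare `ufw enable`.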

## Open your site's ports

A web server needs 80 (HTTP) and 443 (HTTPS):

```bash theme={"system"}
ufw allow 80
ufw allow 443
```

Open only what you use. A database, for instance, usually has no business facing the outside world — let it listen locally only.

<AccordionGroup>
  <Accordion title="View the current rules" icon="list">
    ```bash theme={"system"}
    ufw status
    ```

    To see rules with numbers (handy for deletion):

    ```bash theme={"system"}
    ufw status numbered
    ```
  </Accordion>

  <Accordion title="Delete a rule" icon="trash">
    By the rule itself:

    ```bash theme={"system"}
    ufw delete allow 80
    ```

    Or by the number from `ufw status numbered`:

    ```bash theme={"system"}
    ufw delete 3
    ```
  </Accordion>
</AccordionGroup>

<Note>
  `ufw` filters traffic on the server itself. Closed ports don't get in the way of outgoing connections — updates and network access keep working.
</Note>

## Where to next

<CardGroup cols={2}>
  <Card title="Server hardening" icon="lock" href="/en/vps/hardening">
    A security checklist — keys, fail2ban, updates.
  </Card>

  <Card title="SSH keys" icon="key" href="/en/vps/ssh-keys">
    Key-based login instead of a password.
  </Card>
</CardGroup>
