The ufw firewall: managing ports
ufw (Uncomplicated Firewall) is a simplified front end for the Linux kernel's built-in firewall (netfilter/iptables): instead of writing out long iptables chains, you describe rules with simple commands like ufw allow 80/tcp. In this article you'll install and enable ufw on your mHost VPS, deny all incoming connections by default, open the ports you need — SSH, HTTP/HTTPS, and one of your own — and learn to list the rules and remove the ones you no longer need.

What you'll need
- An mHost VPS on Ubuntu 22.04/24.04 or Debian 11/12 — ufw is the default firewall on exactly these systems.
- On AlmaLinux/Rocky Linux the default tool is firewalld instead, with different commands; this article doesn't cover it.
- SSH access as
rootor a user withsudorights. - Access to the VMmanager 6 panel — as a safety net in case you do lock yourself out over SSH: the panel has a browser-based server console that doesn't depend on SSH. If you haven't logged in yet, start with "How to log in to VMmanager 6".
Step 1. Install ufw
On Ubuntu, ufw is usually already installed out of the box (but disabled); on Debian you need to install it separately. The command below is safe in both cases — on Ubuntu it will simply confirm the package is already there:
sudo apt update
sudo apt install -y ufwCheck that the command is available:
sudo ufw versionThe command should print the ufw version number. If you get command not found instead, check that the package installation above completed without errors.
Step 2. Set the default policy: deny incoming
The whole point of a default-deny firewall is that everything not explicitly allowed by a rule is blocked. Set that explicitly:
sudo ufw default deny incoming
sudo ufw default allow outgoingdeny incoming— any new incoming connection is blocked unless there's a specific allow rule for it.allow outgoing— connections initiated by the server itself (package updates, requests to external APIs, and so on) are allowed.
This is actually ufw's factory-default policy already, but it's worth setting explicitly so the policy is a deliberate choice rather than whatever happened to be there. Neither command turns anything on or affects existing connections — the rules only take effect after Step 4.
Step 3. Allow SSH — before you turn the firewall on
Allow the SSH port (22/tcp by default):
sudo ufw allow 22/tcpStep 4. Enable ufw
sudo ufw enableufw will warn you that the operation may disrupt existing SSH connections:
Command may disrupt existing ssh connections. Proceed with operation (y|n)?Since you already allowed SSH in Step 3, confirm with y. The setting persists: after a server reboot, ufw comes back on automatically in the same state — there's no separate systemd autostart to configure.
Check the status, and — without closing your current SSH session — open a new connection in a separate terminal window. Only close the old session once you've confirmed the new SSH login still works:
sudo ufw statusStep 5. Open HTTP, HTTPS, and your own port
Allow the standard web ports:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcpTo open an arbitrary port for your own application or service, specify its number and protocol:
sudo ufw allow 8080/tcp- Always specify the protocol explicitly —
/tcpor/udp. If you omit it, ufw opens the port for both at once, when usually you only need one. - Only open a port once something on the server is actually listening on it — otherwise it's just an unused hole in the firewall.
Step 6. Check the rules: status numbered
Plain ufw status lists rules without numbers. To get a number for every rule — for example, before deleting one — use:
sudo ufw status numberedExample output after the steps above (rules are automatically duplicated for IPv6 — that's the default behavior, unless IPV6=yes has been turned off in /etc/default/ufw):
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 80/tcp ALLOW IN Anywhere
[ 3] 443/tcp ALLOW IN Anywhere
[ 4] 8080/tcp ALLOW IN Anywhere
[ 5] 22/tcp (v6) ALLOW IN Anywhere (v6)
[ 6] 80/tcp (v6) ALLOW IN Anywhere (v6)
[ 7] 443/tcp (v6) ALLOW IN Anywhere (v6)
[ 8] 8080/tcp (v6) ALLOW IN Anywhere (v6)The number in brackets is what you'll need in the next step.
Step 7. Delete a rule
Say you no longer need port 8080. Look up its rule number (Step 6) and delete it:
sudo ufw status numbered
sudo ufw delete 4ufw first shows exactly which rule it's about to delete (Deleting: allow 8080/tcp), then asks for confirmation:
Proceed with operation (y|n)?Confirm with y.
To confirm the rule is gone, run sudo ufw status numbered again.
What's next
For deeper SSH protection — changing the port, key-only login — see "Hardening SSH". Fail2ban adds automatic IP banning for repeated failed logins — see "Fail2ban: blocking brute-force attempts". And if you need netfilter capabilities that ufw's simplified syntax doesn't expose, the basic iptables commands are covered in "iptables basics".