Don’t Lock Yourself Out: Enabling UFW on a Linux Server Without Breaking SSH
Setting up a firewall on a Linux server is essential for security — but one wrong move can lock you out of your own server via SSH. This happens more often than it should, and recovery can be frustrating (or expensive if you need provider support).
Most VPS providers offer a web console or rescue mode if this happens, but relying on that is slower and avoidable.
This guide shows how to enable UFW (Uncomplicated Firewall) safely, with verification steps at every stage, so you keep SSH access throughout the process.
What you’ll learn
- How to check your current SSH configuration
- The correct order to add firewall rules (SSH first)
- How to verify rules before and after enabling UFW
- A simple safety test that prevents lockouts
Time required: 5–10 minutes
Skill level: Beginner to intermediate (comfortable with SSH)
Requirements: SSH access to a Linux server with sudo privileges
Step 1: Check your current SSH connection
First, confirm that you are connected via SSH and know which user you are using:
whoami
Next, check which port the SSH daemon is actually listening on (usually 22, but trust the running daemon rather than memory). On older systems, netstat from the net-tools package:
sudo netstat -tlnp | grep sshd
On newer systems, ss replaces netstat:
sudo ss -tlnp | grep sshd
You should see output similar to (the process column is only filled in when you run the command as root):
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
If sshd listens on a custom port (for example 2222), or on more than one port, note every port carefully: each one needs its own rule in the next step.
Step 2: Allow SSH before enabling the firewall
This is the most important rule: allow SSH first.
Default SSH port (22)
sudo ufw allow ssh
This allows the port that /etc/services maps to the ssh service (22/tcp). UFW looks the name up in /etc/services, not in sshd_config, so this form does not follow a custom Port setting; the OpenSSH application profile, present when openssh-server is installed, is likewise fixed at port 22.
Custom SSH port (example: 2222)
sudo ufw allow 2222
Without a protocol this opens 2222 for UDP as well as TCP. SSH only uses TCP, so the tighter form is better:
sudo ufw allow 2222/tcp
If sshd listens on several ports, add one rule per port.
Verify that the rule was added:
sudo ufw show added
While UFW is inactive, ufw status prints only Status: inactive, so show added is the command that lists rules before the firewall is enabled. You should see your SSH rule, for example ufw allow 2222/tcp.
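The port discovery in Step 1 and the rule in Step 2 can be chained, so that the UFW rule is generated from what sshd actually listens on instead of being typed from memory. The script below is an added example, not part of the original guide. It assumes OpenSSH (the listening process is named sshd), that ss and sshd are in root's PATH, and the file name ssh-ufw-preflight.sh is arbitrary.

```bash
#!/bin/sh
# Added example, not code from the original guide: find every TCP port sshd is
# listening on or configured for, and print (or apply) the matching UFW rules,
# so a custom port is never guessed. Run as root so ss(8) can show process
# names and `sshd -T` can read the config:
#   sudo sh ssh-ufw-preflight.sh --print    # show the rules only
#   sudo sh ssh-ufw-preflight.sh --apply    # run them
# Assumptions not stated in the guide: the daemon process is named "sshd"
# (OpenSSH) and ss(8) is available.
set -eu

# Listening TCP ports of processes named sshd, parsed from `ss -tlnp` output
# read on stdin. Works for IPv4 (0.0.0.0:22), IPv6 ([::]:22) and custom ports;
# prints each port once, numerically sorted, one per line.
ssh_ports_from_ss() {
    awk '/"sshd"/ { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Ports from the effective sshd configuration. `sshd -T` prints one "port N"
# line per Port directive, so a port added to sshd_config but not yet active
# (sshd not restarted) is still covered.
ssh_ports_from_config() {
    sshd -T 2>/dev/null | awk '$1 == "port" { print $2 }' | sort -un
}

# Map a newline-separated port list (stdin) to UFW commands, one per line.
# "/tcp" matters: `ufw allow 2222` without it would also open 2222/udp.
ufw_rules_for_ports() {
    awk 'NF { print "ufw allow " $1 "/tcp" }'
}

# Constructed sample of `ss -tlnp` output (not captured from a real host):
# the default port plus a second custom port on one daemon, and a MySQL
# listener that must be ignored.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=812,fd=4))
LISTEN 0      128          0.0.0.0:2222      0.0.0.0:*     users:(("sshd",pid=812,fd=5))
LISTEN 0      4096       127.0.0.1:3306      0.0.0.0:*     users:(("mysqld",pid=901,fd=21))'

# Live run only with --print or --apply; without arguments the script just
# demonstrates the parser on the constructed sample and touches nothing.
case "${1:-}" in
    --print|--apply)
        ports=$( { ss -tlnp | ssh_ports_from_ss; ssh_ports_from_config; } | sort -un )
        if [ -z "$ports" ]; then
            echo "no sshd port found; refusing to continue" >&2
            exit 1
        fi
        printf '%s\n' "$ports" | ufw_rules_for_ports | while read -r cmd; do
            echo "+ $cmd"
            if [ "$1" = "--apply" ]; then
                $cmd    # unquoted on purpose: split into "ufw allow N/tcp"
            fi
        done
        ;;
    *)
        printf '%s\n' "$SAMPLE_SS" | ssh_ports_from_ss | ufw_rules_for_ports
        ;;
esac
```

Two sources are merged on purpose: the socket list catches a port you forgot was configured, and sshd -T catches a port you added to sshd_config but have not restarted sshd for yet, which would otherwise be blocked the moment you restart it later.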
Step 3: Add other required rules
If your server runs a web service, allow HTTP and HTTPS traffic.
Using application profiles (recommended for Nginx)
sudo ufw allow 'Nginx Full'
Profiles are shipped by packages as files under /etc/ufw/applications.d, and ufw app list prints the ones present on your server; Nginx Full opens 80/tcp and 443/tcp.
Or manually allow ports 80 and 443:
sudo ufw allow 80
sudo ufw allow 443
Written this way the rules open UDP as well as TCP. Add /tcp to each unless you serve HTTP/3 (QUIC), which does need 443/udp.
Now set default policies to block everything except what you explicitly allow:
sudo ufw default deny incoming
sudo ufw default allow outgoing
deny incoming is already the policy UFW ships with, so setting it mainly documents your intent; allow outgoing lets the server initiate connections (package updates, DNS) without further rules. The policies take effect only once UFW is enabled. Because you added the allow rules first, SSH traffic is permitted from the moment the firewall activates.
Step 4: Verify rules before enabling UFW
Check that UFW is still inactive:
sudo ufw status
Expected output:
Status: inactive
Double-check that your SSH rule exists:
sudo ufw show added
The output lists the rules as you entered them, for example:
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 'Nginx Full'
You should see the SSH allow rule you added earlier, with the right port. If it is missing, go back to Step 2; do not enable the firewall yet.
Step 5: Enable the firewall
Now enable UFW:
sudo ufw enable
You’ll see a warning similar to:
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
Type y and press Enter.
If everything is correct, your current SSH session stays connected. Do not read too much into that: UFW's built-in rules accept packets belonging to already-established connections, so the session you enabled the firewall from survives even when the SSH allow rule is wrong. Only a fresh connection (Step 7) proves the rule works.
Step 6: Verify firewall status and rule order
Check the active rules:
sudo ufw status verbose
Example output (the Default line confirms the policies from Step 3):
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
Nginx Full                 ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
Nginx Full (v6)            ALLOW IN    Anywhere (v6)
To inspect rule order and numbering:
sudo ufw status numbered
Example (with ports 80 and 443 added individually; if you used the Nginx Full profile instead, those two lines are a single Nginx Full entry):
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 80/tcp ALLOW IN Anywhere
[ 3] 443/tcp ALLOW IN Anywhere
[ 4] 22/tcp (v6) ALLOW IN Anywhere (v6)
[ 5] 80/tcp (v6) ALLOW IN Anywhere (v6)
[ 6] 443/tcp (v6) ALLOW IN Anywhere (v6)
By default, UFW mirrors every rule for IPv6 (IPV6=yes in /etc/default/ufw). The (v6) entries are normal and created automatically; if sshd also listens on an IPv6 address, that mirrored rule is what keeps IPv6 SSH reachable.
Numbered rules are useful because:
- You can delete a specific rule by number:
sudo ufw delete 3
UFW asks for confirmation, removes only that one entry (the IPv4 or the IPv6 copy, not both), and renumbers everything below it, so re-run status numbered before every further delete. Deleting by rule text instead of by number removes the IPv4 and IPv6 entries together.
- Rule order is easy to inspect (UFW evaluates rules top-down and stops at the first match)
- Output is more compact than status verbose
With more specific rules (for example, limiting access by source IP), the output might look like:
[ 1] 22/tcp ALLOW IN 192.168.1.100
[ 2] 22/tcp ALLOW IN Anywhere
[ 3] 80/tcp ALLOW IN Anywhere
[ 4] 3306/tcp ALLOW IN 10.0.0.0/8
Note that rule 1 is redundant as long as rule 2 exists: to actually restrict SSH to that one host you would delete rule 2, and only after confirming from 192.168.1.100 that you can still connect. Because evaluation stops at the first match, a deny for a specific source has to sit above any broader allow; the insert subcommand takes a position number for exactly that purpose.
Step 7: Critical safety test
⚠️ Do not skip this step.
Open a new terminal window and SSH into the server again. Do not close your original SSH session. Test the way you normally connect: same client network, same port, and, if you restricted SSH by source address, from an address the rule allows.
If the new connection works, you're safe.
If it fails, the original session is still open because it was established before the firewall came up: use it to add or fix the SSH rule, or to disable UFW, before logging out. Do not close that session until a second connection succeeds.
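Steps 4, 5 and 7 can be combined into one guarded procedure: refuse to enable unless an SSH rule exists, and arm a rollback that disables UFW again if nobody confirms within a time window. The script below is an added example, not the guide's own commands. It assumes a systemd host (systemd-run creates the rollback timer), that the transient unit name ufw-rollback is free, and the file name enable-ufw-safely.sh is arbitrary. The preflight parses the text of ufw show added, so it accepts a rule entered as allow 22/tcp, allow 22, allow ssh, limit 22/tcp, or the from ... to any port 22 form.

```bash
#!/bin/sh
# Added example, not code from the original guide: refuse to enable UFW unless
# an SSH rule is already present, then enable it with a timed rollback so a
# mistake undoes itself. Usage, as root:
#   sudo sh enable-ufw-safely.sh 22          # port 22, 120 s window
#   sudo sh enable-ufw-safely.sh 2222 300    # custom port and window
# Assumptions not stated in the guide: systemd is present (systemd-run arms
# the rollback timer outside this SSH session) and the unit name ufw-rollback
# is unused.
set -eu

# Succeed (exit 0) if the `ufw show added` text on stdin holds a rule that
# admits TCP on port $1: "allow 22/tcp", "allow 22", "allow ssh" (port 22),
# "limit 22/tcp", or "allow from <src> to any port 22 [proto tcp]".
ssh_rule_present() {
    awk -v p="$1" '
        $1 != "ufw" || ($2 != "allow" && $2 != "limit") { next }
        $3 == p || $3 == (p "/tcp")                     { found = 1 }
        p == "22" && $3 == "ssh"                        { found = 1 }
        $3 == "from" { for (i = 4; i < NF; i++) if ($i == "port" && $(i + 1) == p) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Preflight, arm the rollback, enable. If nobody stops ufw-rollback.timer
# within the window, systemd runs `ufw disable` and access is restored.
# The timer is armed before enabling so a failing enable is covered too.
enable_with_rollback() {
    port=$1
    window=${2:-120}
    if ! ufw show added | ssh_rule_present "$port"; then
        echo "no UFW rule admitting ${port}/tcp; run: ufw allow ${port}/tcp" >&2
        return 1
    fi
    systemd-run --quiet --on-active="$window" --unit=ufw-rollback ufw disable
    ufw --force enable
    echo "UFW is active. Open a NEW terminal and SSH in. If that works, run:"
    echo "    systemctl stop ufw-rollback.timer"
    echo "within ${window}s to keep the firewall; otherwise it disables itself."
}

# Constructed `ufw show added` outputs (not captured from a real host).
# SAMPLE_OK has the SSH rule; SAMPLE_MISSING has an Nginx profile and a
# scoped MySQL rule but nothing for SSH, so the preflight must refuse.
SAMPLE_OK="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 'Nginx Full'"
SAMPLE_MISSING="Added user rules (see 'ufw status' for running firewall):
ufw allow 'Nginx Full'
ufw allow from 10.0.0.0/8 to any port 3306 proto tcp"

# Entry point: with a port argument, run for real (root required); without
# one, only demonstrate the preflight check on the constructed samples.
if [ $# -ge 1 ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root: sudo sh $0 $*" >&2
        exit 1
    fi
    enable_with_rollback "$@"
else
    if printf '%s\n' "$SAMPLE_OK" | ssh_rule_present 22; then
        echo "sample 1: SSH rule found, would enable"
    fi
    if ! printf '%s\n' "$SAMPLE_MISSING" | ssh_rule_present 22; then
        echo "sample 2: no SSH rule, would refuse"
    fi
fi
```

Stopping ufw-rollback.timer after the second-terminal test is the confirmation step; if you forget, the firewall simply switches itself off and you repeat the procedure. Keep the window short: while the timer can still fire, the server is one missed confirmation away from running with no firewall, which is the acceptable failure mode here only because the alternative is losing access entirely.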
Final checklist
Before logging out, confirm that:
- SSH works in a second terminal
- ufw status shows ALLOW IN for your SSH port (with /tcp, plus a (v6) copy if the server uses IPv6)
- The default policy is deny incoming
Once these checks pass, your firewall is active and your access is safe.