A fresh Debian install often leaves firewall setup until the moment you need to lock down SSH or open a web port cleanly. To install UFW on Debian, you only need the default APT package, and the same workflow applies on Debian 13, 12, and 11.
UFW is the simpler rule layer on top of Debian’s firewall stack, so you can allow SSH, HTTP, HTTPS, or subnet-specific access without writing raw nftables or iptables rules by hand. Once it is installed, you get application profiles, IPv6-aware rules, status checks, and logging from the same command set.
Debian does not preinstall UFW on Debian 13, 12, or 11. If you see ufw: command not found, install the package first, and remember that plain user shells can also be missing /usr/sbin from their PATH, which is where the ufw binary lives.
Install UFW on Debian with APT
UFW installs directly from Debian’s default repositories. Before installation, update your system to avoid package conflicts:
sudo apt update && sudo apt upgrade
These commands use sudo for tasks that need root privileges. If your user is not in the sudoers file yet, follow the guide on how to add a user to sudoers on Debian.
If the update pulled in a new kernel, reboot before you start changing firewall rules.
Install the package once the system is current:
sudo apt install ufw
Relevant output on Debian 13 includes the package itself, any missing firewall dependencies, and the final setup line:
Summary:
Upgrading: 0, Installing: 4, Removing: 0, Not Upgrading: 13
Installing: ufw
Installing dependencies: iptables libip4tc2 libip6tc2
Setting up ufw (0.36.2-9) ...
Debian 12 may show a shorter dependency list, and Debian 11 can install only ufw when the lower-level firewall packages are already present. Across Debian 13, 12, and 11, apt-cache policy ufw starts at Installed: (none), so do not expect UFW to be present on a fresh system.
UFW is now installed but the firewall is not yet active. Before enabling it, configure essential rules to avoid losing access to your system.
Allow SSH on Debian Before Enabling UFW
If you are connected over SSH, allow SSH before you enable UFW. Otherwise the new firewall policy can cut off the session immediately.
Allow SSH connections through the firewall:
sudo ufw allow ssh
UFW confirms the rule was added for both IPv4 and IPv6:
Rules updated
Rules updated (v6)
If you use a custom SSH port instead of the default port 22, allow that port instead:
sudo ufw allow 2222/tcp
Replace 2222 with your actual SSH port number.
Enable the UFW Firewall on Debian
With SSH access secured, enable the firewall. UFW blocks all incoming traffic and allows all outbound traffic by default, protecting your system from unauthorized access while permitting normal internet use.
Run the enable step once the SSH rule is in place:
sudo ufw enable
The first run can ask for confirmation because enabling the firewall may disrupt SSH. After you answer y, the output ends with:
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Once the firewall is active, it blocks all incoming traffic to your system, protecting you from unauthorized access. However, this may also prevent access to legitimate services you need.
Check UFW Status on Debian
Verify the active rules and defaults as soon as the firewall is enabled:
sudo ufw status verbose
Expected output on Debian 13, 12, and 11:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
This confirms that UFW is active, logging at the low level, denying new inbound traffic, and still allowing outbound traffic.
Use the numbered view when you want rule positions for later edits or deletions:
sudo ufw status numbered
Expected output after the initial SSH rule:
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 22/tcp (v6) ALLOW IN Anywhere (v6)
This view becomes especially useful once you start adding HTTP, HTTPS, subnet, or interface-specific rules and need to remove only one of them later.
Set UFW Default Policies on Debian
The UFW firewall’s default setting is to block all incoming connections and allow all outbound connections. This configuration is the most secure as it ensures no unauthorized users can connect to your system without explicit permission. To allow incoming connections, you must create specific rules that permit traffic based on IP addresses, programs, ports, or a combination of these factors.
These two commands restore Debian’s standard inbound and outbound defaults:
Deny all incoming connections:
sudo ufw default deny incoming
Allow all outgoing connections:
sudo ufw default allow outgoing
These are UFW's built-in defaults, so a fresh install already has them in place. Change them only when your setup needs something different.
Block All Outgoing Traffic with UFW
Blocking all outbound traffic also blocks DNS lookups, package updates, and ordinary web requests. Use this only on systems where you plan to allow every required outbound service explicitly.
To block all outgoing connections:
sudo ufw default deny outgoing
After blocking outgoing traffic, you must explicitly allow each service your system needs. For example, to allow DNS and HTTP/HTTPS:
sudo ufw allow out 53/udp
sudo ufw allow out 80/tcp
sudo ufw allow out 443/tcp
To restore normal outbound connectivity:
sudo ufw default allow outgoing
The default UFW firewall policies live in the /etc/default/ufw file. This file contains the configuration settings for UFW, including the default policies for incoming and outgoing traffic. By modifying the settings in this file, you can customize the firewall rules to meet your specific security needs.
Configure UFW Application Profiles and Advanced Rules on Debian
Once the default policy is in place, the next step is deciding which services, ports, and networks should stay reachable. These examples cover the UFW patterns that are most useful on Debian desktops, servers, and small lab systems.
View UFW Application Profiles
Start by listing the application profiles that ship with UFW and any packages already installed on the system:
sudo ufw app list
Relevant output on Debian included more than a single SSH profile:
Available applications:
AIM
Bonjour
CIFS
CUPS
DNS
IMAP
OpenSSH
SSH
WWW
WWW Secure
The exact list changes with installed packages, but Debian’s UFW package already ships a longer built-in profile list than a one-line SSH-only example. When you add web servers such as Nginx or Apache, you also pick up their application-specific profiles.
Check a single profile when you want to confirm which ports it opens:
sudo ufw app info SSH
Expected output showing the application profile details:
Profile: SSH
Title: SSH server
Description: SSH server
Port: 22/tcp
Replace SSH with the profile name you want to inspect. Current Debian builds can expose both OpenSSH and SSH profiles, but sudo ufw allow ssh remains the safer command to remember in the main workflow.
Enable IPv6 in UFW on Debian
If your Debian system is configured with IPv6, you must ensure that UFW is configured to support IPv6 and IPv4 traffic. By default, UFW should automatically enable support for both versions of IP; however, it’s a good idea to confirm this.
Open the default UFW settings file to verify the IPv6 toggle:
sudo nano /etc/default/ufw
The setting you want is:
IPV6=yes
If the value is set to “no,” change it to “yes” and save the file by pressing CTRL+O and then CTRL+X to exit.
After making changes to the file, restart the UFW firewall service:
sudo systemctl restart ufw
UFW now handles both IPv4 and IPv6 traffic. When you create rules, UFW automatically applies them to both protocols. For example, sudo ufw allow 80/tcp opens port 80 for both IPv4 and IPv6 connections, as shown in the rule confirmation:
Rule added
Rule added (v6)
Configure SSH Access Rules in UFW
If SSH is not installed yet, install and enable SSH on Debian first. The base SSH allow rule was already added earlier, so this section moves to the changes that usually happen after that first safe setup.
Change the SSH Port in UFW
If you change the SSH listening port (configured in /etc/ssh/sshd_config), update UFW rules to match. The correct sequence prevents lockout:
Step 1: Allow the new SSH port before changing the SSH configuration:
sudo ufw allow 3541/tcp
Step 2: Update SSH configuration to use the new port and restart the service.
Step 3: Test the new connection in a separate terminal before closing your current session.
Step 4: Once confirmed working, remove the old port rule:
sudo ufw delete allow 22/tcp
Keep the existing SSH session open until the new port accepts a second login cleanly. Remove the old rule only after that test succeeds.
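The two procedures above (allowing SSH before the first enable, and allowing the new port before changing sshd_config) share one failure mode: the allow rule must match the port sshd actually listens on. The following script is an added example, not code from the original guide: it derives the port(s) from the Port directives in an sshd_config file and adds the matching rules. It assumes ufw lives in /usr/sbin, that ListenAddress host:port forms are not used, and that DRY_RUN=1 means print the commands instead of running them.

```shell
# Added example: derive the port(s) sshd listens on from sshd_config and
# add matching UFW allow rules, so the rule exists before "ufw enable"
# or before a port change in sshd_config takes effect.
# Assumptions: ports come from "Port N" directives (ListenAddress host:port
# forms are not parsed); ufw lives in /usr/sbin; DRY_RUN=1 prints the
# commands instead of running them.

# Print each "Port" directive value, one per line; commented lines are
# skipped. With no directive, print 22 (the sshd built-in default).
ssh_ports_from_config() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -z "$ports" ]; then
        echo 22
    else
        echo "$ports"
    fi
}

# Add a TCP allow rule for every listening port found in the config file.
# Non-numeric values are reported and skipped rather than passed to ufw.
allow_ssh_ports() {
    for p in $(ssh_ports_from_config "$1"); do
        case "$p" in
            ''|*[!0-9]*)
                echo "skipping invalid port value '$p'" >&2
                continue ;;
        esac
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "ufw allow ${p}/tcp comment 'sshd listening port'"
        else
            /usr/sbin/ufw allow "${p}/tcp" comment 'sshd listening port'
        fi
    done
}

# Typical sequence on a live host (preview first, then apply, then enable).
# "ufw-ssh.sh" is a placeholder name for the file this block is saved as.
#   DRY_RUN=1; allow_ssh_ports /etc/ssh/sshd_config
#   sudo sh -c '. ./ufw-ssh.sh; allow_ssh_ports /etc/ssh/sshd_config'
#   sudo ufw enable
```

Run the preview against the edited sshd_config before restarting sshd, so the rule for the new port is already loaded when the old one is removed.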
Block SSH Access with UFW
Blocking SSH cuts off remote administration. Only use this rule when you still have local console access or another out-of-band way back into the machine.
To block all SSH connections:
sudo ufw deny ssh
Allow Ports with UFW
Web services usually need HTTP and HTTPS open alongside SSH. If you are still building the stack, install Nginx on Debian or install Apache on Debian first, then come back here to expose only the ports you need. For tighter web-layer filtering later, install ModSecurity with Apache on Debian or secure Nginx with Let’s Encrypt on Debian after the firewall basics are in place.
HTTP on port 80 can be opened in three different ways:
Allow by application profile:
sudo ufw allow 'Nginx HTTP'
Allow by service name:
sudo ufw allow http
Allow by port number:
sudo ufw allow 80/tcp
Each method produces the same result with confirmation output:
Rule added
Rule added (v6)
HTTPS on port 443 works the same way:
Allow by application profile:
sudo ufw allow 'Nginx HTTPS'
Allow by service name:
sudo ufw allow https
Allow by port number:
sudo ufw allow 443/tcp
Allow both web ports together with the combined profile when that matches your stack:
sudo ufw allow 'Nginx Full'
Allow UFW Port Ranges
You can allow individual ports and port ranges. When opening a port range, specify the protocol. Use TCP for connection-oriented services (web servers, SSH, databases) and UDP for stateless protocols (DNS, VPN, streaming media).
Open the range for both protocols with:
sudo ufw allow 6500:6800/tcp
sudo ufw allow 6500:6800/udp
If you only need a few ports, a comma-separated list is shorter:
sudo ufw allow 6500,6501,6505,6509/tcp
sudo ufw allow 6500,6501,6505,6509/udp
Allow IP-Based Access with UFW
UFW supports IP-based access control for restricting services to specific networks or hosts. This section covers allowing connections from individual IPs, subnets, and specific network interfaces.
Allow Specific IP Addresses with UFW
Allow a single client address when only one host should reach the system:
sudo ufw allow from 192.168.55.131
UFW confirms the rule:
Rule added
Allow a Specific IP Address on a UFW Port
Combine the source address with a single destination port when the service should stay private:
sudo ufw allow from 192.168.55.131 to any port 3900
Allow Subnet Connections on a UFW Port
Allow an entire subnet on one port with:
sudo ufw allow from 192.168.1.0/24 to any port 3900
As a result, this command allows every usable host address from 192.168.1.1 to 192.168.1.254 to connect to port 3900.
Allow a Specific Network Interface with UFW
Use the interface form when the host has multiple NICs and only one should accept the traffic:
sudo ufw allow in on eth2 to any port 3900
Overall, using these commands, you can easily allow remote connections to your system through UFW while maintaining its security.
Deny Remote Connections with UFW
If you’ve noticed suspicious or unwanted traffic coming from a particular IP address, you can deny connections from that address using UFW. UFW denies all incoming connections by default, but you can create rules to block connections from specific IPs or IP ranges.
Block one source address with:
sudo ufw deny from 203.13.56.121
The rule takes effect immediately:
Rule added
Furthermore, if an attacker is using multiple IP addresses within the same subnet to target your system, you can block the entire subnet by specifying the IP range in CIDR notation:
sudo ufw deny from 203.13.56.0/24
This command blocks all 256 addresses from 203.13.56.0 to 203.13.56.255.
Target only specific ports when you do not want to block every connection from that subnet:
sudo ufw deny from 203.13.56.0/24 to any port 80
sudo ufw deny from 203.13.56.0/24 to any port 443
Blocking incoming connections provides effective security, but IP spoofing can still bypass address-based filtering. Implement multiple security layers rather than relying solely on IP blocking.
Delete UFW Rules on Debian
Deleting unnecessary or unwanted UFW rules is essential for maintaining an organized and efficient firewall. You can delete UFW rules in two different ways. First, list your current rules with their numbers:
sudo ufw status numbered
The output displays numbered rules, making it easy to identify which rule to delete:
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 80/tcp ALLOW IN Anywhere
[ 3] 443/tcp ALLOW IN Anywhere
[ 4] 22/tcp (v6) ALLOW IN Anywhere (v6)
[ 5] 80/tcp (v6) ALLOW IN Anywhere (v6)
[ 6] 443/tcp (v6) ALLOW IN Anywhere (v6)
To delete a rule, specify its number. For example, to remove the HTTP rule (rule 2), run:
sudo ufw delete 2
UFW asks for confirmation before deleting:
Deleting:
allow 80/tcp
Proceed with operation (y|n)? y
Rule deleted
Alternatively, delete a rule by specifying the original command with delete added:
sudo ufw delete allow 443/tcp
When you delete a rule, the remaining entries are renumbered. Run sudo ufw status numbered again before deleting anything else so you do not target the wrong line.
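The renumbering described above bites when a rule exists twice (an IPv4 entry and its (v6) twin) and you want both gone. The following functions are an added example, not code from the original guide: they read the numbered status, find every rule whose To column matches a spec such as 80/tcp, and delete the highest number first so earlier deletions never shift a pending target. It assumes the numbered output format shown above, ufw in /usr/sbin, and DRY_RUN=1 to print instead of run.

```shell
# Added example: delete every numbered rule whose "To" column matches a
# port spec, highest number first, so the renumbering that follows each
# deletion never shifts a rule that is still waiting to be deleted.
# Assumptions: input is "ufw status numbered" text on stdin in the format
# shown in this guide; ufw lives in /usr/sbin; DRY_RUN=1 prints commands.

# Print the rule numbers whose first "To" token equals the spec, in
# descending order. Matches both the IPv4 line and its "(v6)" twin.
rule_numbers_for() {
    awk -v spec="$1" '
        /^\[ *[0-9]+\]/ {
            n = $0
            sub(/^\[ */, "", n)          # drop "[ "
            sub(/\].*$/, "", n)          # keep only the number
            rest = $0
            sub(/^\[ *[0-9]+\] */, "", rest)
            split(rest, f, " ")
            if (f[1] == spec) print n
        }' | sort -rn
}

# Delete the matched rules. "--force" skips the per-rule confirmation
# prompt, which is why the numbers must be correct before this runs.
delete_rules_matching() {
    for n in $(rule_numbers_for "$1"); do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "ufw --force delete $n"
        else
            /usr/sbin/ufw --force delete "$n"
        fi
    done
}

# Live usage (preview first):
#   DRY_RUN=1; sudo ufw status numbered | delete_rules_matching 80/tcp
#   unset DRY_RUN; sudo ufw status numbered | sudo sh -c '. ./ufw-del.sh; delete_rules_matching 80/tcp'
# ("ufw-del.sh" is a placeholder name for the file this block is saved as.)
```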
View UFW Logs on Debian
The UFW firewall logs all events. Review these logs periodically to identify potential security breaches or troubleshoot network issues. By default, UFW logging is set to low, which is adequate for most desktop systems. However, servers may require a higher level of logging to capture more details.
Adjust logging to low, medium, high, or fully off depending on how much detail you need. Start with the low level first:
sudo ufw logging low
Expected output:
Logging enabled
To set UFW logging to medium:
sudo ufw logging medium
To set UFW logging to high:
sudo ufw logging high
Finally, to disable logging entirely:
sudo ufw logging off
The logging levels capture different amounts of detail:
- Low: Logs blocked packets not matching default policy
- Medium: Adds logging for packets matching rules (allows and denies)
- High: Logs all packets with rate limiting disabled
UFW writes logs to /var/log/ufw.log when rsyslog is installed; without it, the same kernel log messages are available through journalctl. Tail the last 30 lines with:
sudo tail -n 30 /var/log/ufw.log
Reviewing the logs can help you determine which IP addresses are attempting to connect to your system and identify any suspicious or unauthorized activities. Furthermore, reviewing the logs can help you understand network traffic patterns, optimize network performance, and identify any issues that may arise.
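Reading raw [UFW BLOCK] lines does not show which sources or ports recur. The following is an added example, not code from the original guide: it summarises blocked packets by protocol, destination port and source address, reading log text on stdin so it works on /var/log/ufw.log or on journalctl -k output. It assumes the standard UFW kernel log format with SRC=, DPT= and PROTO= fields; the sample lines are constructed with documentation addresses.

```shell
# Added example: summarise [UFW BLOCK] entries so repeat sources and
# probed ports stand out. Reads log text on stdin.
# Assumption: standard UFW log format with SRC=, DPT= and PROTO= fields.

# Print "count PROTO DPT SRC", most frequent first, for blocked packets.
# [UFW ALLOW] and [UFW AUDIT] lines are ignored.
ufw_block_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = "-"; proto = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src != "") count[proto " " dpt " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn -k1,1
}

# Count blocked packets whose SRC= field equals the given address exactly
# (no substring or regex matching, so 203.0.113.7 does not match .70).
ufw_blocks_from() {
    awk -v want="$1" '
        /\[UFW BLOCK\]/ {
            for (i = 1; i <= NF; i++) if ($i == ("SRC=" want)) n++
        }
        END { print n + 0 }'
}

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_UFW_LOG='Apr  2 10:09:18 debian kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.50.45 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  2 10:09:19 debian kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.50.45 LEN=40 PROTO=TCP SPT=51235 DPT=22 SYN URGP=0
Apr  2 10:09:20 debian kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.50.45 LEN=40 PROTO=TCP SPT=51236 DPT=22 SYN URGP=0
Apr  2 10:09:21 debian kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.50.45 LEN=40 PROTO=TCP SPT=51237 DPT=23 SYN URGP=0
Apr  2 10:09:22 debian kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.50.45 LEN=40 PROTO=TCP SPT=40000 DPT=3389 SYN URGP=0
Apr  2 10:09:23 debian kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.10 DST=192.168.50.45 LEN=40 PROTO=TCP SPT=40001 DPT=80 SYN URGP=0'

# Offline check with the sample:
#   printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_block_summary
# Live host: sudo cat /var/log/ufw.log | ufw_block_summary | head
# Without rsyslog:  sudo journalctl -k | ufw_block_summary | head
```

The summary is a triage aid only: a high count from one source at one port tells you where to look, not that the packets were malicious.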
Test UFW Rules Before Applying Changes
The --dry-run flag previews changes without applying them, useful for critical systems where mistakes could cause lockouts or service disruptions.
Test firewall state changes:
sudo ufw --dry-run enable
Test adding a rule:
sudo ufw --dry-run allow 8080/tcp
Relevant output begins with the generated filter table instead of applying it to the live firewall:
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
### RULES ###
Review the generated rules, then rerun the command without --dry-run when the preview matches what you intended.
Reset UFW Rules on Debian
Resetting UFW deletes every saved rule, including the SSH allow rule. Only do this from a local console or another session where you can recover immediately.
Reset UFW only when you want to wipe the saved rules and start over:
sudo ufw reset
Relevant output includes the confirmation prompt and the timestamped backups written into /etc/ufw/:
Resetting all rules to installed defaults. This may disrupt existing ssh connections. Proceed with operation (y|n)? y
Backing up 'user.rules' to '/etc/ufw/user.rules.20260402_100918'
Backing up 'before.rules' to '/etc/ufw/before.rules.20260402_100918'
Backing up 'after.rules' to '/etc/ufw/after.rules.20260402_100918'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20260402_100918'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20260402_100918'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20260402_100918'
Verify the reset completed:
sudo ufw status
Status: inactive
After a reset, UFW is inactive and all rules are cleared. The backup filenames always carry the time of the reset, so your timestamp will differ from the example above. To bring the firewall back online, allow SSH first and then enable UFW again:
sudo ufw allow ssh
sudo ufw enable
Scan Open Ports on Debian with Nmap
Your system’s security should be a top priority, and one way to ensure it is by checking for open ports regularly. UFW blocks all incoming connections by default, but sometimes ports may be left open inadvertently or for legitimate reasons. In this case, knowing which ports are open and why is essential.
Nmap is the easiest way to check whether the ports you meant to expose are actually reachable. If you want a full walkthrough for the scanner itself, see how to install Nmap on Debian.
sudo apt install nmap
Start by identifying the host address you want to scan:
hostname -I
Example output:
192.168.50.45
Scan that address from another machine on the same network:
nmap 192.168.50.45
Nmap scans your system and lists all open ports. Example output:
Starting Nmap 7.x ( https://nmap.org )
Nmap scan report for 192.168.50.45
Host is up (0.00012s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
If you find any open ports you are unsure about, investigate them before closing or blocking them, as it may break services or lock you out of your system.
Once you know which ports are actually open, you can tighten or remove the matching UFW rules instead of guessing.
Disable or Remove UFW on Debian
Temporarily Disable UFW on Debian
Disabling UFW stops the live firewall rules but keeps the saved configuration on disk.
Disabling UFW opens the machine to whatever the rest of the network allows. Use this only for short troubleshooting windows and turn the firewall back on as soon as the test is finished.
To disable UFW temporarily:
sudo ufw disable
Expected output:
Firewall stopped and disabled on system startup
Your firewall rules are preserved. To re-enable UFW:
sudo ufw enable
Remove UFW on Debian
Before removing the package, stop the firewall and clear the saved rule set so you know exactly what state you are leaving behind:
sudo ufw disable
sudo ufw reset
Remove only the package itself first:
sudo apt remove ufw
Review what sudo apt autoremove would remove before you run it here. On reused Debian systems, autoremove can also select older kernel packages, so it is not a safe step to run blindly as part of a firewall cleanup.
Refresh the package cache and verify removal:
sudo apt update
apt-cache policy ufw
Expected output confirming the package is gone on Debian 13:
ufw:
Installed: (none)
Candidate: 0.36.2-9
Version table:
0.36.2-9 500
500 http://deb.debian.org/debian trixie/main amd64 Packages
100 /var/lib/dpkg/status
Debian 12 shows 0.36.2-1 as the candidate, and Debian 11 shows 0.36-7.1. The important line after removal is Installed: (none). The trailing 100 /var/lib/dpkg/status entry is only local package history, not proof that UFW is still installed.
Removing UFW leaves Debian without this front end for firewall rules. If you want a zone-based replacement, install firewalld on Debian. If you want mandatory access control beyond network filtering, install SELinux on Debian as a separate hardening layer.
Troubleshoot Common UFW Issues on Debian
Most UFW problems on Debian come down to one of three things: SSH access was not allowed before the firewall was enabled, Docker inserted its own packet rules ahead of UFW, or a later rule is shadowing the one you expected to match.
Locked Out After Enabling UFW on Debian
If you enabled UFW on a remote server without allowing SSH first, you cannot connect remotely. Access the server through a local console or recovery mode, then allow SSH:
sudo ufw allow ssh
sudo ufw reload
Verify the rule appears in the status output:
sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 22/tcp (v6) ALLOW IN Anywhere (v6)
UFW Conflicts with Docker on Debian
Docker modifies iptables directly, bypassing UFW rules. Container ports remain accessible from external networks even when UFW appears to block them. This occurs because Docker inserts its rules before UFW rules in the iptables chain.
Do not set "iptables": false in Docker’s daemon.json. While this stops Docker from modifying iptables, it also breaks container networking entirely. Containers cannot communicate with each other or the host, and published ports stop working.
The recommended approach uses the DOCKER-USER chain, which Docker processes before its own rules. Add rules to /etc/ufw/after.rules before the final COMMIT line in the *filter section:
sudo nano /etc/ufw/after.rules
Insert this block immediately before the final COMMIT line inside the existing *filter section:
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16
-A DOCKER-USER -p tcp -m tcp --dport 0:65535 -j DROP
This configuration lets traffic from the private ranges used by Docker's internal networks through and drops every other TCP connection to container ports. Note that the final rule matches only TCP, so published UDP ports are not covered by it. Adjust the IP ranges if your Docker networks use different subnets. Reload UFW after changes:
sudo ufw reload
For detailed Docker networking and firewall configuration, see the official Docker iptables documentation.
UFW Rules Not Taking Effect on Debian
After adding rules, reload UFW to ensure changes apply:
sudo ufw reload
If rules still do not work, check rule order with sudo ufw status numbered. UFW evaluates rules from top to bottom, so an earlier deny rule can block a later allow rule even when both look correct on their own.
UFW on Debian FAQ
No. Debian 13, 12, and 11 do not install ufw by default. Install the ufw package from Debian’s default APT sources before you try to enable or configure rules.
On minimal or server-oriented Debian shells, ufw lives in /usr/sbin/ufw, and an unprivileged user PATH may not include /usr/sbin. Use sudo ufw ..., call /usr/sbin/ufw directly, and confirm the package is present with apt-cache policy ufw if the error continues.
Debian does not preinstall UFW. UFW is a front end, while the underlying backend can still be nftables through Debian’s iptables-compatible layer, so the practical rule is to manage the firewall with the verified ufw commands and let Debian handle the backend details.
Yes. After UFW is enabled, the firewall starts automatically on boot and keeps the saved rules. Verify the state after a reboot with sudo ufw status verbose and make sure your SSH allow rule is still present before you close any recovery or console session.
Conclusion
UFW is now ready on Debian with SSH protected, sensible default policies in place, and enough rule patterns to handle the usual web, subnet, and logging tasks without dropping into raw firewall syntax. For the next hardening step, install Fail2ban on Debian, or add deeper HTTP filtering later with install ModSecurity with Apache on Debian.
Thank you