Linux VPS Firewall Setup Guide (UFW & firewalld) - Evoxt

This guide covers a concise Linux VPS firewall setup for Evoxt customers, including how to install the firewall tools (UFW and firewalld), allow custom ports, and remove or deny rules safely. Follow these steps to avoid locking yourself out and to manage runtime vs permanent rules correctly.

Why this matters

  • Allowing only required ports reduces exposure to attacks.
  • Knowing how to remove or deny a port prevents unauthorized access.
  • Understanding runtime vs permanent rules avoids unexpected behavior after reboot.

Quick safety checklist (always do this first)

  • Allow your SSH port before enabling the firewall (or you may lock yourself out).
  • Keep a separate console/VNC session or another working SSH session open while testing.
  • Prefer testing with a non-root user if possible.

UFW (Ubuntu / Debian)

Install & enable

sudo apt update
sudo apt install ufw -y

# ensure SSH is allowed first ("ssh" means 22/tcp; if sshd listens on another port, allow that port/tcp instead):
sudo ufw allow ssh

# enable firewall
sudo ufw enable

Allow a custom port (example: 12345)

Allow TCP port 12345:
sudo ufw allow 12345/tcp
Allow UDP port 12345:
sudo ufw allow 12345/udp
Allow a port from a specific IP only (example: allow 12345 from 203.0.113.5):
sudo ufw allow from 203.0.113.5 to any port 12345 proto tcp

Check rules and status

sudo ufw status numbered
sudo ufw status verbose

Remove or deny a rule

Remove a previously added allow rule. Deleting by rule number is the most reliable way, because it removes exactly the listed rule; note that UFW renumbers the remaining rules after each deletion, so run status numbered again before deleting another one:
# see rule numbers
sudo ufw status numbered

# delete rule by number (example deletes rule #3)
sudo ufw delete 3
Or delete by exact rule text:
sudo ufw delete allow 12345/tcp
To explicitly block (deny) a port:
sudo ufw deny 12345/tcp

Notes about UFW

  • UFW applies rules immediately. ufw enable persists across reboots.
  • Use sudo ufw logging on to view blocked attempts in /var/log/ufw.log.
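
Two UFW steps above deserve a check before they are run on a live server: enabling the firewall only after the port sshd really listens on is allowed, and deleting by rule number when several rules match one port (UFW renumbers the rest after every deletion, so ascending deletion removes the wrong rules). The following script is an added example, not code from the Evoxt guide or from UFW; it parses a constructed sshd_config excerpt and a constructed "ufw status numbered" listing (both assumed to have the layout shown) and only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not part of the Evoxt guide or of UFW itself.
# Two helpers for the steps above that most often go wrong:
#  1. enabling UFW before the port sshd really listens on is allowed;
#  2. deleting by rule number when more than one rule matches a port
#     (ufw renumbers the remaining rules after every deletion).
# Assumptions: the "ufw status numbered" layout shown in SAMPLE_STATUS, and an
# sshd_config that sets the port with a plain "Port N" line.

# Constructed sshd_config excerpt (not from a real host).
SAMPLE_SSHD_CONFIG='#Port 22
Port 2222
PermitRootLogin no'

# Constructed "sudo ufw status numbered" output (not from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 12345/tcp                  ALLOW IN    Anywhere
[ 3] 12345/udp                  ALLOW IN    Anywhere
[ 4] 12345/tcp                  ALLOW IN    203.0.113.5
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 12345/tcp (v6)             ALLOW IN    Anywhere (v6)'

# Print the first uncommented "Port" value in sshd_config text, default 22.
# Caveat: Include drop-ins and multiple Port lines are not followed; on the
# live host, "sshd -T | grep -i '^port'" shows the effective value.
sshd_port() {
  port=$(printf '%s\n' "$1" | awk '$1 == "Port" { print $2; exit }')
  printf '%s\n' "${port:-22}"
}

# Emit the enable sequence in the only safe order: allow SSH, then enable.
# "ufw allow ssh" opens 22/tcp; a custom port must be allowed explicitly.
ufw_enable_plan() {
  printf 'sudo ufw allow %s/tcp\nsudo ufw enable\n' "$(sshd_port "$1")"
}

# Print the numbers of all rules whose "To" column is $2 (e.g. 12345/tcp),
# highest first. This matches the IPv6 twin and any per-source rule for the
# same port as well, which is what "remove everything for this port" needs.
ufw_rule_numbers() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^\[/ && index($0, "]") > 0 {
      cb = index($0, "]")
      num = substr($0, 2, cb - 2) + 0          # "[ 4]" -> 4
      split(substr($0, cb + 1), f, " ")         # f[1] is the "To" column
      if (f[1] == want) print num
    }' | sort -rn
}

# One "ufw delete N" per match, descending, so earlier deletions never shift
# the numbers of the rules still to be deleted.
ufw_delete_plan() {
  ufw_rule_numbers "$1" "$2" | awk '{ print "sudo ufw delete " $1 }'
}

# Dry run on the constructed samples; nothing here touches the live firewall.
echo "# enable sequence:";        ufw_enable_plan "$SAMPLE_SSHD_CONFIG"
echo "# delete all 12345/tcp:";   ufw_delete_plan "$SAMPLE_STATUS" 12345/tcp
```

On a real host, feed the functions live data instead of the samples, for example ufw_delete_plan "$(sudo ufw status numbered)" 12345/tcp, and review the printed commands before pasting them; keeping the plan as text is what makes it safe to run from a session you could otherwise lock out of.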

firewalld (AlmaLinux / Rocky / CentOS / RHEL)

Install & enable

sudo dnf install firewalld -y
sudo systemctl enable --now firewalld

Zone basics

firewalld uses zones (default is usually public). You can add ports/services to the active zone or to a specific zone.
# show default zone
sudo firewall-cmd --get-default-zone

# show the default zone's full configuration (interfaces, services, ports, rich rules)
sudo firewall-cmd --list-all

Allow a custom port (example: 12345)

Permanent (written to the saved configuration; enforced after --reload and kept across reboots):
sudo firewall-cmd --permanent --add-port=12345/tcp
sudo firewall-cmd --reload
Runtime only (enforced immediately, but lost at the next reload or reboot):
sudo firewall-cmd --add-port=12345/tcp

Allow HTTPS (example)

sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

Check ports and services

sudo firewall-cmd --list-ports
sudo firewall-cmd --list-services
sudo firewall-cmd --list-all

Remove or deny a port

Remove a permanently added port:
sudo firewall-cmd --permanent --remove-port=12345/tcp
sudo firewall-cmd --reload
Remove a runtime-only port:
sudo firewall-cmd --remove-port=12345/tcp
Remove a service (e.g., HTTPS):
sudo firewall-cmd --permanent --remove-service=https
sudo firewall-cmd --reload

Notes about firewalld

  • Use --permanent to persist across reboots, then --reload to apply; without --permanent a rule is runtime-only and disappears at the next reload or reboot.
  • Use zones to apply different policies to interfaces or networks.
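
The runtime/permanent split is where firewalld surprises people: a port added without --permanent is enforced until the next reload or reboot and then vanishes, while a port added with --permanent but never reloaded is saved yet not enforced. The script below is an added example, not code from the Evoxt guide or from firewalld; it compares the two views and prints the commands that reconcile them. It assumes the inputs are the space-separated lists that firewall-cmd --list-ports and firewall-cmd --permanent --list-ports print, and the values it runs on are constructed rather than read from a host.

```shell
#!/bin/sh
# Added example, not part of the Evoxt guide or of firewalld itself.
# Compares firewalld's runtime and permanent port lists and reports the drift
# between them, so a port added without --permanent (lost at the next reboot
# or --reload) or added with --permanent but never reloaded (not enforced yet)
# is caught before it surprises you. Inputs are the space-separated lists that
# "firewall-cmd --list-ports" and "firewall-cmd --permanent --list-ports"
# print; the values used below are constructed, not read from a host.

# Print "runtime-only PORT" / "permanent-only PORT" lines, sorted.
# Exit status 0 when both views agree, 1 when they differ.
firewalld_port_drift() {
  drift=$(awk -v rt="$1" -v pm="$2" 'BEGIN {
    n = split(rt, a, " "); for (i = 1; i <= n; i++) r[a[i]] = 1
    n = split(pm, b, " "); for (i = 1; i <= n; i++) p[b[i]] = 1
    for (k in r) if (!(k in p)) print "runtime-only " k     # enforced now, gone after reboot
    for (k in p) if (!(k in r)) print "permanent-only " k   # saved, not enforced until --reload
  }' | sort)
  [ -n "$drift" ] && printf '%s\n' "$drift"
  [ -z "$drift" ]
}

# Turn the drift report into the commands that reconcile it. Runtime-only
# ports are assumed to be wanted and are persisted; if one was only a quick
# test, use --remove-port on it instead. Any permanent-only entry just needs
# a --reload.
firewalld_drift_fix() {
  firewalld_port_drift "$1" "$2" | awk '
    $1 == "runtime-only"   { print "sudo firewall-cmd --permanent --add-port=" $2 }
    $1 == "permanent-only" { need_reload = 1 }
    END { if (need_reload) print "sudo firewall-cmd --reload" }'
}

# Constructed outputs of the two list-ports commands.
RUNTIME_PORTS='22/tcp 12345/tcp'
PERMANENT_PORTS='22/tcp 8443/tcp'

# On a real host:
#   firewalld_drift_fix "$(sudo firewall-cmd --list-ports)" \
#                       "$(sudo firewall-cmd --permanent --list-ports)"
firewalld_port_drift "$RUNTIME_PORTS" "$PERMANENT_PORTS" || echo "# drift found, fix with:"
firewalld_drift_fix "$RUNTIME_PORTS" "$PERMANENT_PORTS"
```

Because firewalld_port_drift returns non-zero on any difference, it also works as a pre-reboot check in a maintenance script: a clean exit means what is enforced now is exactly what will come back after the reboot.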

Testing your port rules (from another machine)

Use nc (netcat) to test TCP ports:
# test port 12345
nc -zv YOUR-SERVER-IP 12345

Result meanings:

  • Connection succeeded — port open & allowed
  • Connection refused — service not listening on that port
  • Connection timed out — port likely filtered/blocked by firewall or network-level filter

Check UFW logs if UFW is expected to block:
sudo ufw logging on
sudo tail -f /var/log/ufw.log
For firewalld, enable logging of denied packets. They are written by the kernel's netfilter logging, not by the firewalld service, so read the kernel log:
sudo firewall-cmd --set-log-denied=all
sudo journalctl -k -f
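
Tailing the log answers "is the firewall blocking my test right now"; for anything beyond one test it helps to aggregate. The script below is an added example, not code from the Evoxt guide or from either firewall; it summarises blocked attempts per source and destination port from the kernel netfilter log lines that both UFW and firewalld's log-denied rules emit. It assumes only that such lines carry SRC= and DPT= fields and a prefix containing BLOCK, REJECT or DROP; the log lines it runs on are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the Evoxt guide or of either firewall's tooling.
# Summarises blocked connection attempts from the kernel netfilter log lines
# that UFW ("[UFW BLOCK]") and firewalld's log-denied rules both produce.
# Only the SRC= and DPT= fields are parsed and a line counts when its prefix
# contains BLOCK, REJECT or DROP, so the exact prefix wording is not relied
# on. The log lines below are constructed, not captured from a real host.

SAMPLE_LOG='Jan 10 12:00:01 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=44321 DPT=12345 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 vps kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=44322 DPT=12345 SYN URGP=0
Jan 10 12:00:03 vps kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=51000 DPT=23 SYN URGP=0
Jan 10 12:00:04 vps kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=44323 DPT=12345 SYN URGP=0
Jan 10 12:00:05 vps kernel: [UFW ALLOW] IN=eth0 OUT= SRC=203.0.113.5 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0'

# Print "SRC DPT COUNT" for every source/port pair blocked at least $2 times
# (default 1), most frequent first. Allowed traffic ("[UFW ALLOW]", logged
# only at higher ufw logging levels) is ignored.
blocked_summary() {
  printf '%s\n' "$1" | awk -v min="${2:-1}" '
    /BLOCK|REJECT|DROP/ {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
        if (substr($i, 1, 4) == "DPT=") dpt = substr($i, 5)
      }
      if (src != "" && dpt != "") count[src " " dpt]++
    }
    END { for (k in count) if (count[k] >= min) print k, count[k] }' \
  | sort -k3,3nr -k1,1
}

# On a real host:
#   blocked_summary "$(sudo tail -n 1000 /var/log/ufw.log)" 5               # UFW
#   blocked_summary "$(sudo journalctl -k --since '1 hour ago' --no-pager)" 5   # firewalld
echo "# all blocked source/port pairs:"; blocked_summary "$SAMPLE_LOG"
echo "# pairs seen at least twice:";     blocked_summary "$SAMPLE_LOG" 2
```

The threshold argument is what turns this from a curiosity into a check: a port you just denied showing up with a high count from one source is worth a second look at that source, while your own test machine appearing once against the port you are testing is exactly the "Connection timed out" case from the table above.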

Quick commands

UFW

sudo apt install ufw -y
sudo ufw allow ssh
sudo ufw enable

# allow custom TCP/UDP port
sudo ufw allow 12345/tcp
sudo ufw allow 12345/udp

# allow from specific IP
sudo ufw allow from 203.0.113.5 to any port 12345 proto tcp

# remove by rule number
sudo ufw status numbered
sudo ufw delete [number]

# delete by rule
sudo ufw delete allow 12345/tcp

# explicitly deny
sudo ufw deny 12345/tcp

# status
sudo ufw status verbose

firewalld

sudo dnf install firewalld -y
sudo systemctl enable --now firewalld

# allow custom TCP port permanently
sudo firewall-cmd --permanent --add-port=12345/tcp
sudo firewall-cmd --reload

# allow runtime-only
sudo firewall-cmd --add-port=12345/tcp

# remove permanent port
sudo firewall-cmd --permanent --remove-port=12345/tcp
sudo firewall-cmd --reload

# allow a service (HTTPS)
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

# list rules
sudo firewall-cmd --list-ports
sudo firewall-cmd --list-services
