ConfigClarity

Free browser-based DevOps audit tools — no signup, nothing leaves your browser

UFW inactive — but ports are still filtered

UFW is off, but your server isn't wide open — here's why

Not always a problem: Cloud providers (Hetzner, DigitalOcean, AWS) often have a network-level firewall outside your server. UFW being inactive doesn't necessarily mean you're exposed.

Why ports appear closed without UFW

Three layers can block ports independently of UFW:

  1. Cloud provider firewall — Hetzner Cloud, DigitalOcean, Vultr, and AWS all have a firewall in their control panel that blocks traffic before it reaches your server
  2. Raw iptables rules — UFW is a wrapper. iptables may have rules loaded from another source
  3. Application not listening โ€” If nothing is listening on a port, connections are refused regardless of firewall state

How to safely enable UFW

Critical: Always allow SSH before enabling UFW. Otherwise you will lock yourself out.
✅ Safe UFW setup sequence
# 1. Allow SSH first — do this BEFORE enabling UFW
sudo ufw allow 22/tcp comment "SSH"

# 2. Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# 3. Allow your services
sudo ufw allow 80/tcp comment "HTTP"
sudo ufw allow 443/tcp comment "HTTPS"

# 4. Enable UFW
sudo ufw enable

# 5. Verify
sudo ufw status verbose

Check what's actually protecting you now

# Check raw iptables rules
sudo iptables -L -n -v

# Check what's listening on what ports
sudo ss -tlnp

# Test from outside (turn off Wi-Fi, use mobile data)
nmap -p 22,80,443,3306,5432 YOUR_SERVER_IP
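The two procedures above (allow SSH before `ufw enable`, then compare listening ports with the rules) can be wrapped in a small preflight script. This is an added example, not part of the original page or the Firewall Auditor tool; it assumes bash, `ss`, `sudo` and `ufw`, and that the session came in over SSH so `$SSH_CONNECTION` is set.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): refuse to run `ufw enable`
# unless the current SSH session's port already has an ALLOW rule, then
# list non-loopback listening ports for comparison with the rule set.

# Extract the server-side port from $SSH_CONNECTION
# ("client_ip client_port server_ip server_port"). Fails if not set.
ssh_port_from_connection() {
  set -- $1
  [ $# -eq 4 ] || return 1
  printf '%s\n' "$4"
}

# 0 if the `ufw status` text ($2) has an ALLOW rule for TCP port $1
# (either "22/tcp" or a bare "22"); matches plain and verbose output.
ufw_allows_tcp_port() {
  printf '%s\n' "$2" | grep -Eq "^$1(/tcp)?[[:space:]]+ALLOW( IN)?"
}

# Combine the two: 0 if the session's SSH port is covered, 1 if not,
# 2 if no SSH connection info is available.
ssh_port_is_covered() {
  local port
  port=$(ssh_port_from_connection "$1") || return 2
  ufw_allows_tcp_port "$port" "$2"
}

# From `ss -tln` output, print TCP ports listening on a non-loopback
# address (reachable unless something outside UFW blocks them).
listening_public_ports() {
  printf '%s\n' "$1" | awk '$1 == "LISTEN" {
      n = split($4, a, ":"); port = a[n]
      if ($4 !~ /^127\./ && $4 !~ /^\[::1\]/) print port
    }' | sort -un
}

# Live run: abort before `ufw enable` if this session would be locked out.
preflight_enable() {
  local status
  status=$(sudo ufw status)
  if ! ssh_port_is_covered "${SSH_CONNECTION:-}" "$status"; then
    echo "refusing to enable UFW: no ALLOW rule for this session's SSH port" >&2
    return 1
  fi
  echo "Listening on non-loopback addresses; compare with 'ufw status':"
  listening_public_ports "$(ss -tln)"
  sudo ufw enable
}
```

Run `preflight_enable` instead of a bare `sudo ufw enable`; a listening port that is not in the `ufw status` output is one that only the cloud firewall or raw iptables is protecting.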

Audit your UFW rules

Paste your sudo ufw status verbose output and the Firewall Auditor flags high-risk ports, missing default-deny, IPv4/IPv6 mismatches, and nftables conflicts.

Open Firewall Auditor →

Frequently Asked Questions

I enabled UFW and now I can't SSH in — what do I do?

Use your cloud provider's rescue console (Hetzner Rescue, DigitalOcean Recovery, AWS Systems Manager) to get terminal access without SSH. Then run sudo ufw allow 22/tcp and sudo ufw reload. Always add the SSH rule before enabling UFW.

Should I use UFW or my cloud provider's firewall?

Both, ideally. The cloud firewall blocks traffic before it reaches your server (better performance), and because it sits outside the host, Docker's iptables rules cannot bypass it. UFW provides a second layer inside the server.

Does UFW work with Docker?

Only partially. Docker bypasses UFW by inserting iptables rules directly. Ports mapped with ports: in docker-compose.yml are publicly accessible regardless of UFW rules. Use 127.0.0.1:PORT:PORT binding to restrict Docker ports to localhost.