Firewall checklist
Topic: Networking basics
Summary
Use this checklist when enabling or changing a host firewall: allow SSH (or admin port) first, set default deny inbound, allow only required ports and established/related, verify rule order, test in a second session, and document rules. Avoid lockout and over-permissive rules by following the steps in order. References UFW, allow/deny, verify, and lock-down guides.
Intent: Checklist
Quick answer
- Before enabling: add allow for SSH (or your admin port); confirm the port with ss -tlnp. Set default deny incoming and allow outgoing; allow established/related so return traffic is permitted. Do not enable until SSH allow is in place.
- Rule order: allow established/related first; then allow SSH and required service ports; then default drop or deny. First match wins; if deny or drop is before an allow for the same traffic, that traffic is blocked.
- After enabling: open a second session and log in; list rules (ufw status, nft list ruleset); test allowed ports from a client and test that denied ports do not connect; document the policy and any changes.
Prerequisites
Steps
- Allow SSH before enabling: Add allow 22/tcp (or the port sshd uses). Confirm with ss -tlnp | grep ssh. Do not set default deny or enable the firewall until this rule is present. Have console or a second session ready.
- Set defaults and required allows: Default deny incoming; default allow outgoing. Add allow established/related. Add allow rules only for ports you need (e.g. 80, 443). Ensure these allow rules are evaluated before any broad deny or default drop.
- Enable and verify: Enable the firewall (ufw enable or reload nftables). Open a second SSH session and confirm login. List rules; test allowed ports from a client; test that a denied port does not connect. Document the policy.
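The three steps above, in checklist order, as an added example (not part of the original checklist and not ufw's own tooling): the sshd port is read from `ss -tlnp` output so a non-default admin port is not locked out, the ufw commands are emitted as a plan with the SSH allow first and `enable` last, and nothing is executed unless the script is run with `apply`. It assumes ufw is the host firewall; the sample `ss` output, port 2222 and the service ports 80/443 are constructed values. With ufw, established/related return traffic is already accepted by its built-in before.rules, so no separate rule is emitted for it; with raw nftables you add that rule yourself.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes ufw as the host
# firewall. Prints the command plan by default; runs it as root with "apply".

# Extract the TCP port sshd listens on from `ss -tlnp` text read from stdin.
# Handles the "0.0.0.0:22", "*:2222" and "[::]:22" address forms.
sshd_port_from_ss() {
    awk '/users:\(\("sshd"/ { n = split($4, a, ":"); print a[n]; exit }'
}

# Emit ufw commands in the order the checklist requires:
# SSH allow first, then defaults, then required service ports, then enable.
# usage: ufw_plan SSH_PORT [PORT/PROTO ...]
ufw_plan() {
    ssh_port="$1"; shift
    if [ -z "$ssh_port" ]; then
        echo "refusing to build a plan: sshd port unknown (would lock you out)" >&2
        return 1
    fi
    echo "ufw allow ${ssh_port}/tcp"
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for p in "$@"; do
        echo "ufw allow ${p}"
    done
    echo "ufw --force enable"      # --force skips the interactive prompt
}

# Constructed sample of `ss -tlnp` output (not captured from a real host);
# sshd is on 2222 here to show the non-default-port case.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:443               *:*               users:(("nginx",pid=901,fd=6))
LISTEN 0      128    [::]:2222           [::]:*            users:(("sshd",pid=812,fd=4))'

main() {
    mode="${1:-plan}"
    if [ "$mode" = apply ]; then
        port=$(ss -tlnp | sshd_port_from_ss)
    else
        port=$(printf '%s\n' "$SAMPLE_SS" | sshd_port_from_ss)
    fi
    plan=$(ufw_plan "$port" 80/tcp 443/tcp) || exit 1
    if [ "$mode" = apply ]; then
        # Execute in order; stop at the first failure so enable never runs
        # without the SSH allow already in place.
        printf '%s\n' "$plan" | while read -r cmd; do
            echo "+ $cmd"
            $cmd || exit 1
        done
    else
        echo "sshd port detected: $port"
        echo "plan (run with 'apply' as root to execute):"
        printf '%s\n' "$plan"
    fi
}

main "$@"
```

Run it once without arguments to review the plan, then `sudo sh firewall-plan.sh apply` from a session you can afford to lose, with a second session or console open as the checklist says.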
Summary
Checklist for enabling or changing a host firewall: allow SSH first, set default deny and only required allows, verify order and test in a second session, then document. Use this to avoid lockout and over-permissive rules.
Prerequisites
- What a firewall actually does.
- How to allow a port safely.
- Lock down a server to SSH only.
- How to verify firewall rules.
Steps
Step 1: Allow SSH before enabling
Add allow for 22/tcp (or the port sshd uses). Confirm with ss -tlnp. Do not enable or set default deny until this rule is in place. Keep console or a second session open.
Step 2: Set defaults and required allows
Default deny incoming; default allow outgoing. Allow established/related. Allow only the ports you need. Ensure these allows are before any broad deny or default drop.
Step 3: Enable and verify
Enable the firewall. Log in via a second SSH session. List rules; test allowed and denied ports from a client. Document the policy.
Verification
- SSH works; only intended ports are allowed; rule order is correct; policy is documented.
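The verification points above as an automated check, added here as an example (not from the original page and not part of ufw): it reads the text of `ufw status verbose`, confirms the firewall is active with default deny incoming, confirms an ALLOW rule exists for the SSH port, and flags any ALLOW rule whose port is not on the expected list (including a blanket `Anywhere` allow). It assumes ufw's status output format; both status samples are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Lints `ufw status verbose`
# text against the checklist's verification points.

# usage: ufw status verbose | check_ufw_status SSH_PORT [EXPECTED_PORT ...]
# Ports are bare numbers. Prints findings; returns 0 only when every check passes.
check_ufw_status() {
    ssh_port="$1"; shift
    expected="$ssh_port $*"
    text=$(cat)
    rc=0

    case "$text" in
        *"Status: active"*) ;;
        *) echo "FAIL: firewall is not active"; rc=1 ;;
    esac
    case "$text" in
        *"Default: deny (incoming)"*) ;;
        *) echo "FAIL: default incoming policy is not deny"; rc=1 ;;
    esac

    # Rule lines look like "22/tcp   ALLOW IN   Anywhere"; drop the "(v6)"
    # markers so IPv6 rows parse the same way, then keep ALLOW targets.
    allows=$(printf '%s\n' "$text" | awk '{ gsub(/ \(v6\)/, ""); if ($2 == "ALLOW") print $1 }')

    ssh_ok=0
    for t in $allows; do
        port=${t%%/*}          # "443/tcp" -> "443"; "Anywhere" stays as-is
        case " $expected " in
            *" $port "*) [ "$port" = "$ssh_port" ] && ssh_ok=1 ;;
            *) echo "WARN: ALLOW rule not in expected list (over-permissive?): $t"; rc=1 ;;
        esac
    done
    [ "$ssh_ok" = 1 ] || { echo "FAIL: no ALLOW rule for SSH port $ssh_port"; rc=1; }
    [ "$rc" = 0 ] && echo "OK: active, default deny incoming, SSH allowed, allows match expected list"
    return $rc
}

# Constructed sample output (not captured from a real host).
GOOD_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# Constructed sample of a misconfigured host: default allow, blanket allow,
# a database port open, and no SSH rule at all.
OVERPERMISSIVE_STATUS='Status: active
Default: allow (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere'

demo() {
    echo "== constructed good status (ssh 22, expected 443) =="
    printf '%s\n' "$GOOD_STATUS" | check_ufw_status 22 443 || true
    echo "== constructed over-permissive status =="
    printf '%s\n' "$OVERPERMISSIVE_STATUS" | check_ufw_status 22 443 || true
}

demo
```

On a real host, source the file and pipe the live output through the check (`. ./check-ufw.sh; ufw status verbose | check_ufw_status 22 80 443`); a non-zero exit means one of the verification points failed and the findings say which.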
Troubleshooting
- Locked out: use the console; add an allow for SSH and reload.
- Allowed port not reachable: check rule order and that the service is listening.
- Too many ports open: remove unnecessary allows; see Common firewall mistakes.