How to Set Up a Firewall (UFW and CSF)
Configure UFW or CSF on your GoZen VPS to control network traffic, block attacks, and protect your services.
A firewall controls which network traffic can reach your server and which gets blocked. Without one, every port on your VPS is open to the internet. GoZen also provides platform-level security across all plans. This guide covers UFW (the standard Ubuntu firewall) and CSF (a more feature-rich option popular with cPanel servers).
Which Firewall to Use
| Feature | UFW | CSF |
|---|---|---|
| Ease of use | Simple and clean | More complex, more features |
| Best for | VPS with manual setup | cPanel/WHM servers |
| Login failure detection | Needs Fail2Ban separately | Built-in (LFD) |
| UI available | No (CLI only) | Yes (cPanel/WHM plugin) |
| Connection tracking | Basic | Advanced |
| Country blocking | Manual with iptables | Built-in |
Use UFW on an unmanaged VPS running Ubuntu/Debian. Use CSF if you run cPanel/WHM or need advanced features like connection tracking and country blocking.
Part 1: UFW (Uncomplicated Firewall)
UFW is a front-end for iptables that makes firewall rules readable and easy to manage. It’s pre-installed on most Ubuntu systems.
Install and Enable
```bash
# Install (usually already installed on Ubuntu)
sudo apt install ufw -y
# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
```
The defaults mean: block all incoming traffic unless you explicitly allow it, and let outgoing traffic through.
Before enabling UFW, allow SSH first. If you enable the firewall without an SSH rule, you’ll lock yourself out of your own server.
```bash
# Allow SSH (default port 22)
sudo ufw allow 22/tcp
# If you changed your SSH port:
sudo ufw allow 2222/tcp
# Enable the firewall
sudo ufw enable
```
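The steps above are safe only if the SSH rule is applied before `ufw enable`, and the port you need is whatever sshd actually listens on, not necessarily 22. The script below is an added example written for this article (not GoZen's or UFW's own code): it reads every active `Port` line from sshd_config, allows each one, sets the default policies, and only then enables the firewall. The `UFW_CMD` and `UFW_BOOTSTRAP_APPLY` variables are my additions so the command sequence can be dry-run with `echo` before touching a live server.

```shell
#!/bin/sh
# Lockout-safe UFW bootstrap: read the SSH port(s) from sshd_config, allow them,
# set the default policies, and only then enable the firewall.
# Example script written for this article (not GoZen's or UFW's own code).
# Assumptions (mine): sshd_config defaults to /etc/ssh/sshd_config; UFW_CMD
# overrides the ufw command so the sequence can be dry-run with "echo".

# Print every active sshd "Port N" value, one per line (sshd listens on all of
# them when several are given); commented-out lines are ignored; default is 22.
ssh_ports_from_config() {
    ports=$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$1")
    printf '%s\n' "${ports:-22}"
}

# Apply the baseline in the order the article describes. $1 = sshd_config path.
ufw_bootstrap() {
    cmd=${UFW_CMD:-sudo ufw}
    $cmd default deny incoming        # nothing in unless explicitly allowed
    $cmd default allow outgoing
    for port in $(ssh_ports_from_config "${1:-/etc/ssh/sshd_config}"); do
        $cmd allow "${port}/tcp"      # SSH rules go in BEFORE enable
    done
    $cmd --force enable               # --force skips the "proceed?" prompt
}

# Only touch the live firewall when explicitly asked:
#   UFW_BOOTSTRAP_APPLY=1 sh ufw-bootstrap.sh                 (real run)
#   UFW_CMD=echo UFW_BOOTSTRAP_APPLY=1 sh ufw-bootstrap.sh    (dry run)
if [ "${UFW_BOOTSTRAP_APPLY:-0}" = "1" ]; then
    ufw_bootstrap "$@"
fi
```

Run the dry-run form first and read the printed sequence; the `allow` line(s) must appear before `--force enable`, and the port must match what `ss -tlnp | grep sshd` shows on the server.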
Common Rules
Allow the services you actually run. Don’t open ports you’re not using.
```bash
# Web traffic (HTTP and HTTPS)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Mail server (if running one)
sudo ufw allow 25/tcp  # SMTP
sudo ufw allow 587/tcp # SMTP submission
sudo ufw allow 993/tcp # IMAPS
sudo ufw allow 465/tcp # SMTPS
# MySQL (only if remote connections are needed)
sudo ufw allow from 10.0.0.0/8 to any port 3306
# DNS (if running a DNS server; opens both TCP and UDP)
sudo ufw allow 53
```
Allow Specific IPs
Restrict access to sensitive services by IP:
```bash
# Allow SSH only from your office IP
sudo ufw allow from 203.0.113.50 to any port 22
# Allow database access from your app server only
sudo ufw allow from 10.0.1.5 to any port 3306
# Allow a subnet
sudo ufw allow from 192.168.1.0/24
```
Block Specific IPs
```bash
# Block an abusive IP
sudo ufw deny from 198.51.100.23
# Block an entire subnet
sudo ufw deny from 198.51.100.0/24
```
Delete Rules
```bash
# List rules with numbers
sudo ufw status numbered
# Delete by number
sudo ufw delete 3
# Delete by rule
sudo ufw delete allow 8080/tcp
```
Check Status
```bash
# View all active rules
sudo ufw status verbose
# View numbered list (useful for deleting)
sudo ufw status numbered
```
Application Profiles
UFW has built-in profiles for common apps:
```bash
# List available profiles
sudo ufw app list
# Allow a profile
sudo ufw allow 'Nginx Full' # Opens 80 and 443
sudo ufw allow 'OpenSSH'    # Opens 22
```
Reset UFW
If something goes wrong, reset to defaults:
```bash
sudo ufw reset
```
This deletes all rules. You’ll need to re-add SSH and re-enable the firewall.
UFW with Fail2Ban
UFW handles static rules. For dynamic blocking (banning IPs after failed login attempts), pair it with Fail2Ban:
```bash
sudo apt install fail2ban -y
```
Fail2Ban automatically adds temporary UFW rules to block attackers. See Server Hardening Basics for the full Fail2Ban setup.
Part 2: CSF (ConfigServer Security & Firewall)
CSF is a popular firewall for cPanel/WHM servers. It includes LFD (Login Failure Daemon) which does what Fail2Ban does, plus connection tracking, port scanning detection, and country-level blocking.
Install CSF
```bash
cd /tmp
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sudo sh install.sh
```
Check Prerequisites
```bash
sudo perl /usr/local/csf/bin/csftest.pl
```
All tests should show OK. If iptables modules are missing, the output will tell you which ones.
Basic Configuration
```bash
sudo nano /etc/csf/csf.conf
```
Key settings:
```ini
# Disable testing mode (IMPORTANT: only after you've confirmed the rules work,
# and only once your SSH port is listed in TCP_IN)
TESTING = "0"
# Incoming ports to allow
TCP_IN = "22,80,443,587,993,2083,2087"
# Outgoing ports to allow
TCP_OUT = "22,25,53,80,443,587,993,2087"
# UDP ports
UDP_IN = "53"
UDP_OUT = "53,123"
# Enable Login Failure Daemon
LF_DAEMON = "1"
# Block an IP after 5 SSH login failures within LF_INTERVAL seconds (3600 by default)
LF_SSHD = "5"
# Block an IP after 10 SMTP auth failures
LF_SMTPAUTH = "10"
# Connection tracking: block IPs holding more than CT_LIMIT connections,
# checked every CT_INTERVAL seconds
CT_LIMIT = "300"
CT_INTERVAL = "30"
```
Restart CSF:
```bash
sudo csf -r
```
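The one change in that procedure that can lock you out is flipping TESTING from "1" to "0" while your SSH port is missing from TCP_IN, because the cron job that flushed the rules every few minutes stops running. The check below is an added example for this article (not CSF's own tooling or GoZen's): it reads settings in the `KEY = "value"` form shown above, understands CSF's comma-separated port lists including `start:end` ranges, and refuses to sign off when the SSH port you pass is not covered. The function names and the output wording are my own.

```shell
#!/bin/sh
# Pre-flight check before switching csf.conf from TESTING = "1" to "0".
# Example added for this article; not CSF's own tooling or GoZen's.
# Assumptions (mine): settings use the KEY = "value" form shown above, and
# the SSH port is passed as the second argument (default 22).

# Print the value of one csf.conf setting (first active match, quotes stripped).
# Commented-out lines such as '#TCP_IN = "..."' are ignored.
csf_get() {
    key=$1; conf=$2
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$conf" | head -n 1
}

# Is port $1 covered by a CSF port list such as "22,80,443,30000:35000"?
port_in_list() {
    printf '%s\n' "$2" | tr ',' '\n' | awk -F: -v p="$1" '
        NF == 1 && $1 == p            { found = 1 }
        NF == 2 && $1 <= p && p <= $2 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Report anything that would lock you out or weaken protection once TESTING
# is off. $1 = csf.conf path, $2 = SSH port. Returns 1 on a lockout risk.
csf_preflight() {
    conf=$1; ssh_port=${2:-22}; rc=0
    tcp_in=$(csf_get TCP_IN "$conf")
    if ! port_in_list "$ssh_port" "$tcp_in"; then
        echo "LOCKOUT RISK: SSH port $ssh_port is not in TCP_IN=\"$tcp_in\""
        rc=1
    fi
    if [ "$(csf_get LF_DAEMON "$conf")" != "1" ]; then
        echo "WARNING: LF_DAEMON is not 1, login failures will not be blocked"
    fi
    if [ "$(csf_get TESTING "$conf")" = "1" ]; then
        echo "NOTE: TESTING is still 1; rules are flushed by cron every TESTING_INTERVAL minutes"
    fi
    return $rc
}

# Real use, with the port sshd actually listens on:
#   csf_preflight /etc/csf/csf.conf 22 && echo "safe to set TESTING = \"0\""
```

Run it with the real SSH port (check `ss -tlnp | grep sshd` rather than assuming 22); a non-zero exit means fix TCP_IN first, then set TESTING = "0" and `csf -r`.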
Common CSF Commands
```bash
# Start, restart, stop
sudo csf -s # Start
sudo csf -r # Restart
sudo csf -f # Flush/stop
# Allow an IP
sudo csf -a 203.0.113.50 # Quick allow (adds to csf.allow)
# Block an IP
sudo csf -d 198.51.100.23 # Quick deny (adds to csf.deny)
# Remove a block
sudo csf -dr 198.51.100.23
# Search for an IP in rules
sudo csf -g 203.0.113.50
# View blocked IPs
sudo csf -t # Temp blocks
cat /etc/csf/csf.deny # Permanent blocks
```
Block by Country
CSF can block or allow entire countries using GeoIP country data (MaxMind GeoLite2 or the free DB-IP/ipdeny feeds, selected by CC_SRC):
```bash
sudo nano /etc/csf/csf.conf
```
```ini
# Block all traffic from specific country codes
CC_DENY = "CN,RU,KP"
# Or: allow only specific countries (blocks everything else)
# CC_ALLOW = "US,GB,DE,NL"
# Country data source: "2" = DB-IP/ipdeny.com/iptoasn.com (no license key needed),
# "1" = MaxMind GeoLite2 (requires a MaxMind license key in csf.conf)
CC_SRC = "2"
```
Country blocking can be aggressive. Test carefully and make sure you’re not blocking legitimate customers.
CSF with cPanel/WHM
If you’re running cPanel, CSF integrates directly:
- Log into WHM
- Go to Plugins and then ConfigServer Security & Firewall
- You get a full web interface for managing rules, viewing blocks, and adjusting settings
CSF Allow and Deny Files
```bash
# Permanently allow IPs (one per line)
sudo nano /etc/csf/csf.allow
# Permanently block IPs
sudo nano /etc/csf/csf.deny
# Ignore IPs (never block, even for login failures)
sudo nano /etc/csf/csf.ignore
```
Always add your own IP to csf.ignore so you don’t accidentally lock yourself out.
Verify Your Firewall
After configuring either firewall, verify from outside your server:
```bash
# From another machine, scan for open ports
nmap -sV your-server-ip
```
You should only see the ports you explicitly opened. Everything else should show as filtered or not appear at all.
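Reading the scan by eye works for three ports; it does not scale, and it misses the case where a port you expected is silently unreachable. The script below is an added example for this article (not part of nmap or GoZen's docs): it pulls the rows nmap marks `open`, compares them with the list you intended to expose, and flags both directions. The sample scan is constructed to look like `nmap -sV` output for a server where MySQL was left reachable; the `22/tcp,80/tcp,443/tcp` list format and the function names are my own.

```shell
#!/bin/sh
# Diff an nmap scan of your own server against the ports you intended to open.
# Example added for this article, not part of nmap or GoZen's docs. Assumes
# nmap's text report ("PORT STATE SERVICE" rows) on stdin and an expected list
# written as "22/tcp,80/tcp,443/tcp" (my format, not nmap's).

# Constructed sample of what "nmap -sV" prints: 22/80/443 are intended,
# 3306 is a MySQL port that should have stayed closed.
SAMPLE_SCAN='Nmap scan report for 203.0.113.10
Host is up (0.012s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 9.6p1
80/tcp   open  http     nginx 1.24.0
443/tcp  open  ssl/http nginx 1.24.0
3306/tcp open  mysql    MySQL 8.0.36
Service detection performed.'

# Print "<port>/<proto>" for each row nmap marks open; everything else is dropped.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }'
}

# $1 = expected open ports; scan on stdin. Prints each discrepancy and returns
# 1 if any port is open that should not be, or an expected one is unreachable.
check_exposure() {
    expected=",$1,"
    actual=",$(open_ports | sort -u | tr '\n' ',')"
    rc=0
    for p in $(printf '%s' "$actual" | tr ',' ' '); do
        case "$expected" in
            *",$p,"*) ;;
            *) echo "UNEXPECTED open: $p (close the port or tighten the rule)"; rc=1 ;;
        esac
    done
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        case "$actual" in
            *",$p,"*) ;;
            *) echo "MISSING expected: $p (service down or rule not applied)"; rc=1 ;;
        esac
    done
    return $rc
}

# Real use, from a machine outside the server:
#   nmap -sV your-server-ip | check_exposure "22/tcp,80/tcp,443/tcp"
```

Run it from outside the server so you see what the internet sees; a scan from the server itself talks to loopback and bypasses the firewall's INPUT rules.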
Check from inside the server:
```bash
# UFW
sudo ufw status verbose
# CSF
sudo csf -l
```
Troubleshooting
| Problem | Fix |
|---|---|
| Locked out of SSH | Use the VPS console in your GoZen client area to log in directly and fix the rules |
| UFW: rules not applying | Make sure UFW is enabled: sudo ufw status. If it says “inactive,” run sudo ufw enable |
| CSF: stuck in testing mode | In csf.conf, set TESTING = "0" and restart: sudo csf -r |
| Legitimate traffic blocked | Check blocked IPs: sudo csf -t (CSF) or sudo ufw status (UFW). Whitelist as needed |
| Docker bypasses UFW | Docker manipulates iptables directly. Use DOCKER_OPTS="--iptables=false" or use CSF’s DOCKER setting |
| Email not sending | Outgoing port 25 or 587 may be blocked. Add to TCP_OUT (CSF) or sudo ufw allow out 587/tcp (UFW) |
Last updated 19 Apr 2026, 23:46 +0300.