How to Set Up a Basic Firewall for Web Servers on Debian 12 Bookworm
Setting up a firewall is one of the most essential steps in securing any server exposed to the internet. Whether you’re hosting a WordPress site, an eCommerce store, or a personal portfolio, controlling incoming and outgoing traffic helps prevent unauthorized access, minimize attack surfaces, and enforce good network hygiene.
In this article, we will walk through setting up a basic firewall for web servers running Debian 12 Bookworm using UFW (Uncomplicated Firewall), a front end that turns short, readable rules into iptables rules. On Debian 12 the iptables command is by default the nftables-backed variant (iptables-nft), so the rules ultimately program the kernel's netfilter packet filter; UFW hides that layer, which is exactly what makes it convenient for a single-purpose web server.
Why You Need a Firewall on a Web Server
Before diving into the setup, let’s briefly understand why a firewall is critical:
- Traffic Control: Only allow traffic that is explicitly required (e.g., HTTP, HTTPS, SSH).
- Minimizing Attack Vectors: Close unused ports to reduce exposure.
- Rate Limiting and Logging: Slow down brute-force attempts and keep a record of blocked connections for auditing.
- Compliance and Security Policies: Meet basic security standards for your organization or clients.
Now, let’s look at how to implement a firewall strategy on your Debian 12 system.
Step 1: Updating Your System
Before making any changes, it’s a good idea to ensure your system is fully up to date.
sudo apt update && sudo apt upgrade -y
This ensures that all packages, including security updates, are current.
Step 2: Installing UFW (Uncomplicated Firewall)
Debian 12 includes UFW in its repositories. To install it:
sudo apt install ufw -y
Once installed, you can check its status:
sudo ufw status verbose
By default, UFW is inactive after installation. We’ll configure it before activating.
Step 3: Defining Default Policies
A good firewall policy follows the default-deny approach: deny all incoming traffic, and allow only what you need.
sudo ufw default deny incoming
sudo ufw default allow outgoing
This ensures that no unexpected connections are allowed into your server, but your server can still make outbound requests (like downloading packages or updates).
Step 4: Allowing Essential Services
4.1 SSH Access (Port 22)
If you manage the server remotely over SSH, allow it before enabling UFW. With a default-deny inbound policy and no SSH rule, the next connection is refused and you have locked yourself out of the machine:
sudo ufw allow OpenSSH
This is the same as:
sudo ufw allow 22/tcp
If sshd listens on a different port, say 2222, the OpenSSH profile does not cover it (the profile is fixed at 22/tcp), so allow that port explicitly:
sudo ufw allow 2222/tcp
4.2 HTTP and HTTPS Traffic (Ports 80 and 443)
Since this is a web server, allow standard web traffic. UFW resolves the names http and https through /etc/services:
sudo ufw allow http
sudo ufw allow https
Or, more explicitly (preferable in scripts, because it pins the protocol instead of relying on the /etc/services lookup):
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
4.3 FTP, MySQL, or Other Services (Optional)
If you’re running additional services, you can allow those as needed. For example:
FTP (port 21) sends credentials in cleartext, and passive mode needs an additional port range opened, so on a web server prefer SFTP, which runs over the SSH port you already allowed. If you must run plain FTP:
sudo ufw allow 21/tcp
MySQL (port 3306): only if remote access is genuinely required, and then restricted to a known source address with a from ... to any port 3306 rule as shown in Step 6.3, rather than the wide-open rule below:
sudo ufw allow 3306/tcp
If a service is only used locally (for example MySQL by the web application on the same host), leave its port closed; loopback traffic is not subject to these inbound rules, so the application keeps working.
Step 5: Enabling the Firewall
Once you’ve configured all the necessary rules, you can enable UFW:
sudo ufw enable
You may be asked to confirm, because enabling the firewall can disrupt an existing SSH session if the SSH rule is missing. Enabling also sets ENABLED=yes in /etc/ufw/ufw.conf, so the rules are loaded again at boot. Afterwards, check the status again:
sudo ufw status numbered
You should see the rules you added, each with a number and with the Action and From columns showing what it admits.
Step 6: Managing Rules
6.1 Deleting Rules
If you need to remove a rule:
First, list the rules with numbers:
sudo ufw status numbered
Then delete by number. Rule numbers shift after each deletion, so when removing several rules delete the highest number first, for example:
sudo ufw delete 2
6.2 Denying Specific IPs or Ranges
UFW evaluates rules in order and stops at the first match, so a deny that is simply appended after the allow rules above never fires for the ports those rules open. When blocking a source that an earlier allow would otherwise admit, add the deny with ufw insert at a low position (for example position 1) so it is checked first. To block a single address:
sudo ufw deny from 203.0.113.45
Or block an entire subnet:
sudo ufw deny from 203.0.113.0/24
6.3 Allow Access from a Specific IP
If you have an office IP or a developer’s static IP that needs full access:
sudo ufw allow from 198.51.100.100
To allow access to a specific port from an IP:
sudo ufw allow from 198.51.100.100 to any port 22 proto tcp
Step 7: Logging and Monitoring
UFW can log the packets it blocks (and, at higher log levels, those it allows), which shows you who is probing the server. The on setting corresponds to level low: blocked packets are logged, with kernel rate limiting so a flood of probes cannot fill the disk.
Enable logging:
sudo ufw logging on
The entries are kernel messages. Debian 12 no longer installs rsyslog by default, so on a stock install they live only in the systemd journal and are read with journalctl -k (or journalctl -g UFW). With rsyslog installed they are also written to:
/var/log/ufw.log
You can tail the log for real-time monitoring:
sudo tail -f /var/log/ufw.log
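Tailing the raw log tells you little once traffic picks up. As an added example, not code from the original article or from the ufw project, the following script condenses the log into a per-source, per-port count of blocked packets and lists the sources that exceed a threshold. It assumes the standard netfilter log line format that UFW produces (it keys on the SRC=, DPT= and PROTO= fields, so the syslog or journal prefix does not matter); the sample lines embedded below are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Summarise what UFW is blocking. Added example for this article, not code from
# the ufw project. Assumes the standard kernel/netfilter log format ufw emits.
set -eu

# Constructed sample of ufw log lines (MAC fields shortened to "..."). A
# [UFW LIMIT BLOCK] entry comes from a 'ufw limit' rule; [UFW ALLOW] lines only
# appear at logging level medium or higher and are ignored by the functions below.
SAMPLE_LOG=$(cat <<'EOF'
May  3 10:01:02 web01 kernel: [12345.678901] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.45 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=43210 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
May  3 10:01:03 web01 kernel: [12346.678901] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.45 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=43211 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
May  3 10:01:04 web01 kernel: [12347.678901] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.45 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54323 PROTO=TCP SPT=43212 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
May  3 10:01:05 web01 kernel: [12348.678901] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.45 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=244 ID=54324 PROTO=ICMP TYPE=13 CODE=0 ID=777 SEQ=1
May  3 10:02:10 web01 kernel: [12413.000000] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=... SRC=192.0.2.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=50001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
May  3 10:02:11 web01 kernel: [12414.000000] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=192.0.2.77 DST=198.51.100.10 LEN=32 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=UDP SPT=50002 DPT=161 LEN=12
May  3 10:03:00 web01 kernel: [12463.000000] [UFW ALLOW] IN=eth0 OUT= MAC=... SRC=198.51.100.100 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=3 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
)

# Print "count source dst_port proto" for every blocked (source, port, proto)
# tuple, busiest first. Reads log text from stdin so it works on a file or a pipe.
# Entries without a DPT= field (e.g. ICMP) carry no port and are skipped here.
summarize_blocks() {
    awk '
        /\[UFW (LIMIT )?BLOCK\]/ {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src != "" && dpt != "") count[src " " dpt " " proto]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Sources with at least N blocked packets of any kind (ports or not): candidates
# for a 'ufw deny from <address>' rule (Step 6.2). Usage: noisy_sources N < logfile
noisy_sources() {
    awk -v t="$1" '
        /\[UFW (LIMIT )?BLOCK\]/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) hits[substr($i, 5)]++
        }
        END { for (ip in hits) if (hits[ip] >= t) print hits[ip], ip }
    ' | sort -k1,1nr
}

# Demo on the constructed sample. On a real host feed the live log instead:
#   summarize_blocks < /var/log/ufw.log        (root or the adm group, with rsyslog)
#   journalctl -k -o cat | summarize_blocks    (journal only, the Debian 12 default)
printf '%s\n' "$SAMPLE_LOG" | summarize_blocks
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
```

A source that appears across many ports is scanning you; one hammering a single port, typically 22 or 3306, is a candidate for the deny rule in Step 6.2 or the rate limit in Step 8.1. Because logging level low rate-limits what the kernel records, the counts are a lower bound under heavy traffic, not an exact packet count.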
Step 8: Advanced Configuration Tips
8.1 Rate Limiting SSH
Protect against brute-force password guessing:
sudo ufw limit ssh
A limit rule allows connections as usual but denies a source that has attempted six or more new connections within 30 seconds. It slows guessing rather than stopping it, so keep key-based authentication as the real control. The name ssh resolves to 22/tcp; if sshd listens on another port, limit that port instead, and check ufw status numbered afterwards to confirm that the limit rule, not a plain allow for the same port, is the one matching SSH.
8.2 Application Profiles
UFW reads application profiles from /etc/ufw/applications.d, where packages such as openssh-server and apache2 can install their own, so the list depends on what is installed. Check them with:
sudo ufw app list
You might see something like:
Available applications:
OpenSSH
Apache Full
Apache Secure
Apache
To use one:
sudo ufw allow 'Apache Full'
The Apache Full profile opens 80/tcp and 443/tcp; Apache opens only 80/tcp and Apache Secure only 443/tcp. To see exactly what a profile contains before allowing it, run ufw app info followed by the profile name.
Step 9: Testing the Firewall
Test from another machine, not from the server itself, because loopback traffic bypasses the inbound rules. A port scan with nmap shows what is reachable from outside:
nmap -p 1-1000 your-server-ip
Ports the firewall drops are reported as filtered, ports the firewall admits but with no service listening show as closed, and the only open ports should be the ones you intended. You can also simply try to connect to allowed and disallowed ports with telnet or a browser.
Ensure that:
- HTTP and HTTPS work
- SSH access is preserved
- All unnecessary ports are filtered or closed
Step 10: Saving and Backing Up UFW Rules
UFW stores the rules you add in /etc/ufw/user.rules and /etc/ufw/user6.rules (with the default policies in /etc/default/ufw and the enabled flag in /etc/ufw/ufw.conf) and reloads them at boot, so nothing has to be saved by hand. Include /etc/ufw in your system backups, and keep a human-readable snapshot for review and change tracking:
sudo ufw status > ~/ufw-backup-$(date +%F).txt
For repeatable deployments, keep the rules in a shell script under version control and re-run it on each host instead of typing rules one by one; the script then doubles as the authoritative description of the policy.
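The procedure of Steps 3 to 5 above, together with the rule-ordering and source-restriction points from Step 6 and the logging and rate-limiting settings from Steps 7 and 8, as one re-deployable script. This is an added example for this article, not ufw's own code. The administrator address 198.51.100.100 and the blocked network 203.0.113.0/24 are placeholder assumptions; by default the script only prints the ufw commands it would run (a dry run), so you can review the rule order before re-running it with --apply.

```shell
#!/bin/sh
# Re-deployable UFW policy for a Debian 12 web server.
# Added example for this article, not code from the ufw project.
# Assumed placeholders (change for your host): ADMIN_IP is the one address allowed
# to reach MySQL, BLOCKED_NETS are sources rejected before anything else, SSH_PORT
# is where sshd listens. Without --apply the script only prints the commands.
set -eu

SSH_PORT="${SSH_PORT:-22}"
ADMIN_IP="${ADMIN_IP:-198.51.100.100}"            # assumed administrator address
BLOCKED_NETS="${BLOCKED_NETS:-203.0.113.0/24}"    # assumed abusive network(s), space separated

case "${1:-}" in
    --apply) UFW="sudo ufw" ;;       # really change the firewall
    *)       UFW="echo ufw" ;;       # default: dry run, print what would be executed
esac

apply_policy() {
    # Start from a clean slate so every run produces the same rule set (Step 10).
    # Note: reset also disables the firewall until 'enable' runs again below.
    $UFW --force reset

    # Default-deny inbound, allow outbound (Step 3).
    $UFW default deny incoming
    $UFW default allow outgoing

    # ufw checks rules in order and stops at the first match, so explicit denies
    # go first; a deny appended after a broad allow would never be reached (Step 6.2).
    for net in $BLOCKED_NETS; do
        $UFW deny from "$net"
    done

    # SSH from anywhere, rate-limited against brute force (Steps 4.1 and 8.1). If every
    # admin has a fixed address, tighten this to: limit from "$ADMIN_IP" to any port "$SSH_PORT" proto tcp
    $UFW limit "$SSH_PORT/tcp"

    # Public web traffic, protocol pinned (Step 4.2).
    $UFW allow 80/tcp
    $UFW allow 443/tcp

    # Database reachable only from the admin address, never from the internet (Steps 4.3 and 6.3).
    $UFW allow from "$ADMIN_IP" to any port 3306 proto tcp

    # Log blocked packets, enable without a prompt, and show the resulting order (Steps 5 and 7).
    $UFW logging on
    $UFW --force enable
    $UFW status numbered
}

apply_policy
```

Because ufw --force reset clears the rule set and disables the firewall, there is a brief window with no filtering while the script runs with --apply; run it from a console or a session you can afford to lose, and keep the dry run as your review step. Putting the deny loop before the allow rules is what makes the 6.2 caveat moot: the script, not the order in which someone typed commands, decides where each rule lands.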
Conclusion
A basic firewall configuration is a cornerstone of server security, especially for systems like web servers that are always online and exposed to the public. With Debian 12 Bookworm, using UFW simplifies managing your iptables-based firewall and makes your security policy easier to audit, maintain, and deploy.
By following the steps in this guide, you have:
- Installed and configured UFW
- Defined a minimal access policy
- Enabled essential web services
- Implemented optional access controls
- Enabled logging and tested your setup
As your server evolves, revisit your firewall settings periodically. Regular audits and reviews help ensure your server stays secure, responsive, and resilient against emerging threats.