ufw: Uncomplicated Firewall... how do we set that up?

Just before (or immediately after) you've got nginx installed, it's time to think about getting a firewall in place.

ufw (Uncomplicated Firewall) is just the ticket.

Enable ufw, and allow these ports

To check if ufw is set up as expected...

sudo ufw status

And you should see this result:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)

For extra info you can try:

sudo ufw status verbose

Result:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)

And to see which apps are registered with ufw...

sudo ufw app list

Result:

Available applications:
	Nginx Full
	Nginx HTTP
	Nginx HTTPS
	OpenSSH

Considerations for later

HTTPS connections can be allowed with this command:

sudo ufw allow https

If you'd rather use the port number, 443, use this command:

sudo ufw allow 443

A simpler option is to allow an application profile by name. For HTTP:

sudo ufw allow 'Nginx HTTP'

Or, for http and https:

sudo ufw allow 'Nginx Full'

You can remove those you've already allowed with, for example:

sudo ufw delete allow 80/tcp

...because that's superseded by the 'Nginx HTTP' profile

sudo ufw delete allow 'Nginx HTTP'

...because that's superseded by 'Nginx Full' (which allows both HTTP and HTTPS)

Might also want to allow 'OpenSSH', something like sudo ufw allow 'OpenSSH', but I'm not sure, so I'd stick with

sudo ufw allow 22/tcp

For now.

Although, checking what application lists are available with:

sudo ufw app list

I see:

Nginx Full
Nginx HTTP
Nginx HTTPS
OpenSSH

So I expect if I do sudo ufw allow 'OpenSSH' then I would be able to delete 22/tcp and still use ssh.
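
The clean-up described above (deleting a port rule once an allowed profile covers it, and leaving 22/tcp alone until 'OpenSSH' is actually allowed) as an added shell example, not part of the original page. The profile-to-port table, the function names and the sample status text are assumptions made for illustration, and the check is generalized to any rule fully covered by another allowed profile.

```sh
# Added example: lists ufw rules that an allowed app profile makes redundant.
# It only prints suggested commands; it never changes the firewall.

# Assumption: port sets of the stock Ubuntu profiles. Confirm on your host
# with: sudo ufw app info 'Nginx Full'
profile_ports() {
    case "$1" in
        "Nginx HTTP")  echo "80/tcp" ;;
        "Nginx HTTPS") echo "443/tcp" ;;
        "Nginx Full")  echo "80/tcp 443/tcp" ;;
        "OpenSSH")     echo "22/tcp" ;;
    esac
}

# Reads `ufw status` (or `ufw status verbose`) text on stdin.
redundant_rules() {
    # "To" column of each ALLOW rule open to Anywhere. Only the IPv4 lines are
    # needed: `ufw delete` removes the matching v6 rule as well.
    allowed=$(awk -F'  +' '{ sub(/[ \t]+$/, "") }
        $2 ~ /^ALLOW( IN)?$/ && $3 == "Anywhere" { print $1 }')
    printf '%s\n' "$allowed" | while IFS= read -r t; do
        [ -n "$t" ] || continue
        want=$(profile_ports "$t"); [ -n "$want" ] || want=$t
        case "$t" in *" "*) q="'$t'" ;; *) q=$t ;; esac
        printf '%s\n' "$allowed" | while IFS= read -r p; do
            have=$(profile_ports "$p")   # empty unless p is a known profile
            [ "$p" != "$t" ] && [ -n "$have" ] || continue
            missing=0
            for port in $want; do
                case " $have " in *" $port "*) ;; *) missing=1 ;; esac
            done
            if [ "$missing" -eq 0 ]; then echo "sudo ufw delete allow $q"; fi
        done
    done | LC_ALL=C sort -u
}

# Constructed, trimmed sample: two port rules, both Nginx profiles, no OpenSSH.
SAMPLE='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)'

printf '%s\n' "$SAMPLE" | redundant_rules
```

On a live host, source the functions and run sudo ufw status | redundant_rules. A bare 443 rule is never flagged, because sudo ufw allow 443 opens UDP as well as TCP and the profiles listed here cover TCP only.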
