Virginia Tech® home

Server Firewall


A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization’s previously established security policies. At its most basic, a firewall is essentially the barrier that sits between the host and the network.


Windows Server

Windows Server Firewall can be accessed via the Windows Defender Firewall with Advanced Security application. To access this, follow these instructions

  1. Open the search menu from the Windows start menu.
  2. Search for Windows Defender Firewall.
  3. Select Windows Defender Firewall.

From here you can enable and disable the Windows Defender Firewall for the Domain, Private and Public profiles. More information on how to utilize the Windows Defender Firewall can be found from the official Windows Documentation.


Apple has discontinued macOS server. If you are looking for macOS client computer firewall instructions, see the Endpoint Firewall documentation.


This section lists firewall programs and apps that are recommended by or are the default of common server Linux distributions. Then, specific instructions for the more popular firewall applications are given.


All recent releases of Debian (after Debian 5.0 “lenny”) come with the iptables program installed by default, and configured to allow all traffic. It is expected that server administrators configure relevant rules to block unnecessary traffic.

However, iptables is being replaced by nftables by the same developers. Starting with Debian 10 “Buster”, the nftables framework is used by default. Debian installations still using the iptables backend are encouraged to migrate to nftables.

Server administrators are also encouraged to use a wrapper instead of handrolling iptables/nftables scripts. One such wrapper is firewalld, which integrates well with Debian installations. For a simpler interface to iptables, see Uncomplicated Firewall.


The default configuration tool for Ubuntu is ufw, which controls the iptables framework also available on Debian. It is initially disabled.


Fedora comes with firewalld by default, which can be controlled by the firewall-cmd or firewall-config programs.

Firewall Programs

Ufw Installation

Installation on Debian, Ubuntu:

$ sudo apt-get update
$ sudo apt-get install ufw

Installation on Fedora:

$ sudo dnf update
$ sudo dnf install ufw

Configuring Ufw for SSH

Important: If you are using an SSH connection to connect remotely, you need to allow incoming SSH connections. If this is not you, skip to Enabling Ufw.

(Optional) Allow SSH connections:

Before enabling the UFW firewall first, you need to allow incoming SSH connections.

If you’re connecting to your server from a remote location, and you enable the UFW firewall before explicitly allow incoming SSH connections you will no longer be able to connect to your Debian server.

To configure your UFW firewall to accept SSH connections, run the following command.

$ sudo ufw allow OpenSSH

By default SSH uses port 22. If your configuration is using another port, use the command

$ sudo ufw allow <port>/tcp

where is the port your configuration is using.

Enabling Ufw

Now that the UFW firewall is configured to allow incoming SSH connections, enable it by running:

$ sudo ufw enable

The output from the terminal will look like:

  Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
  Firewall is active and enabled on system startup

You will be warned that enabling the firewall may disrupt existing SSH connections. Type y and press Enter.

Firewalld Installation

Installation on Debian, Ubuntu:

$ sudo apt-get update
$ sudo apt-get install firewalld

Installation on Fedora:

$ sudo dnf update
$ sudo dnf install firewalld

Firewalld Usage

Start firewalld, by entering the following commands.

$ sudo systemctl unmask firewalld
$ sudo systemctl start firewalld

(Recommended) To make firewalld start automatically at system start, type the following command.

$ sudo systemctl enable firewalld


If you have questions that are not covered in this procedure, please contact the Virginia Tech IT Security Office at for a consultation.