Common VPS task

How to set VPS firewall rules

A good VPS firewall starts with a short port list, a rollback path, and a second SSH session. Open only what the server needs.

Use this as a focused checklist for one common hosting task. The larger setup guides still cover full-site and full-server builds.

Difficulty
Intermediate
Time
20 to 60 minutes
Images
4 official examples

1. Write the port list before changing rules

SSH

Port 22 unless you intentionally changed it. Restrict to your IP when possible.

HTTP

Port 80 for web traffic and certificate validation.

HTTPS

Port 443 for secure web traffic.

Everything else

Keep databases, Redis, admin panels, and private services closed to the public unless There's a documented reason.

2. Add provider firewall rules first

A provider firewall blocks traffic before it reaches the server. Add SSH first, test access, then add HTTP and HTTPS when the web stack is ready.

DigitalOcean cloud firewall quickstart
DigitalOcean cloud firewall quickstart: Cloud firewalls protect the server before traffic reaches the operating system.
DigitalOcean firewall rule section
DigitalOcean cloud firewall quickstart: Open SSH only to your IP when possible, then expose HTTP and HTTPS after the web stack is ready.
Hetzner Cloud firewalls documentation
Hetzner Cloud firewalls: A provider firewall gives a clean rollback path if the server firewall is misconfigured.

3. Enable the server firewall

sudo apt update
sudo apt -y install ufw
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw status verbose
Warning

Keep one working SSH session open while enabling UFW. Test a second SSH login before closing it.

DigitalOcean firewall notes in production setup
DigitalOcean production Droplet setup: Provider firewall and server firewall should both be understood before exposing ports.

4. Verify from outside the server

ssh deploy@SERVER_IP
curl -I http://example.com
curl -I https://example.com
sudo ufw status numbered
SSH

You can still log in from an allowed IP.

Web

HTTP and HTTPS respond only after the web stack is ready.

Private services

Database and cache ports are not publicly exposed.

Rollback

You know how to disable provider rules or use console recovery if access breaks.

Official sources checked

DigitalOcean cloud firewalls

Used for provider firewall setup and port rules.

DigitalOcean production Droplet setup

Used for production firewall sequence context.

Hetzner Cloud firewalls

Used for provider firewall context.

© 2026 WebHostWatch. We may earn affiliate commissions from links. Recommendations remain editorially independent.