Update UFW article: add web server ports lesson from tttpod outage

Adds a section documenting how missing HTTP/HTTPS rules caused a
site outage on tttpod, and updates the fleet reference table.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 03:57:27 -04:00
parent 9cc0252008
commit bce18c75d8


@@ -5,7 +5,7 @@ category: security
tags: [security, firewall, ufw, ubuntu, networking] tags: [security, firewall, ufw, ubuntu, networking]
status: published status: published
created: 2026-04-02 created: 2026-04-02
updated: 2026-04-02 updated: 2026-04-03
--- ---
# UFW Firewall Management # UFW Firewall Management
@@ -133,6 +133,21 @@ sudo ufw default deny incoming
sudo ufw default allow outgoing sudo ufw default allow outgoing
``` ```
## Don't Forget Web Server Ports
If you're running a web server behind UFW, make sure ports 80 and 443 are explicitly allowed. This sounds obvious, but it's easy to miss — especially on servers where UFW was enabled after the web server was already running, or where a firewall reset dropped rules that were never persisted.
```bash
# Allow HTTP and HTTPS
sudo ufw allow 80
sudo ufw allow 443
# Or use an application profile
sudo ufw allow 'Apache Full'
```
If your site suddenly stops responding after enabling UFW or resetting rules, check `sudo ufw status numbered` first. Missing web ports is the most common cause.
## UFW with Fail2ban ## UFW with Fail2ban
On Ubuntu servers, Fail2ban and UFW operate at different layers. Fail2ban typically creates its own nftables table (`inet f2b-table`) at a higher priority than UFW's chains. This means: On Ubuntu servers, Fail2ban and UFW operate at different layers. Fail2ban typically creates its own nftables table (`inet f2b-table`) at a higher priority than UFW's chains. This means:
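Review bot: `sudo ufw allow 80` and `sudo ufw allow 443` in the new fenced block open both TCP and UDP on those ports, while a web server only listens on TCP; write them as `sudo ufw allow 80/tcp` and `sudo ufw allow 443/tcp` so the bare-port form is not wider than the `'Apache Full'` profile it is offered as an alternative to (that profile is TCP-only). The profile line also assumes the package has registered it; a short pointer to `sudo ufw app list` lets the reader confirm the name before relying on it. Lastly, "Missing web ports is the most common cause" is a superlative nothing in the article supports; "a common cause" keeps the troubleshooting advice without the unverifiable claim.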
@@ -166,7 +181,7 @@ UFW is used on these MajorsHouse servers:
|---|---| |---|---|
| majortoot | SSH on tailscale0, deny 22 globally | | majortoot | SSH on tailscale0, deny 22 globally |
| majorlinux | SSH on tailscale0, deny 22 globally | | majorlinux | SSH on tailscale0, deny 22 globally |
| tttpod | SSH on tailscale0, deny 22 globally | | tttpod | SSH on tailscale0, deny 22 globally, Apache Full (added 2026-04-03) |
| teelia | SSH on tailscale0, deny 22 globally, Apache Full | | teelia | SSH on tailscale0, deny 22 globally, Apache Full |
The Fedora servers (majorlab, majorhome, majormail, majordiscord) use iptables or firewalld instead. The Fedora servers (majorlab, majorhome, majormail, majordiscord) use iptables or firewalld instead.
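Review bot: the tttpod row now carries an inline change date, "Apache Full (added 2026-04-03)", while the otherwise identical teelia row has none, so the reference table has started doubling as a changelog. Either date both entries or drop the annotation here and let the new "Don't Forget Web Server Ports" section (which already tells the outage story) hold the history, so the table stays a plain statement of current state per host.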