From c66d3a6fd0ad2c43d336ff8eed29e5569450c6c4 Mon Sep 17 00:00:00 2001 From: MajorLinux Date: Fri, 3 Apr 2026 03:57:27 -0400 Subject: [PATCH] Update UFW article: add web server ports lesson from tttpod outage Adds a section documenting how missing HTTP/HTTPS rules caused a site outage on tttpod, and updates the fleet reference table. Co-Authored-By: Claude Opus 4.6 (1M context) --- .../security/ufw-firewall-management.md | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/02-selfhosting/security/ufw-firewall-management.md b/02-selfhosting/security/ufw-firewall-management.md index ae9f441..9c66fba 100644 --- a/02-selfhosting/security/ufw-firewall-management.md +++ b/02-selfhosting/security/ufw-firewall-management.md @@ -5,7 +5,7 @@ category: security tags: [security, firewall, ufw, ubuntu, networking] status: published created: 2026-04-02 -updated: 2026-04-02 +updated: 2026-04-03 --- # UFW Firewall Management @@ -133,6 +133,21 @@ sudo ufw default deny incoming sudo ufw default allow outgoing ``` +## Don't Forget Web Server Ports + +If you're running a web server behind UFW, make sure ports 80 and 443 are explicitly allowed. This sounds obvious, but it's easy to miss — especially on servers where UFW was enabled after the web server was already running, or where a firewall reset dropped rules that were never persisted. + +```bash +# Allow HTTP and HTTPS +sudo ufw allow 80 +sudo ufw allow 443 + +# Or use an application profile +sudo ufw allow 'Apache Full' +``` + +If your site suddenly stops responding after enabling UFW or resetting rules, check `sudo ufw status numbered` first. Missing web ports is the most common cause. + ## UFW with Fail2ban On Ubuntu servers, Fail2ban and UFW operate at different layers. Fail2ban typically creates its own nftables table (`inet f2b-table`) at a higher priority than UFW's chains. This means: 
@@ -166,7 +181,7 @@ UFW is used on these MajorsHouse servers: |---|---| | majortoot | SSH on tailscale0, deny 22 globally | | majorlinux | SSH on tailscale0, deny 22 globally | -| tttpod | SSH on tailscale0, deny 22 globally | +| tttpod | SSH on tailscale0, deny 22 globally, Apache Full (added 2026-04-03) | | teelia | SSH on tailscale0, deny 22 globally, Apache Full | The Fedora servers (majorlab, majorhome, majormail, majordiscord) use iptables or firewalld instead.
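Review bot: In the "Don't Forget Web Server Ports" hunk, `sudo ufw allow 80` and `sudo ufw allow 443` open both TCP and UDP on those ports, which is wider than a web server needs; prefer `sudo ufw allow 80/tcp` and `sudo ufw allow 443/tcp` so the rule matches what the profile-based alternative (`Apache Full`) actually grants. The closing sentence "Missing web ports is the most common cause" is stated as a general fact but the only evidence on the page is one incident, so soften it to something like "the first thing to check" or tie it back to the tttpod outage the commit message describes; as written the section never mentions tttpod at all, so the documentation the commit message promises (how the missing rules caused the outage) is not actually in the diff. Also note that `'Apache Full'` is only available when Apache's UFW profile is installed; a sentence pointing readers to `sudo ufw app list` would avoid a confusing "could not find a profile" error on nginx hosts.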
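Review bot: In the fleet table hunk, the new tttpod row appends "(added 2026-04-03)" while the teelia row lists "Apache Full" with no date, so the two rows now use different conventions for the same rule; either drop the parenthetical (the frontmatter `updated:` field and git history already record when it changed) or add dates to every row so the table stays uniform.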