This guide will help you use UFW (Uncomplicated Firewall) to block all traffic to your server other than traffic coming via Cloudflare, plus essential services such as FTP and SSH.

Why would you want to do this?

Cloudflare will protect your site from all manner of attacks. However, your server may still be vulnerable, because its own IP address can be reached directly, bypassing Cloudflare. By closing the web ports to everyone but Cloudflare, you add a further layer of protection. Cloudflare offers Argo as a solution to this, which effectively does the same thing: it blocks all traffic except Cloudflare's. Argo costs at least $5 a month per domain. UFW is free, but on its own does nothing against DDoS attacks. Make sure that the DNS zones of the websites hosted on the server we're about to lock down are proxied through Cloudflare, i.e. have the orange cloud rather than the grey one; otherwise those sites will become unreachable once the rules are enabled.

How can I set up UFW?

First, you’ll need to be running Debian or Ubuntu. I recommend (and use) DigitalOcean. For $100 free credit over 60 days, sign up using this link (I get $25 when you have spent $25).

UFW is usually installed by default. You can check using:

sudo ufw status

If it isn't installed, you can install it by running this command:

sudo apt-get install ufw

Before anything else, make sure you won't lock yourself out by opening up your SSH port:

sudo ufw allow ssh

If SSH is not running on the default port 22, run this instead:

sudo ufw allow 1234/tcp

Replace 1234 with the SSH port number.

Now allow anything else that runs on your server, like FTP:

sudo ufw allow ftp

But not the web ports (80, 443) – we’re getting to that.

Cloudflare publishes the IP address ranges of its servers online.

Each rule below has the form "sudo ufw allow from <ip range> to any port <port>": it allows connections from <ip range> to <port> on any address of this server, and nothing else.

Without further ado, copy and paste the following into your terminal to allow HTTP from Cloudflare's IPv4 ranges:

sudo ufw allow from 173.245.48.0/20 to any port http
sudo ufw allow from 103.21.244.0/22 to any port http
sudo ufw allow from 103.22.200.0/22 to any port http
sudo ufw allow from 103.31.4.0/22 to any port http
sudo ufw allow from 141.101.64.0/18 to any port http
sudo ufw allow from 108.162.192.0/18 to any port http
sudo ufw allow from 190.93.240.0/20 to any port http
sudo ufw allow from 188.114.96.0/20 to any port http
sudo ufw allow from 197.234.240.0/22 to any port http
sudo ufw allow from 198.41.128.0/17 to any port http
sudo ufw allow from 162.158.0.0/15 to any port http
sudo ufw allow from 104.16.0.0/12 to any port http
sudo ufw allow from 172.64.0.0/13 to any port http
sudo ufw allow from 131.0.72.0/22 to any port http

If your server also has an IPv6 address, copy the following as well:

sudo ufw allow from 2400:cb00::/32 to any port http
sudo ufw allow from 2606:4700::/32 to any port http
sudo ufw allow from 2803:f800::/32 to any port http
sudo ufw allow from 2405:b500::/32 to any port http
sudo ufw allow from 2405:8100::/32 to any port http
sudo ufw allow from 2a06:98c0::/29 to any port http
sudo ufw allow from 2c0f:f248::/32 to any port http

If you use HTTPS, also do the following:

sudo ufw allow from 173.245.48.0/20 to any port https
sudo ufw allow from 103.21.244.0/22 to any port https
sudo ufw allow from 103.22.200.0/22 to any port https
sudo ufw allow from 103.31.4.0/22 to any port https
sudo ufw allow from 141.101.64.0/18 to any port https
sudo ufw allow from 108.162.192.0/18 to any port https
sudo ufw allow from 190.93.240.0/20 to any port https
sudo ufw allow from 188.114.96.0/20 to any port https
sudo ufw allow from 197.234.240.0/22 to any port https
sudo ufw allow from 198.41.128.0/17 to any port https
sudo ufw allow from 162.158.0.0/15 to any port https
sudo ufw allow from 104.16.0.0/12 to any port https
sudo ufw allow from 172.64.0.0/13 to any port https
sudo ufw allow from 131.0.72.0/22 to any port https

And for HTTPS and IPv6:

sudo ufw allow from 2400:cb00::/32 to any port https
sudo ufw allow from 2606:4700::/32 to any port https
sudo ufw allow from 2803:f800::/32 to any port https
sudo ufw allow from 2405:b500::/32 to any port https
sudo ufw allow from 2405:8100::/32 to any port https
sudo ufw allow from 2a06:98c0::/29 to any port https
sudo ufw allow from 2c0f:f248::/32 to any port https

Run the following to enable UFW:

sudo ufw enable

Run this to check UFW’s status:

sudo ufw status

Now nobody can reach your websites without going through Cloudflare. UFW denies incoming connections by default, so nobody can reach your server on any port that doesn't show ALLOW next to it in the status output.
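The rule lists above are a snapshot, and Cloudflare's published ranges change over time, so it is worth being able to regenerate the rules and to compare them with what UFW currently has. The following script is an added example, not part of this guide: gen_rules prints the per-range rule for a port from a list of CIDR ranges, and missing_ranges reports which ranges have no rule in a saved copy of "sudo ufw status" output. CF_V4 is copied from the IPv4 list in this guide, and the status sample is constructed for the demonstration; refresh CF_V4 from Cloudflare's published list (www.cloudflare.com/ips) before relying on it.

```shell
#!/bin/sh
# Added example (not from the guide): print the per-range UFW rules for a port, and
# check which ranges from the list still lack a rule in saved "ufw status" output.
# CF_V4 is the IPv4 list copied from this guide; treat it as a snapshot and refresh
# it from Cloudflare's published list (www.cloudflare.com/ips) before relying on it.

CF_V4="173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/12
172.64.0.0/13 131.0.72.0/22"

# gen_rules PORT RANGE...  -> one "sudo ufw allow" line per range (printed, not run)
gen_rules() {
    port=$1; shift
    for range in "$@"; do
        printf 'sudo ufw allow from %s to any port %s\n' "$range" "$port"
    done
}

# missing_ranges STATUS_FILE RANGE... -> each range that appears on no line of the
# saved "sudo ufw status" output. Whole-token comparison, so a mistyped rule such
# as 104.16.0.0/13 does not count as a rule for 104.16.0.0/12.
missing_ranges() {
    status_file=$1; shift
    for range in "$@"; do
        awk -v r="$range" '{ for (i = 1; i <= NF; i++) if ($i == r) found = 1 }
                           END { exit !found }' "$status_file" \
            || printf '%s\n' "$range"
    done
}

# Constructed sample of "sudo ufw status" output: the SSH rule from the guide, one
# correct Cloudflare HTTP rule, and one rule whose range was mistyped (/13 not /12).
STATUS_SAMPLE=$(mktemp)
cat > "$STATUS_SAMPLE" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80                         ALLOW       173.245.48.0/20
80                         ALLOW       104.16.0.0/13
EOF

echo "# rules to (re)apply for HTTP:"
gen_rules http $CF_V4
echo "# ranges with no HTTP rule yet in the sample status:"
missing_ranges "$STATUS_SAMPLE" $CF_V4
```

On a real server, save the live output with "sudo ufw status > status.txt" and pass that file to missing_ranges; pipe the gen_rules output to sh only after refreshing CF_V4.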